Smart Card Alliance calls for two-factor authentication

April 21, 2010 | Bernie Monegain, Editor

PRINCETON JUNCTION, NJ – The Smart Card Alliance Healthcare Council is urging the use of two-factor authentication with smart card technology as a way to protect against medical identity theft.

According to a recent Ponemon Institute study, nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion – about $20,000 per victim.

Though recent legislation, such as the American Recovery and Reinvestment Act (ARRA) and the associated provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act, highlights the need to address privacy and security across the U.S. healthcare system, no controls have been put in place to assure that patient information is always protected, notes the alliance.

"The individuals whose medical identities are stolen have to deal with lingering effects, like erroneous medical expenses, problems with insurance, and incorrect data on their medical records that can lead to potentially fatal medical errors," said Randy Vanderhoof, executive director of the Smart Card Alliance. "To prevent this, patients need an unambiguous way to identify themselves to their healthcare provider when accessing patient records or requesting healthcare services, whether it be in person or over a network."

The Smart Card Alliance Council has published a brief that explains how two-factor authentication with smart cards can accomplish this.

In "Medical Identity Theft in Healthcare," the council describes how two-factor authentication with smart card technology allows patients and providers to securely access personal health information. Smart card technology is a proven technology, already used in U.S. electronic passports, and in the U.S. federal government's employee ID cards that are used to access the nation's most secure computer networks and facilities, the council notes. The technology includes a tamper-resistant chip with security software that can be embedded into a card, token or mobile device (like a mobile phone).

As the council is composed of industry professionals from all parts of the healthcare sector, it has a unique perspective on the issues facing the industry, said Paul Contino, vice president of information technology at Mount Sinai Medical Center and chairman of the Smart Card Alliance Healthcare Council.

"This is especially important as healthcare moves quickly toward electronic records, and ready solutions are needed to address the security and privacy challenges ahead," Contino said.

Reader Comments (1)Login to Post a Comment

BrentH says: Smart cards work well, but planning is everything

April 22, 2010 | 4:55PM GMT

Much of the Military Health System (MHS) infrastructure supports and/or requires smart card use by providers and support staff. Two factor authentication combined with single sign on (SSO) solutions eliminate the need for passwords and leave users with a single 6 to 8 digit PIN. This eliminates the need to frequently change passwords, which users tend to write down and place in convenient locations anyway.

From a security standpoint, as a security manager I can personally vouch for the effectiveness of smart cards. This authentication method is also ideal for providing non-repudiation and complex data encryption. Non-repudiation is going to become vital during the shift to electronic records to ensure data integrity. The encryption offerings are capable of protecting data at rest and in transit - hopefully putting the public's mind at ease when it comes to the privacy and security of their personal information.

Having transitioned to smart card technology a couple of times, I can also say that there are user hurdles to overcome for the first few months as people become accustomed to using the cards, remembering the cards, and accessing infrequently used systems for the first time that may not fully cooperate with the SSO authentication methods.

All in all though, I think that this is probably one of the best solutions available, particularly if the RFID contactless technologies are employed. Properly configured, users would be able to keep the cards on their person and access the systems they need immediately but also meet HIPAA compliance when they leave the vicinity as the system logs them off or locks the session.