Trusted platform modules are the key.
Steven Sprague
It’s a relatively simple matter to grant physicians and other healthcare providers the ability to remotely access patient medical histories, share diagnostic images or lab results online, or track vital signs in real time. But, clearly, these capabilities must come with strong network security.
Fortunately, the healthcare industry needn’t invent some radical new security solution before it can realize the benefits of remote and mobile network access. Two-factor authentication technologies, such as smart cards and USB security tokens, have already found application as a single point of defense in healthcare networks. Both confirm the identity of users attempting to access a network. But the most secure – and arguably the most cost-effective – protection relies on more than a single point of defense, and instead applies a layered approach. More specifically, it leverages the trusted platform modules (TPMs) on board virtually every business-class laptop today to authenticate the identity of any device trying to log into the network.
Smart cards and security tokens combine something the user carries – the card or token – with something only the authorized user knows – usually a personal identification number (PIN) or password. One downside for both technologies is that their total cost of ownership grows in proportion to the number of employees using them: acquiring, deploying and replacing cards and tokens becomes steadily more expensive as the number of laptops and users expands. In addition, because these technologies verify only the identity of the user, the security and health of the computer used to reach the network remains a dangerously open question.
Plus, these technologies are not as immune to hackers as once thought. Last spring, a double-header attack on USB token provider RSA subsequently allowed hackers to gain unauthorized access to Lockheed Martin’s network, which relied on the tokens for security. It’s important to note the breach required an extraordinarily sophisticated attack and doesn’t entirely negate the value of security tokens. But it serves to underscore the argument for a layered defense built on a strong foundation of device identification.
The foundation of device identity is that only known devices – those authorized by the organization – are granted access to information and sensitive resources. It’s an approach that’s long provided strong network security for cellular networks and cable providers. Thanks to the technology, both industries have virtually eliminated the once-frequent illegitimate use and theft of their services.
On data networks, device identification has conventionally relied on MAC addresses and software-stored user credentials to identify a device on the network. But both can be spoofed: a MAC address is simply a value the device reports about itself, so any other device can claim the same address, and credentials held in software can be copied to another machine.
TPMs provide a far more powerful foundation for creating and verifying strong device identities, and ensuring only authorized devices gain access to the network. Because these cryptographic security chips are embedded in a computer’s motherboard, they effectively make a built-in token. They enable IT managers to create, sign and store authentication keys within a PC’s hardware, strongly binding the identity of the machine and its user to the device. Further, because keys are stored and protected within embedded hardware, they cannot be changed or stolen by malware.
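The contrast between a self-reported MAC address and a key that never leaves the device is easiest to see in a small challenge-response exchange. The following is an added example, not code from the article or from Wave Systems: the `SimulatedTPM` class stands in for a TPM that generates its key internally and exposes only a signing operation, and `NetworkAccessServer` plays the network side that enrolls devices, issues one-time challenges and verifies responses. Because it uses only the Python standard library, the device key is an HMAC-SHA256 secret shared with the server at enrollment; a real TPM would hold an asymmetric key and the server would keep only its public half. The MAC addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets


class SimulatedTPM:
    """Stand-in for a TPM-held authentication key (constructed for this example).

    The key is generated inside the object and the host never reads it back;
    the only operation offered is signing a message. With a real TPM the key
    would be an asymmetric pair and export_for_enrollment() would return only
    the public key. HMAC-SHA256 is used here so the example runs without any
    third-party library, which is why the server receives a shared secret.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def export_for_enrollment(self) -> bytes:
        # One-time, IT-controlled step performed when the device is registered.
        return self._key

    def sign(self, message: bytes) -> bytes:
        return hmac.new(self._key, message, hashlib.sha256).digest()


class NetworkAccessServer:
    """Network-side verifier with a weak (MAC allowlist) and a strong (key) check."""

    def __init__(self) -> None:
        self._mac_allowlist: set[str] = set()
        self._device_keys: dict[str, bytes] = {}
        self._pending_nonces: set[bytes] = set()

    def enroll(self, mac: str, tpm: SimulatedTPM) -> None:
        self._mac_allowlist.add(mac)
        self._device_keys[mac] = tpm.export_for_enrollment()

    # Conventional check: the MAC address is whatever the device says it is.
    def mac_only_check(self, claimed_mac: str) -> bool:
        return claimed_mac in self._mac_allowlist

    # Device identity: the device must prove possession of the enrolled key.
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending_nonces.add(nonce)
        return nonce

    def verify(self, claimed_mac: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending_nonces:
            return False                      # unknown or already-used nonce (replay)
        self._pending_nonces.discard(nonce)   # each challenge is single-use
        key = self._device_keys.get(claimed_mac)
        if key is None:
            return False                      # device was never enrolled
        expected = hmac.new(key, nonce + claimed_mac.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_login(server: NetworkAccessServer, mac: str, tpm: SimulatedTPM) -> bool:
    """Client side of the exchange: fetch a challenge, sign it together with the MAC."""
    nonce = server.challenge()
    response = tpm.sign(nonce + mac.encode())
    return server.verify(mac, nonce, response)


def run_scenarios() -> dict[str, bool]:
    """Compare both checks for an enrolled laptop and for an unenrolled machine."""
    server = NetworkAccessServer()
    enrolled_mac = "00:11:22:33:44:55"        # constructed sample value
    enrolled_tpm = SimulatedTPM()
    server.enroll(enrolled_mac, enrolled_tpm)

    rogue_tpm = SimulatedTPM()                # unenrolled machine with its own chip
    rogue_mac = "66:77:88:99:aa:bb"           # constructed sample value

    results = {
        # The MAC-only check sees the same input from both machines once the
        # rogue machine reports the enrolled address, so it admits both.
        "mac_only_enrolled": server.mac_only_check(enrolled_mac),
        "mac_only_spoofed": server.mac_only_check(enrolled_mac),
        # The key-based check distinguishes them: only the enrolled chip can
        # produce a valid response for the enrolled address.
        "tpm_enrolled": device_login(server, enrolled_mac, enrolled_tpm),
        "tpm_spoofed_mac": device_login(server, enrolled_mac, rogue_tpm),
        "tpm_unenrolled": device_login(server, rogue_mac, rogue_tpm),
    }

    # A captured valid response cannot be reused: the nonce is consumed on first use.
    nonce = server.challenge()
    response = enrolled_tpm.sign(nonce + enrolled_mac.encode())
    results["tpm_first_use"] = server.verify(enrolled_mac, nonce, response)
    results["tpm_replay"] = server.verify(enrolled_mac, nonce, response)
    return results


if __name__ == "__main__":
    for name, admitted in run_scenarios().items():
        print(f"{name:20s} admitted={admitted}")
```

The server never stores anything it could use to impersonate the device's MAC alone; admission depends on the chip answering a fresh challenge, which is the property the article attributes to hardware-bound device identity.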
TPMs are neither an emerging nor experimental technology. Leading vendors such as Dell, Lenovo and HP have been including the chips as a standard component on all business-class notebook and desktop computer lines for many years. Indeed, virtually all business-class laptops and PCs in use today include TPM chips based on open standards from the Trusted Computing Group.
Unlike smart cards and tokens, TPMs integrate easily with existing VPN and wireless infrastructures, facilitating the use of a single sign-on to access both the machine and the network. Further, they can be fully activated and managed from a central location. Trusted Computing software and server providers, such as Wave Systems, can help minimize the IT overhead required to set up and manage TPM chips, enabling organizations to make use of them for an additional layer of security.
Combined with two-factor authentication technologies, TPMs offer a readily available foundation on which to build a strong, layered network defense. Even on their own, however, they give healthcare organizations a secure alternative to conventional smart cards and USB tokens without the incremental acquisition costs or the deployment expenses those technologies incur. Thus, TPMs not only lower the total cost of ownership; the business case for them is essentially the case for strong, fully automated and transparent authentication of both devices and users on healthcare networks.
Steven Sprague is CEO of Wave Systems Corp.