Healthcare Slow to Adopt NIST Digital Identity and Authentication Guidance

Coalfire Assessment Team

August 1, 2019

The National Institute of Standards and Technology (NIST) published an updated guide (Special Publication 800-63b) for Digital Identity Guidance in June 2017. This is a comprehensive and holistic guide to authentication processes, which includes choices of authenticators that may be used at various Authenticator Assurance Levels (AALs). It provides recommendations on the lifecycle of authenticators, including revocation in the event of loss or theft, complexity requirements, and authenticator expirations.

A fundamental precept of digital authentication is adherence to the lifecycle process of the authenticators; taking portions of the guidance and not implementing the entirety of the recommendations may leave your corporate data exposed to risk.

Most healthcare organizations have been slow or reluctant to adopt this guidance, while some have been selective in their interpretation of it and have narrowly implemented sections of the guidance without a full understanding of the implications of those choices. To illustrate, many have decided it is no longer necessary to expire a password after a set number of days, based on a very narrow reading of the publication. That reading is only correct when many other conditions are also met. The publication is not an à la carte menu of choices, but rather a systematic framework for improving authentication practices.

While this publication is a “requirements” document for federal agencies within the context of FISMA compliance, it is only to be considered instructional and informative to commercial enterprises. Many good recommendations are documented, but they must be implemented in the context of the whole and not pulled out to satisfy a singular agenda (e.g., no more password expirations).

To recap, authentication is performed by verifying that the claimant controls one or more authenticators. Authenticators are commonly described as something you know (password/passphrase), something you have (a device with a secondary authenticator), and something you are (fingerprint/vein scan). Any two of these are referred to as “two-factor authentication,” and all three would be “multifactor authentication.” Sometimes, two-factor is referred to as multifactor.

Many healthcare organizations have focused on the recommended changes to password expiration and complexity. Specifically, two misstatements seem to have emerged from the guidance:

  1. NIST no longer requires password resets after 90 days, so we can retain our same passwords without ever resetting them
  2. Password strength/complexity no longer need to be enforced since NIST is recommending passphrases that don’t expire

Neither of these statements is factual when taking lifecycle management into account.

In a broader context, NIST does, in fact, state that password resets or expiration are not necessary if certain conditions are met, such as:

  1. Stored “hints” are disallowed
  2. Memorized secret verifiers (e.g., passwords) should be compared against commonly used, expected, or compromised verifiers – weak, easily guessed, or compromised verifiers should never be used
  3. Passwords obtained from previous breach corpuses should never be allowed
  4. Repetitive or sequential characters should not be part of a verifier construct
  5. Context-specific words, such as the name of the service, the username, and derivatives should never be used

If the Credential Service Provider (CSP) is not conducting this level of analysis, then the exemption from periodic password expiration does not apply.
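The conditions listed above are concrete enough to implement as a screening step at the point where a memorized secret is set or changed. The following is an added example written for this post, not Coalfire's or NIST's code: it folds common symbol-for-letter substitutions so that derivatives of blocked words are caught, checks for repetitive and sequential runs, rejects tokens taken from the username or service name, and encodes the "all conditions must hold" rule for dropping expiration. The blocklist is a constructed stand-in for a real breach corpus, the length thresholds are parameters whose defaults are assumptions (the post's own 64-character recommendation would be passed as `min_length`), and all function names are this example's own.

```python
"""Memorized-secret screening of the kind SP 800-63B conditions expiration on.

Added example for this post; not Coalfire's or NIST's code.
"""
import re

# Constructed stand-in for a compromised-password / common-password corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Character runs that count as "sequential": alphabet, digits, keyboard rows.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common symbol-for-letter substitutions, folded so that "P@ssw0rd" is
# recognised as a derivative of "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# The five conditions the post lists; every one must be in place before
# periodic expiration is dropped.
REQUIRED_CONTROLS = ("no_hints", "blocklist_check", "breach_corpus_check",
                     "sequence_check", "context_word_check")


def fold(secret):
    """Lower-case and undo leet substitutions for comparison purposes."""
    return secret.lower().translate(LEET)


def in_blocklist(secret, blocklist=BLOCKLIST):
    """Exact match, or a long blocklist entry embedded in the folded secret."""
    folded = fold(secret)
    if folded in blocklist or secret.lower() in blocklist:
        return True
    # Heuristic: only entries of 6+ characters are checked as substrings,
    # so short entries like "123456" do not reject every secret containing them.
    return any(entry in folded for entry in blocklist if len(entry) >= 6)


def has_repetition(secret, run=4):
    """True if any character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), secret) is not None


def has_sequence(secret, run=4):
    """True if a `run`-length slice of a known sequence (or its reverse) appears."""
    s = secret.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def context_words(username, service):
    """Tokens of the username and service name that a secret must not contain."""
    words = set()
    for raw in (username, service):
        for tok in re.split(r"[^a-z0-9]+", (raw or "").lower()):
            if len(tok) >= 3:
                words.add(tok)
    return words


def contains_context_word(secret, username="", service=""):
    """True if the secret (raw or leet-folded) contains a context token."""
    folded = fold(secret)
    lowered = secret.lower()
    return any(w in folded or w in lowered
               for w in context_words(username, service))


def screen_secret(secret, username="", service="",
                  min_length=8, max_length=256, blocklist=BLOCKLIST):
    """Return the list of reasons to reject; an empty list means accepted."""
    reasons = []
    if len(secret) < min_length:
        reasons.append("too_short")
    if len(secret) > max_length:
        reasons.append("too_long")
    if in_blocklist(secret, blocklist):
        reasons.append("in_blocklist")
    if has_repetition(secret):
        reasons.append("repetitive_characters")
    if has_sequence(secret):
        reasons.append("sequential_characters")
    if contains_context_word(secret, username, service):
        reasons.append("context_specific_word")
    return reasons


def expiration_exempt(controls):
    """Periodic expiry may be dropped only when every required control is in place."""
    return all(controls.get(name, False) for name in REQUIRED_CONTROLS)


if __name__ == "__main__":
    # Constructed sample inputs; "Mercy Health Portal" is a hypothetical service name.
    for pw in ("P@ssw0rd1", "MercyHealth2019", "aaaa1234",
               "correct horse battery staple"):
        print(pw, "->", screen_secret(pw, "jsmith", "Mercy Health Portal") or "OK")
```

The point of `expiration_exempt` is the one the post makes: a deployment that has switched off expiry but still allows hints, or has no breach-corpus comparison, fails the check and should keep expiring secrets until the missing control exists.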

NIST does recommend the switch from passwords with enforced complexity requirements (i.e., special characters) to the use of strong passphrases. Again, this assumes the CSP is managing the process. Foundationally, the CSP must have a robust program for authentication management (i.e., how to know whether a passphrase has been compromised).

NIST is embracing the need for usability of authenticators to meet business needs and is providing recommendations to support the user. One of the recommendations is Single Sign On (SSO), which is used extensively in healthcare, to improve the usability experience while retaining appropriate security.

Taking everything into account as it relates to Digital Identity and Authentication, healthcare organizations may do the following to improve the user experience and align with these NIST guidelines:

  1. Implement a strong passphrase management process aligned with the guidance. Ensure users are implementing strong passphrases with a minimum of 64 characters. Passphrases should be approved by the CSP. This is typically part of the identity and access management process within the IT department.
  2. Implement two-factor authentication on all network connections. Use a One Time Password (OTP) device. Do not use SMS texting, if possible. It has been deprecated by NIST due to inherent vulnerabilities. Ideally, two-factor should be used when accessing both the network from inside the firewall and external to the firewall. It is an absolute must for accessing the network from outside the firewall (i.e., remotely through a VPN or secure gateway).
  3. Ensure security awareness training is updated to reflect the process and provide users with the knowledge and/or tools necessary to reset a passphrase in the event of a suspected compromise.
  4. If in doubt about the compromise of a passphrase, change it.
  5. Implement SSO to minimize user friction.

Making the change must be a programmatic decision, but the technology vendors are already moving in this direction – so consider a proactive move to an updated Identity and Access Management program.
