As more and more electronic protected health information (ePHI) comes online with the rapid adoption of EMR/EHR systems, end users can expect more and more online access to their ePHI, and thus risk that someone will heist their credentials to log into their online account.

1. Improving Authentication for Online Services
The FFIEC (Federal Financial Institutions Examination Council), the banking interagency body that creates unified
standards across the various regulatory agencies, recently issued new guidance on managing risks in user authentication
for online transactions. The guidance is practical and has relevance for any industry in which sensitive transactions are
conducted online. Categorically this applies to banks (of course) but also to healthcare organizations. As more and more
electronic protected health information (ePHI) comes online with the rapid adoption of EMR/EHR systems, end users
can expect more and more online access to their ePHI, and thus risk that someone will heist their credentials to log into
their online account.
First, it’s important to understand why the FFIEC issued the new guidance. They make that very clear: current
authentication strategies are not working. The FFIEC cites the loss of “hundreds of millions of dollars resulting from
online account takeovers and unauthorized funds transfers” based on the government’s IC3 Annual Internet Crime
Reports. With our extensive experience in the financial services industry we can vouch for the losses incurred by the
industry due to online account takeovers.
The FFIEC guidance essentially breaks down to three primary recommendations or activities:
1. Periodic risk assessments (“prior to implementing new electronic financial services, or at least every twelve months“)
2. Layered security
3. Customer awareness and education
In the FFIEC’s press release, (July 28, 2011), it states that regulatory examiners will be focused on this issue starting next
year: “The FFIEC member agencies [FDIC, NCUA, OCC, OTS] will continue to work closely with financial institutions to
promote security in electronic banking and have directed examiners to formally assess financial institutions under the
enhanced expectations outlined in the supplement beginning in January 2012“. This means that banking industry
players should expect to present to examiners that they’ve taken some action in this regard by the time of their 2012
regulatory examinations. While healthcare organizations are not regulated by the FFIEC member agencies, this guidance
provides a practical approach to managing risk in an increasingly risky online environment.
We strongly urge any organization that requires user authentication for sensitive online transactions to evaluate the
guidance - Authentication in an Internet Banking Environment - and ensure that your controls are evolving
commensurate with the nature of the online transactions you provide your customers as well as evolving nature of the
risk.
Furthermore, because so many banks and healthcare organizations (both providers and payers) are relying on third-
party software for their online services, we recommend that you push your vendors for better controls. While some of
the smaller upstarts (such as online banking service providers and new EMR vendors) are agile and aggressively pushing
new controls for differentiation, some of the more established players can be slower to react to the dynamic nature of
security threats. Given how difficult it can be to move to a new system there is not always much leverage for service
providers to aggressively improve their offerings. Nonetheless, I urge both banks and healthcare organizations to push
hard for improved controls.
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM