October 10, 2017

Will new identity-proofing NIST standards prove who you say you are?

Marcia Noyes

Datica Alumni — Former Director of Communications

Cybersecurity risk management has quickly moved from the “nagging mosquito” kind of problem that every industry must swat to something closer to a full frontal assault, requiring more arsenal than budgets sometimes allow. Attacks of every kind, from intrusions into White House email to breaches like the one recently announced by Equifax, which affected 145.5 million Americans, leave cybercriminals more in touch with our private financial and healthcare data than perhaps we are ourselves.

All of these attacks have cybersecurity professionals searching every nook and cranny for ways to more easily understand, manage and mitigate risks to their organizations. Security exposures abound, and no organization is immune to the problem. One governmental organization actively addressing the widespread issue is the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST).

A recent NIST update, revision 3 of Special Publication 800-63 (SP 800-63-3), includes an important change: it favors out-of-band authentication over one-time codes delivered to a single email account. The authentication volume, SP 800-63B, states that methods which do not prove possession of a specific device, such as email, shall not be used for out-of-band authentication. Out-of-band authentication is common at financial institutions, which often require two separate and unconnected channels for access. Because an attacker must compromise both channels, this form of two-factor authentication makes hijacking an account considerably harder.

Authentication versus identity proofing

The recent NIST update includes a further clarification that separates identity authentication from identity proofing. “Identity authentication and authentication proofing complement each other to definitively prove that you have the proper credentials to access a file, server, or other data-containing device or software,” explained Datica’s Director of Compliance Lori Meals. “The whole question is: How do we prove John is really John in any instance?”

This nuance is important to Datica customers, who live and breathe in an environment awash with protected health information. Increasingly, the healthcare industry is hit by security breaches that have deep financial impacts on providers, as well as financial and emotional ramifications for patients. Meals explains that “Healthcare data fetches a high price on the black market, so that makes it a lucrative target for bad actors.”

This clarification of identity proofing affects our customers because it changes which authentication controls are acceptable: a code or link sent to the user’s email account no longer counts as an independent second factor. Once a mailbox inside an organization has been compromised, the attacker can typically receive password-reset links and any emailed one-time codes, and so gains easy access to the rest of the victim’s accounts.

How Datica compliance efforts will adapt and respond

The engineering team is preparing a new Datica Platform feature that lets an organization configure its multi-factor authentication options to disallow email as an authentication method.
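The following is an added example, not Datica’s code or the platform feature described above. It models the two points made on this page: the out-of-band requirement in SP 800-63B (email does not prove possession of a device, so it is not an acceptable out-of-band authenticator) and the consequence of a compromised mailbox when email is still offered as a second factor. The authenticator type names, the account record shape, the sample accounts, and the rule that any one enrolled second factor completes a login are assumptions made for illustration.

```python
"""
Added example (not Datica's code): evaluate each account's enrolled
second factors against a policy that disallows email as an MFA method,
and show why such a policy matters by modelling an attacker who controls
the user's mailbox.

Assumptions (not from the article): the authenticator type names, the
Account record shape, and the rule that any one enrolled second factor is
enough to complete a login (the user picks which one to use).
"""
from dataclasses import dataclass, field

# NIST SP 800-63B: methods that do not prove possession of a specific
# device, such as email or VoIP, SHALL NOT be used for out-of-band
# authentication. SMS is permitted but marked RESTRICTED.
NOT_OUT_OF_BAND = {"email", "voip"}
OUT_OF_BAND_OK = {"push", "sms"}
DEVICE_BOUND = {"totp", "hardware_key"}   # OTP app / cryptographic device
KNOWN_TYPES = NOT_OUT_OF_BAND | OUT_OF_BAND_OK | DEVICE_BOUND


@dataclass
class Account:
    user: str
    password_reset_channel: str                 # "email", "sms", ...
    second_factors: list = field(default_factory=list)


def policy_violations(acct: Account, allow_email: bool = False) -> list:
    """Return the ways an account falls short of the MFA policy.

    allow_email=True mirrors the old behaviour (email accepted as a second
    factor); allow_email=False is the hardened setting.
    """
    problems = []
    if not acct.second_factors:
        problems.append("no second factor enrolled")
    for f in acct.second_factors:
        if f not in KNOWN_TYPES:
            problems.append(f"unknown authenticator type {f!r}")
        elif f in NOT_OUT_OF_BAND and not allow_email:
            problems.append(f"{f} is not an acceptable out-of-band "
                            f"authenticator under SP 800-63B")
        # A second factor delivered over the same channel as password
        # recovery adds nothing once that channel is compromised.
        if f == acct.password_reset_channel:
            problems.append(f"second factor {f!r} shares its channel "
                            f"with password reset")
    return problems


def takeover_with_mailbox(acct: Account) -> bool:
    """Can an attacker who controls only the user's mailbox log in?

    They reset the password through the mailbox, then still need to
    satisfy a second factor. Because any enrolled factor suffices, the
    account falls if no second factor exists or if email is offered as one.
    """
    if acct.password_reset_channel != "email":
        return False
    return not acct.second_factors or "email" in acct.second_factors


def exposed_users(accounts: list) -> list:
    """Users whose accounts a mailbox compromise alone would take over."""
    return [a.user for a in accounts if takeover_with_mailbox(a)]


# Constructed sample accounts (illustrative, not real data).
SAMPLE = [
    Account("alice", "email", ["email"]),
    Account("bob", "email", ["totp", "email"]),   # email still offered
    Account("carol", "email", ["totp"]),
    Account("dave", "sms", ["push"]),
    Account("erin", "email", []),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.user, "takeover via mailbox:", takeover_with_mailbox(a),
              "violations:", policy_violations(a))
    print("exposed:", exposed_users(SAMPLE))
```

The account “bob” is the instructive case: he has an authenticator app enrolled, yet because email is still offered as an alternative second factor, an attacker holding his mailbox can simply pick the email option. Merely adding a stronger factor is not enough; the weak one has to be removed, which is exactly what an organization-wide setting that disallows email as an authentication method achieves.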

No organization is immune to the problem of hacking or phishing; risks proliferate everywhere. However, as a trusted partner for the protected health information of our customers, Datica takes a “no stone left unturned” approach to helping customers prevent the all too common publicity crisis and organizational chaos that occur when hackers break through organizational walls. That is why Datica developed its HIPAA compliant platform in the first place and was one of the first healthcare IT organizations to become HITRUST CSF Certified. Security and compliance are in our DNA.

Is security and compliance a top concern and priority for your organization? Contact Datica at hello@datica.com to arrange a quick chat about your needs and to learn more about how the Datica Platform can take that burden off your shoulders.
