Brett McDowell, executive director, FIDO Alliance
Last week, Aetna’s Chief Security Officer Jim Routh told the Wall Street Journal about his organization’s pioneering efforts to improve security and usability of its online services for its customers, partners and employees. A core component of that effort is FIDO Authentication.
Aetna is now in a multi-year process of rolling out its next-generation authentication (NGA) platform across its mobile and web applications. With NGA, Aetna is forging new industry best practices for improving healthcare access through a two-pronged approach to strong authentication. First, they have adopted passwordless FIDO Authentication with biometrics for their customers’ online account credentials, replacing highly vulnerable “shared secrets,” such as passwords and one-time passcodes, with strong, unphishable public key cryptography: the server stores only a public key, and the matching private key never leaves the user’s device.
Routh recently talked about Aetna’s FIDO adoption: “Aetna adopted the FIDO standard for biometric information to create consistency and simplify the entire authentication process. FIDO insulates us from the implications of the consumer choice or the security functionality that is built into the device. The standard separates the authentication process from an application developer so regardless of the configuration of mobile carrier, device maker or online service, we can authenticate every time. More importantly, our member’s biometric information never leaves his or her device, ensuring the member’s identity remains protected and uncompromised.”
We applaud Aetna’s commitment to consumer choice and to creating a more unified experience across its services with single-gesture, FIDO-based biometric authentication. Adopting FIDO will also help Aetna protect its customers, partners and employees against phishing, man-in-the-middle and other attacks commonly used to harvest traditional user credentials: a FIDO credential is bound to the legitimate site, so a look-alike site cannot obtain a usable login from it.
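To show concretely why the public key credential described above resists the phishing and man-in-the-middle attacks this post mentions, here is an added example in Go. It is not code from this post, from Aetna, or from the FIDO Alliance specifications; it models a minimal FIDO-style registration and challenge-response rather than the WebAuthn wire format. The authenticator keeps an ECDSA P-256 private key per relying-party ID, releases only the public key at registration, and signs sha256(rpID) together with a hash of the origin and challenge; the server stores the public key alone and checks that the challenge is fresh and single-use, that the origin is its own, and that the signature verifies. The relying-party ID aetna.example, the origin https://aetna.example, the user name member-1, the userVerified flag standing in for the on-device biometric, and the "origin|challenge" client-data encoding are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the device side: one private key per relying-party ID. Keys never
// leave it, and the on-device biometric gate is the userVerified flag passed to Assert.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a credential scoped to rpID; only the public key is returned.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Assertion is the device's signed answer to one challenge.
type Assertion struct {
	Origin    string // origin the browser reported when requesting the assertion
	Challenge []byte
	Sig       []byte // ECDSA P-256 over sha256(sha256(rpID) || clientDataHash)
}

// toBeSigned mirrors WebAuthn's authenticatorData || clientDataHash layout;
// the "origin|challenge" client-data encoding is a simplification assumed here.
func toBeSigned(rpID, origin string, challenge []byte) []byte {
	rpIDHash := sha256.Sum256([]byte(rpID))
	clientDataHash := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return append(rpIDHash[:], clientDataHash[:]...)
}

// Assert signs a challenge with the credential bound to rpID. A phishing page
// sits on another origin, so the browser presents its rpID and no key is found.
func (a Authenticator) Assert(rpID, origin string, challenge []byte, userVerified bool) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no credential registered for rpID " + rpID)
	}
	if !userVerified {
		return nil, errors.New("on-device biometric check failed")
	}
	digest := sha256.Sum256(toBeSigned(rpID, origin, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Origin: origin, Challenge: challenge, Sig: sig}, nil
}

// RelyingParty is the server side; it stores public keys only, so a breach of this table yields nothing usable to log in.
type RelyingParty struct {
	ID, Origin string                      // hypothetical "aetna.example", "https://aetna.example"
	pubKeys    map[string]*ecdsa.PublicKey // user -> credential public key
	pending    map[string][]byte           // user -> outstanding single-use challenge
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte nonce that Verify accepts exactly once.
func (rp *RelyingParty) Challenge(user string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	rp.pending[user] = ch
	return ch
}

// Verify checks, in order: challenge freshness, origin, then the signature
// (which also pins the assertion to this rpID, since sha256(rpID) is signed).
func (rp *RelyingParty) Verify(user string, asr *Assertion) error {
	pub, want := rp.pubKeys[user], rp.pending[user]
	delete(rp.pending, user) // consumed whether or not the checks pass
	if pub == nil || want == nil || !bytes.Equal(want, asr.Challenge) {
		return errors.New("unknown user or stale challenge (replay?)")
	}
	if asr.Origin != rp.Origin {
		return errors.New("assertion was produced for origin " + asr.Origin)
	}
	digest := sha256.Sum256(toBeSigned(rp.ID, asr.Origin, asr.Challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], asr.Sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

Exercising it with a replayed assertion, a request from a look-alike origin, and an assertion whose origin field is swapped after signing all fail: the replay because the challenge was consumed on first use, the look-alike because the browser would present its own rpID and the device holds no credential for it, and the swap because the origin is inside the signed data. Nothing reusable leaves the device, which is the property Routh's quote below describes.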
While deploying standards-based strong authentication like FIDO resolves many of the security and user-experience problems organizations have faced around authentication, healthcare providers still have to contend with the risks of lost and stolen devices. To address that, Aetna is rolling out the second core component of the NGA platform, continuous, behavior-based authentication, to ensure that the authenticated user is the same person throughout the lifetime of the session. To do this, Aetna looks at several user attributes (such as the way the user holds the phone) and assigns risk scores to determine how much access to grant during a session. If high risk is detected mid-session, Aetna may challenge the user for additional information before allowing continued access from that device.
Aetna’s rollout of FIDO Authentication plus continuous, behavioral authentication should go a long way towards combating the growing threats against sensitive healthcare data. It couldn’t come at a better time, as 36 percent of all breaches and 44 percent of all records compromised in 2016 were healthcare-related, and account takeover attempts are at an all-time high.
Aetna has set the bar for remote authentication and access management of sensitive healthcare data. They have done this in a way that improves patient and provider access to the data while simultaneously improving the protection of that data: the classic “win-win” that we designed the FIDO standards to let service providers achieve. While this is a great milestone for an industry in need of innovative solutions, it is only the beginning of FIDO Authentication in healthcare. I anticipate that other healthcare organizations will follow Aetna’s lead and either replicate or build on the platform Aetna has put in place, delivering more convenient, stronger authentication that increases patient record access and reduces data breaches across their highly targeted industry.