This week I am talking to Kim Biddings, VP of Product for BIO-key (@BIOkeyIntl), a company focused on providing tools to uniquely and securely identify individuals and allow secure access. Kim is an expert in cybersecurity, biometric identification, and Identity and Access Management, and also a pastry chef in the making.
We talk about the importance of security in healthcare and the challenge of implementations that never make it to full adoption. As Kim says:
“Security only works when it’s adopted”
We discuss the various types of security and dive into two-factor authentication (2FA) and multi-factor authentication (MFA). The topic is quite personal to me, as I was recently SIM jacked. SIM jacking or SIM swapping (also known as a port-out scam or SIM splitting) is a type of account takeover fraud that targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or a call placed to a mobile telephone. An attacker who persuades the carrier, by social engineering or through an insider, to move the victim’s phone number to a SIM they control then receives the victim’s SMS codes and calls, and with them can take over a large number of that individual’s accounts that rely on the phone number for verification or password reset. This attack was a reasonably sophisticated attempt to wrest control of my life and specifically gain control of my bank account. You can read more details here.
Kim shares the details of a study conducted by Vanderbilt University in 2018 which found that while the cyberattacks on six hospitals and healthcare systems had technology impacts such as data loss, it was the security controls put in place after the fact, to mitigate future attacks, that were associated with increased patient mortality rates.
When it comes to healthcare, there are two key things all security professionals need to keep in mind when they implement MFA: you must consider the clinical workflows and all their variations, and, as we discuss, too much security can have a negative impact on patient lives just as poor security can.
Listen in to hear our discussion of some of the challenges and solutions to implementing effective security in healthcare that offers strong authentication but is still convenient, and that can adapt and layer to different circumstances.
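To make the “adapt and layer” idea concrete, here is an added example (constructed for this post, not BIO-key’s product and not code from the episode) of a step-up authentication policy for clinical workflows: a proximity badge tap plus single sign-on is enough to open a chart, a centrally verified biometric is required before a controlled-substance prescription is signed, and an SMS one-time code contributes nothing to the trust calculation because the phone number can be taken over by SIM swap. The factor catalogue, action names, freshness windows and factor-count thresholds are assumptions for illustration, not regulatory requirements.

```python
"""Step-up authentication policy for clinical workflows.

Constructed example for this post: not BIO-key's product and not code from
the episode. Factor catalogue, action names, freshness windows and
thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
import time


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    trusted: bool             # may count toward assurance at all
    centrally_verified: bool  # matched against a server-side enrollment, not only the local device


# Assumed factor catalogue. SMS is untrusted: the code is sent in clear text to a
# phone number an attacker can have ported to a SIM they control (NIST deprecated
# it for this reason in 2016, as discussed in the episode).
PASSWORD = Factor("password", Category.KNOWLEDGE, trusted=True, centrally_verified=True)
BADGE_TAP = Factor("proximity badge tap", Category.POSSESSION, trusted=True, centrally_verified=True)
SMS_OTP = Factor("SMS one-time code", Category.POSSESSION, trusted=False, centrally_verified=True)
FINGERPRINT = Factor("identity-bound fingerprint", Category.INHERENCE, trusted=True, centrally_verified=True)
DEVICE_FACE = Factor("device-local face unlock", Category.INHERENCE, trusted=True, centrally_verified=False)


@dataclass
class Session:
    """Factors a user has verified in this SSO session, with the time of each verification."""
    user: str
    verified: dict = field(default_factory=dict)  # Factor -> unix timestamp

    def verify(self, factor, now=None):
        self.verified[factor] = time.time() if now is None else now


@dataclass(frozen=True)
class Requirement:
    min_categories: int            # distinct trusted factor categories needed
    needs_central_biometric: bool  # an inherence factor matched centrally, not just on a phone
    max_age: float                 # seconds a verification stays fresh for this action


# Assumed policy: cheap access for routine work, step-up for high-risk actions.
POLICY = {
    "view_chart": Requirement(min_categories=1, needs_central_biometric=False, max_age=12 * 3600),
    "sign_order": Requirement(min_categories=1, needs_central_biometric=False, max_age=15 * 60),
    "prescribe_controlled": Requirement(min_categories=2, needs_central_biometric=True, max_age=2 * 60),
}


def authorize(session, action, now):
    """Return (allowed, reasons); reasons lists the step-up still needed when denied."""
    req = POLICY[action]
    # Only trusted factors, verified recently enough for this action, count.
    fresh = [f for f, t in session.verified.items() if f.trusted and now - t <= req.max_age]
    categories = {f.category for f in fresh}
    reasons = []
    if len(categories) < req.min_categories:
        reasons.append(f"need {req.min_categories} distinct factor categories, have {len(categories)}")
    if req.needs_central_biometric and not any(
        f.category is Category.INHERENCE and f.centrally_verified for f in fresh
    ):
        reasons.append("need a centrally verified biometric")
    return (not reasons, reasons)


if __name__ == "__main__":
    s = Session("dr_nick")
    s.verify(BADGE_TAP, now=1000.0)
    print("view_chart after badge tap:", authorize(s, "view_chart", 1060.0))
    print("prescribe after badge tap:", authorize(s, "prescribe_controlled", 1060.0))
    s.verify(SMS_OTP, now=1060.0)  # SMS adds nothing, even as a second "possession" factor
    print("prescribe after badge + SMS:", authorize(s, "prescribe_controlled", 1061.0))
    s.verify(FINGERPRINT, now=1064.0)
    print("prescribe after badge + fingerprint:", authorize(s, "prescribe_controlled", 1070.0))
    print("same, four minutes later:", authorize(s, "prescribe_controlled", 1300.0))
```

The two knobs that do the layering are `trusted` (an SMS code is simply never counted, so adding it cannot satisfy a two-category rule) and `centrally_verified` (a phone’s Face ID proves the phone was unlocked, not that a particular clinician was matched against a server-held enrollment, so it cannot satisfy the prescribing step-up on its own). The per-action `max_age` is what keeps the badge tap convenient for chart access all shift while forcing a fresh biometric at the moment of a high-risk action.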
Listen live at 4:00 AM, 12:00 Noon, or 8:00 PM ET, Monday through Friday for the next week at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.
Listen along on HealthcareNowRadio or on SoundCloud
Raw Transcript
Nick van Terheyden
And today, I’m delighted to welcome Kim Biddings, she is the vice president of product for BIO-key. Kim, thanks for joining me today.
Kim Biddings
Thanks for having me, Nick. Happy to be here.
Nick van Terheyden
So, before we start off, I think it’s always relevant for our listeners to get a little bit of background, tell us about your background and how you arrived at this point in your career.
Kim Biddings
Sure, um, so I like to tell the fun fact, I was going to be a baking and pastry art major, I am no longer baking cakes. I know, I know, I still eat them, you know. But no, fell into this cyber career of mine, straight out of college and started in the identity and access management space. I’ve spent over the past decade working for all kinds of different cyber firms, as well as healthcare identity and access management. And now at BIO-key and really responsible for all of the product, product marketing and marketing functions at the organization. And I work very, very closely with our customers to deploy solutions like multi-factor authentication, or other things successfully for them, right? Security, my mantra is security only works when it’s adopted, and people can use it. And so that’s really a key focus for us here is making sure that the flexibility in the solutions works for the people that have to use these secure solutions.
Nick van Terheyden
I think that’s a great mantra. Just to be clear, it only works if you use it, it reminds me a lot of a neighbor of mine who was complaining that his particular exercise machine hadn’t actually had any impact. And I asked him how often he was using it. And he said he wasn’t so similar sort of experience.
Kim Biddings
Or like, you know, my favorite actually healthcare related, favorite story ever is they painted the hallways of the hospital. And all the clinicians started calling the Help Desk on Monday because they had written the passwords down next to the computer on the wall. And so again, it doesn’t work if the people don’t like using it. So it’s really important to make sure it’s usable for people as well as secure. So I know we’ll cover some of that. But
Nick van Terheyden
I just have to say we’ve got to do a show just separately on stories from healthcare, because I think we could go on back and forth, because I’ve got a few more around those examples. That’s a fantastic one.
Kim Biddings
The NHS, by the way, was the classic one. So maybe I’ll tease you with that. And we’ll hold it for another time. But
Nick van Terheyden
I look forward to some additional exploration of this. So. So security, multi-factor, you’ve talked a little bit about that. Those people that follow me or see some of my material will know that I’d been SIM jacked relatively recently. Just for the benefit of the listeners, what SIM jacking is, well, that’s the process of taking over somebody’s phone number, not just the phone, but the actual phone number, and then pointing all text messages, importantly, but also calls to a new number that’s no longer under my control. And then they use that to sort of break in. And the text messaging piece, or in fact, even the voice messaging, is an example of two-factor authentication. But unfortunately, it’s not great in terms of security. So if you would share a little bit of the background of the multi-factor authentication that you’ve had experience with and seen implemented successfully. Sure, sure.
Kim Biddings
And you know, Nick, to go along with it. It’s kind of an unknown fact: NIST, right, is the organization that sets a lot of these standards for security. They actually put out a notice that SMS, those codes that you’re getting, the attacks, should be banned. And that was in 2016. And a lot of organizations, so you became a victim of something that was known in the industry to need to be banned in 2016. For anybody listening, Nick’s not happy with that outcome. But you know, they’re sent in clear text is one of the main issues with that method. But yeah, so looking at multi-factor authentication. First of all, it’s important just to know the definition. All that it’s trying to do is, we’ve gone digital, right? We’re all these digital identities when we’re signing into something, logging in, and ultimately the goal for multi-factor, MFA, is to prove you are who you say you are. Okay, that’s been the goal of it always. We started with passwords. Another fun fact that I found: in the 1960s, and within two years of them being created, they were hacked as well. Yeah, we still use them in 2022. We then added in things that you have, right? So there’s always categories: things that you know, things that you have. And what happened is the industry really standardized on phone-based methods. People started carrying cell phones, this was a very common thing to have. Before that you had to carry around little hardware keys, these extra little tokens. And people didn’t love that. And it’s like, well, why can’t I use the cell phone that’s attached to my hip? Right? And so what happened is, the bad guys, the hackers have just gotten smarter and smarter and smarter, like the person that walked into, I believe it was Verizon, right, and issued themselves your phone.
And fundamentally, if you take away all the factors and the tech and everything, what I tell people our problem is, is we got away from people being part of the equation. If you look at what people are trusting, right, security is all based on a sense of trust. And so all we’re trusting at this point is devices and tokens and objects. Nothing is actually telling me when I do a transaction with you that, Nick, you’re actually the human behind the screen or the human behind the phone. And so there’s the actual authentication process that’s happening. And then what you experienced is when you enroll to use that factor in the first place, no one checks if you’re you. You know, you just say, oh, I have a new phone I want to now use for this purpose. And they add these phones, or they SIM swap, SIM jack, and get that. And again, it just goes back to nothing’s identifying the people behind these transactions.
Nick van Terheyden
So you highlight one of the major challenges with this, the nuclear arms race of competition around security and the hacking community who continue to find new avenues. One of my favorite sort of commentaries around this is, if you don’t think they’ll do something, spend a day at DEF CON. And you’ll realize, yes, they will. And they’ll find new and innovative ways, they’re very, very creative. And I think it’s important to understand that. But as I’m listening to you, I’m, you know, we rely on all of these things we need to secure and, you know, especially in healthcare, because we’ve got all of this, you know, they’re a target. In fact, they have the biggest target in terms of data breaches on their back, because it’s such a rich environment to mine for information to then go and do more bad stuff, not necessarily healthcare related. So they’re a big target. But we’re struggling with capabilities. How do we approach it? How do we fix this?
Kim Biddings
Ya know, it’s a great question. And, you know, the other thing you have to remember is healthcare is critical infrastructure. And we are in a time where cyber warfare is absolutely a real thing, right? And well beyond the current situation in eastern Europe, right, that’s been going on for decades. So if you, you know, hackers, look for things about monetizing data, like you said, very valuable information. But they also look at disruption, right. That’s why they’ve gone after elections or health care or things like that. When it comes to health care, what I always tell people is it’s even more about people than in any other vertical, right? Because if you block a clinician from being able to access a record, you are literally blocking them for maybe knowing what a patient is allergic to when they’re having a heart attack. Right. Or in a case there was a recent lawsuit actually is about mid last year, where a doctor is actually being sued by a mother because they were under a ransomware attack. The fetal monitors had crashed, right had been ransomed. And people were charting on paper, and unfortunately, her infant who had just been born was under distress for a very long period of time, and, unfortunately, lost their lives. And that’s because that technology was ransomed. Right? So again, we’ve gotten to this world, especially in healthcare, right? Meaningful Use was, I believe, 2009 or so timeframe where you can’t do paper records, you have to be on a computer, you have to have digital records. But what that did is it made clinicians have so much screen time and not facing the patient. Right. So solving this really means understanding how people work in a healthcare setting, and understanding how they operate and making sure that you’re providing the amount of security that they need and that HIPAA requires right or any of those others, but that they it actually has to be usable. Going back to my password example. 
The reason they write them on the wall is it’s just completely ineffective for them to do. So they need very fast access to the information that they need. They need fast access on things across shared workstations, things that aren’t their personal laptop, it’s not how they operate. And the only way really to do that is not going with phones or carrying around little hardware tokens. A lot of times the two primary solutions that I’ve seen work fairly well are proximity card, something that you tap to get into the building, they tap next to the computer, and they’re logged in, and then also a biometric. So simply walk up, scan your fingerprint, don’t type anything in or remember anything, and you’re logged into your patient record. But again, healthcare is really about understanding those workflows, how people operate.
Nick van Terheyden
So I, you know, clearly tragic case, but I think an important one, you know, the lack of access that drives poor outcomes or potential poor outcomes. And in fact, we were seeing more and more of this. I mean, we saw 2017, I think it was, was Petya and NotPetya ransomware that sort of exploded, and ironically, I think, in the aftermath, it wasn’t really targeted to do that. It was targeted, this was country shenanigans going on. And, you know, everybody else got wrapped up into it, because they made such effective spreading tools. Right. So share a little bit of the consequences? Because I think there’s even more information in terms of the negative impact of these failures in securing information or, importantly, access to information?
Kim Biddings
Yeah, no, great question. And again, in healthcare, there’s human impact, right. So there’s been studies out there, I’ve shared one, you know, out there and with you as well. Vanderbilt University did one in 2018. And it essentially tied not the breach itself, but it tied the controls, like multi-factor, other security controls they put in place that actually kept clinicians from being able to treat patients effectively and quickly. And it raised mortality rate. Right. So in that case, oversteering, overcorrecting after a breach caused mortality rate to increase. The other thing you see often is if, you know, hospitals get ransomed. Hollywood Presbyterian, I believe, was around 2012. That was one of the, you know, I love when people ask me about ransomware. It’s like, you know, this has been going on a very long time. They didn’t just start ransoming people, they’ve been doing this, you know, it’s just becoming a business now. But Hollywood Pres had to reroute all ER, excuse me, all ER transit, all ambulances, everything had to get routed. If you’re having a heart attack, you need to get to the closest hospital and fast, and they had impact there. So the consequences in healthcare are extremely damaging. On top of that, you’ve got to remember breaches and ransom or anything, regardless of the industry, has very, very bad reputational and brand damages. And so it’s about data theft, you know, it is about fines, HIPAA violations, all of that. But in hospitals, right? People are revenue, we make revenue for hospitals, that’s essentially by treating us and everything else. They are businesses, they operate as businesses. And so they focus on things like HCAHPS scores, right, things in terms of patient satisfaction. And patients, we’re getting much more savvy on when our data isn’t safe, or when an incident’s happened. We may not go to the hospital anymore. We may choose, you know, I live in Boston, I have a lot of options if I don’t want to go to that one system.
So it’s having a dramatic impact. And it impacts us personally as people directly.
Nick van Terheyden
So for those of you just joining, I’m Dr. Nick the Incrementalist. Today I’m talking to Kim Biddings. She’s the vice president of product for BIO-key. We were just talking about the negative impact of ransomware and the security attacks that have taken place. I think you described this going back a considerable number of years. In fact, there are some good proxies for this. We’ve seen studies that look at the impact of redirects of emergency cases in the case of marathons, in fact, in your neck of the woods in Boston, and you see an impact on morbidity and mortality as a result of the Boston Marathon because people have to be redirected around the course because there’s no traffic through that. So there’s good data showing that this is a huge issue, plus all of the downstream that you rightly described. So how do we go about fixing that without killing our individuals who are struggling with, you know, day to day, and I’ve sort of cited before the busy clinician who’s walking in and out of rooms going through? How do we get to that so that this doesn’t become a burden, but still manages to secure the data and access appropriately and keep things working?
Kim Biddings
Right. Yeah, it’s um, it’s really only about giving them strong authentication that’s still convenient. That’s what it’s going to come down to, right? A password is not that, it’s cumbersome. By the way, recommendations from CISA are now up to 20 characters, which no one can remember. Right? So yeah, for clinicians specifically, it has to be very, very fast. And it has to be secure. And so ultimately speaking, like I said, that prox badge tap with what we call single sign-on, so they log in once, a very strong login. And then what it does is it just allows them to access all the other applications they need. So like their EHR, their radiology system, any of those other applications, without having to log in multiple times, right. So when you combine authentication, that front door access that’s super convenient, and gets them in quickly and secure, then you can give them the super convenience of removing all those other login prompts that they normally would have to do. On average, studies back maybe four or five years, it was 45 minutes per clinician per shift can be saved, if you give them that single sign-on capability, if you let them log in strong and then pass that authentication. In terms of methods, that’s kind of what I mentioned, right? So something that they’re going to carry, but that is centralized. And what I mean by that is that the identity or the thing that’s being authenticated is actually stored centrally, in, let’s say, a server. Why is that important? It’s because they roam all across the hospital. No clinician is standing, typically, at a single laptop all day, not going anywhere else. It’s very rare, right? When you walk in a room, there’s a cart with a computer on it, etc. And so centralized authentication for clinicians is really going to be the best offering for them. Again, proximity cards are good. The challenge with those is, again, it’s just identifying a thing.
The only thing that you can prove with that is that that badge, that tap, is what logged in. I don’t know for sure if it’s Dr. Nick. A biometric, if it’s something that you physically are, that actually verifies that you are Dr. Nick, that that fingerprint, that facial scan, that voice, is actually matched to the original enrollment of your biometric entity. So there’s use cases for all of that. A badge tap may be fine when you’re just accessing a simple patient record, or you need to do something fast. When you’re doing prescribing of controlled substances, right, EPCS requirements, you probably want something like a biometric. Again, there’s some areas, like we see in research labs, it’s not safe to carry anything, literally not okay, it could get stuck. I have some customers that have some really interesting manufacturing use cases with explosives, right? I mean, there are unsafe work environments where anything carried is not okay. And so then biometrics are also a great offering. So we call them identity-bound biometrics. It’s because it binds the biometric to you, to the person and the identity, not just like, you know, a Touch ID, Face ID that’s just talking and authenticating on the device.
Nick van Terheyden
So some great examples there, you know, across what I would call the spectrum of, you know, appropriate layers of security that, you know, these aren’t nuclear codes to these are nuclear codes. I guess that’s my sort of spectrum. And, you know, healthcare has some of that. I mean, let’s be clear, biosafety level four, to me, nuclear code kind of security, and, you know, all of the issues that you described. Yeah, but you talked about something and, you know, I want to push back a little bit and say, well, if you centralize this, isn’t that a perfect target? I’m gonna say, oh, well, let’s just go access that, and that’s what I see on Hollywood. I’m just gonna say, yeah,
Kim Biddings
yeah, yeah. And we get it all the time. So, you know, often these, at least the biometric part, it’s not about secrets. And by the way, in this central repository, it’s not pictures of fingerprints. That’s like the most common question I get is, they’re gonna hack the server, and they’re gonna get my fingerprints, and then it’s all falling apart. And the difference of these things is that, for example, you can see my fingerprints when I show you my hands, you can see my face by looking at me. The way these systems work are through very heavy encryption, heavy algorithmic processes. So when you actually enroll, let’s say, a fingerprint, what happens is what gets stored in the server is so algorithmically changed and encrypted and stored at rest and blocked, that it’s not something that someone can open up that server and reverse engineer it and create it. So that’s the first part. The other part is the actual capture of, let’s say, a biometric. A lot of people have questions. Well, I just hold up a picture of you, or I press my finger into a gummy bear. I love that one. And I put my gummy bear on the, you know, sensor. And so what happens with that is it’s all about liveness detection, right? And there’s a whole thing that obviously anybody that’s providing these solutions, and this is why, look, the FBI use us, the Israeli Defense Force uses us, like, again, this isn’t technology that’s not well tested for integrity, is that we’re testing the liveness. We’re capturing thousands of data points of all the ridges and grooves and shadows and nuances of who you are. And then by integrity, storing that through encryption. So again, people think it’s like a password. You know, it’s a secret, as soon as I tell you, it’s breached, right. And that’s just not how biometrics work. It’s based on essentially this integrity process, the algorithm that’s in play at that point.
Nick van Terheyden
Yeah, I think, great points. And you sort of intimated a little bit about that, when you talked about the recommendation for passwords. Now, you know, the 20 level, because that’s essentially, you know, brute force decryption techniques and time value, and how quickly you can achieve that. We’ve seen this sort of, you know, continued exponential Moore’s law. And I gotta say, quantum computing, which I used to be, but, you know, seems to be progressing. And, you know, I hear stories about sort of capturing of data. So, as you think about the future, and, you know, how we deliver this, because we all want this, and, you know, I sure as hell do based on my experience. I definitely don’t want 20, 60, or even worse than that, the passwords, let’s be clear, because that’s everywhere. Yeah. What does the future hold? And where are we going?
Kim Biddings
Yeah, so you know, from my perspective, we have to bring people back into it. We’re gonna have no choice other than to start verifying that the person behind these devices and screens are who we are. And so I’m all about bringing people back as a credential. We’re the only constant, think about that, we’re the only constant in this situation, right? Our phones change, our devices change, our laptops change, our scenarios change. You have to get back to the constant security, which is people. The other part I’ll say, that’s a very keen push in the market and has been, it’s just a little bit more of a more mature approach, but needs to be adopted, is context. So getting away from the actual individual authentication method. So saying, hey, we’re only gonna let Nick in because his phone’s given us a code, or a code’s been typed in, we’ll let you in. What we’re actually able to do now is looking at context. What time of day is it? Where is he? What device is he on? What’s the typing behavior, right? Behavioral biometrics, is this normal patterns that are being shown, and just how even the screen was opened or brought up. And so what happens is, now we’re bringing in literally your surroundings, not just a single factor, or even multi factors, to be the only security. So that’s really where I think the industry is going. The problem is passwords are cheap. People have them. So, you know, again, I wish, me personally, after a decade of saying the same thing, by the way, I said this in 2009, too, I wish we were further along. And I think we’re going to have to get there because the bad guys are just getting a heck of a lot smarter.
Nick van Terheyden
Yeah. And to be clear, the bad guys in this scenario, are using the same technology. They’re using AI tools to actually approach attacks. And you know, sometimes I cite that and people really, you know, it’s not an individual that sits No, they have the tool sets, as you rightly described.
Kim Biddings
They’re generating revenue, they’re gonna put every effort, they have to generate revenue, that there are a full business and industry and everybody needs to realize that it’s not some hacker in a dark closet anymore. This is this is a full business and revenue machine.
Nick van Terheyden
Right. And let’s be clear, they also have an organizational structure, because I’ve seen an exposé, I think it was Brian Krebs showed that, the CEO, HR functions,
Kim Biddings
marketing to get people to pay, people to sell their credentials. I mean, full business is how you want to think about it. As much effort as you put into your business every day, they’re putting into theirs, so I can promise you,
Nick van Terheyden
right, and I think, you know, to summarize, we have to see security as not just a requirement, but it’s an investment for a whole number of reasons, in patient safety. You know, this is not a cost base. It’s an investment in what we do. And there are tools and capabilities, and we can be better at this. Unfortunately, as we do most weeks, we’ve run out of time. It just remains for me to thank you. I’m just gonna say you’re the pastry chef that should have been, that I want to spend time with talking about baking and so forth in the future. Kim, thanks for joining me today.
Kim Biddings
Thanks for having me, Dr. Nick. I appreciate it.