New Healthcare Tool: Universal ID Can Replace Login/Password

Ken Terry

September 02, 2014

Healthcare security breaches have become increasingly common. In fact, a recent report shows that 90% of healthcare organizations exposed their patients' data or were the victim of a breach in 2012 and 2013. Another report from Verizon found that 2 of 3 security breaches resulted from lost or stolen user names and passwords.

Now Verizon Enterprise Solutions (VES) has introduced a new method of logging onto Web sites that doesn't require a login name or a password. Called the Universal ID (UID), it relies on randomly generated numbers and smartphone scans of images corresponding to those numbers. It can be deployed either alone or to supplement conventional user names and passwords.

"We are introducing an exponentially more sophisticated and secure way of logging in than a simple user name and password," said Tracy Hulver, chief identity strategist for VES. "If somebody compromises a user name and password, it won't be able to be used in isolation, because of the multi-factor element that the system is built upon."

Here's how it works: When an individual goes to a participating Web site, he or she is prompted to apply for a Verizon UID. If the person is an employee of a participating enterprise, such as a healthcare organization, the company would give VES the employee's login name and password, and that person would receive an email from VES asking them to set up a UID, Hulver said.

Besides security questions, people are asked to list the computer devices they want to use, and VES links the person to those devices. They can then download the UID app to their smartphones. Next time they sign in, they're asked for their UID user name and passcode. The passcode is a set of numbers generated by the app. When they double-click it with their fingers, it authenticates them on VES' cloud server.

After that, whenever they log in to a participating Web site, they can use their smartphone to scan an image that appears on the login page and that authenticates them in the cloud. The scanned image represents a randomly generated code that is unique to that transaction and that disappears after about 30 seconds, said Hulver.
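The server-side properties described above (a random code tied to one login transaction, valid for about 30 seconds, accepted only from a device linked to the user) can be sketched as follows. This is an added example, not Verizon's code: the class and method names, the in-memory store, and the use of a bare device ID in place of a cryptographically authenticated device are all assumptions made for illustration.

```python
import secrets
import time

CODE_TTL_SECONDS = 30  # the article says the code disappears after about 30 seconds


class LoginChallenges:
    """Issues one-time login codes and redeems them from enrolled devices.

    Hypothetical sketch: device_id stands in for a device identity that a
    real service would verify cryptographically.
    """

    def __init__(self, enrolled_devices):
        # device_id -> user name; constructed sample data replaces real enrollment
        self.enrolled = dict(enrolled_devices)
        self.pending = {}  # code -> (session_id, expires_at)

    def issue(self, session_id, now=None):
        """Create the random code that the login page would render as an image."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # CSPRNG output, 256 bits, not guessable
        self.pending[code] = (session_id, now + CODE_TTL_SECONDS)
        return code

    def redeem(self, code, device_id, now=None):
        """Return (session_id, user) on success, or None on any failure."""
        now = time.time() if now is None else now
        user = self.enrolled.get(device_id)
        if user is None:
            return None  # device was never linked to a user; code stays pending
        # pop() makes the code single-use: a replayed scan finds nothing
        entry = self.pending.pop(code, None)
        if entry is None:
            return None
        session_id, expires_at = entry
        if now > expires_at:
            return None  # scanned after the validity window closed
        return session_id, user
```

The code is consumed on the first scan from an enrolled device, so a photographed or replayed image is useless afterward, while a scan from an unknown device neither logs in nor burns the code for the legitimate user.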

There are 2 advantages in this approach, according to Verizon. First, the authentication code can't be cracked, as a password can, because it consists of randomly generated numbers. Second, the UID relies on multifactor authentication, including identity proofing, the passcode, and the device used.

Verizon has no studies to back up its assertion that the UID would reduce fraud and phishing attacks. But Hulver notes that 2-factor authentication has been shown to be 5 times more secure than names and passwords alone.

Hulver admits that it's possible for someone to steal an authenticated device, gain access to personal information, and use the UID to launch a cyber attack on a system. But he says that the risk of this happening is much lower than the risk of a login name and password being compromised.

"Real Potential" for Healthcare

Kenneth Rashbaum, a healthcare security expert based in New York, told Medscape Medical News that the UID looks promising. "It's a very helpful development in the quest to find security. There are no impregnable passwords, and if they're too long nobody will remember them. The idea of having a frequently changing code where you don't have to remember it to have it at your disposal has real potential."

He also noted that with all the security breaches lately, something like the UID could improve consumer confidence in the security of electronic health records and transactions.

On the other hand, Rashbaum cautioned, the ability to log onto any participating Web site with the UID creates additional security issues. "This app looks like the skeleton key to your life. It's the master key to everything that you're doing. So now you have another reason to make sure your cellphone is locked down and to have remote wiping in the event your phone is lost."

Rashbaum acknowledged the challenge of identity-proofing individuals when they obtain a UID, a task that is much simpler for an enterprise. But the healthcare industry should not let that stand in the way if the system has been tested and shows promise, he said. "The industry should not let the perfect be the enemy of the good."

Hulver said that the UID could be used in hospitals in place of the "touch and go" security badges that are used to log onto different workstations as clinicians make their rounds. Rashbaum liked that idea, but he warned that a hospital would have to put "strong mobile device management policy in place to do that. It would also need good controls over remote access."
