
They don’t call it Protected Health Information for nothing. Access to electronic medical records must be safeguarded by healthcare organizations. It is critical for regulatory compliance, but perhaps more importantly, it is essential to maintaining patient trust.
Securing access to patient records is vital, but so too is enabling convenient access to those records from a growing number of endpoint devices and locations. PhoneFactor and Imprivata, a leading provider of single sign-on and access management solutions for the healthcare industry, recently joined forces to guard Protected Health Information while enabling easy access for healthcare providers from both inside and outside the hospital walls.
Here’s how it works: Imprivata OneSign® and OneSign Anywhere™ provide authorized doctors, nurses, and other caregivers with fast and secure access to electronic medical records (EMR) and other applications. PhoneFactor provides an additional layer of protection by verifying access through an automated phone call or text message. The caregiver answers the call and presses # or replies to the text message to authenticate. This simple process provides the multi-factor security required by many regulatory agencies, including HIPAA and state pharmacy boards, yet is extremely easy to set up, manage, and use.
PhoneFactor integrates seamlessly with Imprivata via RADIUS and synchronizes with AD and LDAP servers to streamline user management. Easy, automated enrollment and self-service options are available through the phone and web. Learn more about PhoneFactor for Imprivata.
~Sarah
PhoneFactor helps organizations meet their strategic IT objectives by providing stronger security, an improved user experience, reduced setup and management time, and a lower total cost of ownership. But don’t take our word for it. Here are the top three IT initiatives that our customers say PhoneFactor helped them achieve.

Is Mobile Workforce Enablement one of your goals?
Watch the on-demand webcast "Strong Security for Remote Workers Is Just a Phone Call Away" for valuable information on how to support your increasingly mobile workforce while ensuring the strong security necessary to prevent unauthorized access and meet regulatory mandates.
~ Sarah
Not even two years after Marsh and I described the renegotiation flaw, TLS and SSL have been hit again. The attack, dubbed BEAST by researchers, was described by Rizzo and Duong at the ekoparty security conference. It allows an adversary to decrypt parts of the encrypted data stream, potentially leading to session hijacking, information disclosure, and more. The concept behind the attack had been previously described, but it was thought at the time to be impractical.
The problem lies in the way that block ciphers are used in SSL/TLS. Block ciphers are generally operated in one of several modes that define how encrypted blocks are manipulated to ensure complete confidentiality. Cipher Block Chaining, or CBC mode, is used in SSL for all block ciphers, including AES and Triple-DES. The BEAST attack relies on a weakness in the way CBC mode is used in SSL and TLS. Non-CBC cipher suites, such as those using the RC4 stream encryption algorithm, are not vulnerable.
There have been several suggested mitigations that can be put into play from the perspective of the client, such as reorganizing the way the data is sent in the encrypted stream. Servers can protect themselves by requiring a non-CBC cipher suite. One such cipher suite is rc4-sha, which is widely supported by clients and servers.
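To illustrate the server-side mitigation, here is an added example (not code from the original post or the white paper) that simulates cipher suite selection and shows the difference between a server that merely prefers a non-CBC suite and one that requires it. The client and server lists and all function names are constructed for illustration, and suites are classified from their OpenSSL-style names only.

```python
# Added example: which suite a handshake would select under a given server
# cipher policy, and whether that suite is a CBC suite. All data is constructed.

AEAD_TOKENS = ("GCM", "CCM", "CHACHA20")


def mode_of(suite):
    """Classify an OpenSSL-style suite name as 'null', 'aead', 'stream' or 'cbc'."""
    name = suite.upper()
    if "NULL" in name:
        return "null"
    if any(tok in name for tok in AEAD_TOKENS):
        return "aead"
    if "RC4" in name:
        return "stream"
    # Per the post, SSL uses CBC for all block ciphers, so the rest count as CBC.
    return "cbc"


def negotiate(client_offer, server_list, honor_server_order):
    """Return the selected suite, or None when the lists share no suite."""
    if honor_server_order:
        ordered, other = server_list, client_offer
    else:
        ordered, other = client_offer, server_list
    allowed = {s.upper() for s in other}
    for suite in ordered:
        if suite.upper() in allowed:
            return suite
    return None  # no common suite: the handshake fails


def audit(server_list, honor_server_order, clients):
    """Map each client name to (selected suite, mode) for this server policy."""
    report = {}
    for name, offer in clients.items():
        chosen = negotiate(offer, server_list, honor_server_order)
        report[name] = (chosen, mode_of(chosen) if chosen else None)
    return report


# Constructed sample clients and server policies (hypothetical, not measured).
CLIENTS = {
    "prefers_aes": ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
    "prefers_rc4": ["RC4-SHA", "AES128-SHA"],
    "cbc_only": ["AES256-SHA", "DES-CBC3-SHA"],
}
MIXED = ["RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
RC4_ONLY = ["rc4-sha"]
```

With the mixed list, a client that offers only CBC suites still ends up on CBC even when the server's order is enforced. With the RC4-only list, that client gets no suite at all, which is the compatibility cost to weigh before requiring a single suite.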
To assist with the necessary server reconfiguration, PhoneFactor has produced a white paper describing the process. Please note that it is just a recommendation that we feel would work for most sites, but it is important for you to evaluate our suggestions in light of your actual architecture.
Download Whitepaper
Download Associated Text File
In the end, TLS is still among the most widely deployed security protocols, and the fact that it’s had a difficult couple of years is an indicator of just how many eyeballs are pointed at it. It’s still always safer to use a public, highly analyzed cryptosystem than to invent one from scratch, as attacks like BEAST show just how difficult it can be to get it right.
- Steve