Healthcare Slow to Adopt NIST Digital Identity and Authentication Guidance

Rich Curtiss, Director, Healthcare Risk Assurance Services

The National Institute of Standards and Technology (NIST) published an updated guide (Special Publication 800-63b) for Digital Identity Guidance in June 2017. This is a comprehensive and holistic guide to authentication processes, which includes choices of authenticators that may be used at various Authenticator Assurance Levels (AALs). It provides recommendations on the lifecycle of authenticators, including revocation in the event of loss or theft, complexity requirements, and authenticator expirations.

A fundamental precept of digital authentication is adherence to the lifecycle process of the authenticators; taking portions of the guidance and not implementing the entirety of the recommendations may leave your corporate data exposed to risk.

Most healthcare organizations have been slow or reluctant to adopt this guidance, while some have been selective in their interpretation of it and have narrowly implemented sections of the guidance without a full understanding of the implications of those choices. To illustrate, many have decided it is no longer necessary to expire a password after a set number of days based on a very narrow reading of the publication. This narrow interpretation is only true within the context of many other conditions. The publication is not an ala cart menu of choices, but rather, a systematic framework for improving authentication practices.

While this publication is a “requirements” document for federal agencies within the context of FISMA compliance, it is only to be considered instructional and informative to commercial enterprises. Many good recommendations are documented, but they must be implemented in the context of the whole and not pulled out to satisfy a singular agenda (e.g., no more password expirations).  

To recap, authentication is performed by verifying that the claimant controls one or more authenticators. It is often said an authenticator is something you know (password/passphrase), something you have (a device with a secondary authenticator), and something you are (fingerprint/vein scan). Any two of these are referred to as “two-factor authentication,” and all three would be “multi-factor authentication.” Sometimes, two-factor is referred to as multi-factor.

Many healthcare organizations have focused on the recommended changes to password expiration and complexity. Specifically, two misstatements seem to have emerged from the guidance:

  1. NIST no longer requires password resets after 90 days, so we can retain our same passwords without ever resetting them
  2. Password strength/complexity no longer need to be enforced since NIST is recommending passphrases that don’t expire

Neither of these statements is factual when taking lifecycle management into account. 

In a broader context, NIST does, in fact, state that password resets or expiration are not necessary if certain conditions are met, such as:

  1. Stored “hints” are disallowed
  2. Memorized secret verifiers (e.g., passwords) should be compared against commonly used, expected, or compromised verifiers – weak, easily guessed, or compromised verifiers should never be used
  3. Passwords obtained from previous breach corpuses should never be allowed
  4. Repetitive or sequential characters should not be part of a verifier construct
  5. Context-specific words, such as the name of the service, the username, and derivatives should never be used

If the Credential Service Provider (CSP) is not conducting this level of analysis, then the guidance would be void.

NIST does recommend the switch from passwords with enforced complexity requirements (i.e., special characters) to the use of strong passphrases. Again, this assumes the CSP is managing the process.  Foundationally, the CSP must have a robust program for authentication management (i.e., how to know whether a passphrase has been compromised).

NIST is embracing the need for usability of authenticators to meet business needs and is providing recommendations to support the user. One of the recommendations is Single Sign On (SSO), which is used extensively in healthcare, to improve the usability experience while retaining appropriate security.

Taking everything into account as it relates to Digital Identity and Authentication, healthcare organizations may do the following to improve the user experience and align with these NIST guidelines:

  1. Implement a strong passphrase management process aligned with the guidance. Ensure users are implementing strong passphrases with a minimum of 64 characters. Passphrases should be approved by the CSP. This is typically part of the identity and access management process within the IT department.
  2. Implement two-factor authentication on all network connections. Use a One Time Password (OTP) device. Do not use SMS texting, if possible. It has been deprecated by NIST due to inherent vulnerabilities. Ideally, two-factor should be used when accessing both the network from inside the firewall and external to the firewall. It is an absolute must for accessing the network from outside the firewall (i.e., remotely through a VPN or secure gateway).
  3. Ensure security awareness training is updated to reflect the process and provide users with the knowledge and/or tools necessary to reset a passphrase in the event of a suspected compromise.
  4. If in doubt about the compromise of a passphrase, change it.
  5. Implement SSO to minimize user friction. 

Making the change must be a programmatic decision, but the technology vendors are already moving in this direction – so consider a proactive move to an updated Identity and Access Management program.

Rich Curtiss


Rich Curtiss — Director, Healthcare Risk Assurance Services

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS