ALL ABOUT AUTHENTICATION: A Health-ISAC Guide for CISOs
MFA. OTP. FIDO. SMS. PKI. All of these acronyms might have you saying OMG, but they are each important to understand when it comes to managing authentication. It’s an anomaly these days when a major breach happens and compromised authentication systems don’t play a role. Multi-Factor Authentication (MFA) is critical to stopping attacks — but as we’ll detail in this paper, not all MFA is the same, and attackers are catching up to some first-generation MFA tools. Health CISOs need to stay ahead of the curve.
This is the third installment in the H-ISAC’s ongoing series focused on helping CISOs implement an identity-centric approach to cybersecurity. Our first paper, Identity for the CISO Not Yet Paying Attention to Identity, explained why identity matters. We followed that with An H-ISAC Framework for CISOs to Manage Identity, outlining how CISOs can implement a comprehensive approach to identity-centric security that will protect against modern attacks and support key business drivers.
Now we’re going to start diving deeper into different areas of that framework, starting with authentication. Most cybersecurity professionals know that authentication is important, but many do not understand the differences between various authentication tools or how best to implement them in their organization. This paper was written to address those questions and includes two case studies detailing how different health organizations have implemented strong authentication.
1 – Passwords alone offer minimal security; MFA is essential.
2 – Not all MFA is the same. Attackers have found ways to phish authentication technologies such as one-time passwords (OTPs) that are based on “shared secrets.” Wherever possible, use high assurance, phishing-resistant tools such as FIDO or Public Key Infrastructure (PKI).
3 – Usability matters. MFA implementations struggle if they degrade the user experience. Modern MFA solutions offer streamlined authentication processes that are easier to use than passwords.
4 – Where feasible, move from static MFA to a multi-layered approach that integrates sign