Advancing PIV Use for Federal Cybersecurity Headlines the 14th Annual Smart Card Alliance Government Conference
Princeton Junction, N.J., June 11, 2015 – Industry leaders shared insights into the latest trends and advancements in identity management and cybersecurity for government, enterprise and healthcare at the 14th Annual Smart Card Alliance Government Conference in Washington, D.C. this week.
Securing cyberidentity in government through PIV
In the wake of the data breach involving the Office of Personnel Management (OPM) where 4.1 million federal employee records were stolen, one of the hot topics at the conference was re-energizing the federal government’s efforts to start using PIV credentials to secure information access and system privileges. The recent data breach disclosure by the OPM, while not discussed by any presenters, is the most recent example of why the use of PIV cards for strong authentication is a high priority. According to the FY2014 Federal Info Security Act Annual Report to Congress (2014 FISMA Report), the OPM reported that 1 percent of its employees were using PIV-based strong authentication to log on to its computers.
Several speakers noted that once hackers get a foothold in a system, they elevate their privileges and move laterally through the network to gain sensitive data.
“This is where we should be knocking them down,” said Michael Papay, vice president and CISO of Northrop Grumman. “That chain could be easily mitigated by having a secure cyberidentity.” Northrop Grumman has 200,000 computers and has fully implemented the commercial PIV-I version of strong authentication, and actively uses the smart card-based credentials in a framework of trust with the federal government and other defense contractors through participation in the Transglobal Secure Collaboration Program (TSCP).
In federal post-breach event action, “the number one mitigation is implementation of PIV. Every time,” said Trevor Rudolph, chief of the eGov Cyber Unit for the Executive Office of the President (EOP) and the Office of Management and Budget. This organization’s mission is to reduce the number of cyber incidents in which sensitive government information is compromised. Like Papay, Rudolph is a strong proponent of PIV card use to make it much more difficult for hackers to move laterally through a network. Yet the use of PIV for log on by civilian agencies (excluding the DoD) is only 42 percent, well below the target of 75 percent, he said, citing the 2014 FISMA Report. According to analysis by his organization, 52 percent of the incidents involving social engineering, phishing and malware could have been prevented by the use of PIV strong authentication. Rudolph said the biggest barrier they are working to overcome at non-complying agencies is cultural—the unwillingness of users and their leadership to use two-factor authentication.
One example of a federal civilian department getting PIV cybersecurity right is the EOP. Haj Ramos, branch chief in Information Assurance, EOP, said they have implemented PIV log on authentication both on premise and remote, for all of their users – federal, political and career employees, contractors, detailees, interns and 100 percent of their system administrators. Keys to success Ramos identified included always-available support for card and certificate issues, day-one mandatory use for new employees, involvement and collaboration with user groups, and perhaps most important, leadership backing.
Healthcare and secure identities
A convergence of issues in the healthcare industry is bringing the topic of secure identity credentials to the forefront, according to conference speakers. These include fraud, increased patient mobility between providers, concerns over safety caused by patient misidentification, the use of the Internet to deliver healthcare services more efficiently and the opportunities created by pervasive mobile devices and the U.S. migration to EMV chip technology.
Fraud. A stolen healthcare record is worth $50 on the cyber black market, more than 10 times the value of a social security number ($0.43). This prompts 42.5 percent of all cyberattacks to target healthcare, according to Sheila Stromberg, director of Vertical Industries and Healthcare Solutions for HID Global. Medicare fraud tops $60 billion a year, and use of a secure credential for recipients could save at least half of that each year, according to Neville Pattinson, SVP of Government Affairs and Standards for Gemalto.
Patient safety and misidentification. An alarming 19 percent of healthcare CIOs reported adverse healthcare events caused by patient misidentification, and data error rates have grown to 12 percent of records, according to Michelle O’Connor, director of identity and information governance, QuadraMed.
U.S. migration to EMV and mobile. As of 2015, healthcare organizations, like all merchants, will be incented to move to EMV chip card-accepting payment terminals. According to David Batchelor, CEO of LifeMedID, this creates an opportunity to add an app for smart card-based identity credentials to the terminals without the cost of additional equipment. Batchelor also sees possibilities to use patients’ mobile devices in conjunction with other information as “BYO-ID” tokens for healthcare identities.
Industry players taking action. Former Tenet CIO Roderick Bell sees things changing in healthcare with organizations showing an increased willingness to tackle healthcare identity issues in their own organizations or regions. He led a very successful smart card identity credentialing deployment in Texas that streamlined admissions, increased patient matching accuracy, improved the customer experience and became a competitive marketing advantage for the hospital.
Other notable items
In an informal live survey, Frazier Evans, an associate at Booz Allen Hamilton, asked five millennials in the IT security space about their views on day-to-day security practices. While some would trust Facebook with their entire online identity because it already serves as the basis of other identities such as Instagram and Spotify, others felt the platform had too much control, and they wouldn’t trust it with their valuable information. One speaker said that he would even use a PIV card in his personal life, and felt others would do the same, if they were offered for consumers.
Rene McIver, CSO of SecureKey, provided an update on Connect.gov, a solution that allows citizens to use already-established credentials (e.g., Google, PIV, PayPal and others) to log in to federal agency websites.
Randy Vanderhoof announced that the Alliance’s Certified System Engineer ICAM PACS (CSEIP) program, which satisfies the GSA’s Qualified HSPD-12 Service Providers requirement for system integrators and technicians, has completed training for over 100 system integrators in its first year.
A new Secure ID Coalition report, “State Secure Identity Practices and Policies in 2015,” announced at the conference by Kelli Emerick, executive director of the coalition, examines secure identity efforts in the top 10 most technologically effective and populous states. States play a critical role in identity through their management of drivers’ license issuance and local benefit programs. Pennsylvania, Texas and Virginia were rated the top three; Illinois was the lowest.
The Pentagon Force Protection Agency now has transitioned 30 facilities including the Pentagon in the National Capital Region to PIV compliance for physical access, according to Derek Nagle, chief of the Electronic Security Systems Division. Eventually, 70,000 employees will be enrolled. For biometrics, they are supporting both iris and fingerprint in order to minimize the estimated 700 people who would not be able to enroll in a single biometric system. So far they have enrolled 60,000 people with zero failures to enroll at least one biometric.
The two-day Smart Card Alliance Government Conference concluded on Thursday, June 10th with 628 attendee registrations, including 217 registrations from government agencies.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.securetechalliance.org.
Montner Tech PR