Patients have had to react to a steady stream of stories about how their data is used online without their knowledge. They may have felt safe on Facebook before, but ongoing privacy scandals across the internet appear to have created a new awareness of the dangers to personal data.

A recent survey by the insurance company Aetna shows that patient concerns have now tilted toward privacy, ahead of cost or even quality of care. Healthcare providers can’t rely on HIPAA alone to reassure patients that their data is safe.

HIPAA isn’t network security; it’s a regulation that sets requirements, not a control that enforces them. Patients now clearly want a stronger defense.

Aetna’s survey of 1,000 consumers (December 2017) in its first annual Health Ambitions Study sought to better understand patient goals. It asked patients what the most important aspects of healthcare were. Findings:

·         Patient privacy (80%)

·         Data security (76%)

·         Cost of care (73%)

·         Personalized care (71%)

·         Coordination of care among providers (68%)

 

Women were more concerned about patient privacy than men (84% vs 71%). As women make more of the family’s health decisions, this gives healthcare providers a clear opportunity to meet the new concern for privacy with security technology that both protects and reassures patients.

The study also looked at telemedicine attitudes. It found a generational divide with digital technology.

Under age 35

  • 37% of consumers said virtual office visits would be helpful
  • 36% said telehealth would be valuable to them

People aged 65 and older

  • 17% liked the idea of virtual office visits
  • 14% rated the idea of telehealth as helpful

Patient privacy in EMS systems and the rise of telemedicine both call for strong authentication that keeps imposters out. It must protect records while still enabling remote communication between patient and provider.

Authentication means identifying the person who is logging in, not merely checking a username and password. Until now there has been no magic bullet that meets these security demands without hardware.

Most systems use cobbled-together measures such as frequently rotated passwords or two-factor authentication via SMS, which burden providers and consume a great deal of valuable time.

Nothing authenticates like biometrics. They used to require hardware and devices, but no more.

BioSig-ID is a smart password product that uses the way a person draws to biometrically identify them. It’s a simple 4-character password that is drawn with a finger or mouse instead of a typed password. It can be used for patient portals, telemedicine, electronic medical records, even online medical education and credentialing. 

BioSig-ID uses gesture biometrics to defend against imposters and positively identify legitimate users with high accuracy and no dedicated hardware.

BioSig-ID integrates with Epic and PING, offering a way to secure patient data while showing patients that their privacy preferences are being heard.

Isn’t it also time to free practitioners from the demands of data management? It’s not what they trained for. Why make them become digital experts? Imagine what they could do with the extra time every day.

 

For most websites, entering the right credentials is good enough. A simple username and password is also the most common way attackers gain entry. For businesses, shared passwords are an ongoing headache and risk.

You’ve almost certainly done it too. You’ve impersonated someone, or someone else has impersonated you with your help. Have you ever….

1.       Shared your banking login with your spouse

2.       Used team passwords at work

3.       Shared passwords for a family photo sharing account

4.       Shared passwords for individual iTunes accounts to share music

5.       Shared passwords for a household device or appliance

6.       Asked a friend to log you in to a timeclock when running late

7.       Shared your email password with a significant other to show your commitment

 

So, you’re guilty of credential fraud. Most of us are.

We don’t think twice about sharing credentials with people we trust, and the system can’t tell the difference. There is no identity authentication, only verification that someone typed the right password. Everyone looks the same to the system; all it takes is the PIN or password.

The only way to tell who is who online is authentication. Authentication determines the actual person who is logging in by adding further steps that establish identity. You’ve probably answered challenge questions or entered an SMS code you were sent to prove your identity before accessing a site.

But the answer to a question about the city you were born in or your mother’s maiden name is easily discovered. And an SMS code only proves control of the phone number attached to the account, not the person: it can be read by whoever is holding the phone, and a SIM-swap attack can redirect it to an attacker. Have you ever shared your phone passcode? You get the drift.

How does business handle the need for real authentication? Not that well. Its continuing reliance on usernames and passwords, often fronted by single sign-on (SSO), is baked in, so shared and stolen passwords remain a continuing threat. With employees always coming and going and using different devices, managing identity is a complex problem.

The only way to be truly sure about someone’s identity is to use a biometric to identify them.

·         Biometrics are unique bodily characteristics such as fingerprints or irises

·         They don’t change, which also means they can’t be replaced if they are ever compromised

·         They are, by far, the strongest way to identify a person

If you use a fingerprint to unlock your phone, it works on that device because the fingerprint reader is in your hand. On its own, it won’t log you in to online accounts.

Consumers can’t press their finger on any screen to access a shopping site or bank. Not without hardware like a fingerprint reader to plug into a device, read the fingerprint and send it to the site, which then has to authenticate the print.

If a company had 100,000 users it needed to authenticate, the hardware investment alone could be prohibitive.

Many people don't realize that there is an affordable way to use biometrics online without hardware. 

BioSig-ID is a new way to use biometrics without hardware or downloads. It’s a biometric Smart Password. Users have everything they need to log in in the palm of their hand. Only the rightful user can enter the password, which is drawn with a finger (on a touch-enabled screen) or a mouse. It’s 99.97% accurate at stopping imposters, stolen passwords and password sharing, and it identifies the correct person 99.78% of the time. This ensures a smooth user experience without frustration. Logging in with a 4-character password takes only about five seconds.

Whether a site takes online payments, holds sensitive medical records or transfers large sums of money, biometric authentication is the only way to be sure the right person is using the credentials. If you can get in with a shared password, so can an attacker, because typed passwords are inherently unsafe on their own.

 

Reputation is a precious resource for online Higher Ed. It drives your degree value and that drives revenue. 

Criminals are one of the top causes of school reputation damage. They get inside your system by impersonating others. Scandals from online fraud can trash a reputation forever in just a few days. Remember Corinthian Colleges?

Criminals are always refining their techniques. Are you refining yours to stop them?

The anonymous internet makes it easy to impersonate others. Logging in as someone else is behind a large share of data crimes.

·         Fake students who steal financial aid

·         Paid students who take tests or entire classes for others

·         Cheating rings

·         Cryptojackers who hijack computing resources and run up giant bills

The only weapon against scandals caused by impersonation is strong identity authentication.

Authentication identifies the person, not the device or credentials. It sifts legitimate students from the criminals. It's NOT a username and password.

To stop reputation threats you need two things. The first, at login, is a factor beyond the credentials themselves:

·         Something the legitimate user IS, such as biometric information (unique physical or gestural attributes), OR

·         Something only the real user has or knows, such as a device or challenge questions

Questions: the answers to “mother’s maiden name”, “high school attended” or “city of birth” can be found in public databases, and a student can simply hand the answers to another student to cheat.

Devices: can be handed to another person to cheat.

 

You need one more piece:

Forensics to detect potential impersonators. Every action online leaves data behind. Fraud has various “tells” that a robust authentication technology can detect, for example:

·         Logins from atypical IP addresses

·         Logins using the same credentials from multiple IPs

·         Logins that change historic usage patterns

No administrator reading raw logs could keep up with this volume of data. It takes automated forensics working alongside authentication to correlate it, cross-reference it and analyze what is a danger to your school.

The goal is to identify worrisome user behaviors when you can still do something about it, not after the fact.

BioSig-ID is one authentication technology that can guard your LMS from attempts to game the system. It uses a smart biometric password that students draw. Because the drawn password is a biometric unique to the user, it is extremely difficult for anyone else to forge, and only the rightful user can log in.

BioSig-ID can also provide your school with:

·         Warnings of potential grant fraud, by flagging behaviors that indicate a likely drop-out

·         Evidence of attendance, which schools are required to keep for compliance

·         A reporting dashboard and real-time alerts that may prevent a severe breach

·         Analysis of atypical logins that may indicate academic fraud

·         Compliance with the latest identity requirements needed for new yearly audits and accreditation

 

It only takes one story in the media to tarnish your school’s reputation. And, that story will live online forever.

Maybe you think these activities are a cost of doing business and they happen to every school. Most schools now have measures in place to stop these crimes and protect their reputations. 

Let us educate you on how to protect against today’s identity threats that can damage the one business asset you can’t replace – your reputation.

Schedule a demo today to see how you can put a stop to stolen and shared passwords.

Case Study

 

By Dr. Mark Sarver, Chief Behaviorist, Biometric Signature ID and Former CEO of EDUKAN

 

The findings of the audit, which began more than four years ago, were not a surprise to most observers.
 
That’s because the inspector general relied on a 1992 federal law that defines aid eligibility for distance education programs, which many have said poses a problem for WGU, some other competency-based programs, and possibly online education writ large.
 
The US Department of Education’s Office of Inspector General found today that Western Governors University was out of compliance with Title IV financial aid rules, especially the “regular and substantive interaction” provisions that Van Davis (Blackboard) and Russ Poulin (WCET) outlined last year. Its findings include a recommendation for returning Title IV funds, described below:
 
“From the OIG- We concluded that Western Governors University did not comply with the institutional eligibility requirement that limits the percentage of regular students who may enroll in correspondence courses. Therefore, the Department should require the school to return the $712,670,616 in Title IV funds it received from July 1, 2014, through June 30, 2016, and any additional funds it received after June 30, 2016.”
 
Several issues were highlighted in the audit report:
 
1.   Regular and substantive interaction issue: The audit report said most courses at WGU do not meet the distance education requirement because they were not designed for regular and substantive interaction between students and faculty members. Those courses instead should have been labeled as correspondence courses, according to the inspector general.
 
Under the law, a college is not eligible to receive federal financial aid if more than half of its courses are offered via correspondence or if most of its students are enrolled in correspondence courses. The inspector general’s audit report said 62 percent (37,899) of the 61,180 students who were enrolled at WGU in 2014 took at least one of 69 courses (among 102 courses in the university’s three largest academic programs) that failed to meet the distance education requirements.
 
“None of these 69 courses could reasonably be considered as providing regular and substantive interaction between students and instructors, the key requirement to be considered a course offered through distance education,” according to the report. “Therefore, Western Governors University became ineligible to participate in the Title IV programs as of June 30, 2014.”
 
2.   Student attendance issue: Here’s what the OIG said about this issue that also affects Title IV funding eligibility:
 
“We also concluded that the school did not always confirm that students started attendance in the courses on which their eligibility was based before disbursing Pell funds on or after the first day of a payment period. By not confirming attendance before disbursing Pell funds, the school increased the risk that it would disburse the funds to students who were not academically active during the payment period.”
 
Western Governors University considered the date of academic activity verification (AAV) to be each student’s first day of attendance and disbursed Pell funds once AAV occurred. The date of AAV should not have automatically qualified as a day of academic attendance for Title IV purposes. AAV was the process to select courses or register for courses.
 
“According to 34 C.F.R. § 668.21(a), if a student does not begin attendance in a payment period, the school must return all Title IV funds that were credited to the student’s account for that payment period.  Therefore, if a student does not start attendance in the classes on which his or her eligibility was based and only participates in AAV during the payment period, the school should be returning all Title IV funds disbursed to the student for the payment period”.
 
3.   SEC. 102. DEFINITION OF INSTITUTION OF HIGHER EDUCATION FOR PURPOSES OF TITLE IV PROGRAMS. (3) LIMITATIONS BASED ON COURSE OF STUDY OR ENROLLMENT- An institution shall not be considered to meet the definition of an institution of higher education in paragraph (1) if such institution--
 
(A) offers more than 50 percent of such institution's courses by correspondence, unless the institution is an institution that meets the definition in section 521(4)(C) of the Carl D. Perkins Vocational and Applied Technology Education Act;
 
(B) enrolls 50 percent or more of the institution's students in correspondence courses, unless the institution is an institution that meets the definition in such section, except that the Secretary, at the request of such institution, may waive the applicability of this subparagraph to such institution for good cause, as determined by the Secretary in the case of an institution of higher education that provides a 2- or 4-year program of instruction (or both) for which the institution awards an associate or baccalaureate degree, respectively;
 
(C) has a student enrollment in which more than 25 percent of the students are incarcerated, except that the Secretary may waive the limitation contained in this subparagraph for a nonprofit institution that provides a 2- or 4-year program of instruction (or both) for which the institution awards a bachelor's degree, or an associate's degree or a postsecondary diploma, respectively; or
 
(D) has a student enrollment in which more than 50 percent of the students do not have a secondary school diploma or its recognized equivalent, and does not provide a 2- or 4-year program of instruction (or both) for which the institution awards a bachelor's degree or an associate's degree, respectively, except that the Secretary may waive the limitation contained in this subparagraph if a nonprofit institution demonstrates to the satisfaction of the Secretary that the institution exceeds such limitation because the institution serves, through contracts with Federal, State, or local government agencies, significant numbers of students who do not have a secondary school diploma or its recognized equivalent.
 
Why was WGU audited: The audit report is primarily based on the OIG’s interpretation of a provision of the Higher Education Act enacted in 1992 defining requirements for interaction between faculty and students in distance learning programs. The OIG used its definition of “faculty” to find that WGU faculty did not provide the required “regular and substantive interaction” with WGU’s students.
 
Audit Results: The Office of Inspector General said the U.S. Department of Education should require WGU to return $713 million in federal aid it received during the two years before July of last year, as well as any federal aid it received since then.
 
Additionally, the final audit report also said the nonprofit university, which enrolls 83,000 students, should be ineligible to receive any more federal aid payments.
 
 
Selected Observers React: Supporters of competency-based education said the federal government should update its regular-and-substantive requirement, but not in a way that might encourage fraudulent, low-quality programs that take advantage of students.
 
In a recent WCET blog post, several experts weighed in, including Deb Bushway, Ph.D., current provost at Northwestern Health Sciences University, who has also worked for Capella University and the University of Wisconsin Extension and as an adviser to the Education Department.
 
“The inspector general is clearly following the letter of the law,” Bushway said, adding that the report was not a regulatory overextension. But she also called it “more evidence that the law needs to be changed.”
 
Pulling the regular-and-substantive language completely, however, which some advocates are quietly pushing for, would be a mistake, said Bushway. “That would invite bad players into the field and threaten the reputation of competency-based education,” she said.
 
Instead, Bushway and others call for a two-pronged solution, with a fix that would protect WGU and other competency-based programs in the short term while Congress revisits the law, perhaps as part of the reauthorization of the Higher Education Act.
 
 
Recommendation: Regardless of who wins this conflict, everything is converging on more DOE/OIG oversight and enforcement. The DOE and OIG have shown they are ready to take on large institutions (ITT and Corinthian, for example) for failing to comply with their rules. Since there will be a loser in this latest dispute, enforcement is expected to increase.
 
Some of the following issues will undoubtedly come under enforcement, with accreditation and Title IV eligibility at stake. My recommendation is to use our multimedia approach to inform our clients and potential clients that we offer a budget-friendly, easy solution to overcome these pertinent issues.
 
• Regular and substantive interaction – Institutions will need to demonstrate they have a system to both verify student ID and then verify that student’s attendance at one of 8 identified “educational activities” that is initiated by the instructor
  o BSI solves this issue with the use of its Academic attendance report, which captures computer-assisted instruction or other educational activities throughout the course.
  o This report can also be used in WGU’s case to comply with 34 C.F.R. § 668.21(a), to ensure the student remains eligible for Title IV funds (see issue #2 in this document)
 
 
• At some point the huge burden of “improper payments” from Pell grants and other FSA will come into focus. This fraud is now over $3B, is under congressional oversight and is not going away. BSI is working with selected members of the federal Educational Committee to use our forensic reports to capture fraudulent students. Our clients using BioSig-ID have a significant advantage and head start in reducing their own FSA fraud by using our reports to identify and stop payments to fraudsters.
 
 
• The OIG has issued another Final Audit Report (https://www.biosig-id.com/doe-final-audit) to enforce student ID verification to enable continued Title IV funding. Institutions that do not have a process in place for student ID verification are at risk of being cut off from FSA, including military and Title IV
  o BSI offers compliance with the DOE’s and OIG’s regulations on the processes required to ID students and measure them throughout the course
 
• For institutions on the edge of the 50% rule, BSI can quickly offer a solution to capture and monitor a student ID verification system that demonstrates faculty interaction.
 
Additional Notes: It’s naïve to assume your college has not been affected by fraud. The growth of online education has brought a wave of what’s referred to as Pell Runners, in reference to the federal student aid program. Online classes make it easier than ever before to apply for assistance, register with a college, take the money and never attend classes.
 
The number of potential fraud recipients increased 82 percent between 2009 and 2012 according to an Inspector General report for the U.S. Department of Education. These so-called students stole an estimated $187 million in federal aid in 2012 alone.
 
Because fraud usually involves federal (not institutional) funds that are funneled through the college or university, it often occurs under the radar. If allowed to occur for a prolonged period of time, it results in less access to aid (and access to courses) for legitimate students and potentially affects an institution’s default rate.
 
Catching fraud can take a lot of staff time and financial resources, but technology can simplify the process. As an example, BioSig-ID allows institutions to track the IP addresses of applicants and to monitor suspicious login patterns. These patterns include multiple accounts logging in from the same IP address, accounts with multiple login failures, too many password resets and other behaviors that just don’t hold up. For example, a student who lives in Baltimore and submits all assignments from an IP address in Baltimore, except quizzes and exams, which arrive from an IP address in Houston. Don’t think so.
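The tells listed here, and the same list in the higher-education post earlier on this page (logins from atypical IP addresses, one set of credentials used from several IPs, logins that break an account’s historic pattern), can be checked mechanically over an activity log. The Go program below is an added illustration written for this page; it is not BioSig-ID code, and the log format, event names, thresholds and sample lines are all constructed for the example. It applies four of the tells to a short log: one account logging in from two IP addresses within a day, an account with repeated login failures or password resets, several accounts authenticating from the same IP, and the Baltimore/Houston pattern of coursework submitted from one address while exams arrive from another.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one line of a constructed activity log (not real data); Kind is login_ok, login_fail, pwd_reset, submit or exam.
type Event struct {
	At             time.Time
	User, Kind, IP string
}
// Illustrative thresholds: window for one account on two IPs, accounts per IP, failures and resets per account.
const sharedWindow, minAccountsPerIP, maxFailures, maxResets = 24 * time.Hour, 3, 3, 2
// Constructed sample log: RFC 3339 time, account, event, source IP.
const sampleLog = `2024-03-01T08:02:11Z alice login_ok 203.0.113.10
2024-03-01T08:05:40Z alice submit 203.0.113.10
2024-03-01T20:14:02Z alice login_ok 198.51.100.7
2024-03-01T20:20:55Z alice exam 198.51.100.7
2024-03-01T09:00:00Z bob login_fail 192.0.2.44
2024-03-01T09:00:30Z bob login_fail 192.0.2.44
2024-03-01T09:02:00Z bob pwd_reset 192.0.2.44
2024-03-01T09:03:00Z bob pwd_reset 192.0.2.44
2024-03-01T10:00:00Z carol login_ok 192.0.2.44
2024-03-01T10:01:00Z dave login_ok 192.0.2.44
2024-03-01T11:30:00Z grace submit 203.0.113.99
2024-03-01T12:00:00Z grace exam 203.0.113.99`

// parseLog turns the raw text into time-ordered events, rejecting malformed lines.
func parseLog(raw string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: want 4 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, Event{at, f[1], f[2], f[3]})
	}
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	return events, nil
}

// analyze applies the tells described in the text. Keys are "rule subject"; values explain the hit.
func analyze(events []Event) map[string]string {
	hits, byUser, accountsPerIP := map[string]string{}, map[string][]Event{}, map[string]int{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	for user, evs := range byUser {
		fails, resets, last := 0, 0, -1 // last: index of this account's previous successful login
		submitIPs, examIPs, seenIP, overlap := map[string]bool{}, map[string]bool{}, map[string]bool{}, false
		for i, e := range evs {
			switch e.Kind {
			case "login_fail":
				fails++
			case "pwd_reset":
				resets++
			case "submit":
				overlap, submitIPs[e.IP] = overlap || examIPs[e.IP], true
			case "exam":
				overlap, examIPs[e.IP] = overlap || submitIPs[e.IP], true
			case "login_ok": // same credentials from two IPs within the window: a shared or stolen password
				if last >= 0 && evs[last].IP != e.IP && e.At.Sub(evs[last].At) <= sharedWindow {
					hits["shared-credentials "+user] = evs[last].IP + " then " + e.IP
				}
				last = i
			}
			if (e.Kind == "login_ok" || e.Kind == "login_fail") && !seenIP[e.IP] {
				seenIP[e.IP], accountsPerIP[e.IP] = true, accountsPerIP[e.IP]+1
			}
		}
		if fails >= maxFailures || resets >= maxResets { // brute forcing, or someone who does not know the password
			hits["credential-churn "+user] = fmt.Sprint(fails, " failed logins, ", resets, " password resets")
		}
		if len(submitIPs) > 0 && len(examIPs) > 0 && !overlap { // coursework from one place, exams from another
			hits["assessment-ip-mismatch "+user] = "submit and exam IPs never coincide"
		}
	}
	// Many accounts behind one IP: a proxy or cheating ring, or just a campus NAT (allowlist those).
	for ip, n := range accountsPerIP {
		if n >= minAccountsPerIP {
			hits["many-accounts-one-ip "+ip] = fmt.Sprint(n, " distinct accounts")
		}
	}
	return hits
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println(analyze(events)) // fmt prints map keys in sorted order
}
```

In practice the thresholds are the interesting part: a campus NAT or a shared household will trip the accounts-per-IP rule, so allowlist known egress addresses, and treat every hit as a reason to look rather than as proof of fraud. Enriching the source IP with geolocation, as the Baltimore/Houston story implies, turns the same mismatch rule into a distance check, but the logic does not change.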
 
With BioSig-ID, we do all of the grunt work for you. We find the needle in the haystack and allow you to focus on what’s really important. Teaching.
 
To read more on how to protect yourself go to https://biosig-id.com/resources/blog/246-will-you-protect-your-school-from-student-loan-fraud-this-year
 
 
- Dr. Mark Sarver

GDPR Compliance Overview

 

A look at the EU’s General Data Protection Regulation (GDPR) and the new PCI DSS, and how BioSig-ID meets regulatory requirements to keep you in compliance

 

By Jeff Maynard, Founder, President and CEO, Biometric Signature ID

 

A new EU (European Union) regulation and the new PCI DSS (Payment Card Industry Data Security Standard) will redefine user privacy within Europe and beyond. The General Data Protection Regulation (GDPR) will have a far-reaching impact on organizations throughout the world.

GDPR is intended to broadly and conclusively provide data privacy and security protection for residents of the EU. It becomes effective May 25, 2018. 

The GDPR is binding on all 28 EU member states and replaces the previous framework, including the 1995 EU Data Protection Directive (95/46/EC). The GDPR has a wider reach and broader scope than the Directive. It can, in many cases, apply to U.S. higher education institutions and companies if those entities control or process data about residents of the EU.

 

What GDPR Covers

 

The GDPR imposes a variety of new requirements that organizations must follow, regarding:

 

·         Data security practices

·         Personal data usage and privacy restrictions

·         Data breach reporting requirements

·         Personal data consent collection requirements

 

Breach Responsibilities under GDPR

 

If your organization suffers a data breach, under the new EU compliance standard, the following may apply depending on the severity of the breach:

 

·         Organizations must notify the supervisory (data protection) authority, within 72 hours of becoming aware of the breach where feasible, and, where the breach is likely to result in a high risk to them, the affected data subjects

·         Your organization could be fined up to 4% of annual global turnover or €20 million, whichever is higher

 

 

Exceptions to the Rule
 

The GDPR does provide exceptions based on whether appropriate security controls were in place. For example, a breached organization that had rendered the data unintelligible to any person not authorized to access it, for instance through encryption, is not required to notify the affected data subjects.

The chances of being fined are also reduced if the organization can demonstrate that the breached data was protected.

 

 

Addressing GDPR Compliance
 

To maintain GDPR compliance requirements, organizations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:

 

·         Servers, including via file, application, database, and full disk virtual machine encryption

·         Storage, including through network-attached storage and storage area network encryption

·         Media, through disk encryption

·         Networks, for example through high-speed network encryption

 

Additionally, strong key management is required to not only protect the encrypted data, but to ensure the deletion of files to comply with a user’s “right to be forgotten.” 
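One concrete way key management makes deletion enforceable is crypto-shredding: encrypt each data subject’s records under their own key and destroy that key when the subject must be forgotten, so every copy of the ciphertext, including the backups nobody can find, becomes unintelligible in the sense of the breach-notification exception above. The page does not name this technique; the Go program below is an added illustration written for this page, not BioSig-ID code. It assumes an in-memory key map standing in for a KMS or HSM, a constructed patient record and made-up subject identifiers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrErased: the subject's key is gone. Ciphertexts may survive in backups, replicas or
// logs, but without the key they are unintelligible to anyone, including the controller.
var ErrErased = errors.New("subject key destroyed; records are unrecoverable")

// Store keeps one data-encryption key (DEK) per data subject. Erasing a subject deletes
// that key while the ciphertexts stay wherever they have spread. The keys map stands in
// for a KMS/HSM, where each DEK would itself be wrapped under a key-encryption key.
type Store struct {
	keys    map[string][]byte   // subject -> 32-byte AES-256 DEK
	records map[string][][]byte // subject -> nonce || AES-GCM ciphertext, one per record
}

func NewStore() *Store { return &Store{map[string][]byte{}, map[string][][]byte{}} }

// gcmFor returns the subject's AEAD, or ErrErased once their key is gone.
func (s *Store) gcmFor(subject string) (cipher.AEAD, error) {
	key, ok := s.keys[subject]
	if !ok {
		return nil, ErrErased
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts one record, minting the subject's DEK on their first record. An erased
// subject is not silently re-keyed: that would leave their old records as noise.
func (s *Store) Put(subject string, plaintext []byte) error {
	if _, ok := s.keys[subject]; !ok {
		if len(s.records[subject]) > 0 {
			return ErrErased
		}
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		s.keys[subject] = key
	}
	gcm, err := s.gcmFor(subject)
	if err != nil {
		return err
	}
	// Fresh random 96-bit nonce per record, stored in front of the ciphertext; rotate the
	// DEK long before 2^32 records. The subject ID goes in as additional authenticated
	// data, so a record cannot be replayed under another subject without failing the tag.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[subject] = append(s.records[subject], gcm.Seal(nonce, nonce, plaintext, []byte("rec:"+subject)))
	return nil
}

// Get decrypts all of a subject's records. Any tampered record fails authentication.
func (s *Store) Get(subject string) ([][]byte, error) {
	gcm, err := s.gcmFor(subject)
	if err != nil {
		return nil, err
	}
	var out [][]byte
	for _, ct := range s.records[subject] {
		if len(ct) < gcm.NonceSize() {
			return nil, errors.New("ciphertext too short")
		}
		pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], []byte("rec:"+subject))
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase implements the right to be forgotten: destroy the DEK, leave the ciphertexts behind.
func (s *Store) Erase(subject string) { delete(s.keys, subject) }

// Ciphertexts is what an attacker who copies the database or a backup actually obtains.
func (s *Store) Ciphertexts(subject string) [][]byte { return s.records[subject] }

func main() {
	s := NewStore()
	if err := s.Put("patient-42", []byte("constructed record: A1C 7.2")); err != nil {
		panic(err)
	}
	s.Erase("patient-42")
	_, err := s.Get("patient-42")
	fmt.Println(len(s.Ciphertexts("patient-42")), "ciphertext kept; read after erase:", err)
}
```

The same property is what lets a breached organization argue that encrypted records were never disclosed: without the data-encryption key, the ciphertext tells an attacker nothing. What the demo leaves out is exactly what an audit will ask about: the key-encryption key that wraps the DEKs inside a real KMS, a tamper-evident log of each key destruction, and the plaintext copies (exports, mail, support tickets) that escaped encryption in the first place.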

Organizations must also provide a way to verify the legitimacy of user identities and transactions to prove compliance. It is critical that the security controls in place be demonstrable and auditable.

GDPR expects organizations to stay in control of their data to ensure that it is accessed and processed by authorized users only when appropriate. The control requirements are covered in Articles 5, 25, and 32.

 

Under GDPR, Organizations ARE REQUIRED TO

 

·         Only process data for authorized purposes

·         Ensure data accuracy and integrity

·         Minimize subjects’ identity exposure

·         Implement data security measures

 

 

Data Security Measures and Compliance


The GDPR does not specifically mandate two-factor or multi-factor authentication; however, a careful read of the regulation leaves little doubt that if companies leave simple, static passwords in place and are breached, regulators will come for them.

This risk can be greatly reduced with multi-factor authentication, the first line of defense in any scenario. Strong authentication controls which users have access to the network and the resources within it. By assigning credentials to individuals authenticated with multi-factor solutions, organizations can track access to resources and monitor internal risks.

Multi-factor authentication also makes it more difficult for unauthorized users to access sensitive resources. For known and unknown threats, multi-factor authentication raises the barriers to data access making it easier for an organization to stay in control of their data.

Unlike prior laws, the GDPR takes the position that residents of the EU should not be deprived of security and privacy protections solely because a business or organization that targets those residents is located elsewhere (outside the EU). This provision brings companies throughout the world and the United States into the picture.

It’s important to note that no single solution will make an organization GDPR compliant. The regulation is too broad – covering everything from governance to contractual obligations. However, deploying measures such as MFA will go a long way to maintaining best practices and mitigating future data breaches.

 

BioSig-ID and GDPR

 

Biometric Signature ID’s authentication system meets the litmus test put forth by the GDPR. Not only is our BioSig-ID™ MFA biometric solution the only one of its kind, we provide all of the forensics and reporting needed to maintain sensitive personal information accurately and respond to incoming threats in real time.

BioSig-ID’s ability to revoke and replace credentials at any time makes it a privacy-sensitive biometric option for GDPR compliance. Unlike biometrics that rely on static physical attributes, BioSig-ID captures only a gesture, the act of drawing a password, which can be changed and which, if compromised, could not be used to steal a user’s identity.

In our global economy, most large companies are doing business in the EU or working with EU citizens. Cloud-based BioSig-ID offers a simple solution to the complex demands of identity authentication, providing a high level of biometric assurance without the inherent risk of other biometrics.

 

Satisfies PCI DSS and meets the GDPR requirements
 

Both the PCI DSS and the GDPR aim to ensure organizations secure personal data. The PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers. It also applies to all other entities that store, process or transmit cardholder data or sensitive authentication data.

The GDPR focuses on European residents’ personal data. The important difference is that the GDPR is less prescriptive than the PCI DSS. The GDPR provides guidance on what needs protecting but does not provide a detailed action plan. Conversely, the PCI DSS details clearly what needs to be achieved and provides a clear methodology for securing cardholder data.

 

The PCI DSS as a tool to achieve GDPR compliance


The PCI DSS establishes a set of controls for keeping cardholder data secure, supported by a compliance and validation framework. If deployed to the rest of the business, without extending the cardholder data environment, these same controls and processes could give organizations a head start in meeting the sixth principle of the GDPR (integrity and confidentiality). This principle requires data controllers and processors to assess risk, implement appropriate security for the data concerned and, crucially, check on a regular basis that it is up to date and that the controls protecting it are working effectively.

The first change to Requirement 8.3 in PCI DSS is the introduction of the term “multi-factor authentication” in place of the previous “two-factor authentication”, since two or more factors may be used. With this change, two factors becomes the minimum requirement. In the past, “two factors” has sometimes been taken to mean two instances of the same factor (multi-layer rather than multi-factor). For example, you know a password and are then asked a security question; both are something you know, so this is not multi-factor authentication as described below.

Multi-factor authentication requires the use of at least two of the three authentication factors as described in PCI DSS Requirement 8.2:

  • Something you know, such as a password, PIN or the answer to secret questions
  • Something you have, such as a token device or smartcard
  • Something you are, such as a biometric

 

A PCI breach is a GDPR breach

·         Under the GDPR, personal data “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4, clause 1)

·         As defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, cardholder data is, at a minimum, the full primary account number (PAN), but may also appear in the form of the full PAN plus one of the following: cardholder name, expiration date and/or service code

Where cardholder data includes any information that could be used to identify the individual, then it is personal data as defined by the GDPR. If that data is compromised in a data breach, the breached organization is likely to be liable under both the PCI DSS and the GDPR.

Note that the breach reporting obligations and fines described here are those set out in the GDPR itself.

 

For a description of the industry-accepted principles and best practices for an MFA implementation, see the PCI SSC Information Supplement: Multi-Factor Authentication, version 1.0.