In the agency’s latest effort to protect sensitive information, the Department of Health and Human Services (HHS) partnered with the Defense Information Systems Agency (DISA) to develop biometric and behavior-based access credentials for employees.
HHS CIO Jose Arrieta teased the program over the summer; on Nov. 14, CISO Janet Vogel gave a closer look at the justification behind it at the Digital Government Institute’s Cybersecurity Conference and Expo: Women Leaders in Cyber.
Vogel began by explaining HHS’s data problem.
“Locking down data is part of what we have to do on a regular basis,” Vogel said. While she commended HHS’s data security improvements, Vogel acknowledged that 7 million healthcare records were exposed in 2018. At $6.2 million per breach in recovery costs, protecting health data is crucial to HHS’s mission.
HHS supports 87,000 employees, Vogel explained, which is difficult to manage from an endpoint security perspective. Every user is a potential entry point through which malicious actors can reach sensitive HHS information, especially as work becomes intertwined with personal mobile devices. To combat this, HHS teamed up with DISA to develop the Assured Identity pilot program.
The program considers biometric and behavioral indicators to determine a user’s access credentials. Factors like how a user holds their phone, facial scans, thumbprints, heart rate, and even the applications the user interacts with are measured to determine legitimacy. Assured Identity goes beyond the two-factor authentication or strong-password standard and starts to use personal human signals that are far harder for an attacker to replicate than a password or token. Because such signals are probabilistic rather than exact matches, a system of this kind produces a confidence score that it must continually re-evaluate, not a one-time yes or no.
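As an added illustration (not code from HHS, DISA or the Assured Identity pilot, whose internals the article does not describe), the Python model below shows how multi-signal, behavior-based authentication is commonly scored: each sensor contributes a confidence that decays as it ages, confidences are fused by weight over the signals actually present, a session with too little evidence is capped, and the fused trust score maps to an allow / step-up / deny decision. The weights, thresholds, half-life, enrolled baseline and sample sessions are all hypothetical values chosen for the example.

```python
"""Continuous-authentication scoring model (added example; hypothetical values)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple

# Hypothetical per-signal weights (sum to 1.0). A real deployment would derive
# them from each sensor's measured false-accept / false-reject rates.
WEIGHTS = {
    "face": 0.35,
    "fingerprint": 0.30,
    "grip": 0.15,        # how the phone is held, vs. the enrolled baseline
    "heart_rate": 0.10,
    "app_usage": 0.10,   # does the app mix look like this user's normal day?
}

# Hypothetical policy thresholds on the fused trust score.
ALLOW = 0.70       # >= ALLOW: session continues silently
STEP_UP = 0.40     # STEP_UP..ALLOW: re-prompt with a stronger factor
MIN_COVERAGE = 0.5 # need at least half the total weight observed for full credit
HALF_LIFE_S = 300.0  # a signal's confidence halves every 5 minutes unrefreshed


@dataclass
class Observation:
    signal: str
    confidence: float  # 0..1 from the sensor's own matcher
    age_s: float       # seconds since the observation was taken


def behavioral_confidence(sample: float, baseline: List[float], tolerance: float = 3.0) -> float:
    """Turn a scalar behavioral feature (grip angle, resting heart rate, ...)
    into a 0..1 confidence by its z-score against the enrolled baseline.
    1.0 at the baseline mean, 0.0 at `tolerance` standard deviations away."""
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1e-9
    z = abs(sample - mu) / sigma
    return max(0.0, 1.0 - z / tolerance)


def decay(confidence: float, age_s: float) -> float:
    """Exponential decay so stale evidence stops vouching for the user."""
    return confidence * 0.5 ** (age_s / HALF_LIFE_S)


def fuse(observations: List[Observation]) -> float:
    """Weighted mean of decayed confidences over the signals present, scaled
    down when the observed weight falls below MIN_COVERAGE so a single
    low-weight signal (e.g. app usage alone) can never reach ALLOW."""
    present = {}
    for o in observations:
        if o.signal in WEIGHTS:
            present[o.signal] = decay(min(1.0, max(0.0, o.confidence)), o.age_s)
    if not present:
        return 0.0
    total_w = sum(WEIGHTS[s] for s in present)
    score = sum(WEIGHTS[s] * c for s, c in present.items()) / total_w
    return score * min(1.0, total_w / MIN_COVERAGE)


def decide(score: float) -> str:
    if score >= ALLOW:
        return "allow"
    if score >= STEP_UP:
        return "step_up"
    return "deny"


def evaluate_session(observations: List[Observation]) -> Tuple[float, str]:
    score = fuse(observations)
    return score, decide(score)


# Constructed sample data: enrolled grip angles (degrees) for one user.
GRIP_BASELINE = [42, 44, 43, 45, 41, 43]

# Constructed sessions. Legit user, all sensors fresh and agreeing.
LEGIT_SESSION = [
    Observation("face", 0.95, 10),
    Observation("fingerprint", 0.98, 60),
    Observation("grip", behavioral_confidence(44, GRIP_BASELINE), 5),
    Observation("heart_rate", 0.80, 30),
    Observation("app_usage", 0.90, 20),
]
# Same user, but the face scan is 10 minutes old and no fingerprint since.
STALE_SESSION = [
    Observation("face", 0.90, 600),
    Observation("grip", behavioral_confidence(44, GRIP_BASELINE), 5),
    Observation("heart_rate", 0.80, 30),
    Observation("app_usage", 0.90, 20),
]
# Phone taken while unlocked: last fingerprint 30 min ago, grip way off baseline.
STOLEN_SESSION = [
    Observation("fingerprint", 0.98, 1800),
    Observation("grip", behavioral_confidence(60, GRIP_BASELINE), 5),
    Observation("app_usage", 0.30, 10),
]
# Only one weak signal, however confident: insufficient coverage.
APP_ONLY_SESSION = [Observation("app_usage", 0.95, 0)]

if __name__ == "__main__":
    for name, session in [("legit", LEGIT_SESSION), ("stale", STALE_SESSION),
                          ("stolen", STOLEN_SESSION), ("app_only", APP_ONLY_SESSION)]:
        print(name, evaluate_session(session))
```

The point of the decay and coverage terms is the failure mode the article's scenario implies: a phone that was legitimately unlocked an hour ago should not stay trusted indefinitely, and a single easy-to-mimic signal should never be enough on its own.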
Vogel said that HHS and DISA are still researching these methods, but warned that securing the funds for implementation could pose a challenge down the road.
“In security, you’re successful if nothing happens. It’s hard to make the argument for investment in cybersecurity until something bad happens,” Vogel said.