In the agency’s latest effort to protect sensitive information, the Department of Health and Human Services (HHS) partnered with the Defense Information Systems Agency (DISA) to develop biometric and behavior-based access credentials for employees.
Teased by HHS CIO Jose Arrieta over the summer, CISO Janet Vogel gave a closer look at the justification behind the program at the Digital Government Institute’s Cybersecurity Conference and Expo: Women Leaders in Cyber on Nov. 14.
Vogel began by explaining HHS’s data problem.
“Locking down data is part of what we have to do on a regular basis,” Vogel said. While she commended HHS’s data security improvements, Vogel admitted that 7 million healthcare records were exposed in 2018. At $6.2 million per breach in recovery costs, protecting health data is crucial to HHS’s mission.
The program considers biometric and behavior indicators to determine a user’s access credentials. Factors like how a user is holding their phone, facial scans, thumbprints, heart rate, and even the applications that the user interacts with are measured to determine legitimacy. Assured Identity goes beyond two-factor authentication or strong password management standard and starts to utilize personal human signals that are almost impossible to duplicate.
Vogel said that HHS and DISA are still doing research on these methods but lamented that securing the funds for implementation could also pose future challenges.
“In security, you’re successful if nothing happens. It’s hard to make the argument for investment in cybersecurity until something bad happens,” Vogel said.
