After the September 11, 2001 attacks, STRAC undertook to help its hospitals protect their emergency rooms from potential attack, developing the first STRAC-ID card to improve physical security. Since then, cyber attacks have grown into a major threat not just to national security, but also to hospital business interests, quality of care, and patient privacy.
- Medical-related identity theft accounted for 43 percent of all identity thefts in the U.S. in 2013.
- Network passwords must be replaced and strengthened frequently, at substantial cost in both time and money.
- Physical (building) access systems typically use proprietary card solutions, driving costs higher.
- Imposters posing as nurses or doctors are common.
- Hackers frequently exploit username/password security to steal valuable, sensitive data. Remote access (VPN) is a favorite pathway for hackers because it relies on a single-factor username/password process.
- Implemented solutions are typically proprietary and neither broadly trusted nor broadly usable across disparate entities.
- Emergency responders with trusted ID cards can be put to work faster upon arriving at the scene.
One Identity Card, Many Hospitals and Applications
Since 2008, STRAC has provided its hospitals with a secure way to confirm the identity of physicians with a high degree of assurance. The STRAC-ID Card uses a federal standard (FIPS-201, the same used for IDs for federal government employees and military personnel) to enable different hospitals in different systems using different infrastructure and applications to know with certainty the identity of the person presenting the card.
STRAC-ID started off as a simple bar-code card used for physical access to the emergency room, the physicians’ parking lot, and the physicians’ lounge. Today, the card carries an embedded smart chip that contains electronic certificates allowing secure authentication not just for physical access but also for logical access to applications such as “tap-and-go” single sign-on, Active Directory integration, and VPN integration. Over 4,500 doctors in the San Antonio area use their STRAC-ID cards to prove their identity and gain access to places and systems. In all, approximately 6,000 STRAC-ID smartcards have been issued to physicians, Fire/EMS personnel, and mid-level health care providers. All of STRAC’s 53 hospitals accept STRAC-ID for physical access today; a growing number of sites use it for logical access.
Flexibility In Real Time
A hospital can rely upon the asserted identity of a STRAC-ID cardholder, regardless of the entity that sponsored that card. Depending upon the hospital business rules for a particular application, electronic identity authentication with a STRAC-ID card can require only the card (one-factor authentication), the card and a PIN (two-factor), or the card, a PIN, and a matching biometric, such as a fingerprint (three-factor). Using STRAC-ID rather than the problematic username/password combination typical in hospitals today eliminates the need for password resets, reduces human error, and can support non-repudiation where the situation calls for it.
Though a cardholder’s identity never changes, hospitals may frequently change the cardholder’s access rights to places and systems. Because the STRAC-ID provides certainty of who the cardholder is, a hospital can immediately remove access rights when the need arises. For example, STRAC developed a service for its hospitals that enables near-real-time removal of an identity from all participating physical access systems. And, if a card should be compromised (for example, if a hospital learns there was fraud in its issuance), it can be electronically revoked immediately so that any hospital will know not to trust the cardholder’s asserted identity.
At the heart of the value of the STRAC-ID is trust: trust that the card follows specific technical interoperability requirements, and trust that STRAC followed a specific, rigorous process in proofing the doctor’s identity and issuing the card. This trust is born not only of STRAC’s reputation and performance but, more importantly, of STRAC’s independently audited compliance with the federal standard. Though STRAC-ID has long been based on the federal FIPS-201 standard, STRAC is in the final stages of a two-year federal certification process. After STRAC obtains the federal certification, STRAC-ID will transition to an officially certified compliant “Personal Identity Verification – Interoperable” (PIV-I) card. As a certified PIV-I card, STRAC-ID will still look much the same as today, but it will gain automatic acceptance and trust from federal agencies.
To learn more about STRAC-ID or to see how it may benefit your agency, please contact us at [email protected].