Dec 23 2019

HHS Teams with DISA on Biometric Identity Login

The solution, embedded in a smartphone, could allow HHS to identify users by thumbprints, heart rate and even the applications that users interact with.

The Department of Health and Human Services protects millions of health records, and cybersecurity is a key concern.

That’s why HHS has partnered with the Defense Information Systems Agency to create biometric and behavior-based access credentials for employees. The system, called Assured Identity, was first hinted at by HHS CIO Jose Arrieta this past summer. 

Last month, HHS CISO Janet Vogel disclosed more details about the program and why HHS is using it. Speaking at the Digital Government Institute’s Cyber Security Conference and Expo: Women Leaders in Cyber on Nov. 14, Vogel noted that “locking down data is part of what we have to do on a regular basis,” MeriTalk reports.

Vogel acknowledged that, despite cybersecurity enhancements HHS has made, 7 million healthcare records were exposed in 2018, according to MeriTalk. And, at $6.2 million per breach in recovery costs, HHS knows that there is both a tangible and reputational cost to breaches.

At an agency as vast as HHS, it is difficult to manage employees’ endpoint security. Each of HHS’ 87,000 employees, especially those who use mobile devices, is a potential attack vector for malicious actors.


HHS Turns to Biometrics to Verify Users

Assured Identity uses biometric and behavioral factors to determine a user’s access credentials, according to MeriTalk. The publication reports: 

Factors like how a user is holding their phone, facial scans, thumbprints, heart rate, and even the applications that the user interacts with are measured to determine legitimacy. Assured Identity goes beyond two-factor authentication or strong password management standard and starts to use personal human signals that are almost impossible to duplicate.

HHS and DISA are still doing research on the project, but Vogel said she worried that funding constraints could limit how it develops. 

“In security, you’re successful if nothing happens. It’s hard to make the argument for investment in cybersecurity until something bad happens,” Vogel said, according to MeriTalk.

As FedScoop reports, the solution is “embedded into a device and uses more than 200 biological and contextual traits to build a unique credential that is continuously checked.” 

DISA approached an unnamed commercial phone chipset manufacturer over a year ago to develop authentication technology that could use a person’s gait as a factor, Maj. Nikolaus Ziegler, the military director of DISA’s Innovation Office, told FedScoop in August. 

DISA went about the project this way in part because all of the personally identifying data will stay on the device. Eventually, the goal is to have the identifying object be a wearable device, such as a watch or a necklace.
