
No More Passwords FIDO – Ep 361 

 June 24, 2022

By  Donna Grindle

We use passwords for everything. Creating a unique, secure password for every website and application can seem complicated, not to mention hard to remember them all, right? So, why hasn’t someone figured out how to get rid of the need for passwords? Well, today we are going to talk about the FIDO password killer solution.

A 5 star review is all we ask from our listeners.

In this episode:

No More Passwords FIDO – Ep 361

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[10:22] Here is a recent question submitted to us:

A psychotherapist sent my full record to an incorrect address in an attempt to cause harm. I submitted a complaint and it was dropped after nearly 5 months because she isn’t a covered entity. I assume this person sends something electronically under HHS guidelines (she is therefore a covered entity). What do you do if the OCR made a mistake?

#1 – To be a covered entity, the business or the provider of care (the psychotherapist in this case) must submit electronic claims for payment of services. Period. All of the other HIPAA transactions, like remittance advice, authorizations, eligibility checks, etc., are tied to submitting an electronic claim; they are all insurance processing. So, number one, if they do not accept insurance, then they are not going to be a covered entity.

#2 – Very small provider organizations (one provider, no help, no nothing) may take some insurance, but they will file it on paper. If they do that, then they are not a covered entity. There are plenty of small psychotherapist practices that do not process insurance at all. You can take their records and file a claim with your own insurance and potentially get paid, but the practice does not process the insurance, and that makes it not subject to HIPAA.

_________________

We also received a question about how you report a complaint to OCR anonymously.

HIPAA Complaint Process | HHS.gov

In that complaint process, they tell you the rules and what you have to do to file a complaint. They even have a little questionnaire that you can go through to help you figure out whether or not the provider or practice is considered a covered entity. During the process, they will ask who you are, because they may need to initiate a conversation with you to get more details; they often have questions for you. If they can’t get their questions answered, then likely there is nothing else they can do with the complaint.

If you do want to file an anonymous complaint, the easiest route is the mailing addresses they provide, where you can write a letter and send it. There are other ways, but they really want the ability to ask questions. Keep in mind, they see a lot of cases where disgruntled employees report something that doesn’t even exist.

So, on the website, I think it makes you give an email address at a minimum. But go to the complaint process link and follow all of the different options they give you to report. If you ask to maintain your anonymity, I believe that they will follow your wishes, so to speak.

405(d) Tip of the Week

[20:59] Practice #8 Incident response is the ability to discover cyberattacks on the network and prevent them from causing a data breach or loss. Incident response is often referred to as the standard “blocking and tackling” of information security. Many types of security incidents occur on a regular basis across organizations of all sizes. Two common security incidents that affect organizations of all sizes are 1) the installation and detection of malware, and 2) phishing attacks that include malicious payloads (via attachments and links).

For Small Organizations:

  • Establish and implement an incident response plan. Before an incident occurs, make sure you understand who will lead your incident investigation.
  • Execute your incident response plan. Once your incident response plan is implemented, ensure compliance with the plan’s elements. At minimum, your plan should describe steps to be followed in the event of malware downloaded on a computer or upon receipt of a phishing attack.
  • For malware attacks a good response is to re-image, rebuild, or reset affected computers to a known good state. For email phishing, identify malicious e-mail messages and delete from mailboxes and also identify malware that might have been installed on computers, and remediate appropriately if present.

For Medium/Large Organizations:

In addition to instituting the tips for Small Organizations be sure to incorporate the following:

  • Establish a Security Operations Center. A SOC is an organizational structure that leverages cybersecurity frameworks, people, tools, and processes to provide dedicated cybersecurity operations. Also utilize robust playbooks in your response process.
  • Engage in Information Sharing and Analysis Centers or Organizations (ISACs/ISAOs). The primary function of ISACs and ISAOs is to establish and maintain channels for sharing cyber intelligence. No two attacks are alike; therefore, we must learn from previous examples, including automated threat intel sharing.
  • Implement Incident Response Orchestration. This allows you to automate your incident response playbooks.

No More Passwords FIDO

[31:30] An alliance was founded in July 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio. The objective of the group was to create an industry standard passwordless authentication protocol for websites. They decided on “FIDO”, Fast IDentity Online, as the name, and the FIDO Alliance was born. Over the years, pretty much all of the big tech providers have become members of the Alliance.

Side Note: Unlike most techie groups they don’t seem to be jumping all in with a puppy mascot named FIDO, yet.

In May 2020, they published a consumer site, FidoAlliance.org, to start teaching about the standard and how it will be so awesome for the whole world as we know it.

After 10 years of work, we will all begin to benefit from this work in the very near future. There have been many “killer” tools over the years which only complicated things. For example, the list of tools that were billed as “email killers” is longer than we could begin to list. Yet, here we all are dealing with email every day to conduct business. This time, it looks like it may be possible to get rid of most of your passwords. Don’t think they will all be gone. You can simplify though and only remember two or three, hopefully.

March 17, 2022 – Death of the Password? FIDO Alliance Reveals Its New Plan | WIRED

May 5, 2022 – Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins – FIDO Alliance

The intent is to make the standard part of what they define as the Web’s DNA. They plan to do this with industry standards and collaboration, which they have already done. Next, shipping in devices and platforms at a massive scale. Finally, getting FIDO built into regulations and the government to embrace the solution.

If you want to understand how it works, there is a lot of information on the website, starting with the FIDO Masterclass. Certification programs are used to determine what level of security is in place: Functional FIDO certification levels, Security certification levels, plus Biometric certification levels.

Bottom line here is that the authentication will be built into the device operating systems and apps directly. Browsers already support it to some extent and it is growing.

How do they envision this will work?

[40:59] FIDO explains on its website that it is really no different from what you do today, other than making a point to use the FIDO options:

  1. Once a website has turned on FIDO, you’ll have the option to register using FIDO.
  2. You’ll be prompted by your operating system to use FIDO Device Unlock, the same method you use to unlock your device (like a fingerprint, face scan, or PIN) or a FIDO Security Key:
    1. Fingerprint
    2. Facial Scan
    3. Security Key
    4. Local PIN
  3. Next time you visit the website, you’ll have the option to log in with FIDO using the same method you use for your device.

Just like we look for certain icons or symbols to know what credit cards can be used, there will be FIDO symbols to let you know a site or app uses FIDO.


They also included things like account recovery for when a device is lost or stolen, since your login is linked to your devices. They also have the ability to sync the authentication across devices, which is very important as well. It does appear that we are on the edge of a password killer implementation.

Why are we talking about it now?

[42:56] There are some ways to use it today with Gmail, Windows accounts, Mint, eBay and Login.gov, but there isn’t widespread adoption. The big news that got it on our radar is that widespread adoption will be baked in for Apple devices starting with their next operating system versions.

June 10, 2022 – Apple just killed the password—for real this time

Big news for FIDO:

At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination. Wired

With Google and Microsoft already committed, we should expect to see the same coming soon for Windows and Android.

Stay tuned, folks.

We’ve heard several times in the past that someone is creating a way to kill email. Well, so far that hasn’t happened. But, FIDO as a password killer looks promising. We look forward to seeing where this goes. We’ll keep an eye on Apple to see how their “password killer” solution goes. Regardless, this is something we all need to keep in mind and pay attention to so we can have those conversations around passwordless logins.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
