Can you prove it?

 

Most security regulations use the wildcard term “reasonable” when referring to security policies that maintain the integrity of covered systems. 

So, what does reasonable mean? The answer is changing all the time. What was reasonable yesterday may or may not be reasonable today or tomorrow, as technology, circumstances, and vulnerabilities evolve over time.

For example, the workplace and security landscape have forever changed due to COVID-19. Users work remotely, often on BYOD (Bring Your Own Device) hardware, and work for third- or fourth-party vendors. This presents a well-documented set of risk and security challenges to organizations that have significant reputational exposure in a breach.

The ease (and some might argue prevalence) with which credentials and MFA (Multi-Factor Authentication) codes can be shared amongst users makes it difficult to prove which physical person was behind a logon event and, more importantly, which physical person was present during the entire access session. From a regulatory perspective, that is a bad place to be.

Security regulations designed to protect ePHI and PII content make specific reference to physical security requirements, which is a challenge in a remote work setting. SessionGuardian offers a technical solution that can continuously ensure that only the authorized user is allowed to view protected content wherever they are connected. This enables a regulated business to provide an end-to-end audit trail proving reasonable efforts were undertaken to comply even in a remote work setting.  

An organization that has taken all reasonable steps to safeguard the information it is responsible for will not only lower the risk of a breach, but will also limit its legal and regulatory exposure in the unfortunate event of a breach.

The time has come to enhance authentication capabilities with technology that can physically recognize a user logging on. 

If these issues keep you up at night, please drop me a line.  

The SessionGuardian team will also be available for live demos and consultations at the following industry events: 

  • FS-ISAC – Denver – Mar 19th-22nd – Booth 325

  • LegalWeek – NYC – Mar 20th-23rd – Booth 2308 

  • HIMSS (Healthcare Info Mgmt. Systems Society) – Chicago – Apr 16th-20th – Citrix Ready Booth 674 

  • RSA – San Francisco – Apr 24th-27th – Booth ESE-12 

 
