Case Study: Password Authentication in eHealth Applications

1
Case Study: Password Authentication in eHealth Applications
Seventh National HIPAA Summit, September 15, 2003
  • Ken Patterson, CISSP
  • Information Security Officer
  • Harvard Pilgrim Health Care

2
Harvard Pilgrim Health Care
  • Medium size health plan serving MA, NH, and ME
  • 800,000 Members
  • 22,000 Providers
  • 6,000 Employer Broker Accounts
  • Web Applications supporting all of our
    constituents

3
Password Controls
  • Minimum 8 characters
  • Cannot use username, first name, or last name
    combinations
  • Must use at least one numeric and one alphabetic
    character
  • Cannot use a dictionary word
  • Cannot use simple strings (e.g., sequential or
    repeated characters)
  • Password lockout after unsuccessful attempts
  • Password change aging (periodic forced change)
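The password controls above, implemented as an added Python example (not code from the presentation or from Harvard Pilgrim): `check_password` returns the list of rules a candidate password violates, and `LoginState` models the lockout and aging controls. The word list, the four-character run used to detect "strings", the five-attempt lockout and the 90-day aging period are all assumptions; the slide names none of these values.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a real word list; production code would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "boston", "harvard", "pilgrim", "health"}


def _contains_sequence(password: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters form an ascending, descending or repeated
    string such as 'abcd', '4321' or 'aaaa' (the run length is an assumption)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(password, username, first_name, last_name, dictionary=DICTIONARY):
    """Return the list of slide-3 rules the candidate violates; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("minimum 8 characters")
    for label, name in (("username", username), ("first name", first_name), ("last name", last_name)):
        if name and name.lower() in lowered:
            problems.append(f"contains {label}")
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        problems.append("needs at least one letter and one digit")
    # Strip digits and punctuation so 'Summer2003' is still caught as the word 'summer'.
    if lowered in dictionary or re.sub(r"[^a-z]", "", lowered) in dictionary:
        problems.append("dictionary word")
    if _contains_sequence(password):
        problems.append("sequential or repeated string")
    return problems


class LoginState:
    """Lockout and password aging for one account. Both thresholds are assumptions;
    the deck says only that lockout and aging exist."""
    MAX_FAILURES = 5
    MAX_AGE_DAYS = 90

    def __init__(self, password_set_on: str):
        self.password_set_on = date.fromisoformat(password_set_on)
        self.failures = 0

    def record_attempt(self, success: bool) -> str:
        """Returns 'ok', 'failed' or 'locked'. Once locked, even a correct password is
        refused until the lockout is cleared out of band."""
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.MAX_FAILURES else "failed"

    def password_expired(self, today: str) -> bool:
        """Password change aging: True once the password is older than MAX_AGE_DAYS."""
        return date.fromisoformat(today) > self.password_set_on + timedelta(days=self.MAX_AGE_DAYS)


if __name__ == "__main__":
    for candidate in ("short1", "Summer2003", "Ken12345x", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate, "kpatterson", "Ken", "Patterson") or "accepted")
```

The name check is a plain substring test, which is what "combinations" of username and names amounts to in practice; the dictionary check strips non-letters first so that the common trick of appending a year to a word does not slip past it.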

4
Subscriber vs. Member Model
  • Subscriber: owner of the health plan account
  • One account for the subscriber that contains all
    family members
  • Self-service account creation
  • Supply the following to create an account:
    • Social Security Number
    • Date of Birth
    • Member ID Number
  • Re-enter the same three items if the password is
    forgotten
  • Subscriber has access to view and change
    demographic and PCP information for plan members

5
Subscriber vs. Member Model
  • Members are individuals identified on a health
    plan account who have a relationship to a valid
    subscriber
  • Member model:
    • Each adult member has their own account with
      health information
    • Access to view and change demographic and PCP
      info
    • Claims, referrals, medications, and more to come
    • Secure messaging also available
    • Links to other business partners that require an
      authenticated member

6
Registering Members
  • Self-registration via the web: identity assurance
    considered an issue
  • Benchmarked other organizations
    • Industry best practice: financial services
    • Healthcare: some best-in-class examples
  • Adopted the best practice approach:
    • Generate a one-time password (OTP)
    • Send the OTP via first class U.S. Mail to the
      member's address of record
    • Good for 60 days
    • Member creates permanent userid and password
    • Password controls apply

7
Forgotten Password
  • Benchmarked other organizations
  • Industry best practice (financial): PIN / new
    password sent to home address
  • Healthcare: definitely not best practice
    • Password reminder or "hint" questions used,
      e.g., mother's maiden name, pet's name
    • Not secret; easily guessable

8
Forgotten Password
  • Best practice was proposed: send a new OTP by
    first class U.S. Mail to the address of record
  • Senior management pressure against using best
    practice
    • Would adversely affect eHealth adoption
    • Could not find other healthcare industry
      examples using best practice
  • Compromise approach: informed consent by the
    member
    • Choice made at account creation
    • Use of U.S. Mail recommended / default
    • Password reminder an option; use with caution
    • Can change the choice later

9
Forgotten Password
  • Must provide Member ID number and Date of Birth
  • Choices for password reminder question:
    • Name a place you would like to visit
    • Name of an actor or actress
    • Name of a teacher or student
    • Name of a historical or literary figure
    • Name of a food or drink
    • Name of a book or movie
  • Select new password
  • Confirmation letter sent to home address after
    password change
  • Lock-out in place for unsuccessful attempts;
    revert to U.S. Mail
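The mailed-OTP registration flow on slide 6 and the forgotten-password flow on slides 8 and 9, as one added Python example (not the presentation's or Harvard Pilgrim's code). It models an account whose recovery method is chosen at creation, issues a 60-day OTP to the address of record, requires Member ID and date of birth before any reset, counts reminder failures and reverts to U.S. Mail on lockout, and queues a confirmation letter after a password change. The three-failure lockout threshold, the account fields, the hashing choices (PBKDF2 for passwords, SHA-256 for OTPs and reminder answers) and the sample member data are assumptions or constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

OTP_VALIDITY_DAYS = 60        # from the deck: the mailed OTP is good for 60 days
MAX_REMINDER_FAILURES = 3     # assumption: the deck says a lockout exists, not the count


def _digest(value: str) -> str:
    """Normalize and hash an OTP or reminder answer. Hashing keeps the plaintext out of
    the database; it does not make a low-entropy answer such as a pet's name secret."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


@dataclass
class MailedOTP:
    digest: str
    expires: date
    used: bool = False


@dataclass
class MemberAccount:
    member_id: str
    dob: date
    address_of_record: str
    recovery_method: str = "mail"      # chosen at account creation; U.S. Mail is the default
    reminder_question: Optional[str] = None
    reminder_digest: Optional[str] = None
    password_salt: bytes = b""
    password_hash: bytes = b""
    pending_otp: Optional[MailedOTP] = None
    reminder_failures: int = 0
    letters: list = field(default_factory=list)   # stand-in for the print-and-mail queue


def issue_mailed_otp(acct: MemberAccount, today: date) -> str:
    """Slide 6 registration and slide 8 reset: a random OTP mailed to the address of record."""
    otp = secrets.token_urlsafe(9)
    acct.pending_otp = MailedOTP(_digest(otp), today + timedelta(days=OTP_VALIDITY_DAYS))
    acct.letters.append("otp")
    return otp   # handed to the mail job only; never displayed on the web


def redeem_otp(acct: MemberAccount, otp: str, today: date) -> bool:
    """Single use, constant-time compare, refused after the 60-day window."""
    p = acct.pending_otp
    if p is None or p.used or today > p.expires:
        return False
    if not hmac.compare_digest(p.digest, _digest(otp)):
        return False
    p.used = True
    return True


def set_password(acct: MemberAccount, password: str) -> None:
    """Store the permanent password; a confirmation letter goes to the home address."""
    acct.password_salt = secrets.token_bytes(16)
    acct.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.password_salt, 200_000)
    acct.letters.append("password change confirmation")


def choose_recovery(acct, method, question=None, answer=None):
    """Informed-consent choice from slide 8; the member may change it later."""
    acct.recovery_method = method
    if method == "reminder":
        acct.reminder_question, acct.reminder_digest = question, _digest(answer)


def begin_forgotten_password(acct, member_id, dob, today) -> str:
    """Slide 9: Member ID and DOB are checked first, then route by the member's choice."""
    if member_id != acct.member_id or dob != acct.dob:
        return "denied"
    if acct.recovery_method == "reminder" and acct.reminder_failures < MAX_REMINDER_FAILURES:
        return "reminder"
    issue_mailed_otp(acct, today)
    return "mail"


def answer_reminder(acct, answer, today) -> str:
    """Returns 'ok', 'retry' or 'locked'; on lockout the flow reverts to U.S. Mail."""
    if acct.recovery_method != "reminder" or acct.reminder_failures >= MAX_REMINDER_FAILURES:
        return "locked"
    if hmac.compare_digest(acct.reminder_digest, _digest(answer)):
        acct.reminder_failures = 0
        return "ok"
    acct.reminder_failures += 1
    if acct.reminder_failures >= MAX_REMINDER_FAILURES:
        issue_mailed_otp(acct, today)   # revert to U.S. Mail
        return "locked"
    return "retry"


def run_demo() -> dict:
    """Constructed walk-through: registration, then a reminder-based reset that locks out."""
    t0 = date(2003, 9, 15)
    acct = MemberAccount("M123456", date(1970, 1, 1), "1 Main St, Wellesley MA")  # constructed
    r = {}
    otp = issue_mailed_otp(acct, t0)
    r["otp_after_60_days"] = redeem_otp(acct, otp, t0 + timedelta(days=61))
    r["registration"] = redeem_otp(acct, otp, t0 + timedelta(days=10))
    r["otp_replay"] = redeem_otp(acct, otp, t0 + timedelta(days=10))
    set_password(acct, "Tr0ub4dor&3")
    choose_recovery(acct, "reminder", "Name of a food or drink", "pizza")
    t1 = t0 + timedelta(days=30)
    r["wrong_dob"] = begin_forgotten_password(acct, "M123456", date(1971, 1, 1), t1)
    r["route"] = begin_forgotten_password(acct, "M123456", date(1970, 1, 1), t1)
    r["guesses"] = [answer_reminder(acct, g, t1) for g in ("burger", "taco", "sushi")]
    r["correct_after_lock"] = answer_reminder(acct, "pizza", t1)
    r["letters"] = list(acct.letters)
    return r


if __name__ == "__main__":
    print(run_demo())
```

The walk-through makes the deck's own conclusion visible: the reminder answer is checked with the same care as a password, yet three guesses at "name of a food or drink" already reach the lockout, at which point the only thing standing between a guesser and the account is the mailed OTP.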

10
Conclusion
  • A password reminder is still a backdoor password
    and does not conform to password controls
  • A password reminder may not be secret
  • Some healthcare organizations have weak security
    controls for their web applications that access
    PHI
  • Still looking for an easy and cost-effective
    solution to securely authenticate self-service
    registrations for web access to PHI
  • Anyone for a Patient National ID system?