Case Study: Password Authentication in eHealth Applications - PowerPoint PPT Presentation

Loading...

PPT – Case Study: Password Authentication in eHealth Applications PowerPoint presentation | free to download - id: 207cd9-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Case Study: Password Authentication in eHealth Applications

Description:

Subscriber owner of the health plan account ... Password Reminder or 'hint' questions used. Mother's maiden name. Pet's name ... – PowerPoint PPT presentation

Number of Views:25
Avg rating:3.0/5.0
Slides: 11
Provided by: benl161
Learn more at: http://www.ehcca.com
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Case Study: Password Authentication in eHealth Applications


1
Case Study Password Authentication in eHealth
Applications
Seventh National HIPAA SummitSeptember 15, 2003
  • Ken Patterson, CISSP
  • Information Security Officer
  • Harvard Pilgrim Health Care

2
Harvard Pilgrim Health Care
  • Medium size health plan serving MA, NH, and ME
  • 800,000 Members
  • 22,000 Providers
  • 6,000 Employer Broker Accounts
  • Web Applications supporting all of our
    constituents

Ken Patterson
3
Password Controls
  • Minimum 8 characters
  • Can not use username, first name, or last name
    combinations
  • Must use at least 1 numeric alpha
  • Can not use dictionary word
  • Can not use strings
  • Password lockout
  • Password change aging

Ken Patterson
4
Subscriber vs. Member Model
  • Subscriber owner of the health plan account
  • One account for subscriber that contains all
    family members
  • Self-service account creation
  • Supply the following to create an account
  • Social Security Number
  • Date of Birth
  • Member ID Number
  • Re-enter if password is forgotten
  • Subscriber has access to view and change
    demographic and PCP information for plan members

Ken Patterson
5
Subscriber vs. Member Model
  • Members are individuals identified on a health
    plan account that have a relationship to a valid
    subscriber
  • Member model
  • Each adult member has their own account with
    health information
  • Access to view and change demographic and PCP
    info
  • Claims, referrals, medications more more to
    come
  • Secure messaging also available
  • Links to other business partners that require an
    authenticated member

Ken Patterson
6
Registering Members
  • Self-registration via web considered assurance
    an issue
  • Benchmarked other organizations
  • Industry best practice financial
  • Healthcare some best in class
  • Adopted best practice approach
  • Generate a one-time password (OTP)
  • Send OTP via first class U.S. Mail to members
    address of record
  • Good for 60 days
  • Member creates permanent userid and password
  • Use password controls

Ken Patterson
7
Forgotten Password
  • Benchmarked other organizations
  • Industry best practice financial
  • PIN / new password sent to home address
  • Healthcare definitely not best practice
  • Password Reminder or hint questions used
  • Mothers maiden name
  • Pets name
  • Not secret easily guessable

Ken Patterson
8
Forgotten Password
  • Best practice was proposed
  • Send new OTP first class U.S. Mail to address of
    record
  • Senior management pressure against using best
    practice
  • Adversely affect eHealth adoption
  • Can not find other healthcare industry examples
    using best practice
  • Compromise approach informed consent by member
  • Choice made at account creation
  • Use of U.S. Mail recommended / default
  • Password reminder an option use with caution
  • Can change choice later

Ken Patterson
9
Forgotten Password
  • Must provide Member ID number and Date of Birth
  • Choices for password reminder
  • Name a place you would like to visit
  • Name of an actor or actress
  • Name of a teacher or student
  • Name of a historical or literary figure
  • Name of a food or drink
  • Name of a book or movie
  • Select new password
  • Confirmation letter sent to home address after pw
    change
  • Lock-out in place for unsuccessful attempts
  • Revert to U.S. Mail

Ken Patterson
10
Conclusion
  • A password reminder is still a backdoor password
    and does not conform to password controls
  • A password reminder may not be secret
  • Some healthcare organizations have weak security
    controls for their web applications that access
    PHI
  • Still looking for an easy and cost-effective
    solution to securely authenticate self-service
    registrations for web access to PHI
  • Anyone for a Patient National ID system?
About PowerShow.com