
Case Study: Password Authentication in eHealth Applications

Seventh National HIPAA Summit September 15, 2003. Case Study: Password Authentication in eHealth Applications. Ken Patterson, CISSP Information Security Officer Harvard Pilgrim Health Care. Harvard Pilgrim Health Care. Medium size health plan serving MA, NH, and ME 800,000+ Members


Presentation Transcript


  1. Seventh National HIPAA Summit, September 15, 2003
     Case Study: Password Authentication in eHealth Applications
     Ken Patterson, CISSP, Information Security Officer, Harvard Pilgrim Health Care

  2. Harvard Pilgrim Health Care
     • Medium size health plan serving MA, NH, and ME
     • 800,000+ Members
     • 22,000+ Providers
     • 6,000 Employer & Broker Accounts
     • Web Applications supporting all of our constituents

  3. Password Controls
     • Minimum 8 characters
     • Cannot use username, first name, or last name combinations
     • Must use at least 1 numeric & alpha
     • Cannot use dictionary word
     • Cannot use strings
     • Password lockout
     • Password change & aging
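The controls on slide 3 as a checker, written as an added example for this transcript rather than code from Harvard Pilgrim or the presenter. The word list, the name-combination rules and the reading of "strings" as runs of four or more sequential or repeated characters are assumptions of the example; the lockout and aging controls are stateful and are not covered here.

```python
# Added example (not from the presentation): a checker for the password controls
# listed on slide 3. The dictionary, the name-combination rules and the meaning
# of "strings" (runs of sequential or repeated characters) are assumptions.
import re
from dataclasses import dataclass

# Constructed stand-in for a real word list; a deployment would load one from disk.
DICTIONARY_WORDS = {"password", "welcome", "summer", "boston", "harvard", "pilgrim"}

MIN_LENGTH = 8        # slide 3: minimum 8 characters
RUN_LENGTH = 4        # assumption: a "string" is 4+ sequential/repeated characters


@dataclass
class Account:
    username: str
    first_name: str
    last_name: str


def name_fragments(account: Account) -> set[str]:
    """Strings derived from the user's identity that a password may not contain."""
    first, last = account.first_name, account.last_name
    parts = {account.username, first, last, first + last, last + first}
    if first and last:
        parts.add(first[0] + last)   # assumption: initial + surname also counts
    return {p.lower() for p in parts if p}


def has_character_run(password: str, length: int = RUN_LENGTH) -> bool:
    """True if any window of `length` chars is all identical or steps by exactly +1/-1."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def uses_dictionary_word(password: str) -> bool:
    """Flag the whole password or its letters-only core if either is a known word."""
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    return lowered in DICTIONARY_WORDS or letters_only in DICTIONARY_WORDS


def check_password(password: str, account: Account) -> list[str]:
    """Return the controls the candidate password violates; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("minimum 8 characters")
    if any(fragment in lowered for fragment in name_fragments(account)):
        problems.append("cannot use username, first name, or last name combinations")
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Za-z]", password)):
        problems.append("must use at least 1 numeric & alpha")
    if uses_dictionary_word(password):
        problems.append("cannot use dictionary word")
    if has_character_run(password):
        problems.append("cannot use strings (sequential or repeated characters)")
    return problems


if __name__ == "__main__":
    acct = Account("jsmith", "John", "Smith")   # constructed sample account
    for candidate in ["Summer2003", "jsmith99xx", "abcd1234", "Tr0ub4dor!x"]:
        print(candidate, "->", check_password(candidate, acct) or "accepted")
```

The checker returns every violated control rather than stopping at the first, which is what a registration form needs in order to tell the member exactly why a candidate was rejected. The letters-only dictionary check is there because a digit appended to a dictionary word ("Summer2003") satisfies the numeric-and-alpha rule while adding little to guessing resistance.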

  4. Subscriber vs. Member Model
     • Subscriber – owner of the health plan account
     • One account for subscriber that contains all family members
     • Self-service account creation
       • Supply the following to create an account
         • Social Security Number
         • Date of Birth
         • Member ID Number
       • Re-enter if password is forgotten
     • Subscriber has access to view and change demographic and PCP information for plan members

  5. Subscriber vs. Member Model
     • Members are individuals identified on a health plan account that have a relationship to a valid subscriber
     • Member model
       • Each adult member has their own account with health information
       • Access to view and change demographic and PCP info
       • Claims, referrals, medications… more & more to come
       • Secure messaging also available
       • Links to other business partners that require an authenticated member

  6. Registering Members
     • Self-registration via web considered – assurance an issue
     • Benchmarked other organizations
       • Industry best practice – financial
       • Healthcare – some best in class
     • Adopted best practice approach
       • Generate a one-time password (OTP)
       • Send OTP via first class U.S. Mail to member’s address of record
       • Good for 60 days
       • Member creates permanent userid and password
       • Use password controls

  7. Forgotten Password
     • Benchmarked other organizations
       • Industry best practice – financial
         • PIN / new password sent to home address
       • Healthcare – definitely not best practice
         • Password Reminder or “hint” questions used
           • Mother’s maiden name
           • Pet’s name
         • Not secret & easily guessable

  8. Forgotten Password
     • Best practice was proposed
       • Send new OTP first class U.S. Mail to address of record
     • Senior management pressure against using best practice
       • Adversely affect eHealth adoption
       • Cannot find other healthcare industry examples using best practice
     • Compromise approach – informed consent by member
       • Choice made at account creation
       • Use of U.S. Mail recommended / default
       • Password reminder an option – use with caution
       • Can change choice later

  9. Forgotten Password
     • Must provide Member ID number and Date of Birth
     • Choices for password reminder
       • Name a place you would like to visit
       • Name of an actor or actress
       • Name of a teacher or student
       • Name of a historical or literary figure
       • Name of a food or drink
       • Name of a book or movie
     • Select new password
     • Confirmation letter sent to home address after password change
     • Lock-out in place for unsuccessful attempts
       • Revert to U.S. Mail
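The mailed one-time-password path that slide 6 uses for registration and slide 9 falls back to after a lock-out, as an added example; this is not Harvard Pilgrim's code. It keeps only a salted PBKDF2 digest of the OTP, enforces the 60-day validity from slide 6, allows a single successful use, and locks the member after repeated wrong guesses until a fresh letter is issued. The attempt threshold, the PBKDF2 parameters and the `outbound_mail` stand-in for the letter-printing queue are assumptions of the example.

```python
# Added example (not from the presentation): the mailed one-time-password flow of
# slides 6 and 9 as a small state machine. The OTP is stored only as a salted
# PBKDF2 digest, expires after 60 days, works once, and a burst of wrong guesses
# locks the member until a fresh letter is issued ("revert to U.S. Mail").
# The attempt limit and the PBKDF2 parameters are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OTP_VALID_DAYS = 60    # slide 6: "Good for 60 days"
MAX_ATTEMPTS = 5       # assumption: the slide says lock-out exists, not the threshold
PBKDF2_ROUNDS = 100_000


def otp_digest(salt: bytes, code: str) -> bytes:
    """Salted, slow hash of the mailed code; only this is kept server-side."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PendingOtp:
    salt: bytes
    digest: bytes
    expires: datetime
    attempts: int = 0
    used: bool = False


class OtpRegistry:
    """Tracks outstanding mailed OTPs per member ID."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingOtp] = {}
        self._locked: set[str] = set()
        # Constructed stand-in for the letter-printing queue: (address, code) pairs.
        self.outbound_mail: list[tuple[str, str]] = []

    def issue(self, member_id: str, address_of_record: str, now: datetime) -> str:
        """Generate an OTP, queue the letter, and clear any lock-out (mail is the recovery path)."""
        code = secrets.token_urlsafe(9)          # ~72 bits of entropy, printable on a letter
        salt = secrets.token_bytes(16)
        self._pending[member_id] = PendingOtp(
            salt, otp_digest(salt, code), now + timedelta(days=OTP_VALID_DAYS))
        self._locked.discard(member_id)
        self.outbound_mail.append((address_of_record, code))
        return code  # returned only so a caller or test can play the member opening the letter

    def redeem(self, member_id: str, code: str, now: datetime) -> str:
        """Return one of: ok, unknown, locked, used, expired, invalid."""
        entry = self._pending.get(member_id)
        if entry is None:
            return "unknown"
        if member_id in self._locked:
            return "locked"
        if entry.used:
            return "used"
        if now > entry.expires:
            return "expired"
        if not hmac.compare_digest(entry.digest, otp_digest(entry.salt, code)):
            entry.attempts += 1
            if entry.attempts >= MAX_ATTEMPTS:
                self._locked.add(member_id)
                return "locked"
            return "invalid"
        entry.used = True   # single use: the member now sets a permanent userid and password
        return "ok"

    def is_locked(self, member_id: str) -> bool:
        return member_id in self._locked


if __name__ == "__main__":
    registry = OtpRegistry()
    issued_at = datetime(2003, 9, 15, tzinfo=timezone.utc)   # constructed timestamp
    letter_code = registry.issue("HPHC-000001", "1 Main St, Boston MA", issued_at)
    print(registry.redeem("HPHC-000001", "wrong-guess", issued_at))
    print(registry.redeem("HPHC-000001", letter_code, issued_at + timedelta(days=30)))
    print(registry.redeem("HPHC-000001", letter_code, issued_at + timedelta(days=30)))
```

Lock-out state lives alongside the pending OTP rather than on the member's permanent account, so a guessed-at registration cannot lock out a member who has already set a password, and the only way out of a lock-out is another letter to the address of record, which is the control the presenter describes.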

  10. Conclusion
     • A password reminder is still a backdoor password and does not conform to password controls
     • A password reminder may not be secret
     • Some healthcare organizations have weak security controls for their web applications that access PHI
     • Still looking for an easy and cost-effective solution to securely authenticate self-service registrations for web access to PHI
     • Anyone for a Patient National ID system?
