User Authentication in Mobile Healthcare Applications
Yaira K. Rivera Sánchez
Computer Science & Engineering Department
University of Connecticut, Storrs
Overview
• Background
  • User Authentication
• Problem
• Goal
• Approaches
• Existing Mobile Applications
• Limitations
• Conclusion
Background – HIT Systems
• EHR (e.g., Kareo EHR)
• EMR (e.g., OFFICE EMR)
• PHR/PPHR (e.g., Capzule PHR)
Background – User Authentication
• Definition:
  • “Process of determining whether someone is, in fact, who or what it is declared to be.” [1]
  • “Process of identifying an individual, usually based on a username and password.” [2]
• Examples:
  • Username/password combination, tokens, biometrics.
Background – User Authentication (Cont.)
• Secure Sockets Layer (SSL): transmits data through the network; uses a public key and a private key.
• Multi-factor Authentication:
  • Knowledge factor
    • Username/Password
    • Personal Identification Number (PIN)
  • Possession factor
    • Digital Signature
    • Digital Certificate
    • X.509 Certificate
  • Inherence factor
    • Biometrics
Who needs it and why is it important?
• Who needs user authentication?
  • Patients and medical providers.
• Why is it important?
  • Smartphones are an important source of healthcare information for many.
  • In 2012, about 95 million Americans used their mobile phones either as healthcare tools or to find health-related information, according to [3].
  • The number of mobile healthcare applications is increasing every day (20,000+).
  • Sensitivity and confidentiality of healthcare data.
Problem
• People want to have access to their healthcare data in a secure and easy way.
• There exist many mobile healthcare applications to do this, but… are they secure?
• What approach could we use to secure user authentication in mobile healthcare applications?
Goal
• Find and describe different approaches to secure user authentication for mobile healthcare applications.
Check, Assurances, Protection (CAP) Framework
• Directed towards:
  • Ensuring secure interactions between mobile applications by encrypting healthcare data when it is being exchanged.
  • Utilizing strong authentication protocols in order to determine what data needs to be exposed/stored on a system.
• Proposed SSL and shared certificates combined with CIA (security tenets: confidentiality, integrity, availability) to do authentication.
HealthPass
• Secure access control model for PPHRs.
• Extended digital certificate.
• Dynamic interactions without using a classical authorization and authentication approach like username and password.
Figure: Overall PPHR architecture with XML-based PHR – PHR certificate (HealthPass) issuing
Generic Bootstrap Architecture
• Mutual authentication of users and network applications.
• Directed toward EHRs.
• Mutual authentication: use of SIM card credentials.
• PIN required in order to unlock the token.
Figure: GBA Reference Model
Two-Factor Authentication
• Encryption and a two-factor authentication method.
• Secure authentication and communication between a mobile device and a healthcare service provider.
• Provides multi-factor authentication without the need to have an authentication token.
Figure: Reference model of security architecture for mobile access to information from patient’s medical record
Three-factor user authentication
• Use of the smartphone as the whole identity: no need for a token.
• Three-factor authentication: username/password combination, biometrics and smartphone.
• Secure and hassle-free authentication.
Figure: Patient Authentication Framework
Medisoft
• Requires the user to log in with a username and password.
• User can set up a time span after which the application automatically logs off.
• User can set up a four-digit security code (a PIN) to log in to the app again once the time span has expired.
• HIPAA compliant.
PatientKeeper
• Users have to enter a PIN/password to gain access to the application.
• Incorrect password entered several times: the system can lock the user out of the account and could delete all the information that is stored on the device.
• Encrypts the data that is sent to the device. It remains encrypted until the user accesses such data from the application.
• AES + SSL/TLS = secure transfer of data.
• HIPAA compliant.
Dr. Chrono
• Authenticates a user utilizing the username/password combination.
• Auto-logoff feature: automatically logs off users that are logged into the account but have been inactive for a certain period of time.
• Digital certificate: used to verify that the user is authenticated correctly and is on the correct site.
• HIPAA compliant.
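The features listed for Medisoft, PatientKeeper and Dr. Chrono (idle auto-logoff, PIN re-entry after the timeout, lockout with local data wipe after repeated failures) combined into one session policy. This is an added example, not code from the presentation or from any of these vendors; the class name, timeout and attempt limits, and the sample record are assumptions.

```python
import hashlib
import hmac
import os


class SessionGuard:
    """Hypothetical client-side session policy (illustrative names and values)."""

    def __init__(self, pin, idle_timeout=300, max_failures=5, now=0.0):
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self.idle_timeout = idle_timeout      # seconds of inactivity allowed
        self.max_failures = max_failures      # wrong PINs before lockout
        self.failures = 0
        self.state = "unlocked"               # unlocked | pin_required | locked_out
        self.last_activity = now
        self.local_records = ["constructed sample record"]

    def _derive(self, pin):
        # A 4-digit PIN has only 10,000 values; the attempt limit below,
        # not the hash, is what stops online guessing.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def touch(self, now):
        """Call on every user action; returns True if the action may proceed."""
        if self.state == "unlocked" and now - self.last_activity > self.idle_timeout:
            self.state = "pin_required"       # auto-logoff after inactivity
        if self.state != "unlocked":
            return False
        self.last_activity = now
        return True

    def unlock(self, pin, now):
        """Re-enter the PIN after auto-logoff; returns True on success."""
        if self.state == "locked_out":
            return False                      # needs full re-enrolment
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self.state, self.failures, self.last_activity = "unlocked", 0, now
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.state = "locked_out"
            self.local_records.clear()        # wipe data cached on the device
        return False
```

The clock is passed in as `now` so the timeout logic can be exercised without waiting; an application would pass a monotonic time source.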
Limitations
• Authentication:
  • Passwords:
    • Widely used and accepted by users.
    • Doubts about the level of security.
    • More difficult for users to remember them.
  • Tokens:
    • Use of digital certificates.
    • Falsifying digital certificates.
  • Biometrics:
    • Is currently limited.
    • Privacy concerns: misuse of data, tracking, additional data, etc.
Limitations (Cont.)
• A patient’s EHR might be fragmented and accessible from several places (it could be held by different hospitals, providers, etc.).
• Security defects in these systems could cause the disclosure of information to unauthorized users.
• Difficulties in maintaining data privacy.
  • Example: Administrative staff could access the information without the patient’s consent.
Conclusion
• Presented different authentication methods.
• Problems and goals.
• Discussed other approaches that researchers have done.
• Existing mobile applications.
• Limitations.
• Still a long way to go…
References
• [1] http://searchsecurity.techtarget.com/definition/authentication
• [2] http://www.webopedia.com/TERM/A/authentication.html
• [3] Laurie A. Jones, Annie I. Antón, and Julia B. Earp. “Towards understanding user perceptions of authentication technologies”. In Proceedings of the 2007 ACM workshop on Privacy in electronic society (WPES '07). ACM, New York, NY, USA, 91-98. 2007.
Questions?