Secure Access for Web-based Patient Portals and Applications

Secure Access for Web-based Patient Portals and Applications. Chris Brooks, Senior Vice President of Technology, WebMD Health Services. October 30, 2013. MISSION: To provide expert guidance that inspires people to take charge of their health. WHAT WE DO:


Presentation Transcript


  1. Secure Access for Web-based Patient Portals and Applications. Chris Brooks, Senior Vice President of Technology, WebMD Health Services. October 30, 2013

  2. MISSION: To provide expert guidance that inspires people to take charge of their health. WHAT WE DO: We offer health, wellness, and care transparency solutions that help large organizations with complex populations improve people’s health, productivity, and happiness.

  3. Meaningful Use of Electronic Health Records is a United States National Imperative
     This mandate isn’t just about improving care coordination and quality … it is also about patient engagement

  4. Stage 2 of the CMS Incentive Program Sets Goals for Patient Engagement
     • Core Measure 7: Provide patients the ability to view online, download and transmit their health information within four business days of the information being available to the EP.
     • Core Measure 17: Use secure electronic messaging to communicate with patients on relevant health information.

  5. Electronic Health Information Providers Face Stringent Security and Privacy Requirements
     • Regulatory (HIPAA, HITECH) drivers
     • Patient / user trust and brand reputation
     • HIPAA Omnibus Rule for 2013: “Significant risk of harm” test replaced by more objective “probability of compromise” test.

  6. There are Competing Forces at Play When it Comes to Electronic Health Information Access
     • Ease of use and access from a wide range of devices (desktops, tablets, smartphones) is key to driving patient engagement
     Yet
     • Providers must still ensure robust authentication standards are in place

  7. Example: Mobile App Authentication
     • WebMD Health Services recently shipped a native iOS and Android “tiny habits” app called “Daily Victory”
     • Key attributes:
       • No access to or sharing of personal health information
       • Allows user to share daily wellness activities with WebMD and a small social network
     • Authentication:
       • Initial authorization code to provision app
       • No password or PIN required
       • Revocable access

  8. Evaluate Authentication Needs based on Risk and Engagement Requirements
     [Chart: vertical axis “Engagement and Frequency of Use” (Low/Infrequent to High/Frequent); horizontal axis “Sensitivity of Information” (None to High). Applications plotted: Provider Medical Imaging Mobile Viewer; Blood Sugar Tracker; Mobile Fitness Tracker; “In Case of Emergency” E-cards?; Personal Health Record; Health Information Research; Patient / Physician Communication]

  9. How Might Authentication Approaches Map to this?
     [Chart: vertical axis “Engagement and Frequency of Use” (Low/Infrequent to High/Frequent); horizontal axis “Sensitivity of Information” (None to High). Approaches plotted: “Remember Me”; PIN auth; Strong Password; Risk-based Auth; Multi-factor Auth]

  10. How Might Authentication Approaches Map to this? [same chart]
      “Remember Me”: Initial one-time authentication with optional or automatic “remember me” for future visits. Possible remote revocation (e.g., “forget this device”).

  11. How Might Authentication Approaches Map to this? [same chart]
      PIN auth: Short PIN or similar shorter-than-password code for application entry after initial authentication.

  12. How Might Authentication Approaches Map to this? [same chart]
      Strong Password: Full (presumably strong) password required for access to any personal information.

  13. How Might Authentication Approaches Map to this? [same chart]
      Risk-based Auth: Variable level of authentication based on pre-determined risk of both the current user session as well as the intended user activity.

  14. How Might Authentication Approaches Map to this? [same chart]
      Multi-factor Auth: Use at least two factors (know / has / is) for authentication. Rotating tokens, SMS codes, “dongles”, and biometrics are examples.

  15. Closing Thoughts
      • Context is critical! Know your risks and adapt your approach accordingly.
      • Engagement can suffer in the face of enhanced authentication strength.
      • When appropriate, allow the user to manage their own risk.

  16. Secure Access for Web-based Patient Portals and Applications. Chris Brooks, Senior Vice President of Technology, WebMD Health Services. October 30, 2013
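An added example, not part of the presentation: one way the revocable “remember me” device token of slides 7 and 10 and the risk-based step-up of slide 13 can fit together. The activity names, their minimum levels, and the two risk signals (`new_location`, `recent_failures`) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from enum import IntEnum

class Auth(IntEnum):  # the deck's approaches, weakest to strongest
    REMEMBERED = 1
    PIN = 2
    PASSWORD = 3
    MFA = 4

# Assumed minimum level per activity (illustrative; not taken from the slides).
ACTIVITY_MIN = {
    "log_wellness_activity": Auth.REMEMBERED,
    "view_fitness_history": Auth.PIN,
    "view_health_record": Auth.PASSWORD,
    "download_health_record": Auth.MFA,
}

class DeviceRegistry:
    """Remember-me tokens; the server keeps only a SHA-256 digest of each."""
    def __init__(self):
        self._digests = {}  # device_id -> digest of the device's token

    def provision(self, device_id):
        token = secrets.token_urlsafe(32)  # handed out once, after initial authorization
        self._digests[device_id] = hashlib.sha256(token.encode()).digest()
        return token

    def is_remembered(self, device_id, token):
        stored = self._digests.get(device_id)
        presented = hashlib.sha256(token.encode()).digest()
        return stored is not None and hmac.compare_digest(stored, presented)

    def forget(self, device_id):  # remote revocation: "forget this device"
        self._digests.pop(device_id, None)

def required_level(activity, new_location=False, recent_failures=0):
    """Raise the activity's baseline one rung per session risk signal, capped at MFA."""
    bumps = int(new_location) + int(recent_failures >= 3)
    return Auth(min(ACTIVITY_MIN[activity] + bumps, Auth.MFA))

def step_up(registry, device_id, token, session_level, activity, **signals):
    """Return None if the request may proceed, else the level the user must reach."""
    need = required_level(activity, **signals)
    if not registry.is_remembered(device_id, token):
        return max(need, Auth.PASSWORD)  # unknown or revoked device: full re-authentication
    return None if session_level >= need else need
```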
