Case Study: Password Authentication in eHealth Applications

Presentation transcript:

Case Study: Password Authentication in eHealth Applications
Seventh National HIPAA Summit, September 15, 2003
Ken Patterson, CISSP, Information Security Officer, Harvard Pilgrim Health Care

Harvard Pilgrim Health Care
- Medium size health plan serving MA, NH, and ME
- 800,000+ Members
- 22,000+ Providers
- 6,000 Employer & Broker Accounts
- Web Applications supporting all of our constituents

Password Controls
- Minimum 8 characters
- Can not use username, first name, or last name combinations
- Must use at least 1 numeric & alpha
- Can not use dictionary word
- Can not use strings
- Password lockout
- Password change & aging

Subscriber vs. Member Model
- Subscriber – owner of the health plan account
- One account for subscriber that contains all family members
- Self-service account creation
- Supply the following to create an account:
  - Social Security Number
  - Date of Birth
  - Member ID Number
- Re-enter if password is forgotten
- Subscriber has access to view and change demographic and PCP information for plan members

Subscriber vs. Member Model
- Members are individuals identified on a health plan account that have a relationship to a valid subscriber
- Member model:
  - Each adult member has their own account with health information
  - Access to view and change demographic and PCP info
  - Claims, referrals, medications… more & more to come
  - Secure messaging also available
  - Links to other business partners that require an authenticated member

Registering Members
- Self-registration via web considered – assurance an issue
- Benchmarked other organizations:
  - Industry best practice – financial
  - Healthcare – some best in class
- Adopted best practice approach:
  - Generate a one-time password (OTP)
  - Send OTP via first class U.S. Mail to member’s address of record
  - Good for 60 days
  - Member creates permanent userid and password
  - Use password controls

Forgotten Password
- Benchmarked other organizations
- Industry best practice – financial:
  - PIN / new password sent to home address
- Healthcare – definitely not best practice:
  - Password Reminder or “hint” questions used
  - Mother’s maiden name
  - Pet’s name
  - Not secret & easily guessable

Forgotten Password
- Best practice was proposed:
  - Send new OTP first class U.S. Mail to address of record
- Senior management pressure against using best practice:
  - Adversely affect eHealth adoption
  - Can not find other healthcare industry examples using best practice
- Compromise approach – informed consent by member:
  - Choice made at account creation
  - Use of U.S. Mail recommended / default
  - Password reminder an option – use with caution
  - Can change choice later

Forgotten Password
- Must provide Member ID number and Date of Birth
- Choices for password reminder:
  - Name a place you would like to visit
  - Name of an actor or actress
  - Name of a teacher or student
  - Name of a historical or literary figure
  - Name of a food or drink
  - Name of a book or movie
- Select new password
- Confirmation letter sent to home address after pw change
- Lock-out in place for unsuccessful attempts
  - Revert to U.S. Mail
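The compromise forgotten-password flow from the last three slides (member's recovery choice, Member ID plus Date of Birth gate, reminder question, lock-out that reverts the account to the U.S. Mail path, confirmation letter after the change), modelled as an added example that is not code from the presentation or from Harvard Pilgrim. The lock-out threshold of 3 attempts and the account fields are assumptions; the mailings are only recorded, not sent.

```python
from dataclasses import dataclass, field
from typing import List, Optional

LOCKOUT_ATTEMPTS = 3   # assumed threshold; the slide states a lock-out but not the number

@dataclass
class Account:
    member_id: str
    dob: str                          # date of birth as presented at reset, e.g. "1970-01-01"
    recovery: str = "mail"            # "mail" is the recommended default; "reminder" is opt-in
    reminder_question: Optional[str] = None
    reminder_answer: Optional[str] = None
    failed_attempts: int = 0
    sent_letters: List[str] = field(default_factory=list)   # what went to the address of record

def start_reset(acct: Account, member_id: str, dob: str) -> str:
    """Step 1: the member must present Member ID and Date of Birth.
    On the mail path a new OTP goes to the address of record; on the
    reminder path the member's chosen question is asked."""
    if (member_id, dob) != (acct.member_id, acct.dob):
        return "reject"
    if acct.recovery == "mail":
        acct.sent_letters.append("OTP")
        return "otp_mailed"
    return f"ask:{acct.reminder_question}"

def answer_reminder(acct: Account, answer: str) -> str:
    """Step 2 (reminder path only): check the answer; repeated failures lock the
    reminder out and revert the account to the U.S. Mail path."""
    if acct.recovery != "reminder":
        return "not_applicable"
    if answer.strip().lower() == acct.reminder_answer.strip().lower():
        acct.failed_attempts = 0
        return "set_new_password"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_ATTEMPTS:
        acct.recovery = "mail"            # reminder is no longer accepted for this account
        acct.sent_letters.append("OTP")
        return "locked_otp_mailed"
    return "retry"

def set_new_password(acct: Account) -> str:
    """Step 3: after the password is changed, a confirmation letter is sent
    to the home address so an unauthorised change is noticed by the member."""
    acct.sent_letters.append("confirmation")
    return "changed"
```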

Conclusion
- A password reminder is still a backdoor password and does not conform to password controls
- A password reminder may not be secret
- Some healthcare organizations have weak security controls for their web applications that access PHI
- Still looking for an easy and cost-effective solution to securely authenticate self-service registrations for web access to PHI
- Anyone for a Patient National ID system?