Presentation is loading. Please wait.

Presentation is loading. Please wait.

Case Study: Password Authentication in eHealth Applications

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Case Study: Password Authentication in eHealth Applications"— Presentation transcript:

1 Case Study: Password Authentication in eHealth Applications
Seventh National HIPAA Summit September 15, 2003 Case Study: Password Authentication in eHealth Applications Ken Patterson, CISSP Information Security Officer Harvard Pilgrim Health Care Ken Patterson

2 Harvard Pilgrim Health Care
Medium size health plan serving MA, NH, and ME 800,000+ Members 22,000+ Providers 6,000 Employer & Broker Accounts Web Applications supporting all of our constituents Ken Patterson Ken Patterson

3 Password Controls Minimum 8 characters
Can not use username, first name, or last name combinations Must use at least 1 numeric & alpha Can not use dictionary word Can not use strings Password lockout Password change & aging Ken Patterson Ken Patterson

4 Subscriber vs. Member Model
Subscriber – owner of the health plan account One account for subscriber that contains all family members Self-service account creation Supply the following to create an account Social Security Number Date of Birth Member ID Number Re-enter if password is forgotten Subscriber has access to view and change demographic and PCP information for plan members Ken Patterson Ken Patterson

5 Subscriber vs. Member Model
Members are individuals identified on a health plan account that have a relationship to a valid subscriber Member model Each adult member has their own account with health information Access to view and change demographic and PCP info Claims, referrals, medications… more & more to come Secure messaging also available Links to other business partners that require an authenticated member Ken Patterson Ken Patterson

6 Registering Members Self-registration via web considered – assurance an issue Benchmarked other organizations Industry best practice – financial Healthcare – some best in class Adopted best practice approach Generate a one-time password (OTP) Send OTP via first class U.S. Mail to member’s address of record Good for 60 days Member creates permanent userid and password Use password controls Ken Patterson Ken Patterson

7 Forgotten Password Benchmarked other organizations
Industry best practice – financial PIN / new password sent to home address Healthcare – definitely not best practice Password Reminder or “hint” questions used Mother’s maiden name Pet’s name Not secret & easily guessable Ken Patterson Ken Patterson

8 Forgotten Password Best practice was proposed
Send new OTP first class U.S. Mail to address of record Senior management pressure against using best practice Adversely affect eHealth adoption Can not find other healthcare industry examples using best practice Compromise approach – informed consent by member Choice made at account creation Use of U.S. Mail recommended / default Password reminder an option – use with caution Can change choice later Ken Patterson Ken Patterson

9 Forgotten Password Must provide Member ID number and Date of Birth
Choices for password reminder Name a place you would like to visit Name of an actor or actress Name of a teacher or student Name of a historical or literary figure Name of a food or drink Name of a book or movie Select new password Confirmation letter sent to home address after pw change Lock-out in place for unsuccessful attempts Revert to U.S. Mail Ken Patterson Ken Patterson

10 Conclusion A password reminder is still a backdoor password and does not conform to password controls A password reminder may not be secret Some healthcare organizations have weak security controls for their web applications that access PHI Still looking for an easy and cost-effective solution to securely authenticate self-service registrations for web access to PHI Anyone for a Patient National ID system? Ken Patterson

Download ppt "Case Study: Password Authentication in eHealth Applications"

Similar presentations

Education Professional Standards Board New User Registration.

Education Professional Standards Board New User Registration.
Professional Development Management System (PDMS) A tutorial for professional development cluster Vendors, Providers and Instructors Charlie Michels PSB.

Professional Development Management System (PDMS) A tutorial for professional development cluster Vendors, Providers and Instructors Charlie Michels PSB.
Office of Labor-Management Standards (OLMS)

Office of Labor-Management Standards (OLMS)
Financial Aid Management System Account Registration and Confirmation.

Financial Aid Management System Account Registration and Confirmation.
Medicaid Member Card July 2014. Medicaid Member Card Medicaid and PCN members received a new wallet-sized plastic Medicaid card starting July 2014 Each.

Medicaid Member Card July Medicaid Member Card Medicaid and PCN members received a new wallet-sized plastic Medicaid card starting July 2014 Each.
Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA)
PowerChart Basics Session 1 June 2009. Goal: To acquaint the user with the basics of PowerChart patient information security. Objective: 1.State the importance.

PowerChart Basics Session 1 June Goal: To acquaint the user with the basics of PowerChart patient information security. Objective: 1.State the importance.
National Service Trust Automation Project Training Materials: Members and Alumni Corporation for National & Community Service (CNCS) National Service Trust.

National Service Trust Automation Project Training Materials: Members and Alumni Corporation for National & Community Service (CNCS) National Service Trust.
Education Professional Standards Board Password Recovery Process.

Education Professional Standards Board Password Recovery Process.
Sandhills Center Encryption Overview for External Recipients

Sandhills Center Encryption Overview for External Recipients
Become a Member and Schedule Your Health Evaluation www.interactivehs.com.

Become a Member and Schedule Your Health Evaluation
Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.

Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.
FSA ID TRANSITION Ditch the PIN. WHAT IS THE NEW FSA ID AND PASSWORD? U.S. Department of Education has a new login process beginning April 26 th for student-

FSA ID TRANSITION Ditch the PIN. WHAT IS THE NEW FSA ID AND PASSWORD? U.S. Department of Education has a new login process beginning April 26 th for student-
2014-2005. Today’s Objective: I will create a strong, private password.

Today’s Objective: I will create a strong, private password.
To Access Parent Portal The easiest way is to go to the school website which is, www.bovinaisd.net.

To Access Parent Portal The easiest way is to go to the school website which is,
Tell me about my Personal Health Record  Contains your personal health information  Combines medical information from your insurance claims with health.

Tell me about my Personal Health Record  Contains your personal health information  Combines medical information from your insurance claims with health.
To navigate through this slideshow, use the arrow keys on your keyboard to go forward or backward.  or  Use your mouse to click to the next step within.

To navigate through this slideshow, use the arrow keys on your keyboard to go forward or backward.  or  Use your mouse to click to the next step within.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
WELCOME SAINTS AND CENTURIONS!!. Reasons for Choosing College Career focus Practical, industry partnerships, coop Cost (time, tuition) Personal Lots of.

WELCOME SAINTS AND CENTURIONS!!. Reasons for Choosing College Career focus Practical, industry partnerships, coop Cost (time, tuition) Personal Lots of.

Similar presentations

Ads by Google