Case Study: Password Authentication in eHealth Applications

1 Case Study: Password Authentication in eHealth Applications
Seventh National HIPAA Summit, September 15, 2003
Ken Patterson, CISSP
Information Security Officer, Harvard Pilgrim Health Care

2 Harvard Pilgrim Health Care
Medium-size health plan serving MA, NH, and ME
800,000+ members
22,000+ providers
6,000 employer and broker accounts
Web applications supporting all of our constituents

3 Password Controls
Minimum 8 characters
Cannot use username, first name, or last name combinations
Must use at least 1 numeric and 1 alpha character
Cannot use a dictionary word
Cannot use strings
Password lockout
Password change and aging
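The controls on this slide, as an added password-policy check that is not code from the presentation or from Harvard Pilgrim Health Care. The dictionary wordlist is a small constructed stand-in, and the slide's "cannot use strings" is read here as a run of four or more repeated or sequential characters, which is an assumption about the original rule.

```python
"""Password-control check modelled on the slide's rule list.

Added example, not code from the presentation or from Harvard Pilgrim.
The dictionary wordlist is a constructed stand-in; the reading of
"cannot use strings" as sequential/repeated character runs is an assumption.
"""

# Constructed stand-in for a real dictionary wordlist (assumption).
DICTIONARY = {"password", "welcome", "summer", "boston", "health", "letmein"}

MIN_LENGTH = 8   # from the slide
RUN_LENGTH = 4   # assumption: 4+ repeated or sequential chars counts as a "string"


def _name_fragments(username, first, last):
    """Name-derived strings a password must not contain (case-insensitive)."""
    parts = [username, first, last, first + last, last + first]
    return {p.lower() for p in parts if p}


def _has_char_run(pw, run_len=RUN_LENGTH):
    """True if pw contains run_len repeated chars (aaaa) or a sequential run (abcd, 4321)."""
    lower = pw.lower()
    for i in range(len(lower) - run_len + 1):
        chunk = lower[i:i + run_len]
        if len(set(chunk)) == 1:
            return True
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def _contains_dictionary_word(pw, dictionary=DICTIONARY):
    """Reject a password that is, or contains, a dictionary word (case-insensitive)."""
    lower = pw.lower()
    return any(word in lower for word in dictionary)


def check_password(pw, username="", first="", last=""):
    """Return the list of violated controls; an empty list means the password is accepted.

    Lockout and aging are account-state controls, not per-password checks,
    so they are out of scope here.
    """
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("min_length")
    if not any(c.isdigit() for c in pw):
        violations.append("needs_numeric")
    if not any(c.isalpha() for c in pw):
        violations.append("needs_alpha")
    lower = pw.lower()
    if any(frag in lower for frag in _name_fragments(username, first, last)):
        violations.append("contains_name")
    if _contains_dictionary_word(pw):
        violations.append("dictionary_word")
    if _has_char_run(pw):
        violations.append("char_run")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs for a member "John Doe", username "jdoe".
    for candidate in ("Welcome1", "JohnDoe2003", "abcd1234", "Tq7#mR2v"):
        print(candidate, check_password(candidate, "jdoe", "John", "Doe"))
```

Checks that only inspect the candidate string are cheap to run client-side for feedback, but they must also run server-side, since the browser can be bypassed; the name and dictionary checks in particular depend on data the client should not be trusted to supply.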

4 Subscriber vs. Member Model
Subscriber: owner of the health plan account
One account for the subscriber that contains all family members
Self-service account creation
Supply the following to create an account:
  Social Security Number
  Date of Birth
  Member ID Number
Re-enter these if the password is forgotten
Subscriber has access to view and change demographic and PCP information for plan members

5 Subscriber vs. Member Model
Members are individuals identified on a health plan account who have a relationship to a valid subscriber
Member model:
  Each adult member has their own account with health information
  Access to view and change demographic and PCP info
  Claims, referrals, medications... more and more to come
  Secure messaging also available
  Links to other business partners that require an authenticated member

6 Registering Members
Self-registration via web considered; assurance an issue
Benchmarked other organizations
  Industry best practice: financial
  Healthcare: some best in class
Adopted best practice approach:
  Generate a one-time password (OTP)
  Send OTP via first class U.S. Mail to the member's address of record
  Good for 60 days
  Member creates permanent userid and password
  Use password controls

7 Forgotten Password
Benchmarked other organizations
  Industry best practice (financial): PIN / new password sent to home address
  Healthcare: definitely not best practice
    Password reminder or "hint" questions used
      Mother's maiden name
      Pet's name
    Not secret and easily guessable

8 Forgotten Password
Best practice was proposed: send a new OTP by first class U.S. Mail to the address of record
Senior management pressure against using best practice:
  Would adversely affect eHealth adoption
  Cannot find other healthcare industry examples using best practice
Compromise approach: informed consent by member
  Choice made at account creation
  Use of U.S. Mail recommended / default
  Password reminder an option; use with caution
  Can change choice later

9 Forgotten Password
Must provide Member ID number and Date of Birth
Choices for password reminder:
  Name a place you would like to visit
  Name of an actor or actress
  Name of a teacher or student
  Name of a historical or literary figure
  Name of a food or drink
  Name of a book or movie
Select new password
Confirmation letter sent to home address after password change
Lock-out in place for unsuccessful attempts; revert to U.S. Mail
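An added example, not the presenter's or Harvard Pilgrim's code, that covers the mailed-OTP registration flow on slide 6 and the lockout and revert-to-mail handling for forgotten passwords on slides 8 and 9. The 60-day validity is from slide 6; the OTP length and alphabet, the lockout threshold of five failed attempts, and the in-memory store and "letters" outbox that stand in for a database and the first-class-mail process are all assumptions. The store keeps only a keyed hash of the OTP, so the printed letter is the single place the cleartext exists.

```python
"""Mailed one-time-password lifecycle: issue, redeem, expire, lock out, reissue.

Added example, not code from the presentation or from Harvard Pilgrim.
The 60-day validity comes from the slides; OTP length/alphabet, the
lockout threshold and the in-memory store are assumptions.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

OTP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: no 0/O/1/I for a printed letter
OTP_LENGTH = 10                     # assumption
OTP_VALIDITY = timedelta(days=60)   # from slide 6
MAX_FAILED_ATTEMPTS = 5             # assumption; the slides only say lockout exists
T0 = datetime(2003, 9, 15, tzinfo=timezone.utc)  # constructed clock for the demo


class OtpStore:
    def __init__(self, pepper: bytes):
        self.pepper = pepper    # server-side key: a leaked table cannot be brute-forced offline
        self.records = {}       # member_id -> record dict (stands in for a database table)
        self.letters = []       # constructed stand-in for the U.S. Mail queue

    def _digest(self, member_id, otp):
        return hmac.new(self.pepper, f"{member_id}:{otp}".encode(), hashlib.sha256).digest()

    def issue(self, member_id, now):
        """Create a fresh OTP, store only its keyed hash, queue the letter. Resets any lockout."""
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        self.records[member_id] = {
            "digest": self._digest(member_id, otp),
            "expires": now + OTP_VALIDITY,
            "failures": 0,
            "locked": False,
            "used": False,
        }
        # Only the letter carries the cleartext OTP; the store keeps the HMAC.
        self.letters.append({"member_id": member_id, "kind": "otp", "otp": otp})
        return otp

    def redeem(self, member_id, otp, now):
        """Return one of 'ok', 'no_otp', 'locked', 'expired', 'bad_otp'."""
        rec = self.records.get(member_id)
        if rec is None or rec["used"]:
            return "no_otp"
        if rec["locked"]:
            return "locked"
        if now > rec["expires"]:
            return "expired"
        if not hmac.compare_digest(rec["digest"], self._digest(member_id, otp)):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILED_ATTEMPTS:
                rec["locked"] = True
                # Revert to U.S. Mail: only a newly issued, posted OTP can unlock.
                self.letters.append({"member_id": member_id, "kind": "lockout_notice"})
                return "locked"
            return "bad_otp"
        rec["used"] = True   # single use: a second presentation of the same OTP fails
        # Slide 9: confirmation letter to the address of record after the change.
        self.letters.append({"member_id": member_id, "kind": "confirmation"})
        return "ok"


if __name__ == "__main__":
    store = OtpStore(b"constructed-pepper")
    code = store.issue("M1001", T0)
    print("wrong code:", store.redeem("M1001", "WRONG00000", T0))
    print("right code:", store.redeem("M1001", code, T0))
    print("replayed:  ", store.redeem("M1001", code, T0))
    print("letters:   ", [l["kind"] for l in store.letters])
```

The same record shape serves both slides: registration issues an OTP with no prior account, and a forgotten-password request on the mail path issues one against the existing account. A locked record is not unlocked by time or by a correct guess; `issue()` replacing the record is the "revert to U.S. Mail" step.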

10 Conclusion
A password reminder is still a backdoor password and does not conform to password controls
A password reminder may not be secret
Some healthcare organizations have weak security controls for their web applications that access PHI
Still looking for an easy and cost-effective solution to securely authenticate self-service registrations for web access to PHI
Anyone for a Patient National ID system?
