Secure Access for Web-based Patient Portals and Applications


Personal Guidance. Positive Change.℠

Secure Access for Web-based Patient Portals and Applications

Chris Brooks, Senior Vice President of Technology, WebMD Health Services

October 30, 2013

MISSION: To provide expert guidance that inspires people to take charge of their health.

WHAT WE DO: We offer health, wellness, and care transparency solutions that help large organizations with complex populations improve people’s health, productivity, and happiness.

WHS Key Statistics

• 500 employees; over 225 customers
• Registered users: 7.1 million
• Activated personal health records: 4.7 million
• Completed health assessments: 1.5 million per year

Meaningful Use of Electronic Health Records is a United States National Imperative

This mandate isn’t just about improving care coordination and quality … it is also about patient engagement.

© WebMD Health Services Group, Inc. All rights reserved.

Stage 2 of the CMS Incentive Program Sets Goals for Patient Engagement

• Core Measure 7: Provide patients the ability to view online, download and transmit their health information within four business days of the information being available to the EP.

• Core Measure 17: Use secure electronic messaging to communicate with patients on relevant health information.

Electronic Health Information Providers Face Stringent Security and Privacy Requirements

• Regulatory (HIPAA, HITECH) drivers
• Patient / user trust and brand reputation

HIPAA Omnibus Rule for 2013: “Significant risk of harm” test replaced by more objective “probability of compromise” test.

There are Competing Forces at Play When it Comes to Electronic Health Information Access

• Ease of use and access from a wide range of devices (desktops, tablets, smartphones) is key to driving patient engagement

Yet

• Providers must still ensure robust authentication standards are in place
Example: Mobile App Authentication

WebMD Health Services recently shipped a native iOS and Android “tiny habits” app called “Daily Victory”.

Key attributes:
• No access to or sharing of personal health information
• Allows user to share daily wellness activities with WebMD and a small social network

Authentication:
• Initial authorization code to provision app
• No password or PIN required
• Revocable access

Evaluate Authentication Needs based on Risk and Engagement Requirements

Chart: engagement (Low/Infrequent to High/Frequent) on the vertical axis against Sensitivity of Information (None to High) on the horizontal axis. Example applications placed on the chart: Mobile Fitness Tracker, Blood Sugar Tracker, Provider Medical Imaging Mobile Viewer, “In Case of Emergency” E-cards?, Personal Health Record, Health Information Research, Patient / Physician Communication.

How Might Authentication Approaches Map to this?

Chart: the same engagement-versus-sensitivity axes, with authentication approaches placed on them: “Remember Me”, PIN auth, Strong Password, Risk-based Auth, Multi-factor Auth. The following slides describe each approach in turn.

• “Remember Me”: Initial one-time authentication with optional or automatic “remember me” for future visits. Possible remote revocation (e.g., “forget this device”).

• PIN auth: Short PIN or similar shorter-than-password code for application entry after initial authentication.

• Strong Password: Full (presumably strong) password required for access to any personal information.

• Risk-based Auth: Variable level of authentication based on pre-determined risk of both the current user session as well as the intended user activity.

• Multi-factor Auth: Use at least two factors (know / has / is) for authentication. Rotating tokens, SMS codes, “dongles”, and biometrics are examples.
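As an added illustration of how the “remember me”, risk-based and multi-factor rows above can combine in one policy (example code added here, not from the talk or from WebMD Health Services), the Python below derives the required assurance level from the sensitivity of the data being accessed plus risk signals of the current session, reports the step-up the user must complete, and revokes a remembered device. The data classes, the two risk signals and the mapping of classes to levels are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Assurance(IntEnum):  # ordered authentication strength (constructed for this example)
    NONE = 0        # no credential presented (e.g. public health information research)
    REMEMBERED = 1  # long-lived "remember me" device token only
    PIN = 2         # short PIN after an earlier full login on this device
    PASSWORD = 3    # full (strong) password entered this session
    MFA = 4         # at least two factors: know / has / is

BASE_REQUIREMENT = {  # base level per data class; class names and mapping are assumptions
    "public": Assurance.NONE,          # health information research
    "wellness": Assurance.REMEMBERED,  # fitness / daily activity tracker
    "phi_read": Assurance.PASSWORD,    # view the personal health record
    "phi_transmit": Assurance.MFA,     # download / transmit, physician messaging
}

@dataclass
class Session:
    assurance: Assurance   # strongest credential presented so far in this session
    device_id: str
    ip_country: str
@dataclass
class UserProfile:
    home_country: str
    remembered_devices: set = field(default_factory=set)

def session_risk(session, profile):
    """Risk-based part: count signals that make this session look unusual."""
    signals = 0
    if session.device_id not in profile.remembered_devices:
        signals += 1   # never seen (or since forgotten) device
    if session.ip_country != profile.home_country:
        signals += 1   # unexpected location
    return signals

def required_assurance(sensitivity, session, profile):
    """Base level for the data, stepped up one notch per risk signal, capped at MFA."""
    level = BASE_REQUIREMENT[sensitivity]
    if level == Assurance.NONE:
        return level   # public content stays open regardless of session risk
    return Assurance(min(level + session_risk(session, profile), Assurance.MFA))

def authorize(sensitivity, session, profile):  # "allow", or the step-up to complete first
    need = required_assurance(sensitivity, session, profile)
    return "allow" if session.assurance >= need else f"step_up:{need.name}"

def forget_device(profile, device_id):  # remote revocation: "forget this device"
    profile.remembered_devices.discard(device_id)
```

A remembered home device reading wellness data passes with the device token alone, while the same user opening the health record from a new device abroad is pushed straight to multi-factor; after the device is forgotten, even the wellness view asks for a PIN.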

Closing Thoughts

Context is critical! Know your risks and adapt your approach accordingly.

Engagement can suffer in the face of enhanced authentication strength.

When appropriate, allow the user to manage their own risk.
