PKI: Returning to Fundamentals

Seventh National HIPAA Summit
September 15, 2003
Case Study: Password Authentication in eHealth Applications
Ken Patterson, CISSP
Information Security Officer
Harvard Pilgrim Health Care
Ken Patterson
Harvard Pilgrim Health Care
• Medium-size health plan serving MA, NH, and ME
• 800,000+ members
• 22,000+ providers
• 6,000 employer and broker accounts
• Web applications supporting all of our constituents
Password Controls
• Minimum 8 characters
• Cannot contain the username, first name, or last name, or combinations of them
• Must contain at least 1 numeric and 1 alphabetic character
• Cannot be a dictionary word
• Cannot be a simple character string (repeated or sequential characters)
• Lockout after unsuccessful attempts
• Password change and aging enforced
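The controls above are stated as a policy, not as code. The following is an added example (not from the presentation or from Harvard Pilgrim) of a validator that enforces them; the function and rule names, the run length of 4, and the tiny word list are assumptions chosen for illustration. Lockout and aging are state kept per account rather than properties of the password, so they are left to the account store.

```python
import re

# Constructed stand-in for a real dictionary file (assumption: the slides do
# not say which word list was used).
DICTIONARY = {"password", "welcome", "summer", "harvard", "pilgrim", "health"}

MIN_LENGTH = 8
RUN_LENGTH = 4  # assumption: runs/sequences of this length count as a "string"


def _name_tokens(username, first_name, last_name):
    """Substrings derived from the user's identity that must not appear in the password."""
    tokens = set()
    for part in (username, first_name, last_name):
        part = (part or "").lower()
        if len(part) >= 3:            # ignore initials; they would match almost anything
            tokens.add(part)
    f, l = (first_name or "").lower(), (last_name or "").lower()
    if f and l:
        tokens.update({f + l, l + f, f[0] + l})   # "kenpatterson", "pattersonken", "kpatterson"
    return tokens


def _has_run(pw):
    """True if pw contains RUN_LENGTH repeated or consecutive characters ("aaaa", "abcd", "4321")."""
    s = pw.lower()
    for i in range(len(s) - RUN_LENGTH + 1):
        codes = [ord(c) for c in s[i:i + RUN_LENGTH]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, username="", first_name="", last_name=""):
    """Return the list of violated controls; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("min_length")
    low = pw.lower()
    if any(t in low for t in _name_tokens(username, first_name, last_name)):
        problems.append("contains_name")
    if not re.search(r"[0-9]", pw) or not re.search(r"[A-Za-z]", pw):
        problems.append("alpha_and_numeric")
    # Compare the alphabetic core too, so "Password1!" is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", low)
    if low in DICTIONARY or core in DICTIONARY:
        problems.append("dictionary_word")
    if _has_run(pw):
        problems.append("character_run")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "abcd1234", "Patterson7", "Tr7x!mQ9p"):
        print(candidate, check_password(candidate, "kpatterson", "Ken", "Patterson"))
```

Returning the full list of violations, rather than stopping at the first, lets the registration page tell the member everything that is wrong with the candidate in one round trip.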
Subscriber vs. Member Model
• Subscriber: owner of the health plan account
  – One account for the subscriber that contains all family members
  – Self-service account creation
  – Supply the following to create an account:
    · Social Security Number
    · Date of Birth
    · Member ID Number
  – Re-enter the same data if the password is forgotten
• Subscriber has access to view and change demographic and PCP information for plan members
Subscriber vs. Member Model
• Members are individuals identified on a health plan account who have a relationship to a valid subscriber
• Member model
  – Each adult member has their own account with health information
• Access to view and change demographic and PCP information
  – Claims, referrals, medications… more and more to come
  – Secure messaging also available
  – Links to other business partners that require an authenticated member
Registering Members
• Self-registration via the web was considered; identity assurance was the issue
• Benchmarked other organizations
  – Industry best practice: financial services
  – Healthcare: some best in class
• Adopted the best-practice approach
  – Generate a one-time password (OTP)
  – Send the OTP via first-class U.S. Mail to the member's address of record
  – OTP good for 60 days
  – Member redeems the OTP and creates a permanent userid and password
  – Password controls apply to the new password
Forgotten Password
• Benchmarked other organizations
  – Industry best practice: financial services
    · PIN or new password sent to the home address
  – Healthcare: definitely not best practice
  – Password reminder or "hint" questions used
    · Mother's maiden name
    · Pet's name
    · Not secret and easily guessable
Forgotten Password
• Best practice was proposed
  – Send a new OTP by first-class U.S. Mail to the address of record
• Senior management pressure against using best practice
  – Would adversely affect eHealth adoption
  – Could not find other healthcare industry examples using best practice
• Compromise approach: informed consent by the member
  – Choice made at account creation
  – Use of U.S. Mail recommended and the default
  – Password reminder offered as an option, to be used with caution
  – Member can change the choice later
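The mailed OTP is the mechanism behind both the registration slide (OTP mailed to the address of record, good for 60 days, then a permanent userid and password are created) and the best-practice reset proposed here (a new OTP mailed on a forgotten password). The following is an added example, not code from the presentation or from Harvard Pilgrim, of a server-side store for such tokens: it keeps only a hash of the OTP, binds it to a member ID and a purpose, expires it after 60 days, allows one successful use, and gives up on the token after a few wrong entries so that only another letter can unlock it. The class name, the 12-character alphanumeric OTP format, and the 5-attempt threshold are assumptions; the slides state the 60-day validity and the existence of a lockout but not these details.

```python
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta, timezone

OTP_ALPHABET = string.ascii_uppercase + string.digits  # readable when printed in a letter
OTP_LENGTH = 12                   # assumption: 36^12 is roughly 2^62 guesses
OTP_VALIDITY = timedelta(days=60)  # from the slides
MAX_ATTEMPTS = 5                  # assumption: the slides do not give the threshold


class FixedClock:
    """Constructed clock so the expiry logic can be exercised offline."""

    def __init__(self, start=None):
        self.now = start or datetime(2003, 9, 15, tzinfo=timezone.utc)

    def advance(self, **kwargs):
        self.now += timedelta(**kwargs)

    def __call__(self):
        return self.now


class MailedOtpStore:
    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._tokens = {}  # member_id -> {"hash", "expires", "purpose", "failures"}

    @staticmethod
    def _digest(member_id, otp):
        # The OTP is high-entropy, so a plain SHA-256 keeps a leaked table from
        # being directly usable; binding the member id prevents token swapping.
        return hashlib.sha256(f"{member_id}:{otp.strip().upper()}".encode()).hexdigest()

    def issue(self, member_id, purpose):
        """Generate an OTP for printing in a letter; a re-issue supersedes any earlier letter."""
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        self._tokens[member_id] = {
            "hash": self._digest(member_id, otp),
            "expires": self._clock() + OTP_VALIDITY,
            "purpose": purpose,     # "register" or "reset"; a reset letter cannot register
            "failures": 0,
        }
        return otp  # the plaintext goes on the letter only; it is not retained

    def redeem(self, member_id, otp, purpose):
        """True exactly once for the right OTP, right purpose, within 60 days."""
        rec = self._tokens.get(member_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._tokens[member_id]   # expired: the member must request a new letter
            return False
        ok = rec["purpose"] == purpose and hmac.compare_digest(
            rec["hash"], self._digest(member_id, otp))
        if not ok:
            rec["failures"] += 1
            if rec["failures"] >= MAX_ATTEMPTS:
                del self._tokens[member_id]   # locked out: only a re-mailed OTP unlocks
            return False
        del self._tokens[member_id]   # single use
        return True

    def pending(self, member_id):
        return member_id in self._tokens


if __name__ == "__main__":
    clock = FixedClock()
    store = MailedOtpStore(clock)
    letter_otp = store.issue("HP-000001", "register")
    print("mail this:", letter_otp)
    print("redeemed:", store.redeem("HP-000001", letter_otp, "register"))
```

Entry is case- and whitespace-insensitive because the member is retyping a code from paper; that costs no entropy with a 12-character alphanumeric code. The purpose field matters: a letter issued for registration must not be usable to reset the password of an account that already exists.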
Forgotten Password
• Must provide Member ID number and Date of Birth
• Choices for the password reminder question
  – Name a place you would like to visit
  – Name of an actor or actress
  – Name of a teacher or student
  – Name of a historical or literary figure
  – Name of a food or drink
  – Name of a book or movie
• Select a new password
• Confirmation letter sent to the home address after the password change
• Lockout in place for unsuccessful attempts
  – Revert to U.S. Mail
Conclusion
• A password reminder is still a backdoor password and does not conform to the password controls
• A password reminder may not be secret
• Some healthcare organizations have weak security controls for their web applications that access PHI
• Still looking for an easy and cost-effective solution to securely authenticate self-service registrations for web access to PHI
• Anyone for a Patient National ID system?