Secure Access for Web-based Patient Portals and Applications
DESCRIPTION
Chris Brooks, Senior Vice President of Technology, WebMD Health Services. October 30, 2013.
TRANSCRIPT
Personal Guidance. Positive Change.SM
Secure Access for Web-based Patient Portals and Applications
Chris Brooks, Senior Vice President of Technology, WebMD Health Services
October 30, 2013
MISSION: To provide expert guidance that inspires people to take charge of their health.
WHAT WE DO: We offer health, wellness, and care transparency solutions that help large organizations with complex populations improve people’s health, productivity, and happiness.
WHS Key Statistics
500 Employees
Over 225 Customers
Registered Users: 7.1 million
Activated personal health records: 4.7 million
Completed health assessments: 1.5 million per year
© WebMD Health Services Group, Inc. All rights reserved.
Meaningful Use of Electronic Health Records is a United States National Imperative
This mandate isn’t just about improving care coordination and quality … it is also about patient engagement.
Stage 2 of the CMS Incentive Program Sets Goals for Patient Engagement
Core Measure 7: Provide patients the ability to view online, download and transmit their health information within four business days of the information being available to the EP.
Core Measure 17: Use secure electronic messaging to communicate with patients on relevant health information.
Electronic Health Information Providers Face Stringent Security and Privacy Requirements
HIPAA Omnibus Rule for 2013: “Significant risk of harm” test replaced by more objective “probability of compromise” test.
Regulatory (HIPAA, HITECH) drivers
Patient / user trust and brand reputation
There are Competing Forces at Play When it Comes to Electronic Health Information Access
Ease of use and access from a wide range of devices (desktops, tablets, smartphones) is key to driving patient engagement.
Yet
Providers must still ensure robust authentication standards are in place.
Example: Mobile App Authentication
WebMD Health Services recently shipped a native iOS and Android “tiny habits” app called “Daily Victory”
Key attributes:
No access to or sharing of personal health information
Allows user to share daily wellness activities with WebMD and a small social network
Authentication:
Initial authorization code to provision app
No password or PIN required
Revocable access
Evaluate Authentication Needs based on Risk and Engagement Requirements
[Chart: two-axis matrix. Horizontal axis: Sensitivity of Information, from None to High. Vertical axis: Engagement and Frequency of Use, from Low/Infrequent to High/Frequent. Applications plotted on it: Mobile Fitness Tracker; Patient / Physician Communication; Blood Sugar Tracker; Health Information Research; Personal Health Record; “In Case of Emergency” E-cards?; Provider Medical Imaging Mobile Viewer.]
How Might Authentication Approaches Map to this?
[Chart: the same two-axis matrix (Sensitivity of Information, None to High; Engagement and Frequency of Use, Low/Infrequent to High/Frequent) with authentication approaches placed on it: PIN auth; Multi-factor Auth; Strong Password; “Remember Me”; Risk-based Auth. The following slides define each approach.]
“Remember Me”: Initial one-time authentication with optional or automatic “remember me” for future visits. Possible remote revocation (e.g., “forget this device”).
PIN auth: Short PIN or similar shorter-than-password code for application entry after initial authentication.
Strong Password: Full (presumably strong) password required for access to any personal information.
Risk-based Auth: Variable level of authentication based on pre-determined risk of both the current user session as well as the intended user activity.
Multi-factor Auth: Use at least two factors (know / has / is) for authentication. Rotating tokens, SMS codes, “dongles”, and biometrics are examples.
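The matrix and the five approaches above can be expressed as a step-up policy: each activity carries a minimum assurance level, a riskier session raises that minimum, and a “remember me” device token is issued after a full authentication and can be revoked remotely (“forget this device”). The code below is an added illustration written for this transcript, not WebMD Health Services code; the activity-to-level mapping, the `session_risk` signal and the class and function names are assumptions chosen to mirror the slides.

```python
"""Step-up authentication policy modelled on the sensitivity / engagement matrix."""
import hashlib
import secrets
from enum import IntEnum


class Assurance(IntEnum):
    """Assurance the current session has earned, weakest to strongest."""
    NONE = 0        # anonymous visitor
    REMEMBERED = 1  # valid long-lived "remember me" device token
    PIN = 2         # short PIN entered on a remembered device
    PASSWORD = 3    # full (strong) password entered this session
    MFA = 4         # password plus a second factor (token, SMS code, biometric)


# Assumed policy: minimum assurance per activity, ordered by information sensitivity.
REQUIRED = {
    "fitness_tracker": Assurance.REMEMBERED,        # no personal health information
    "blood_sugar_tracker": Assurance.PIN,           # frequent use, moderate sensitivity
    "personal_health_record": Assurance.PASSWORD,   # any personal information
    "physician_messaging": Assurance.PASSWORD,
    "medical_imaging": Assurance.MFA,               # highest sensitivity
}


def required_step_up(activity, session_level, session_risk="low"):
    """Return the name of the credential to request next, or None if the session suffices.
    session_risk is an assumed signal (e.g. unfamiliar device or network); "high" raises
    the activity's minimum by one level, capped at MFA."""
    need = REQUIRED[activity]
    if session_risk == "high" and need < Assurance.MFA:
        need = Assurance(need + 1)
    return None if session_level >= need else need.name


class DeviceRegistry:
    """Remembered devices: token issued after a full authentication, revocable remotely."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (user, device label); raw token never stored

    def remember(self, user, label):
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = (user, label)
        return token  # sent to the device once; the server keeps only the hash

    def assurance_for(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        return Assurance.REMEMBERED if digest in self._tokens else Assurance.NONE

    def forget(self, user, label):
        """'Forget this device': revoke every token for that user and device label."""
        doomed = [d for d, owner in self._tokens.items() if owner == (user, label)]
        for d in doomed:
            del self._tokens[d]
        return len(doomed)
```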
Closing Thoughts
Context is critical! Know your risks and adapt your approach accordingly.
Engagement can suffer in the face of enhanced authentication strength.
When appropriate, allow the user to manage their own risk.