
Dec 10, 2013 (3 years and 10 months ago)


Personal Guidance. Positive Change. SM

Secure Access for Web-based Patient Portals and Applications

Chris Brooks, Senior Vice President of Technology, WebMD Health Services

October 30, 2013

MISSION:

To provide expert guidance that inspires people to take charge of their health.

WHAT WE DO:

We offer health, wellness, and care transparency solutions that help large organizations with complex populations improve people’s health, productivity, and happiness.

WHS Key Statistics

500 Employees

Over 225 Customers

Registered users: 7.1 million

Activated personal health records: 4.7 million

Completed health assessments: 1.5 million per year

© WebMD Health Services Group, Inc. All rights reserved.

Meaningful Use of Electronic Health Records is a United States National Imperative

This mandate isn’t just about improving care coordination and quality … it is also about patient engagement


Stage 2 of the CMS Incentive Program Sets Goals for Patient Engagement

Core Measure 7: Provide patients the ability to view online, download and transmit their health information within four business days of the information being available to the EP.

Core Measure 17: Use secure electronic messaging to communicate with patients on relevant health information.


Electronic Health Information Providers Face Stringent Security and Privacy Requirements

HIPAA Omnibus Rule for 2013: “Significant risk of harm” test replaced by more objective “probability of compromise” test.

Regulatory (HIPAA, HITECH) drivers

Patient / user trust and brand reputation


There are Competing Forces at Play When it Comes to Electronic Health Information Access

Ease of use and access from a wide range of devices (desktops, tablets, smartphones) is key to driving patient engagement

Yet

Providers must still ensure robust authentication standards are in place


Example: Mobile App Authentication

WebMD Health Services recently shipped a native iOS and Android “tiny habits” app called “Daily Victory”

Key attributes:

No access to or sharing of personal health information

Allows user to share daily wellness activities with WebMD and a small social network

Authentication:

Initial authorization code to provision app

No password or PIN required

Revocable access


Evaluate Authentication Needs based on Risk and Engagement Requirements

[Chart: applications plotted by Sensitivity of Information (None to High) against Engagement and Frequency of Use (Low / Infrequent to High / Frequent). Applications shown: Mobile Fitness Tracker; Patient / Physician Communication; Blood Sugar Tracker; Health Information Research; Personal Health Record; “In Case of Emergency” E-cards?; Provider Medical Imaging Mobile Viewer.]


How Might Authentication Approaches Map to this?

[Chart: authentication approaches plotted by Sensitivity of Information (None to High) against Engagement and Frequency of Use (Low / Infrequent to High / Frequent). Approaches shown: PIN auth; Multi-factor Auth; Strong Password; “Remember Me”; Risk-based Auth.]


How Might Authentication Approaches Map to this?

[Chart repeated, with callout:] Initial one-time authentication with optional or automatic “remember me” for future visits. Possible remote revocation (e.g., “forget this device”).
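The provisioning flow from the “Daily Victory” slide (initial authorization code, no password, revocable access) and the “remember me” callout with “forget this device” can be sketched as follows. This is an added example, not WebMD's code; the class, method names, in-memory storage and 10-minute code lifetime are assumptions.

```python
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed lifetime of the one-time provisioning code


def _digest(secret: str) -> str:
    # Store only hashes, so a leaked table does not yield usable credentials.
    return hashlib.sha256(secret.encode()).hexdigest()


class DeviceRegistry:
    """In-memory stand-in for the server-side device table (hypothetical)."""

    def __init__(self):
        self._pending = {}  # digest(code) -> (user_id, expires_at)
        self._devices = {}  # digest(token) -> (user_id, device_label)

    def issue_code(self, user_id, now=None):
        """Issue the authorization code after the initial authentication."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(9)
        self._pending[_digest(code)] = (user_id, now + CODE_TTL_SECONDS)
        return code

    def provision(self, code, device_label, now=None):
        """Trade a valid code for a long-lived device token; codes are single use."""
        now = time.time() if now is None else now
        user_id, expires_at = self._pending.pop(_digest(code), (None, 0))
        if user_id is None or now > expires_at:
            return None
        token = secrets.token_urlsafe(32)
        self._devices[_digest(token)] = (user_id, device_label)
        return token

    def authenticate(self, token):
        """Return the user id for a remembered device, or None if unknown or revoked."""
        entry = self._devices.get(_digest(token))
        return entry[0] if entry else None

    def forget_device(self, user_id, device_label):
        """Remote revocation ("forget this device"); returns tokens removed."""
        doomed = [d for d, (u, lbl) in self._devices.items()
                  if u == user_id and lbl == device_label]
        for d in doomed:
            del self._devices[d]
        return len(doomed)
```

Because revocation is a server-side delete, a lost phone stops working on its next request without any password change.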


How Might Authentication Approaches Map to this?

[Chart repeated, with callout:] Short PIN or similar shorter-than-password code for application entry after initial authentication


How Might Authentication Approaches Map to this?

[Chart repeated, with callout:] Full (presumably strong) password required for access to any personal information.


How Might Authentication Approaches Map to this?

[Chart repeated, with callout:] Variable level of authentication based on pre-determined risk of both the current user session as well as the intended user activity.
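A step-up decision that combines the two inputs named in this callout, session risk and intended activity, might look like the following. This is an added example, not from the presentation; the ordering of the levels, the activity names, the signal names and their weights are all assumptions chosen for illustration.

```python
from enum import IntEnum


class Auth(IntEnum):
    # Assumed ordering of the approaches named on the slides, weakest first.
    REMEMBER_ME = 1
    PIN = 2
    PASSWORD = 3
    MULTI_FACTOR = 4


# Hypothetical activities with a pre-determined baseline per sensitivity.
ACTIVITY_BASELINE = {
    "log_daily_activity": Auth.REMEMBER_ME,     # no personal health information
    "view_fitness_history": Auth.PIN,
    "view_health_record": Auth.PASSWORD,
    "download_health_record": Auth.MULTI_FACTOR,
}

# Hypothetical session signals and weights.
SIGNAL_WEIGHT = {"new_device": 2, "unusual_location": 2, "recent_failed_logins": 1}


def session_risk(signals):
    """Sum the weights of observed signals; unknown signals count as 1."""
    return sum(SIGNAL_WEIGHT.get(s, 1) for s in signals)


def required_auth(activity, signals):
    """Raise the activity's baseline by 0, 1 or 2 levels according to session risk."""
    # Unknown activities fail closed to the strongest level.
    baseline = ACTIVITY_BASELINE.get(activity, Auth.MULTI_FACTOR)
    score = session_risk(signals)
    bump = 0 if score < 2 else 1 if score < 4 else 2
    return Auth(min(baseline + bump, Auth.MULTI_FACTOR))


def decide(activity, signals, session_level):
    """Allow the request, or ask for step-up to the level the policy needs."""
    needed = required_auth(activity, signals)
    action = "allow" if session_level >= needed else "step_up"
    return action, needed
```

A password-authenticated session on a new device is asked for a second factor before viewing the health record, while the same session logging a daily activity is allowed through.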


How Might Authentication Approaches Map to this?

[Chart repeated, with callout:] Use at least two factors (know / has / is) for authentication. Rotating tokens, SMS codes, “dongles”, and biometrics are examples.


Closing Thoughts

Context is critical! Know your risks and adapt your approach accordingly.

Engagement can suffer in the face of enhanced authentication strength.

When appropriate, allow the user to manage their own risk.

