Published by Regina Crafton
Modified over 2 years ago
Why we need a single token for user authentication and how do we get there?

How HITRUST Got Interest in Digital Identities
- Approached in April 2009 by organizations adopting CSF indicating that complaints specific to information security were increasing
  - Specifically around authentication and access controls
- Meeting in Washington DC
- Surveys confirmed that implementation of stronger authentication (deemed appropriate based on risk) did significantly decrease user satisfaction with systems
  - Password complexity
  - Password refresh
  - Multifactor authentication
- Created a program to address user satisfaction issues
- Collaborated with a number of organizations from across the nation on development of requirements
- Partnered with Baylor Health Care System and Dallas County Medical Society to make it a reality and bring it to market
- Strong technology partnership with Computer Associates, Gemalto and others
© 2012 HITRUST Identity Services. All rights reserved

What problems are we trying to solve?
- Growing dissatisfaction among healthcare professionals coinciding with the increasing number of badges, tokens, usernames and passwords
- Healthcare organizations are struggling with the inefficiencies, complexities and costs of token and authentication mechanisms

Multiple Perspectives on the Situation

Physicians, Payers
- "I pay the full cost of registration, ID and card issuance and password maintenance process that is almost identical as every other organization"
- "I service nearly the same providers as everyone else"
- "It seems like all my help desk does is reset passwords and call physicians to provide information they should already have access"
- "It costs me time and money to maintain access to all the services; and they are all a little different to deal with"
- "It is ridiculous that my staff and I need to have a different logon to access every different organizations we work with and sometimes multiple per organization"

Hospitals
- "New compliance requirements are a moving target. I need an easy way to keep up"
- "Between my own systems, ePrescribing, payer systems, & HIEs."
- "My physicians are asking us to make it easier for them to access our facilities and systems"
- "Implementing and maintaining token and identity management systems is costly and complex"

End User Realities
- Users are issued user names, tokens and badges
- High level of dissatisfaction with authentication process that extends to users' applications experience
- Users want a simplified authentication solution that is UNIVERSAL across information systems and organizations

Accepting Entity Realities
- Increased costs
  - Each organization is issuing and supporting IDs, tokens and badges
  - Average costs associated with supporting PROX cards and user IDs in a healthcare organization are over $110/year in security administration [1]
- Greater complexity
  - Organizations are working with an assortment of technologies and applications
  - Technology limitations and restrictions
  - Unique myriad of regulations and compliance requirements
- Decreased user satisfaction
  - End-user frustration is increasing, coinciding with the number of user names, tokens, badges and support numbers to remember and the increasing requirements for stronger passwords and authentication as well as change frequency
- Reduced policy enforcement and increased risk
  - Organizations compromise information security to accommodate end user complaints

[1] Source: Gartner Research report and does not include OTP tokens

Accepting Entity Objectives
- Implement an authentication approach that simplifies the end user experience while meeting and complying with stated information protection standards, regulations, and policies in a cost effective and manageable manner
- Reduce number of times a user has to login and use the simplest method possible based on risk
- Provide flexibility with authentication options
- Meet compliance requirements
- Provided as a service that combines technology, operations and support
- Pay-for-use on an annual basis

What is the HITRUST ID?

HITRUST ID
- Single strong identification and authentication solution
- Issued to individuals in the healthcare community
- Can be accepted by multiple organizations
- Offered in multiple form factors
- Available with multiple grades of vetting and proofing
- Incorporates technology, operations and policy

HITRUST ID – Authentication Suite
- HITRUST Username/Password
- Mobile Device APP One Time Password (OTP)
- HITRUST ID Smartcard (Universal and Organization Specific)
- SMS/text based One Time Password (OTP)
- Adaptive Authentication
- Risk Based Authentication

HITRUST ID – Smartcard
Uniquely designed to incorporate numerous technologies and safeguards

[Figure: annotated front and back of the card, 3.35 in x 2.12 in. Labelled elements:]
- Picture (1.33 in x 1 in)
- Name
- Smartcard 64k v7 chip with X.509 cert.
- Role Identifier
- Professional Certification
- Personalized Information
- HID Username
- Magnetic Strip (3T XT4000)
- 1D Barcode (Code 39)
- QR code
- Unique ID Number (ID number also embedded within Magnetic Strip, 1D and QR Barcode)
- Expiration
- Security features include hologram and tamper proof laminate
- ISO MHZ Type A and B

HITRUST ID – Colors and Departments
- Designed in collaboration with hospital, physician, nurse and regulatory representatives
- Intended to standardize the presentation of ID cards across facilities

[Figure: color-coded card designs by department:]
- Respiratory
- Transport
- Pharmacy
- Radiology
- Lab
- Social work/Pastoral care
- Rehabilitation
- Nutrition
- Nursing
- Admin/non-patient
- Physician
- Special Services Designation

HITRUST ID – Mobile Device APP for OTP
- Highly secure, easy to use, one-time password generator
- Application available for multiple platforms:
  - iPhones
  - iPads
  - Android smart phones
  - Blackberry devices
- SMS generator for other cellular devices
- Device security using DDNA

HITRUST ID – Risk Based Authentication
- Provides the ability to meet strong authentication requirements without requiring additional user input or intervention
- Based on HITRUST CSF Alternate Control and on-going risk assessment
- Ability to require stronger authentication based on the perceived risk
- Ability to choose authentication method based on risk
- Accepting entities can refine policies (i.e. location, resource, previous use)
- Balances authentication convenience with the transaction risk

Balancing Convenience and Risk

[Figure: authentication methods plotted against two axes, CONVENIENCE (Low to High) and RISK MITIGATION (High to Low). Methods shown: Smart card with digital certificate; Username/Password; APP based OTP; SMS/text based OTP; Adaptive Authentication; Risk based authentication analysis.]

Typical Solution Uses – Health System

Authentication Type                          HITRUST Identity Solution(s)
Facility access                              Smart Cards
Meal plans                                   Smart Cards
Active Directory logon                       Soft IDs, Smart Cards, OTP
Device and VDI logon                         Soft IDs, SSO, Smart Cards
VPN logon                                    Soft IDs, Smart Cards, OTP
Digital Signing of Documents                 Smart Cards, OTP
Application logon                            Smart Cards, Soft IDs, OTP
Application logon (specialized – eRX CS)     OTP, Smart Cards
Portal/website logon                         Smart Cards, Soft IDs, OTP

HITRUST ID – Benefits to Accepting Entities
- Decreased costs: lower start-up and operating costs achieved through outsourced approach, proofing, issuance, maintenance and support
- Reduced risk: utilization and enforcement of appropriate authentication mechanism
- Lessened complexity: cloud-based service eliminates need for in-house supported complex systems that manage identities within organizations
- Increased end user satisfaction: improved experience coupled with greater familiarity
  - Leads to a decrease in support inquiries and self-service visits related to lost IDs, passwords and badges
- Future proof: flexibility and adaptability eliminate concerns over obsolete tokens or software due to requirement changes, regulations
- Higher system utilization: by simplifying the end user experience regarding access, users are more inclined to use online services

Security Becomes a Satisfaction Tool

HITRUST ID Level II Uses and Vetting
Used in situations where a very high level of assurance is required about the user's identity and token integrity
- NIST Level 3 Proofing (Remote)
- Users who do not require onsite access, but do require system access or as addition to those with smartcards

HITRUST ID (Time Sensitive Token) uses:
- Information System Access
- Remote Access
© 2010 HITRUST Identity Services. All rights reserved

HITRUST ID Level V Uses and Vetting
Used in situations where a very high level of assurance is required about the user's identity and token integrity, as well as ability for credential to support ePrescribing of controlled substances
- NIST Level 4 Proofing
- E-Prescribing controlled substance proofing

HITRUST ID (Smart Card) uses:
- First Responders
- Hospital Meal Plans
- Facilities Access
- Information System Access
- Domain Access
- ePrescribing of Controlled Substances
- Secure eSignatures

Questions?

For More Information