Published by Regina Crafton
Modified over 3 years ago
Why we need a single token for user authentication and how do we get there?

How HITRUST Got Interest in Digital Identities
- Approached in April 2009 by organizations adopting CSF indicating that complaints specific to information security were increasing
  - Specifically around authentication and access controls
- Meeting in Washington DC
- Surveys confirmed that implementation of stronger authentication (deemed appropriate based on risk) did significantly decrease user satisfaction with systems
  - Password complexity
  - Password refresh
  - Multifactor authentication
- Created a program to address user satisfaction issues
- Collaborated with a number of organizations from across the nation on development of requirements
- Partnered with Baylor Health Care System and Dallas County Medical Society to make it a reality and bring it to market
- Strong technology partnership with Computer Associates, Gemalto and others
© 2012 HITRUST Identity Services. All rights reserved

What problems are we trying to solve?
- Growing dissatisfaction among healthcare professionals coinciding with the increasing number of badges, tokens, usernames and passwords
- Healthcare organizations are struggling with the inefficiencies, complexities and costs of token and authentication mechanisms

Multiple Perspectives on the Situation
Perspectives shown: Physicians, Payers, Hospitals
- "I pay the full cost of registration, ID and card issuance and password maintenance process that is almost identical as every other organization"
- "I service nearly the same providers as everyone else"
- "It seems like all my help desk does is reset passwords and call physicians to provide information they should already have access"
- "It costs me time and money to maintain access to all the services; and they are all a little different to deal with"
- "It is ridiculous that my staff and I need to have a different logon to access every different organization we work with and sometimes multiple per organization"
- "New compliance requirements are a moving target. I need an easy way to keep up"
- "Between my own systems, ePrescribing, payer systems, & HIEs."
- "My physicians are asking us to make it easier for them to access our facilities and systems"
- "Implementing and maintaining token and identity management systems is costly and complex"

End User Realities
- Users are issued 6 - 66 user names, tokens and badges
- High level of dissatisfaction with authentication process that extends to users' applications experience
- Users want a simplified authentication solution that is UNIVERSAL across information systems and organizations

Accepting Entity Realities
- Increased costs
  - Each organization is issuing and supporting IDs, tokens and badges
  - Average costs associated with supporting PROX cards and user IDs in a healthcare organization are over $110/year in security administration [1]
- Greater complexity
  - Organizations are working with an assortment of technologies and applications
  - Technology limitations and restrictions
  - Unique myriad of regulations and compliance requirements
- Decreased user satisfaction
  - End-user frustration is increasing, coinciding with the number of user names, tokens, badges and support numbers to remember and the increasing requirements for stronger passwords and authentication as well as change frequency
- Reduced policy enforcement and increased risk
  - Organizations compromise information security to accommodate end user complaints
[1] Source: Gartner Research report and does not include OTP tokens

Accepting Entity Objectives
Implement an authentication approach that simplifies the end user experience while meeting and complying with stated information protection standards, regulations, and policies in a cost effective and manageable manner
- Reduce number of times a user has to login and use the simplest method possible based on risk
- Provide flexibility with authentication options
- Meet compliance requirements
- Provided as a service that combines technology, operations and support
- Pay-for-use on an annual basis

What is the HITRUST ID?

HITRUST ID
- Single strong identification and authentication solution
- Issued to individuals in the healthcare community
- Can be accepted by multiple organizations
- Offered in multiple form factors
- Available with multiple grades of vetting and proofing
- Incorporates technology, operations and policy

HITRUST ID – Authentication Suite
- HITRUST Username/Password
- Mobile Device APP One Time Password (OTP)
- HITRUST ID Smartcard (Universal and Organization Specific)
- SMS/text based One Time Password (OTP)
- Adaptive Authentication
- Risk Based Authentication

HITRUST ID – Smartcard
Uniquely designed to incorporate numerous technologies and safeguards
Card diagram labels (card size 3.35 in x 2.12 in):
- Picture (1.33 in x 1 in)
- Name
- Smartcard 64k v7 CHIP with X.509 Cert.
- Role Identifier
- Professional Certification
- Personalized Information
- HID Username
- Magnetic Strip (3T XT4000)
- 1D Barcode (Code 39)
- QR code
- Unique ID Number (ID number also embedded within Magnetic Strip, 1D and QR Barcode)
- Expiration
- ISO 14443 13.56 MHz Type A and B
Security features include hologram and tamper proof laminate

HITRUST ID – Colors and Departments
- Designed in collaboration with hospital, physician, nurse and regulatory representatives
- Intended to standardize the presentation of ID cards across facilities
Labels shown on the card samples: Respiratory, Transport, Pharmacy, Radiology, Lab, Social work/Pastoral care, Rehabilitation, Nutrition, Nursing, Admin/non-patient, Physician, Special Services Designation

HITRUST ID – Mobile Device APP for OTP
- SMS generator for other cellular devices
- Application available for multiple platforms:
  - iPhones
  - iPads
  - Android smart phones
  - Blackberry devices
- Device security using DDNA
- One-time Password
- Highly secure, easy to use, one-time password generator

HITRUST ID – Risk Based Authentication
- Provides the ability to meet strong authentication requirements without requiring additional user input or intervention
- Based on HITRUST CSF Alternate Control and on-going risk assessment
- Ability to require stronger authentication based on the perceived risk
- Ability to choose authentication method based on risk
- Accepting entities can refine policies (i.e. location, resource, previous use)
- Balances authentication convenience with the transaction risk

Balancing Convenience and Risk
[Chart. Axes: CONVENIENCE (Low, High) and RISK MITIGATION (High, Low). Methods shown: Smart card with digital certificate; Username/Password; APP based OTP; Adaptive Authentication; Risk based authentication analysis; SMS/text based OTP]

Typical Solution Uses – Health System
| Authentication Type | HITRUST Identity Solution(s) |
| Facility access | Smart Cards |
| Meal plans | Smart Cards |
| Active Directory logon | Soft IDs, Smart Cards, OTP |
| Device and VDI logon | Soft IDs, SSO, Smart Cards |
| VPN logon | Soft IDs, Smart Cards, OTP |
| Digital Signing of Documents | Smart Cards, OTP |
| Application logon | Smart Cards, Soft IDs, OTP |
| Application logon (specialized – eRX CS) | OTP, Smart Cards |
| Portal/website logon | Smart Cards, Soft IDs, OTP |
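
The risk-based authentication slides above describe raising the required authenticator with perceived risk (location, resource, previous use) while not prompting users whose session is already strong enough. The sketch below is an added example, not HITRUST's implementation; the method ordering, resource and location names, floors and weights are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Authenticators named on the slides; the weakest-to-strongest order is an assumption.
STRENGTH = {"password": 0, "sms_otp": 1, "app_otp": 2, "smartcard": 3}

# Hypothetical accepting-entity policy. The floor is the weakest method ever
# accepted for a resource; context can raise the requirement, never lower it.
RESOURCE_FLOOR = {"portal": "password", "vpn": "password", "erx_cs": "app_otp"}
LOCATION_RISK = {"onsite": 0, "known_remote": 1, "unknown": 2}


@dataclass
class AccessRequest:
    resource: str      # what is being accessed
    location: str      # where the request comes from
    seen_before: bool  # previous use: this user/device pairing was seen earlier
    presented: str     # strongest method already satisfied in this session


def required_method(req: AccessRequest) -> str:
    """Return the minimum authenticator for this request."""
    # Fail closed: an unlisted resource or location gets the strictest value.
    floor = STRENGTH[RESOURCE_FLOOR.get(req.resource, "smartcard")]
    risk = LOCATION_RISK.get(req.location, 2) + (0 if req.seen_before else 1)
    level = min(floor + risk, STRENGTH["smartcard"])
    return next(m for m, s in STRENGTH.items() if s == level)


def decide(req: AccessRequest) -> str:
    """Allow silently when the session is already strong enough, else step up."""
    need = required_method(req)
    # An unrecognised presented method counts as weaker than any known one.
    if STRENGTH.get(req.presented, -1) >= STRENGTH[need]:
        return "allow"
    return f"step_up:{need}"
```

The resource floor is what keeps a low contextual risk score from downgrading a logon, such as ePrescribing of controlled substances, below the method the entity's policy requires for it.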

HITRUST ID – Benefits to Accepting Entities
- Decreased costs: lower start-up and operating costs achieved through outsourced approach, proofing, issuance, maintenance and support
- Reduced risk: utilization and enforcement of appropriate authentication mechanism
- Lessened complexity: cloud-based service eliminates need for in-house supported complex systems that manage identities within organizations
- Increased end user satisfaction: improved experience coupled with greater familiarity; leads to a decrease in support inquiries and self-service visits related to lost IDs, passwords and badges
- Future proof: flexibility and adaptability eliminate concerns over obsolete tokens or software due to requirement changes, regulations
- Higher system utilization: by simplifying the end user experience regarding access, users are more inclined to use online services

Security Becomes a Satisfaction Tool

HITRUST ID Level II Uses and Vetting
Used in situations where a very high level of assurance is required about the user's identity and token integrity
- NIST 800-63 Level 3 Proofing (Remote)
- Users who do not require onsite access, but do require system access or as addition to those with smartcards
HITRUST ID (Time Sensitive Token) uses:
- Information System Access
- Remote Access
© 2010 HITRUST Identity Services. All rights reserved

HITRUST ID Level V Uses and Vetting
Used in situations where a very high level of assurance is required about the user's identity and token integrity, as well as ability for credential to support ePrescribing of controlled substances
- NIST 800-63 Level 4 Proofing
- E-Prescribing controlled substance proofing
HITRUST ID (Smart Card) uses:
- First Responders
- Hospital Meal Plans
- Facilities Access
- Information System Access
- Domain Access
- ePrescribing of Controlled Substances
- Secure eMail
- eSignatures

Questions?

For more information: www.HITRUSTID.com