Why we need a single token for user authentication and how do we get there?


1 Why we need a single token for user authentication and how do we get there?

2 Background

3 How HITRUST Got Interest in Digital Identities
- Approached in April 2009 by organizations adopting CSF indicating that complaints specific to information security were increasing
- Specifically around authentication and access controls
- Meeting in Washington DC
- Surveys confirmed that implementation of stronger authentication (deemed appropriate based on risk) did significantly decrease user satisfaction with systems
- Password complexity
- Password refresh
- Multifactor authentication
- Created a program to address user satisfaction issues
- Collaborated with a number of organizations from across the nation on development of requirements
- Partnered with Baylor Health Care System and Dallas County Medical Society to make it a reality and bring it to market
- Strong technology partnership with Computer Associates, Gemalto and others
© 2012 HITRUST Identity Services. All rights reserved

4 What problems are we trying to solve?
- Growing dissatisfaction among healthcare professionals coinciding with the increasing number of badges, tokens, usernames and passwords
- Healthcare organizations are struggling with the inefficiencies, complexities and costs of token and authentication mechanisms

5 Multiple Perspectives on the Situation
Perspectives shown on the slide: Physicians, Payers, Hospitals
- "I pay the full cost of registration, ID and card issuance and password maintenance process that is almost identical as every other organization"
- "I service nearly the same providers as everyone else"
- "It seems like all my help desk does is reset passwords and call physicians to provide information they should already have access"
- "It costs me time and money to maintain access to all the services; and they are all a little different to deal with"
- "It is ridiculous that my staff and I need to have a different logon to access every different organizations we work with and sometimes multiple per organization"
- "New compliance requirements are a moving target. I need an easy way to keep up"
- "Between my own systems, ePrescribing, payer systems, & HIEs."
- "My physicians are asking us to make it easier for them to access our facilities and systems"
- "Implementing and maintaining token and identity management systems is costly and complex"

6 End User Realities
- Users are issued user names, tokens and badges
- High level of dissatisfaction with authentication process that extends to users applications experience
- Users want a simplified authentication solution that is UNIVERSAL across information systems and organizations

7 Accepting Entity Realities
- Increased costs
  - Each organization is issuing and supporting IDs, tokens and badges
  - Average costs associated with supporting PROX cards and user IDs in a healthcare organization are over $110/year in security administration [1]
- Greater complexity
  - Organizations are working with an assortment of technologies and applications
  - Technology limitations and restrictions
  - Unique myriad of regulations and compliance requirements
- Decreased user satisfaction
  - End-user frustration is increasing, coinciding with the number of user names, tokens, badges and support numbers to remember and the increasing requirements for stronger passwords and authentication as well as change frequency
- Reduced policy enforcement and increased risk
  - Organizations compromise information security to accommodate end user complaints
[1] Source: Gartner Research report and does not include OTP tokens

8 Accepting Entity Objectives
Implement an authentication approach that simplifies the end user experience while meeting and complying with stated information protection standards, regulations, and policies in a cost effective and manageable manner
- Reduce number of times a user has to login and use the simplest method possible based on risk
- Provide flexibility with authentication options
- Meet compliance requirements
- Provided as a service that combines technology, operations and support
- Pay-for-use on an annual basis

9 What is the HITRUST ID?

10 HITRUST ID
- Single strong identification and authentication solution
- Issued to individuals in the healthcare community
- Can be accepted by multiple organizations
- Offered in multiple form factors
- Available with multiple grades of vetting and proofing
- Incorporates technology, operations and policy

11 HITRUST ID – Authentication Suite
- HITRUST Username/Password
- Mobile Device APP One Time Password (OTP)
- HITRUST ID Smartcard (Universal and Organization Specific)
- SMS/text based One Time Password (OTP)
- Adaptive Authentication
- Risk Based Authentication

12 HITRUST ID – Smartcard
Uniquely designed to incorporate numerous technologies and safeguards
[Card diagram; labels shown:]
- Picture, 1.33 in x 1 in
- Name
- Smartcard 64k v7 CHIP with X.509 Cert.
- Role Identifier
- Professional Certification
- Personalized Information
- HID Username
- Magnetic Strip (3T XT4000)
- 1D Barcode (Code 39)
- 3.35 in x 2.12 in
- Unique ID Number (ID number also embedded within Magnetic Strip, 1D and QR Barcode)
- QR code
- Expiration
- Security features include hologram and tamper proof laminate
- ISO MHZ Type A and B

13 HITRUST ID – Colors and Departments
- Designed in collaboration with hospital, physician, nurse and regulatory representatives
- Intended to standardize the presentation of ID cards across facilities
[Color-coded card examples; designations shown: Respiratory, Transport, Pharmacy, Radiology, Lab, Social work/Pastoral care, Rehabilitation, Nutrition, Nursing, Admin/non-patient, Physician, Special Services Designation]

14 HITRUST ID – Mobile Device APP for OTP
Highly secure, easy to use, one-time password generator
- Application available for multiple platforms:
  - iPhones
  - iPads
  - Android smart phones
  - Blackberry devices
- SMS generator for other cellular devices
- Device security using DDNA
- One-time Password

15 HITRUST ID – Risk Based Authentication
- Provides the ability to meet strong authentication requirements without requiring additional user input or intervention
- Based on HITRUST CSF Alternate Control and on-going risk assessment
- Ability to require stronger authentication based on the perceived risk
- Ability to choose authentication method based on risk
- Accepting entities can refine policies (i.e. location, resource, previous use)
- Balances authentication convenience with the transaction risk

16 Balancing Convenience and Risk
[Chart; axes: Convenience (Low to High) and Risk Mitigation (High to Low). Methods plotted: Smart card with digital certificate; Username/Password; APP based OTP; Adaptive Authentication; Risk based authentication analysis; SMS/text based OTP]

17 Typical Solution Uses – Health System

Authentication Type                           HITRUST Identity Solution(s)
Facility access                               Smart Cards
Meal plans                                    Smart Cards
Active Directory logon                        Soft IDs, Smart Cards, OTP
Device and VDI logon                          Soft IDs, SSO, Smart Cards
VPN logon                                     Soft IDs, Smart Cards, OTP
Digital Signing of Documents                  Smart Cards, OTP
Application logon                             Smart Cards, Soft IDs, OTP
Application logon (specialized – eRX CS)      OTP, Smart Cards
Portal/website logon                          Smart Cards, Soft IDs, OTP

18 HITRUST ID – Benefits to Accepting Entities
- Decreased costs: lower start-up and operating costs achieved through outsourced approach, proofing, issuance, maintenance and support
- Reduced risk: utilization and enforcement of appropriate authentication mechanism
- Lessened complexity: cloud-based service eliminates need for in-house supported complex systems that manage identities within organizations
- Increased end user satisfaction: improved experience coupled with greater familiarity; leads to a decrease in support inquiries and self-service visits related to lost IDs, passwords and badges
- Future proof: flexibility and adaptability eliminate concerns over obsolete tokens or software due to requirement changes, regulations
- Higher system utilization: by simplifying the end user experience regarding access, users are more inclined to use online services

19 Security Becomes a Satisfaction Tool

20 HITRUST ID Level II Uses and Vetting
Used in situations where a very high level of assurance is required about the user's identity and token integrity
- NIST Level 3 Proofing (Remote)
- Users who do not require onsite access, but do require system access or as addition to those with smartcards
HITRUST ID (Time Sensitive Token) uses:
- Information System Access
- Remote Access
© 2010 HITRUST Identity Services. All rights reserved

21 HITRUST ID Level V Uses and Vetting
Used in situations where a very high level of assurance is required about the user's identity and token integrity, as well as ability for credential to support ePrescribing of controlled substances
- NIST Level 4 Proofing
- E-Prescribing controlled substance proofing
HITRUST ID (Smart Card) uses:
- First Responders
- Hospital Meal Plans
- Facilities Access
- Information System Access
- Domain Access
- ePrescribing of Controlled Substances
- Secure eSignatures

22 Questions?

23 For More Information

