user authentication in mobile healthcare applications
RIVERA SÁNCHEZ-1
CSE5810
User Authentication in Mobile Healthcare Applications
Yaira K. Rivera Sánchez
Computer Science & Engineering Department
University of Connecticut, Storrs
Overview
Background
User Authentication: Problem, Goal
Approaches
Existing Mobile Applications
Limitations
Conclusion
Background – HIT Systems
EHR
PHR/PPHR
EMR
Kareo EHR
OFFICE EMR
Capzule PHR
Background – User Authentication
Definition: “Process of determining whether someone is, in fact, who or what is declared to be.” [1]
“Process of identifying an individual, usually based on a username and password.” [2]
Examples: Username/Password combination, tokens, biometrics.
Background – User Authentication (Cont.)
Secure Sockets Layer (SSL): Transmit data through network. Public key and private key.
Multi-factor Authentication:
Knowledge factor: Username/Password, Personal Identification Number (PIN)
Possession factor: Digital Signature, Digital Certificate, X.509 Certificate
Inherence factor: Biometrics
Who needs it and why is it important?
Who needs user authentication?
Patients and Medical Providers
Why is it important?
Smartphones are an important source of healthcare information for many. In 2012, about 95 million Americans used their mobile phones either as healthcare tools or to find health-related information according to [3].
Mobile healthcare applications are increasing every day (20,000+).
Sensitivity and confidentiality of healthcare data.
Problem
People want to have access to their healthcare data in a secure and easy way.
There exist a lot of mobile healthcare applications to do this, but… are they secure?
What approach could we use to secure user authentication in mobile healthcare applications?
Goal
Find and describe different approaches to do secure user authentication for mobile healthcare applications.
Check, Assurances, Protection (CAP) Framework
Directed towards:
Ensuring secure interactions between mobile applications by encrypting healthcare data when it is being exchanged.
Utilizing strong authentication protocols in order to determine what data needs to be exposed/stored on a system.
Proposed SSL and Shared Certificates combined with CIA (security tenets: confidentiality, integrity, availability) to do authentication.
HealthPass
Secure access control model for PPHRs.
Extended digital certificate.
Dynamic interactions without using a classical authorization and authentication approach like username and password.
Overall PPHR architecture with XML-based PHR
– PHR certificate (HealthPass) issuing
Generic Bootstrap Architecture
Mutual authentication of users and network applications.
Directed toward EHRs.
Mutual authentication: Use of SIM card credentials.
PIN number in order to unlock the token.
GBA Reference Model
Two-Factor Authentication
Encryption and a two-factor authentication method.
Secure authentication and communication between a mobile device and a healthcare service provider.
Provides multi-factor authentication without the need to have an authentication token.
Reference model of security architecture for mobile access to information from patient’s medical record
Three-factor user authentication
Use of smartphone as whole identity: no need for token.
Three-factor authentication: username/password combination, biometrics and smartphone.
Secure and hassle-free authentication.
Patient Authentication Framework
Medisoft
Requires the user to login with a username and password.
User can set up a time span after which the application will automatically log off.
User can set up a four-digit security code (a PIN) to log in to the app again once the time span has expired.
HIPAA compliant.
PatientKeeper
Users have to enter a PIN/Password to gain access to the application.
Incorrect password several times: System can lock the user out of the account and could delete all the information that is stored in the device.
Encrypts the data that is sent to the device. It remains encrypted until the user accesses such data from the application.
AES + SSL/TLS = Secure transfer of data.
HIPAA compliant.
Dr. Chrono
Authenticates a user utilizing the username/password combination.
Auto-logoff feature: Automatically logs off users that are logged into the account but have been inactive for a certain period of time.
Digital certificate: Used to verify that the user is authenticated correctly and is in the correct site.
HIPAA compliant.
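The auto-logoff, PIN re-entry and lockout-with-wipe behaviours listed for Medisoft, PatientKeeper and Dr. Chrono above, combined in one added example (not code from any of these applications or from the original slides). The class name SessionGuard, its methods, the PBKDF2 parameters and the default limits are assumptions; time is passed in as `now` so the logic can be exercised without waiting.

```python
import hashlib
import hmac
import os


class SessionGuard:
    """Hypothetical session guard; all names and defaults are assumptions."""

    def __init__(self, pin, idle_timeout=300.0, max_failures=5, now=0.0):
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self.idle_timeout = idle_timeout   # seconds of inactivity before auto-logoff
        self.max_failures = max_failures   # wrong PINs tolerated before lockout
        self.failures = 0
        self.unlocked = True               # caller has just done the full login
        self.locked_out = False
        self.last_activity = now
        self.cache = {}                    # stands in for data stored on the device

    def _derive(self, pin):
        # A four-digit PIN has only 10,000 values, so the attempt limit below,
        # not the slow hash, is what stops guessing on the device.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def touch(self, now):
        """Call on every user action; returns True while the session is usable."""
        if self.unlocked and now - self.last_activity >= self.idle_timeout:
            self.unlocked = False          # auto-logoff after the idle time span
        if self.unlocked:
            self.last_activity = now
        return self.unlocked

    def unlock(self, pin, now):
        """Re-enter the PIN after auto-logoff; returns True on success."""
        if self.locked_out:
            return False
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self.failures = 0
            self.unlocked = True
            self.last_activity = now
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_out = True         # only a full login may reset this
            self.unlocked = False
            self.cache.clear()             # delete the locally stored information
        return False
```

In an application, `now` would come from a monotonic clock such as `time.monotonic()`, so that changing the device's wall-clock time cannot extend a session.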
Limitations
Authentication:
Passwords: Widely used and accepted by users. Doubts about level of security. More difficult for users to remember them.
Tokens: Use of digital certificates. Falsifying digital certificates.
Biometrics: Is currently limited. Privacy concerns: misuse of data, tracking, additional data, etc.
Limitations (Cont.)
Patient’s EHR might be fragmented and accessible from several places (they could be in different hospitals, providers, etc.).
Security defects on these systems could cause the disclosure of information to unauthorized users.
Difficulties in maintaining data privacy.
Example: Administrative staff could access the information without the patient’s consent.
Conclusion
Presented different authentication methods.
Problems and goals.
Discussed other approaches that researchers have done.
Existing mobile applications.
Limitations.
Still a long way to go…
References
[1] http://searchsecurity.techtarget.com/definition/authentication
[2] http://www.webopedia.com/TERM/A/authentication.html
[3] Laurie A. Jones, Annie I. Antón, and Julia B. Earp. “Towards understanding user perceptions of authentication technologies”. In Proceedings of the 2007 ACM workshop on Privacy in electronic society (WPES '07). ACM, New York, NY, USA, 91-98. 2007.
Questions?