Why we need a single token for user authentication and how do we get there?

Uploaded by regina-crafton, posted 29-Mar-2015

Page 1: Why we need a single token for user authentication and how do we get there?

Page 2

Background

Page 3

How HITRUST Got Interest in Digital Identities

© 2012 HITRUST Identity Services. All rights reserved

• Approached in April 2009 by organizations adopting the CSF, indicating that complaints specific to information security were increasing
  − Specifically around authentication and access controls
  − Meeting in Washington DC

• Surveys confirmed that implementing stronger authentication (deemed appropriate based on risk) significantly decreased user satisfaction with systems
  − Password complexity
  − Password refresh
  − Multifactor authentication

• Created a program to address user satisfaction issues
• Collaborated with a number of organizations from across the nation on development of requirements
• Partnered with Baylor Health Care System and Dallas County Medical Society to make it a reality and bring it to market
• Strong technology partnership with Computer Associates, Gemalto and others

Page 4

What problems are we trying to solve?

• Growing dissatisfaction among healthcare professionals, coinciding with the increasing number of badges, tokens, usernames and passwords

• Healthcare organizations are struggling with the inefficiencies, complexities and costs of token and authentication mechanisms

Page 5

Multiple Perspectives on the Situation

Physicians / Payers

• "I pay the full cost of a registration, ID and card issuance and password maintenance process that is almost identical to every other organization's"
• "I service nearly the same providers as everyone else"
• "It seems like all my help desk does is reset passwords and call physicians to provide information they should already have access to"
• "It costs me time and money to maintain access to all the services, and they are all a little different to deal with"
• "It is ridiculous that my staff and I need to have a different logon to access every organization we work with, and sometimes multiple per organization"

Hospitals

• "New compliance requirements are a moving target. I need an easy way to keep up"
• "Between my own systems, ePrescribing, payer systems and HIEs, my physicians are asking us to make it easier for them to access our facilities and systems"
• "Implementing and maintaining token and identity management systems is costly and complex"

Page 6

End User Realities

• Users are issued 6 - 66 user names, tokens and badges
• High level of dissatisfaction with the authentication process, which extends to users' application experience

Users want a simplified authentication solution that is UNIVERSAL across information systems and organizations

Page 7

Accepting Entity Realities

• Increased costs
  − Each organization is issuing and supporting IDs, tokens and badges
  − Average costs associated with supporting PROX cards and user IDs in a healthcare organization are over $110/year in security administration [1]

• Greater complexity
  − Organizations are working with an assortment of technologies and applications
  − Technology limitations and restrictions
  − Unique myriad of regulations and compliance requirements

• Decreased user satisfaction
  − End-user frustration is increasing, coinciding with the number of user names, tokens, badges and support numbers to remember, and with the increasing requirements for stronger passwords and authentication as well as change frequency

• Reduced policy enforcement and increased risk
  − Organizations compromise information security to accommodate end user complaints

[1] Source: Gartner Research report; does not include OTP tokens

Page 8

Accepting Entity Objectives

Implement an authentication approach that simplifies the end user experience while meeting and complying with stated information protection standards, regulations, and policies in a cost-effective and manageable manner

• Reduce the number of times a user has to log in, and use the simplest method possible based on risk
• Provide flexibility with authentication options
• Meet compliance requirements
• Provided as a service that combines technology, operations and support
• Pay-for-use on an annual basis

Page 9

What is the HITRUST ID?

Page 10

HITRUST ID

• Single strong identification and authentication solution
• Issued to individuals in the healthcare community
• Can be accepted by multiple organizations
• Offered in multiple form factors
• Available with multiple grades of vetting and proofing
• Incorporates technology, operations and policy

Page 11

HITRUST ID – Authentication Suite

• HITRUST Username/Password
• Mobile Device APP One Time Password (OTP)
• HITRUST ID Smartcard (Universal and Organization Specific)
• SMS/text based One Time Password (OTP)
• Adaptive Authentication
• Risk Based Authentication

Page 12

HITRUST ID – Smartcard

[Card diagram, 3.35 in x 2.12 in: front carries a 1.33 in x 1 in picture, name, role identifier, professional certification, personalized information, HID username, unique ID number, QR code and expiration. Card body is a Smartcard 64k v7 with a chip holding an X.509 certificate, a magnetic stripe (3T XT4000), a 1D barcode (Code 39) and a QR code; the ID number is also embedded within the magnetic stripe, 1D barcode and QR code. Contactless interface: ISO 14443 13.56 MHz Type A and B.]

• Uniquely designed to incorporate numerous technologies and safeguards
• Security features include hologram and tamper-proof laminate

Page 13

HITRUST ID – Colors and Departments

[Card color designations by department: Respiratory, Transport, Pharmacy, Radiology, Lab, Social work/Pastoral care, Rehabilitation, Nutrition, Nursing, Admin/non-patient, Physician, Special Services]

• Designed in collaboration with hospital, physician, nurse and regulatory representatives
• Intended to standardize the presentation of ID cards across facilities

Page 14

HITRUST ID – Mobile Device APP for OTP

• Application available for multiple platforms: iPhones, iPads, Android smart phones, Blackberry devices
• SMS generator for other cellular devices
• Device security using DDNA
• One-time Password: highly secure, easy to use, one-time password generator

Page 15

HITRUST ID – Risk Based Authentication

• Provides the ability to meet strong authentication requirements without requiring additional user input or intervention
• Based on HITRUST CSF Alternate Control and on-going risk assessment
• Ability to require stronger authentication based on the perceived risk
• Ability to choose the authentication method based on risk
• Accepting entities can refine policies (e.g. location, resource, previous use)
• Balances authentication convenience with the transaction risk

Page 16

Balancing Convenience and Risk

[Chart: convenience (low to high) on one axis against risk mitigation (low to high) on the other. Plotted methods: Smart card with digital certificate, Username/Password, APP based OTP, Adaptive Authentication, Risk based authentication analysis, SMS/text based OTP.]

Page 17

Typical Solution Uses – Health System

Authentication Type                          HITRUST Identity Solution(s)
Facility access                              Smart Cards
Meal plans                                   Smart Cards
Active Directory logon                       Soft IDs, Smart Cards, OTP
Device and VDI logon                         Soft IDs, SSO, Smart Cards
VPN logon                                    Soft IDs, Smart Cards, OTP
Digital signing of documents                 Smart Cards, OTP
Application logon                            Smart Cards, Soft IDs, OTP
Application logon (specialized – eRX CS)     OTP, Smart Cards
Portal/website logon                         Smart Cards, Soft IDs, OTP
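Pages 15 to 17 describe risk-based authentication in policy terms: the accepting entity sets a required strength per resource, raises it on risk signals such as an unfamiliar location or device, recognizes previous use so that no extra user input is needed when a still-valid recent logon already meets the bar, and otherwise steps the user up to the least burdensome method that does. The block below is an added example of such a policy evaluator, not HITRUST's product. The assurance and friction rankings of the methods, the per-resource baselines and the resource names are assumptions chosen for illustration; the deck's chart ranks the methods, but the ordering is not recoverable from the transcript.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed relative assurance of each method (higher = stronger). The deck plots these methods
# on a risk-mitigation axis, but the transcript does not preserve the ordering.
ASSURANCE = {"password": 1, "sms_otp": 2, "app_otp": 3, "smartcard": 4}
# Assumed user friction (lower = more convenient); ties are broken toward the stronger method.
FRICTION = {"password": 1, "sms_otp": 2, "app_otp": 2, "smartcard": 3}
# Assumed baseline assurance required per resource; the resource names are illustrative only.
BASELINE = {"portal": 1, "ad_logon": 2, "vpn": 2, "eprescribe_cs": 4}
MAX_LEVEL = max(ASSURANCE.values())


@dataclass
class AccessRequest:
    resource: str
    user_methods: List[str]                    # methods the user is enrolled in
    known_location: bool                       # e.g. on-site network vs. an unfamiliar address
    known_device: bool                         # device previously seen for this user
    recent_auth_method: Optional[str] = None   # method of a still-valid recent logon from this device


def required_level(req: AccessRequest) -> int:
    """Baseline for the resource, raised one step per risk signal, capped at the strongest method."""
    level = BASELINE[req.resource]
    if not req.known_location:
        level += 1
    if not req.known_device:
        level += 1
    return min(level, MAX_LEVEL)


def decide(req: AccessRequest) -> Tuple[str, Optional[str]]:
    """Return ('allow', None) when previous use already satisfies the requirement,
    ('step_up', method) naming the least-friction enrolled method that does, or ('deny', None)."""
    need = required_level(req)
    if req.recent_auth_method and ASSURANCE[req.recent_auth_method] >= need:
        return ("allow", None)  # no additional user input or intervention
    candidates = [m for m in req.user_methods if ASSURANCE.get(m, 0) >= need]
    if not candidates:
        return ("deny", None)   # the user holds nothing strong enough for this transaction
    best = min(candidates, key=lambda m: (FRICTION[m], -ASSURANCE[m]))
    return ("step_up", best)


if __name__ == "__main__":
    # Constructed request: VPN logon from an unfamiliar location on a known device.
    demo = AccessRequest("vpn", ["password", "sms_otp", "app_otp"], known_location=False, known_device=True)
    print(required_level(demo), decide(demo))  # 3 ('step_up', 'app_otp')
```

Keeping the rankings and baselines in data rather than code is what lets an accepting entity refine the policy, as page 15 puts it, without touching the evaluator; the same structure accepts additional signals (time of day, transaction value) as further increments in `required_level`.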

Page 18

HITRUST ID – Benefits to Accepting Entities

• Decreased costs: lower start-up and operating costs achieved through an outsourced approach to proofing, issuance, maintenance and support
• Reduced risk: utilization and enforcement of the appropriate authentication mechanism
• Lessened complexity: cloud-based service eliminates the need for in-house supported complex systems that manage identities within organizations
• Increased end user satisfaction: improved experience coupled with greater familiarity, leading to a decrease in support inquiries and self-service visits related to lost IDs, passwords and badges
• Future proof: flexibility and adaptability eliminate concerns over tokens or software made obsolete by requirement or regulatory changes
• Higher system utilization: by simplifying the end user experience regarding access, users are more inclined to use online services

Page 19

Security Becomes a Satisfaction Tool

Page 20

HITRUST ID Level II Uses and Vetting

HITRUST ID (Time Sensitive Token)

• Used in situations where a very high level of assurance is required about the user's identity and token integrity
  − NIST 800-63 Level 3 Proofing (Remote)
  − Users who do not require onsite access but do require system access, or as an addition for those with smartcards

Uses: Information System Access; Remote Access

© 2010 HITRUST Identity Services. All rights reserved

Page 21

HITRUST ID Level V Uses and Vetting

HITRUST ID (Smart Card)

Uses: First Responders; Hospital Meal Plans; Facilities Access; Information System Access; Domain Access; ePrescribing of Controlled Substances; Secure eMail; eSignatures

• Used in situations where a very high level of assurance is required about the user's identity and token integrity, as well as the ability of the credential to support ePrescribing of controlled substances
  − NIST 800-63 Level 4 Proofing
  − E-Prescribing controlled substance proofing

Page 22

Questions

Page 23

For More Information

• www.HITRUSTID.com