Post on 14-Sep-2020


© 2015 MedImpact, Inc. All rights reserved.

The contents of this presentation are confidential and proprietary to MedImpact Healthcare Systems, Inc. and may contain material MedImpact considers Trade Secrets. This presentation may not be reproduced, transmitted, published, or disclosed to others without MedImpact’s prior written authorization.

MedImpact and FIDO
A Case Study of a UAF Deployment
FIDO Alliance Seminar
Washington DC
Oct 6th 2015

Presented by Steven Secker

MedImpact Healthcare Systems, Inc.

Topics for this Case Study

• Why FIDO for MedImpact?
• Our Use Cases
• Deployment Strategy: Where to Start & Why
• Why FIDO UAF rather than FIDO U2F?
• Future Plans
• Discussion / Q&A

What MedImpact Does: PBM

MedImpact manages pharmacy benefits for more than 50 million lives around the globe

[Diagram labels: Pharmacy Benefit Manager; Claim; Approval, Copay Amount; Drug-to-Drug Warnings; Invoice; Health Insurance Company; Pay Pharmacy for Approved Claims]

So Why FIDO?

[Diagram repeated from the previous slide]

All of this stuff is behind the scenes as far as the average consumer is concerned.

So where does FIDO fit?

Our Business Requires Data Access

IT Security in Healthcare: HIGH PRIORITY!

Healthcare Data Targeted Specifically

“Your medical information is worth 10 times more than your credit card number on the black market.”

Like Everyone Else, We’ve Relied on Passwords

For years we’ve known this is broken, but there wasn’t a clearly better way until FIDO!

Use Cases for MedImpact

Members of Health Insurance Plans:

• What drugs are covered?
• What’s my copay for this drug?
• Do I need a Prior Authorization?
• Have I met my deductible?
• What pharmacies are in my network?
• How much did I spend on prescriptions for taxes or Flex Spending Account (FSA) reimbursement?
• How good have I been about taking my maintenance meds (getting them refilled on time)?

Use Cases for MedImpact

Healthcare Providers:

• What other drugs is my patient taking that other doctors prescribed?
• Has my patient been taking his or her maintenance meds (getting them refilled on time)?

Use Cases for MedImpact

Pharmacists:

• Have I been accurately reimbursed for all the claims I’ve submitted?

Use Cases for MedImpact

Health Insurance Companies, MCOs, HMOs, Self-Insured Plans:

• Manage Member Eligibility
• Benefit Design
• Formulary Management
• Prior Authorization Management
• Manage Denied Claims Appeals
• All manner of reporting

Use Cases for MedImpact

MedImpact Employees authorized to access production data

User Community Profiles – Where to Start?

# of Users | Frequency of Use | OS/Browser | Mobile Browser | App
Potentially Millions | +90 days between visits | All Uncontrolled | Yes | Future
Potentially Thousands | Varies Greatly | Windows IE11/Firefox | No | No Plans
Tens of Thousands | Weekly to Monthly | Windows IE11/Firefox | No | No Plans
Thousands | Daily | Windows IE11/Firefox | No | Future
Thousands | Daily | Windows IE11/Firefox | No Plans | No Plans

Security and Usability – ROI for User Communities

UAF vs. U2F

U2F

• Follow the lead of early deployments (Google, Dropbox)
• User experience builds on top of good old, familiar username password
• Less potential for confusion about using multiple computers

UAF

• Gets rid of the password completely
• Users always have their phones, and millions of those phones have fingerprint readers

Arguably, U2F would have been an easier path given our target user community and their use cases for the initial deployment. But you still force users to choose and remember a password.

“Gets rid of the password completely” won the day for us

Device Knows You, Website Knows Your Device

1. Access Website
2. FIDO Authentication Request Sent to Laptop
3. Swipes Fingerprint

Device Knows You, Website Knows Your Device

4. Cryptographically signed message confirms user back to website
5. Access Granted
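An added sketch of the five steps above (not code from the presentation or from MedImpact, and not the UAF message format): the `Device` and `Website` classes, the user `alice` and the boolean standing in for the local fingerprint match are assumptions. It uses Node.js's built-in crypto module to show that the website stores only a public key and accepts a signature once per challenge.

```javascript
const nodeCrypto = require('node:crypto');
// Hypothetical authenticator in the laptop (or, later, the phone).
class Device {
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.publicKey = pair.publicKey;   // handed to the website at registration
    this.privateKey = pair.privateKey; // never leaves the device
  }
  // Step 3: the fingerprint is matched locally; only a signature goes out.
  respond(challenge, fingerprintMatched) {
    if (!fingerprintMatched) return null;
    return nodeCrypto.sign('sha256', challenge, this.privateKey);
  }
}

// Hypothetical website back end: stores public keys, no passwords, no biometrics.
class Website {
  constructor() {
    this.registered = new Map(); // user -> public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKey) { this.registered.set(user, publicKey); }
  // Step 2: send a fresh random challenge to the device.
  requestAuthentication(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  // Steps 4-5: grant access only for a valid signature over the pending challenge.
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.registered.get(user);
    this.pending.delete(user); // each challenge is single use
    if (!challenge || !publicKey || !signature) return false;
    return nodeCrypto.verify('sha256', challenge, publicKey, signature);
  }
}

function demo() {
  const site = new Website();
  const laptop = new Device();
  site.register('alice', laptop.publicKey); // constructed sample user
  const sig = laptop.respond(site.requestAuthentication('alice'), true);
  const granted = site.verify('alice', sig);
  const replayed = site.verify('alice', sig); // challenge already consumed
  const noFinger = site.verify('alice', laptop.respond(site.requestAuthentication('alice'), false));
  const otherDevice = site.verify('alice', new Device().respond(site.requestAuthentication('alice'), true));
  return { granted, replayed, noFinger, otherDevice };
}
```

Calling `demo()` returns access granted for the registered device and refused for a replayed signature, a failed fingerprint match and an unregistered device.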

Long Term Vision: Works with Phone Too

1. Access Website
2. FIDO Authentication Request Sent to Phone
3. Swipes Fingerprint

Challenges / Discussion Points

• Prioritization: getting the business to agree to allocate development cycles to adding FIDO support requires education, internal and external marketing, evangelism and high-level executive sponsorship

• Fallback Solution: what do users do if they need to log in and don’t have their laptop (or in the future, phone) with the fingerprint reader?

• Messaging: how do you explain this to users who are not likely to go read www.fidoalliance.org and realize what a great solution this is? Do you call attention to the FIDO brand? How do you overcome fears like “I can reset a password if it’s stolen from your server, but I can’t reset my fingerprint!”

• Client-Side Obstacles: Lack of built-in support for FIDO client at OS level means users need to install/configure a FIDO client for their browser (FIDO 2.0 I believe aims to solve this and already Win10 has built-in support)

• Support: Rolling out FIDO successfully requires educating the entire IT support team, from front-line call center staff to Level 2 and 3 engineers.

Questions