Why we need a single token for user authentication and how do we get there?
Background
How HITRUST Got Interest in Digital Identities
© 2012 HITRUST Identity Services. All rights reserved
• Approached in April 2009 by organizations adopting the CSF, who indicated that complaints specific to information security were increasing
− Specifically around authentication and access controls
− Meeting in Washington DC
• Surveys confirmed that implementing stronger authentication (deemed appropriate based on risk) significantly decreased user satisfaction with systems
− Password complexity
− Password refresh
− Multifactor authentication
• Created a program to address user satisfaction issues
• Collaborated with a number of organizations from across the nation on development of requirements
• Partnered with Baylor Health Care System and Dallas County Medical Society to make it a reality and bring it to market
• Strong technology partnership with Computer Associates, Gemalto and others
What problems are we trying to solve?
• Growing dissatisfaction among healthcare professionals coinciding with the increasing number of badges, tokens, usernames and passwords
• Healthcare organizations are struggling with the inefficiencies, complexities and costs of token and authentication mechanisms
Multiple Perspectives on the Situation
Physicians
Payers
I pay the full cost of a registration, ID and card issuance and password maintenance process that is almost identical to every other organization's
I service nearly the same providers as everyone else
It seems like all my help desk does is reset passwords and call physicians to provide information they should already have access to
It costs me time and money to maintain access to all the services; and they are all a little different to deal with
It is ridiculous that my staff and I need to have a different logon to access every different organization we work with, and sometimes multiple per organization
Hospitals
New compliance requirements are a moving target. I need an easy way to keep up
Between my own systems, ePrescribing, payer systems, and HIEs, my physicians are asking us to make it easier for them to access our facilities and systems
Implementing and maintaining token and identity management systems is costly and complex
End User Realities
• Users are issued 6 - 66 user names, tokens and badges
• High level of dissatisfaction with the authentication process that extends to users' application experience
Users want a simplified authentication solution that is UNIVERSAL across information systems and organizations
Accepting Entity Realities
• Increased costs
− Each organization is issuing and supporting IDs, tokens and badges
− Average costs associated with supporting PROX cards and user IDs in a healthcare organization are over $110/year in security administration (1)
• Greater complexity
− Organizations are working with an assortment of technologies and applications
− Technology limitations and restrictions
− Unique myriad of regulations and compliance requirements
• Decreased user satisfaction
− End-user frustration is increasing, coinciding with the number of user names, tokens, badges and support numbers to remember and the increasing requirements for stronger passwords and authentication as well as change frequency
• Reduced policy enforcement and increased risk
− Organizations compromise information security to accommodate end user complaints
(1) Source: Gartner Research report; does not include OTP tokens
Accepting Entity Objectives
Implement an authentication approach that simplifies the end user experience while meeting and complying with stated information protection standards, regulations, and policies in a cost effective and manageable manner
• Reduce the number of times a user has to log in, and use the simplest method possible based on risk
• Provide flexibility with authentication options
• Meet compliance requirements
• Provided as a service that combines technology, operations and support
• Pay-for-use on an annual basis
What is the HITRUST ID?
HITRUST ID
• Single strong identification and authentication solution
• Issued to individuals in the healthcare community
• Can be accepted by multiple organizations
• Offered in multiple form factors
• Available with multiple grades of vetting and proofing
• Incorporates technology, operations and policy
HITRUST ID – Authentication Suite
• HITRUST Username/Password
• Mobile Device App One Time Password (OTP)
• HITRUST ID Smartcard (Universal and Organization Specific)
• SMS/text based One Time Password (OTP)
• Adaptive Authentication
• Risk Based Authentication
HITRUST ID – Smartcard
Card layout (3.35 in x 2.12 in) showing the following elements:
• Picture (1.33 in x 1 in)
• Name
• Smartcard 64k v7 chip with X.509 certificate
• Role, identifier and professional certification
• Personalized information
• HID username
• Magnetic stripe (3T XT4000)
• 1D barcode (Code 39)
• QR code
• Unique ID number (also embedded within the magnetic stripe, 1D barcode and QR code)
• Expiration
• Uniquely designed to incorporate numerous technologies and safeguards
• Security features include hologram and tamper-proof laminate
• Contactless interface: ISO 14443, 13.56 MHz, Type A and B
Of these carriers, only the chip's X.509 certificate supports cryptographic authentication (the card proves possession of a private key); the magnetic stripe and the barcodes carry the ID number in a form that any reader can copy, so they identify the holder but do not authenticate the card.
HITRUST ID – Colors and Departments
• Designed in collaboration with hospital, physician, nurse and regulatory representatives
• Intended to standardize the presentation of ID cards across facilities
Designation (one card color per department): Respiratory, Transport, Pharmacy, Radiology, Lab, Social work/Pastoral care, Rehabilitation, Nutrition, Nursing, Admin/non-patient, Physician, Special Services
HITRUST ID – Mobile Device App for OTP
• Highly secure, easy to use, one-time password generator
• Application available for multiple platforms: iPhones, iPads, Android smart phones, BlackBerry devices
• SMS generator for other cellular devices
• Device security using DDNA
HITRUST ID – Risk Based Authentication
• Provides the ability to meet strong authentication requirements without requiring additional user input or intervention
• Based on the HITRUST CSF Alternate Control and on-going risk assessment
• Ability to require stronger authentication based on the perceived risk
• Ability to choose the authentication method based on risk
• Accepting entities can refine policies (e.g. location, resource, previous use)
• Balances authentication convenience with the transaction risk
Balancing Convenience and Risk
Chart: convenience (low to high) on the horizontal axis against risk mitigation (low to high) on the vertical axis, plotting each method in the suite:
• Smart card with digital certificate
• APP based OTP
• SMS/text based OTP
• Adaptive Authentication
• Risk based authentication analysis
• Username/Password
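As an added example (not HITRUST's code, and not a description of how their service scores risk), here is a small policy engine in Python of the kind the two slides above describe: it combines the signals the deck names (location, resource, previous use) into a risk score, maps that onto the method ordering from the convenience-versus-risk chart, and returns the simplest enrolled method that still covers the risk, or nothing when the session already satisfies it. The method ranks, resource list, signal weights and the treatment of a PIN-protected smartcard as two factors are assumptions of this example.

```python
"""Added example, not HITRUST's code: risk-based selection of the weakest
authenticator that still meets the risk of an access, with step-up."""
from dataclasses import dataclass

# Assurance ranks, weakest to strongest. The deck orders these on a chart
# without numbers; the ranks are assumed for illustration.
METHOD_RANK = {"password": 1, "sms_otp": 2, "app_otp": 3, "smartcard": 4}

# Baseline risk per resource (assumed). Controlled-substance ePrescribing
# is listed in the deck as needing OTP or a smartcard, so it starts high.
RESOURCE_BASE_RISK = {"portal": 1, "ehr": 2, "vpn": 2, "erx_controlled": 3}


@dataclass(frozen=True)
class AccessContext:
    resource: str
    on_site: bool                       # request from a facility network / known location
    known_device: bool                  # "previous use": device already seen for this user
    failed_attempts_last_hour: int = 0
    methods_used: frozenset = frozenset()   # factors already presented this session


def risk_score(ctx: AccessContext) -> int:
    """One point per risky signal on top of the resource baseline."""
    score = RESOURCE_BASE_RISK.get(ctx.resource, 2)
    score += 0 if ctx.on_site else 1
    score += 0 if ctx.known_device else 1
    score += 1 if ctx.failed_attempts_last_hour >= 3 else 0
    return score


def required_rank(score: int) -> int:
    """Clamp the score onto the method ranks (1..4)."""
    return max(1, min(4, score))


def decide(ctx: AccessContext, enrolled: set):
    """Return the additional methods the user must present:
    [] means the session already covers the risk (no extra user input);
    None means no enrolled method is strong enough, so deny."""
    need = required_rank(risk_score(ctx))
    have = max((METHOD_RANK[m] for m in ctx.methods_used), default=0)
    extra = []
    if have < need:
        candidates = sorted(
            (m for m in enrolled if METHOD_RANK[m] >= need and m not in ctx.methods_used),
            key=METHOD_RANK.__getitem__)
        if not candidates:
            return None
        extra.append(candidates[0])   # weakest method that still meets the bar
    # Controlled-substance ePrescribing must end with two distinct factors.
    # A PIN-protected smartcard is counted as two (possession + knowledge);
    # that accounting is an assumption of this example.
    if ctx.resource == "erx_controlled":
        presented = ctx.methods_used | set(extra)
        if "smartcard" not in presented and len(presented) < 2:
            second = sorted((m for m in enrolled if m not in presented),
                            key=METHOD_RANK.__getitem__)
            if not second:
                return None
            extra.append(second[0])
    return extra


if __name__ == "__main__":
    everything = set(METHOD_RANK)
    print("on-site portal, password already used:",
          decide(AccessContext("portal", True, True, methods_used=frozenset({"password"})), everything))
    print("remote portal, new device, password used:",
          decide(AccessContext("portal", False, False, methods_used=frozenset({"password"})), everything))
    print("controlled-substance eRx, fresh session, no smartcard:",
          decide(AccessContext("erx_controlled", True, True), {"password", "app_otp"}))
```

The first case is the deck's "strong authentication without additional user input": an on-site, previously seen device accessing a low-risk resource passes on the password already presented. The second steps the same user up to an app OTP once the device and location are unfamiliar, and the denial path (`None`) is what keeps "choose the method based on risk" from silently degrading to the weakest method the user happens to have.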
Typical Solution Uses – Health System
Authentication Type: HITRUST Identity Solution(s)
• Facility access: Smart Cards
• Meal plans: Smart Cards
• Active Directory logon: Soft IDs, Smart Cards, OTP
• Device and VDI logon: Soft IDs, SSO, Smart Cards
• VPN logon: Soft IDs, Smart Cards, OTP
• Digital signing of documents: Smart Cards, OTP
• Application logon: Smart Cards, Soft IDs, OTP
• Application logon (specialized – eRx controlled substances): OTP, Smart Cards
• Portal/website logon: Smart Cards, Soft IDs, OTP
HITRUST ID – Benefits to Accepting Entities
• Decreased costs: lower start-up and operating costs achieved through an outsourced approach to proofing, issuance, maintenance and support
• Reduced risk: utilization and enforcement of the appropriate authentication mechanism
• Lessened complexity: cloud-based service eliminates the need for complex in-house systems that manage identities within organizations
• Increased end user satisfaction: improved experience coupled with greater familiarity
− Leads to a decrease in support inquiries and self-service visits related to lost IDs, passwords and badges
• Future proof: flexibility and adaptability reduce concerns over tokens or software made obsolete by requirement or regulatory changes
• Higher system utilization: by simplifying the end user experience of access, users are more inclined to use online services
Security Becomes a Satisfaction Tool
HITRUST ID Level II Uses and Vetting
HITRUST ID (Time Sensitive Token)
• Used in situations where a very high level of assurance is required about the user's identity and token integrity
− NIST 800-63 Level 3 proofing (remote)
− Users who do not require onsite access but do require system access, or as an addition for those with smartcards
Uses: Information System Access; Remote Access
© 2010 HITRUST Identity Services. All rights reserved
HITRUST ID Level V Uses and Vetting
HITRUST ID (Smart Card)
• Used in situations where a very high level of assurance is required about the user's identity and token integrity, as well as the ability of the credential to support ePrescribing of controlled substances
− NIST 800-63 Level 4 proofing
− ePrescribing of controlled substances proofing
Uses: First Responders; Hospital Meal Plans; Facilities Access; Information System Access; Domain Access; ePrescribing of Controlled Substances; Secure eMail; eSignatures
Questions?
For more information: www.HITRUSTID.com