A New Authentication StrategyRisk-Based Authentication Replacing Tokens
The Pennsylvania integrated delivery system is gradually phasing out secure ID tokens in favor of a new risk-based authentication technology to make it easier for physicians to sign on to remotely access electronic health records via portals, Young says.
Geisinger also is considering using knowledge-based authentication for its patient portals.
In an interview (transcript below), Young:
- Explains why the concerns of physicians led to the phasing out of secure ID tokens, or key fobs, which randomly generate a code that must be entered to gain access to records;
- Describes how risk-based authentication works, taking into account hundreds of factors, including user characteristics and habits;
- Advises other hospitals and delivery systems to make sure their authentication strategy evolves as available technology evolves.
Young has 25 years of information technology experience, including 12 years focusing on web technologies at Geisinger Health System. Young and his team built Geisinger's intranet and secure portals from the ground up and are instrumental in selecting and implementing security technologies for authentication, identity management and authorization of internal and external portal users.
HOWARD ANDERSON: For starters, why don't you tell us about the size and scope for Geisinger?
DAVE YOUNG: We were founded in 1915, and we're a physician-led integrated healthcare system. We span about 43 counties in north central Pennsylvania and serve close to 3 million people in the region. Our revenues last year were $2.3 billion. We have nearly 14,000 employees. As far as our electronic medical record, we started implementing that back in 1994 and launched our first patient portal probably about eight years ago.
Today we have six or eight portals. ... The My Geisinger patient portal has about 160,000 users, and it grows typically about a couple hundred users every week. One of our other big portals is our Geisinger Connect portal for external physicians. We have over 3,000 using that, and it's in over 500 physician practices across our region in Pennsylvania.
ANDERSON: What other portals do you have? And why is two-factor authentication an important element of your portal strategy?
YOUNG: We have a health plan, so we have portals for members and providers and employers over on the health plan side. As for two-factor, in our case that really means key fobs or secure ID tokens. We've been using key fobs for two-factor since the mid-1990s for outside access to some Geisinger resources, whether you are an IT person or a referring physician or an employee. Key fobs certainly are a proven, rock-solid means of authenticating users. It's not to say they don't have their drawbacks, but they provide an excellent second level of security of something you have over just a user ID and password, which, of course, is something you know.
One of our first decisions was we had to create an access policy, and with that we had to say, well if you're coming into Geisinger from the outside and you have read/write access to patient information, then we're going to require two-factor authentication. So that's what triggered implementing the key fobs for some of our portals. @h3>Evolving Authentication Strategy
ANDERSON: I understand your approach to authentication is evolving. Can you describe that for us?
YOUNG: Well first off, user ID and passwords aren't going to go away. So it boils down to how can you simplify or make it easier to do the two-factor layer of security that we would all like to have with our portals. Even though key fobs are reliable and a good approach to two-factor authentication, they do have their drawbacks in that they get lost. They typically have a three-year battery life to them, so that means they need to be replaced. In general, our physicians usually don't like to use them because it just slows them down when they are trying to get into the record, and if they don't have the tokens with them that can cause problems as well.
So probably for the last six to eight years, we've been looking at some sort of replacement for key fobs that would be less obtrusive for our users but still provide that good layer of authentication above just user ID and password. And what we landed on was a combination of risk-based authentication as well as knowledge-based authentication that has been used in the financial industry for some time. And we're also looking at maybe using a person's cell phone as a pseudo key fob for delivering one-time passwords directly to their cell phone.
ANDERSON: Help us to understand the risk-based authentication and knowledge-based authentication that you're using now. Are you in the early stages of testing both of those?
YOUNG: We're mainly using the risk-based authentication for our physician portal, and we're looking at using knowledge-based authentication for possibly quicker sign-up in registration with our patient portal.
ANDERSON: And what's the status of those efforts?
YOUNG: We currently have risk-based authentication rolled out to a subset of our physician population. In February, we're going to roll it out to the entire Geisinger Connect community of users, which would mean over 3,000 users. But with knowledge-based authentication, we're just at the point of investigating that and how we might tie that into our patient portal.
ANDERSON: Tell us about how that risk-based authentication works, and whether that is going to eventually replace the need for a key fob.
YOUNG: Risk-based authentication is probably the newest and most adaptive form of security that is out there in the marketplace. Basically it combines hundreds of factors into the mix, such as what device the user is on, where they are located and numerous characteristics of the users and habits of the users: Things like, is it normal for the user to be in Pennsylvania logging on in the morning and be in Ohio in the evening logging in to the same portal in the same day? If it isn't, it could generate a higher risk score. But the end result is that those hundreds of factors get generated into a risk score, and based on that risk score you can either allow access or you can challenge. And by challenge I mean it's kind of like step-up authentication, where you can maybe do knowledge-based authentication at that point or you ask them a question and verify their answer with a challenge. Beyond that, you can deny access if the risk score is really high. Typically the risk scores fall in a low-, medium- and high-risk categories, and then, based on that, you can do the appropriate access controls that you want to have in place.
Some of the newer risk models out there also tie into a global e-fraud network, which is nice for pinpointing areas of the globe that may be at higher risks for certain transactions ... and again the end result is it generates a higher risk score.
ANDERSON: So do you anticipate being able to phase out the key fobs then as a result of using this approach?
YOUNG: Yes that is what we are doing with our physician portal right now. Once we get that rolled out in February, the ones that have a key fob will no longer have to use that. So our physicians got wind of that. They are very excited about it, and this risk- based authentication should be less obtrusive than having to carry around a key fob. Now they may have to answer a challenge question periodically, depending on what they are doing and where they are at. But again, it eliminates the need for that two-factor.
ANDERSON: What company's risk-based authentication are you using and why did you select it?
YOUNG: We're using RSA's adaptive authentication product, and we selected it mainly because we've been an RSA customer for quite some time and are using some of their other security products. There aren't a whole lot of other competitors out there for this kind of service. ... We want layers of security, or what others refer to as security-in-depth, so that we're not just relying on a user ID and password. It takes into account a lot of different factors, and based on that either allows the person in or denies or challenges them.
Authentication For Physicians
ANDERSON: Is your approach to authentication different for independent clinicians accessing clinical information remotely than it is for employed clinicians and other staff?
YOUNG: Today it is different. In the future, we're looking to make it more seamless and get both of those user populations through the same front door or the same portal. In today's world, our independent clinicians, who we refer to as affiliated physicians or referring physicians, access a portal called Geisinger Connect. ... We have different levels of access to patient data within the portal. So they may be able to have access to the last 90 days of patient encounters for their patients, and that may just require a user ID and password. But if they have the full access, which means full read/write access to patients' electronic medical record, then that requires a user ID and password plus a key fob. Now this is all changing based on our implementation of RSA adaptive authentication and risk-based authentication, but that is where we are at today.
For our employed physicians, when they access the Geisinger network at home or at a conference, they access a portal called Geisinger at Home. Being that they are employed, we have a closer relationship with them, so they get full access to the electronic medical record directly. When they access Geisinger at Home they put in the key fob right away to get that access. So it is required at log-in.
ANDERSON: How do you use authentication with your patient portal now and how might that change?
YOUNG: Today, for normal logins to the patient portal, we just use user ID and password. We do require strong password rules made up of letters, numbers, upper and lower case and all that. We also don't expire passwords for patients. That's a policy decision we made at the onset only due to the fact that healthcare is a little different than, say, your banking portal site because some folks may come into their healthcare portal like My Geisinger once or twice a year, or maybe once every other year. Certainly, others are in more frequently than that, but you can imagine how it can vary per patient in healthcare. So we have to adapt to that. We thought if we expired passwords, we would generate a lot of calls to our help desk, and with over 160,000 users now, we just don't have that big of a help desk.
We do provide a process for users of the patient portal to change their password online as well as reset their password if they forgot it. ... We allow our patients to self service without calling our help desk. It's been used quite heavily. We also, as part of the reset process, send a confirmation letter to the person who is changing the password, but we send it to the account holder's home address that we have on file. By doing that, it's been remarkably effective at catching fraud when folks out there are trying to creatively get into someone else's record.
We are also looking at wrapping knowledge-based authentication around the enrollment process to get folks in faster to their medical record online. Today, the user signs up and requests access to their own record, and we mail out a one-time use activation code to their home address on file. So they can request it online, but they have to wait a couple of days until they get that letter in the mail to activate the account. What we would like to do is get that down to maybe a matter of a couple of minutes by using knowledge-based authentication techniques to shorten that time frame.
Authentication Lessons Learned
ANDERSON: To wrap things up, what lessons have you learned as your authentication strategy has evolved?
YOUNG: Well with authentication, I think the biggest thing is you need to constantly evolve and research your authentication strategy. So today our approach is layered security and what some people will refer to as security-in-depth, using the three R's: rules, roles, and risk. Let me explain. The traditional security rules still apply and are embedded in just about all applications, things like password rules and even smart rules that can do certain things based upon a user's age. It may deny access to a healthcare portal to those under 18.
Then there are roles, and by that I mean a user role or a categorization of users and access rights based on those categories. We have patient roles, we have external versus internal provider roles, we have employee roles, health plan member roles, etc. And we manage all those roles. Each role has a set of access rights and policies to it. One of the policies on roles that we made was that we want to keep the roles separate from each other because a lot of times the roles overlap. I can be an employee and I also can be a patient of Geisinger. We keep the roles separate so that if you lose your employee role you still have your patient role. That's been a good thing for us as we evolved our strategy.
The last of the three R's is risk-based security. I've already talked about that a little bit, but that is a newer approach to layered security, and the uniqueness of this approach is that it's always self-learning and constantly changes. It changes and adapts to the threats that are out there in the online community. So to us that was a selling point and a key enabler of why we chose the risk-based approach as well.
With the three R's that I mentioned, we're also sprinkling into the mix some knowledge-based authentication.
To sum it all up, my message would be never be happy with where you are at in terms of authentication strategies as it always could be better than what it is.