© 2015 MedImpact, Inc. All rights reserved.
The contents of this presentation are confidential and proprietary to MedImpact Healthcare Systems, Inc. and may contain material MedImpact considers Trade Secrets. This presentation may not be reproduced, transmitted, published, or disclosed to others without MedImpact’s prior written authorization.
MedImpact and FIDO
A Case Study of a UAF Deployment
FIDO Alliance Seminar
Washington DC
Oct 6th 2015
Presented by Steven Secker
MedImpact Healthcare Systems, Inc.
Topics for this Case Study
• Why FIDO for MedImpact?
• Our Use Cases
• Deployment Strategy: Where to Start & Why
• Why FIDO UAF rather than FIDO U2F?
• Future Plans
• Discussion / Q & A
What MedImpact Does: PBM
MedImpact manages pharmacy benefits for more than 50 million lives around the globe
[Diagram labels: Pharmacy Benefit Manager; Claim; Approval; Copay Amount; Drug-to-Drug Warnings; Invoice; Health Insurance Company; Pay Pharmacy for Approved Claims]
So Why FIDO?
All of this stuff is behind the scenes as far as the average consumer is concerned.
So where does FIDO fit?
Our Business Requires Data Access
IT Security in Healthcare: HIGH PRIORITY!
2015 is already the year of the health-care hack — and it’s only going to get worse.
Healthcare Data Targeted Specifically
Your medical record is worth more to hackers than your credit card
NEW YORK/BOSTON | BY CAROLINE HUMER AND JIM FINKLE
“Your medical information is worth 10 times more than your credit card number on the black market.”
Like Everyone Else, We’ve Relied on Passwords
For years we’ve known this is broken, but there wasn’t a clearly better way until FIDO!
Use Cases for MedImpact
Members of Health Insurance Plans:
• What drugs are covered?
• What’s my copay for this drug?
• Do I need a Prior Authorization?
• Have I met my deductible?
• What pharmacies are in my network?
• How much did I spend on prescriptions for taxes or Flex Spending Account (FSA) reimbursement?
• How good have I been about taking my maintenance meds (getting them refilled on time)?
Use Cases for MedImpact
Healthcare Providers:
• What other drugs is my patient taking that other doctors prescribed?
• Has my patient been taking his or her maintenance meds (getting them refilled on time)?
Use Cases for MedImpact
Pharmacists:
• Have I been accurately reimbursed for all the claims I’ve submitted?
Use Cases for MedImpact
Health Insurance Companies, MCOs, HMOs, Self-Insured Plans:
• Manage Member Eligibility
• Benefit Design
• Formulary Management
• Prior Authorization Management
• Manage Denied Claims Appeals
• All manner of reporting
Use Cases for MedImpact
MedImpact Employees authorized to access production data
User Community Profiles – Where to Start?
# of Users | Frequency of Use | OS/Browser | Mobile Browser | App
Potentially Millions | +90 days between visits | All, Uncontrolled | Yes | Future
Potentially Thousands | Varies Greatly | Windows, IE11/Firefox | No | No Plans
Tens of Thousands | Weekly to Monthly | Windows, IE11/Firefox | No | No Plans
Thousands | Daily | Windows, IE11/Firefox | No | Future
Thousands | Daily | Windows, IE11/Firefox | No Plans | No Plans
Security and Usability – ROI for User Communities
UAF vs. U2F
U2F
• Follow the lead of early deployments (Google, Dropbox)
• User experience builds on top of good old, familiar username and password
• Less potential for confusion about using multiple computers
UAF
• Gets rid of the password completely
• Users always have their phones, and millions of those phones have fingerprint readers
Arguably, U2F would have been an easier path given our target user community and their use cases for the initial deployment. But you still force users to choose and remember a password.
“Gets rid of the password completely” won the day for us
Device Knows You, Website Knows Your Device
1. Access Website
2. FIDO Authentication Request Sent to Laptop
3. Swipes Fingerprint
Device Knows You, Website Knows Your Device
4. Cryptographically signed message confirms user back to website
5. Access Granted
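The five numbered steps on these two slides, modelled as an added example (not MedImpact's code and not the FIDO UAF message format): a simplified challenge-response in Node.js in which the website stores only the device's public key. The function names and the in-memory server record are assumptions made for illustration.

```javascript
// Added example: simplified model of the five-step flow, not the UAF wire format.
const crypto = require("node:crypto");

// Registration (assumed to have happened earlier): the device creates a key
// pair and the website stores only the public key.
function registerDevice() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return { device: { privateKey }, serverRecord: { publicKey, pending: new Set() } };
}

// Step 2: the website sends a fresh random challenge to the device.
function issueChallenge(serverRecord) {
  const challenge = crypto.randomBytes(32).toString("hex");
  serverRecord.pending.add(challenge);
  return challenge;
}

// Steps 3-4: the fingerprint match happens on the device and only unlocks the
// private key; the fingerprint itself is never sent to the website.
function deviceSign(device, challenge, fingerprintMatched) {
  if (!fingerprintMatched) return null; // local user verification failed
  return crypto.sign("sha256", Buffer.from(challenge), device.privateKey);
}

// Step 5: the website checks the signature against the registered public key
// and consumes the challenge so a captured response cannot be replayed.
function verifyResponse(serverRecord, challenge, signature) {
  if (!signature || !serverRecord.pending.delete(challenge)) return false;
  return crypto.verify("sha256", Buffer.from(challenge), serverRecord.publicKey, signature);
}

// Constructed scenario: one good login, a replay, a wrong device, a failed swipe.
function demo() {
  const { device, serverRecord } = registerDevice();
  const otherDevice = registerDevice().device;
  const c1 = issueChallenge(serverRecord);
  const sig = deviceSign(device, c1, true);
  const granted = verifyResponse(serverRecord, c1, sig);
  const replayed = verifyResponse(serverRecord, c1, sig);
  const c2 = issueChallenge(serverRecord);
  const wrongDevice = verifyResponse(serverRecord, c2, deviceSign(otherDevice, c2, true));
  const c3 = issueChallenge(serverRecord);
  const noFinger = verifyResponse(serverRecord, c3, deviceSign(device, c3, false));
  return { granted, replayed, wrongDevice, noFinger };
}
```

The server record holds a public key and outstanding challenges only, so nothing stored on the website side is a fingerprint or a reusable secret.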
Long Term Vision: Works with Phone Too
1. Access Website
2. FIDO Authentication Request Sent to Phone
3. Swipes Fingerprint
Challenges / Discussion Points
• Prioritization: getting the business to agree to allocate development cycles to adding FIDO support requires education, internal and external marketing, evangelism and high-level executive sponsorship
• Fallback Solution: what do users do if they need to log in and don’t have their laptop (or in the future, phone) with the fingerprint reader?
• Messaging: how do you explain this to users who are not likely to go read www.fidoalliance.org and realize what a great solution this is? Do you call attention to the FIDO brand? How do you overcome fears like “I can reset a password if it’s stolen from your server, but I can’t reset my fingerprint!”
• Client-Side Obstacles: Lack of built-in support for a FIDO client at the OS level means users need to install/configure a FIDO client for their browser (FIDO 2.0, I believe, aims to solve this, and Win10 already has built-in support)
• Support: Rolling out FIDO successfully requires educating the entire IT support team, from front-line call center staff to Level 2 and 3 engineers.
Questions