© 2015 MedImpact, Inc. All rights reserved. The contents of this presentation are confidential and proprietary to MedImpact Healthcare Systems, Inc. and may contain material MedImpact considers Trade Secrets. This presentation may not be reproduced, transmitted, published, or disclosed to others without MedImpact’s prior written authorization.

MedImpact and FIDO: A Case Study of a UAF Deployment. FIDO Alliance Seminar, Washington DC, Oct 6th 2015. Presented by Steven Secker, MedImpact Healthcare Systems, Inc.


MedImpact and FIDO
A Case Study of a UAF Deployment
FIDO Alliance Seminar
Washington DC
Oct 6th 2015

Presented by Steven Secker

MedImpact Healthcare Systems, Inc.


Topics for this Case Study

• Why FIDO for MedImpact?
• Our Use Cases
• Deployment Strategy: Where to Start & Why
• Why FIDO UAF rather than FIDO U2F?
• Future Plans
• Discussion / Q & A


What MedImpact Does: PBM

MedImpact manages pharmacy benefits for more than 50 million lives around the globe

[Diagram: Pharmacy Benefit Manager. Labels: $, Claim, Approval, Copay Amount, Drug-to-Drug Warnings, Invoice, $, Health Insurance Company, Pay Pharmacy for Approved Claims]


So Why FIDO?

[Diagram: Pharmacy Benefit Manager. Labels: $, Claim, Approval, Copay Amount, Drug-to-Drug Warnings, Invoice, $, Health Insurance Company, Pay Pharmacy for Approved Claims]

All of this stuff is behind the scenes as far as the average consumer is concerned.

So where does FIDO fit?


Our Business Requires Data Access


IT Security in Healthcare: HIGH PRIORITY!

2015 is already the year of the health-care hack — and it’s only going to get worse.


Healthcare Data Targeted Specifically

Your medical record is worth more to hackers than your credit card

NEW YORK/BOSTON | BY CAROLINE HUMER AND JIM FINKLE

“Your medical information is worth 10 times more than your credit card number on the black market.”


Like Everyone Else, We’ve Relied on Passwords

For years we’ve known this is broken, but there wasn’t a clearly better way until FIDO!


Use Cases for MedImpact

Members of Health Insurance Plans:

• What drugs are covered?
• What’s my copay for this drug?
• Do I need a Prior Authorization?
• Have I met my deductible?
• What pharmacies are in my network?
• How much did I spend on prescriptions for taxes or Flex Spending Account (FSA) reimbursement?
• How good have I been about taking my maintenance meds (getting them refilled on time)?


Use Cases for MedImpact

Healthcare Providers:

• What other drugs is my patient taking that other doctors prescribed?

• Has my patient been taking his or her maintenance meds (getting them refilled on time)?


Use Cases for MedImpact

Pharmacists:

• Have I been accurately reimbursed for all the claims I’ve submitted?


Use Cases for MedImpact

Health Insurance Companies, MCOs, HMOs, Self-Insured Plans:

• Manage Member Eligibility
• Benefit Design
• Formulary Management
• Prior Authorization Management
• Manage Denied Claims Appeals
• All manner of reporting


Use Cases for MedImpact

MedImpact Employees authorized to access production data


User Community Profiles – Where to Start?

# of Users            | Frequency of Use        | OS/Browser           | Mobile Browser | App
Potentially Millions  | +90 days between visits | All Uncontrolled     | Yes            | Future
Potentially Thousands | Varies Greatly          | Windows IE11/Firefox | No             | No Plans
Tens of Thousands     | Weekly to Monthly       | Windows IE11/Firefox | No             | No Plans
Thousands             | Daily                   | Windows IE11/Firefox | No             | Future
Thousands             | Daily                   | Windows IE11/Firefox | No Plans       | No Plans


Security and Usability – ROI for User Communities


UAF vs. U2F

U2F

• Follow the lead of early deployments (Google, Dropbox)

• User experience builds on top of good old, familiar username and password

• Less potential for confusion about using multiple computers

UAF

• Gets rid of the password completely

• Users always have their phones, and millions of those phones have fingerprint readers

Arguably, U2F would have been an easier path given our target user community and their use cases for the initial deployment. But you still force users to choose and remember a password.

“Gets rid of the password completely” won the day for us


Device Knows You, Website Knows Your Device

1. Access Website
2. FIDO Authentication Request Sent to Laptop
3. Swipes Fingerprint


Device Knows You, Website Knows Your Device

4. Cryptographically signed message confirms user back to website
5. Access Granted
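The five steps on the two slides above, modelled as an added Node.js example (not MedImpact's code and not the real UAF message format): the device checks the fingerprint locally and signs a fresh challenge, while the website holds only a public key. The class names, `appId`, the site URL and the fingerprint strings are hypothetical stand-ins.

```javascript
// Added illustration: a simplified model of the five steps, not the real UAF wire format.
const nodeCrypto = require('crypto');
// Authenticator (laptop or phone): holds the private key, checks the fingerprint locally.
class Authenticator {
  constructor(enrolledFingerprint) {
    this.enrolled = enrolledFingerprint; // constructed stand-in for a biometric template
    this.keys = new Map();               // one private key per website (appId)
  }
  register(appId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(appId, privateKey);
    return publicKey;                    // only the public key leaves the device
  }
  sign(appId, challenge, fingerprint) {  // step 3: local user verification
    const key = this.keys.get(appId);
    if (!key || fingerprint !== this.enrolled) return null; // key stays locked
    return nodeCrypto.sign('sha256', Buffer.concat([Buffer.from(appId), challenge]), key);
  }
}

// Website: stores the device's public key, never the fingerprint.
class Website {
  constructor(appId) { this.appId = appId; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  startLogin(user) {                     // step 2: fresh random challenge
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, signature) {         // steps 4 and 5: verify, then grant
    const challenge = this.pending.get(user);
    const publicKey = this.users.get(user);
    this.pending.delete(user);           // single use, so a replayed signature fails
    if (!challenge || !publicKey || !signature) return false;
    const signed = Buffer.concat([Buffer.from(this.appId), challenge]);
    return nodeCrypto.verify('sha256', signed, publicKey, signature);
  }
}

function demo() {
  const device = new Authenticator('alice-finger');
  const site = new Website('https://portal.example'); // hypothetical site
  site.enroll('alice', device.register(site.appId));
  const sig = device.sign(site.appId, site.startLogin('alice'), 'alice-finger');
  const granted = site.finishLogin('alice', sig);
  const replayed = site.finishLogin('alice', sig);
  const bad = device.sign(site.appId, site.startLogin('alice'), 'someone-else');
  return { granted, replayed, wrongFinger: site.finishLogin('alice', bad) };
}
```

Because the server-side record is a public key, a server breach exposes nothing that can be replayed as a login, and re-enrolling a device replaces the key pair rather than the fingerprint.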


Long Term Vision: Works with Phone Too

1. Access Website
2. FIDO Authentication Request Sent to Phone
3. Swipes Fingerprint


Challenges / Discussion Points

• Prioritization: getting the business to agree to allocate development cycles to adding FIDO support requires education, internal and external marketing, evangelism and high-level executive sponsorship

• Fallback Solution: what do users do if they need to log in and don’t have their laptop (or in the future, phone) with the fingerprint reader?

• Messaging: how do you explain this to users who are not likely to go read www.fidoalliance.org and realize what a great solution this is? Do you call attention to the FIDO brand? How do you overcome fears like “I can reset a password if it’s stolen from your server, but I can’t reset my fingerprint!”

• Client-Side Obstacles: Lack of built-in support for a FIDO client at the OS level means users need to install/configure a FIDO client for their browser (FIDO 2.0, I believe, aims to solve this, and Win10 already has built-in support)

• Support: Rolling out FIDO successfully requires educating the entire IT support team, from front-line call center staff to Level 2 and 3 engineers.


Questions