BOX 5.4
Token-Based Authentication System: A Scenario
Laura visits BestCare hospital for a chronic illness that requires many laboratory tests and radiological examinations. Dr. Jones, her physician, inquires whether Laura has an Internet-connected computer at her home that she can use to connect to BestCare’s Web-based patient information portal. This portal can be used to check results, communicate with various health care providers, request and check clinic scheduling information, view physician-recommended literature, and join health-care-related chat groups. Since Laura has been having a difficult time scheduling her visits by phone and is finding it hard to ask informed questions of her physician during her visits, she eagerly accepts the offer. Dr. Jones then records Laura’s acceptance in her computerized record and tells her she will have to click on some health-related pop-up advertisements to receive free access.
BestCare’s Web-based patient information center allows patients to check their records and communicate with doctors at their convenience, without having to schedule an appointment. Such a utility saves time for both doctor and patient and helps BestCare honor its commitment to providing continuous care to patients with chronic illnesses. Statistics collected from patients’ visits to the site help Dr. Jones with her research in chronic disease management, and BestCare receives additional revenue from healthcare companies in exchange for posting their advertisements on the site.
Because BestCare has decided to require additional security measures protecting patient records from unauthorized access through its Web site, Laura is given a token card in addition to a user ID and a password. At home, Laura asks her son to help; he configures the Web browser, enables the token, and changes the password from the one given to her at the hospital. From now on, Laura will enter her new password (in effect a PIN) into her token card, which then displays a one-time code that she enters together with her user ID to access the portal. She is required to read and accept the privacy notice, which she only skims in her rush to get to the portal. When the portal displays a message that her test results are pending, her son, who is still looking over her shoulder, is curious about the tests. Not wanting to upset her son with information about her unconfirmed diagnosis, Laura decides that she will keep the token in a secure place so that only she can access the portal in the future.
Dr. Jones carries a similar token card to access clinical information about her patients. The system only requires her to use the token when she is not accessing the information from a workstation directly connected to the BestCare network. This reduces the human-effort cost for the care providers but means that the BestCare network must maintain good security with standard firewalls and intrusion detection.
Several parties have been involved in setting up and maintaining the patient information portal. BestCare has outsourced its information technology to HelpfulIT, Inc., and has set up its Internet portal business with its medical records vendor, GoodMedRec Co., which hosts its Web servers and databases with BetterASP, Inc. BestCare has also contracted with several pharmaceutical, nursing home, and other health care companies to advertise their services on its site. It arranged the contracts through an Internet advertising management company named FineClick.
In this scenario, several sets of information are collected. HelpfulIT manages user ID/token/password information in an authentication database. GoodMedRec manages user ID and user demographic information and clinical information in a database. Every time Laura signs on, BetterASP maintains user ID/IP address mappings in its audit systems for performance and billing purposes. On behalf of BestCare, GoodMedRec provides FineClick with an abbreviated set of “clinical codes of interest” in order to conduct customized marketing, and FineClick maintains clinical codes and IP address information for billing.
Authentication/Authorization/Identification
Laura is authorized to view only her own records, not those of other patients. Two-factor authentication, using something she knows (the password) and something she has (the token card), establishes that the person signing on is Laura; it is the portal's access-control rules, applied to that authenticated identity, that confine her to her own records and keep her from information she has no permission to see. The system records Laura's user ID and the date and time of access every time she looks at her records online. Such identification protects BestCare from liability. Laura might also need to identify herself if she wants to ask a doctor a question that pertains to her own medical record. She is not required to identify herself when she searches for general health information, uses the chat groups, or explores advertisements.
Because it is time-consuming for BestCare staff to continually update the Web portal’s record of which patient is assigned to which physician, all physicians using the system have been given access to all patient files. Again, it is important for legal reasons to know who has looked at a patient’s records, so when Dr. Jones accesses Laura’s record using the system, she must be identified and logged as the person who has seen the record.
Two-factor authentication also protects doctor and patient from unauthorized access by outsiders. Even if Laura’s token card is stolen, her medical record is safe as long as the thief does not know Laura’s password. Unfortunately, Laura has written down her password because she is afraid she might forget it; in doing so, she has made her information more vulnerable.
Dr. Jones is similarly protected from token card theft. However, Dr. Jones has shared her user ID and password with her assistant, who is not otherwise authorized to view confidential patient records. Although Dr. Jones has no reason to doubt her assistant’s trustworthiness, such sharing exposes the medical records of all BestCare’s patients to unauthorized access and tampering, whether malicious or purely accidental.
There is a downside to using tokens as an extra security measure against unauthorized access to medical records: authorized users might be denied access at inconvenient times because of a lost or malfunctioning token. In this scenario, if Dr. Jones is away from the office and her token card is lost or broken, she cannot view Laura's questions as soon as they are asked, and Laura's health might be compromised. However, if it becomes common practice for Dr. Jones and her colleagues to circumvent such security measures by calling the office and asking another physician or an administrative assistant to access the record, Laura's privacy may be compromised. Although BestCare's privacy policies may explicitly address this issue, Laura may not understand its implications.
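The three properties discussed above (a second factor that is useless without the PIN and cannot be replayed, an authorization rule that is separate from authentication, and an access log that names who looked at whose record) can be made concrete in a small model of the portal. The following is an added example, not code from the report or from any of the vendors it names; the token is modelled as an HOTP event counter per RFC 4226, and the user IDs, PINs, seeds and records are constructed placeholders.

```python
import hashlib
import hmac
import struct
import time

# --- Token card side ("something she has") -----------------------------------
# HOTP as specified in RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
# dynamic truncation of the MAC, reduced to `digits` decimal digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenCard:
    """Event-based token: every press advances the counter and shows a fresh code."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


# --- Portal side ---------------------------------------------------------------
def _pin_hash(user_id: str, pin: str) -> bytes:
    # Salted, slow hash so a copied authentication database does not yield PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), user_id.encode(), 100_000)


class Session:
    def __init__(self, user_id: str, role: str):
        self.user_id, self.role = user_id, role


class Portal:
    LOOKAHEAD = 5  # tolerate a few token presses whose codes never reached the server

    def __init__(self):
        self.auth_db = {}     # stands in for HelpfulIT's user ID / token / PIN store
        self.records = {}     # stands in for GoodMedRec's clinical records
        self.audit_log = []   # (timestamp, who, whose record, outcome)

    def enroll(self, user_id, pin, secret, role):
        self.auth_db[user_id] = {"pin_hash": _pin_hash(user_id, pin),
                                 "secret": secret, "counter": 0, "role": role}

    def authenticate(self, user_id, pin, code):
        """Both factors must pass; a stolen card without the PIN yields nothing."""
        entry = self.auth_db.get(user_id)
        if entry is None:
            return None
        pin_ok = hmac.compare_digest(entry["pin_hash"], _pin_hash(user_id, pin))
        matched = None
        for c in range(entry["counter"], entry["counter"] + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(entry["secret"], c), code):
                matched = c
                break
        if not pin_ok or matched is None:
            return None
        entry["counter"] = matched + 1  # this code and all earlier ones can never be replayed
        return Session(user_id, entry["role"])

    def view_record(self, session, patient_id):
        """Authorization, separate from authentication: a patient sees only her own
        record; any physician sees any record (the scenario's all-physicians rule).
        Every attempt, allowed or not, is logged under the authenticated user ID."""
        allowed = session.role == "physician" or session.user_id == patient_id
        self.audit_log.append((time.time(), session.user_id, patient_id,
                               "viewed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{session.user_id} is not authorized for {patient_id}")
        return self.records[patient_id]


# Constructed enrollment data; none of these values come from the scenario.
LAURA_SECRET = b"constructed-token-seed-laura"
JONES_SECRET = b"constructed-token-seed-jones"


def build_portal():
    portal = Portal()
    portal.enroll("laura", pin="2468", secret=LAURA_SECRET, role="patient")
    portal.enroll("drjones", pin="1357", secret=JONES_SECRET, role="physician")
    portal.records["laura"] = "results pending"
    portal.records["patient-x"] = "another patient's record"
    return portal, TokenCard(LAURA_SECRET), TokenCard(JONES_SECRET)


if __name__ == "__main__":
    portal, laura_card, _ = build_portal()
    session = portal.authenticate("laura", "2468", laura_card.press())
    print(portal.view_record(session, "laura"))        # her own record
    try:
        portal.view_record(session, "patient-x")       # authenticated, but not authorized
    except PermissionError as err:
        print("denied:", err)
    print(portal.audit_log)
```

Note that the same session that is allowed to read Laura's record is refused another patient's: the second factor never enters into that decision. The lookahead window is the usual trade-off for event-based tokens (a pressed-but-unused code must not lock the user out), and the counter is advanced only after both factors pass, so a wrong PIN does not consume codes.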
Breaches
The vice president of HelpfulIT, Inc., is told that patients are having problems accessing BestCare's systems from home, and he suspects these problems are associated with FineClick's advertisement-download process. An audit log analysis is initiated, and a staff programmer correlates user IDs, IP addresses, clinical codes, and advertisement clicks from the different sources in a spreadsheet. A problem is found in specific codes and advertisements, and it is fixed. The spreadsheet is posted to the help desk as the documented fix, in case the problem recurs.
Now Laura’s clinical data are being used, shared, and cited to resolve an operational problem. The staff member at HelpfulIT, Inc., who resolved the problem does not have medical records access for patients but is now able to combine the user ID, IP address, and types of advertisements (each collected from different interactions) to determine which patient suffers from which illness.
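The correlation the programmer performed needs nothing more than a join on the one field the two logs share. The following is an added example, not the report's or any vendor's code, using constructed stand-ins for the records listed under "several sets of information are collected": BetterASP's user-ID-to-IP audit entries and FineClick's IP-plus-clinical-code billing entries. The user IDs, IP addresses, timestamps, codes and their meanings are all placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data standing in for each party's records. Each set on its
# own names no patient and no diagnosis together.

# BetterASP's audit system: which user ID signed on from which IP, and when.
BETTERASP_AUDIT = [
    ("2003-04-02T19:02:11", "u1042", "203.0.113.17"),
    ("2003-04-02T19:40:55", "u2207", "198.51.100.9"),
    ("2003-04-03T08:15:02", "u1042", "203.0.113.17"),
]

# FineClick's billing records: IP, the "clinical code of interest" used to choose
# the advertisement, and which advertisement was clicked.
FINECLICK_BILLING = [
    ("2003-04-02T19:05:40", "203.0.113.17", "C001", "ad-17"),
    ("2003-04-02T19:44:10", "198.51.100.9", "C002", "ad-23"),
    ("2003-04-03T08:20:30", "203.0.113.17", "C001", "ad-31"),
]

# What the codes mean; FineClick must hold this to target the advertisements.
CODE_MEANING = {"C001": "chronic illness A", "C002": "chronic illness B"}

# GoodMedRec's demographic table, which the help desk can consult once the
# spreadsheet is posted, even though its author had no record access.
GOODMEDREC_DEMOGRAPHICS = {"u1042": "Laura", "u2207": "another patient"}


def link_sessions(audit, billing, window=timedelta(minutes=30)):
    """Join the two logs on IP address, accepting an ad click that falls within
    `window` after a sign-on from the same address. Returns user ID -> codes."""
    signons = defaultdict(list)
    for ts, user_id, ip in audit:
        signons[ip].append((datetime.fromisoformat(ts), user_id))
    linked = defaultdict(set)
    for ts, ip, code, _ad in billing:
        t = datetime.fromisoformat(ts)
        for t0, user_id in signons.get(ip, []):
            if timedelta(0) <= t - t0 <= window:
                linked[user_id].add(code)
    return {u: sorted(codes) for u, codes in linked.items()}


def reidentify(linked, demographics=GOODMEDREC_DEMOGRAPHICS, meanings=CODE_MEANING):
    """Resolve user IDs to people and codes to conditions: the inference the
    scenario warns about, made from data no single party considered sensitive."""
    return {demographics.get(u, u): [meanings.get(c, c) for c in codes]
            for u, codes in linked.items()}


if __name__ == "__main__":
    linked = link_sessions(BETTERASP_AUDIT, FINECLICK_BILLING)
    print(linked)
    print(reidentify(linked))
```

The time window is what makes the IP a usable join key for home users on shared or dynamically assigned addresses; a narrower window drops the spurious matches but also the real ones, which is why the analyst's spreadsheet, built with generous tolerances, works so well. The join has no technical countermeasure once both logs sit in front of one person: the safeguard is that no party, and no troubleshooting artefact, holds both sides.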
Another major problem relates to the safekeeping of the databases. In light of the increasing number of identified vulnerabilities in systems such as BetterASP’s Web servers, the increasing sophistication of attack methods, and the inertia of system administrators when it comes to patching their systems, it is easier than ever to compromise many information systems. Sometimes, inadvertent mistakes lead to the publication of private information over the Internet without adequate authentication and encryption. Misuse and accidental errors by insiders contribute to serious privacy problems.
Although such potential breaches of security and compromises to privacy are sobering to consider, Laura’s main concern is that her family remain unaware of her condition until she knows more facts and can share them at the time of her choosing. Back home, Laura’s son uses the computer after she is finished exploring BestCare’s portal. He clicks the “Back” button on the open browser window and, curious, clicks several more times, eventually reaching a disease management site that Laura had been browsing. His level of concern rising, he checks the browser’s history file to identify the last sites visited. On the basis of this indirect and incomplete information, he concludes that his mother is seriously ill and, in a state of great emotion, confronts her. Laura is forced to explain her disease to her son before she is ready to do so.
Privacy Intrusiveness
Token cards are reasonable authentication methods from a security perspective, and this scenario describes how they might be used in a particular context. Potential privacy violations, however, are a result of faults in overall system protection. The scenario demonstrates that the choice of information delivery technology, the decision to allow access by ostensibly disinterested parties for maintenance purposes, and human factors such as password sharing for the sake of convenience may open up unforeseen vulnerabilities. Many of these same privacy concerns could, however, arise with authentication technologies not based on token cards. How systems are implemented and deployed, and what policies are put in place to govern their usage, all bear on what the privacy implications of authentication systems will be.