Pharmacy benefit manager deploying FIDO framework
30 March, 2015
category: Biometrics, Digital ID, Health
Health care organizations are under increased scrutiny following the breaches at some insurance companies. Making access to systems secure can be difficult, as physicians often switch back and forth between multiple applications and rooms per day.
Most consumers probably aren’t familiar with the role a pharmacy benefit manager plays in health care. The insurance company typically contracts with a pharmacy benefit manager to handle everything related to prescription drugs. This includes designing the benefit structure, claims adjudication and making sure that prescriptions don’t have any harmful interactions.
They also work with physicians to make sure a patient meets all the benchmarks when an expensive drug is needed. “Patients are often taking medications prescribed by multiple doctors who can’t easily share medical records with each other in real time. To avoid dangerous drug-to-drug interactions or wasteful duplication of therapy, our health insurance clients rely on us to provide doctors with a complete picture of what the patient is or has recently been taking, regardless of who prescribed it or which pharmacies filled them,” says Steven Secker, application development manager at MedImpact Healthcare System Inc., a pharmacy benefit management company.
To enable physicians and their staff to access MedImpact pharmacy records easily and securely, the company this summer is rolling out FIDO authentication, Secker says. MedImpact will use Nok Nok Labs technology to enable its physician access portal with biometric fingerprint authentication using the FIDO Alliance standard.
The health insurance companies will identify different physicians for MedImpact to contact for the project. The physicians will be contacted via email and given a confirmation code to enroll in a mobile device program. After completing enrollment, the mobile device with fingerprint scanner will be used to grant access to patient prescription information.
Also, existing users of MedImpact’s Physician Portal will be able to switch to using FIDO to authenticate instead of a password if they have a compatible smartphone with a fingerprint sensor, or a Windows 7 — or later — computer with a fingerprint reader.
A high number of the physicians participating will likely have either iPhones, where the FIDO client app provided by Nok Nok Labs can be downloaded from the App Store, or Samsung Galaxy models with fingerprint scanners that have the FIDO client pre-installed, Secker says. Those who don’t can continue to use the same username/password and later switch to using FIDO when they get a compatible device.
Physicians will also be able to create proxy accounts for physician assistants or clerical staff to access the records, Secker says. They too will enroll their own fingerprint-enabled mobile devices, or use their computers with fingerprint readers built-in or attached via USB.
And while the authentication will take place on the mobile device, Secker expects most of the data to be viewed on workstations in the doctor’s office. When first enrolling a device into the program, the doctor or staff will go to the portal and see a QR code, which they scan with the mobile device using the FIDO client. After the scan, the individual will be prompted for a biometric, and after successful authentication they will be able to use FIDO on subsequent logins.
When returning, they just click the “login with FIDO” button and enter their username. That triggers the server to push a message to the FIDO client on their device, which then wakes up and prompts the user to authenticate with their fingerprint and, upon success, sends a message back to the server telling it that it’s OK to let the user in.
The ability to eliminate the password entirely is what has MedImpact excited about this system. “If there is no password, it can’t be phished, cracked by brute force, or stolen by any means because there simply is no password to steal. That is what is really a game changer,” Secker says. “To compromise a login account that is using FIDO UAF, one would have to get physical possession of my device AND be able to fool the fingerprint reader. While that’s not impossible, it’s definitely in the realm of ‘Mission Impossible’ stuff.”
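The login flow and the "no password to steal" property described above rest on public-key challenge-response: the device holds a private key that it uses only after a local fingerprint match, and the server keeps only the matching public key. The sketch below is an example added here, not code from MedImpact or Nok Nok Labs, and it is a simplification rather than the FIDO UAF wire protocol. `PortalServer`, `Device`, `dr.example` and the boolean fingerprint flag are hypothetical names.

```javascript
// Added sketch of FIDO-style login; all names are hypothetical, data is constructed.
const crypto = require('crypto');

// Portal side: holds only public keys, so there is no password or fingerprint to steal.
class PortalServer {
  constructor() {
    this.publicKeys = new Map(); // username -> public key registered at enrollment
    this.pending = new Map();    // username -> outstanding one-time challenge
  }
  enroll(username, publicKeyPem) {
    this.publicKeys.set(username, crypto.createPublicKey(publicKeyPem));
  }
  startLogin(username) {
    if (!this.publicKeys.has(username)) throw new Error('not enrolled');
    const challenge = crypto.randomBytes(32);
    this.pending.set(username, challenge); // pushed to the device in the real flow
    return challenge;
  }
  finishLogin(username, signature) {
    const challenge = this.pending.get(username);
    this.pending.delete(username); // single use, so a captured response cannot be replayed
    if (!challenge || !signature) return false;
    return crypto.verify('sha256', challenge, this.publicKeys.get(username), signature);
  }
}

// Device side: the private key stays on the device and signs only after a fingerprint match.
class Device {
  constructor() {
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  respond(challenge, fingerprintMatched) {
    if (!fingerprintMatched) return null; // stand-in for the sensor's on-device decision
    return crypto.sign('sha256', challenge, this.privateKey);
  }
}

// Constructed scenario: one enrolled phone, a good login, then three attempts that must fail.
function demo() {
  const server = new PortalServer(), phone = new Device(), user = 'dr.example';
  server.enroll(user, phone.publicKeyPem);
  const login = (dev, matched) => server.finishLogin(user, dev.respond(server.startLogin(user), matched));
  const sig = phone.respond(server.startLogin(user), true);
  const ok = server.finishLogin(user, sig);
  server.startLogin(user);                        // fresh challenge issued
  const replayed = server.finishLogin(user, sig); // old response replayed against it
  return { ok, replayed, otherDevice: login(new Device(), true), noFinger: login(phone, false) };
}
```

Only the enrolled phone with a matched fingerprint gets in; a replayed response, an unenrolled device and a failed fingerprint match are all rejected.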
The portal will give the physician access to all prescription drug information for a particular patient, no matter where it was prescribed or what pharmacy filled it. This can help make sure that the patient is taking the necessary medication and that there are no harmful drug interactions.