Concept of Operations: Relating to the introduction of a Personally Controlled Electronic Health Record System
5.4.2 Individuals and representatives
Authentication to the Consumer Portal and Conformant Portals
All authentication to the consumer portal and other conformant portals shall be in accordance with the safeguards identified in the NEAF [DOFD2009].
The Consumer Portal and conformant portals will implement a range of safeguards to reduce the likelihood of threatening events occurring, enable their early detection or reduce the harm arising from them. These safeguards include:
- Informed use consent, including acknowledgement of the importance of protecting e-Authentication credentials.
- Continual reinforcement of the importance of protecting e-Authentication credentials through user education, and warnings or notices displayed for each online session.
- Implementing challenge-response questions for important transactions.
- Informing users of:
  - The number of recent accesses and the date of last access.
  - Access attempts using invalid passwords.
- Important categories of transactions that require verification by means of “out of band” channels such as post or SMS.
The NEAF makes specific reference to safeguards in relation to health and safety including:
- Limiting transactions which can be conducted through particular channels.
- Requiring stronger e-Authentication for sensitive data (for example, challenge-response using a knowledge-based approach or a one-time password).
The Consumer Portal will make use of a username/password authentication process combined with challenge-response using shared knowledge questions and one-time passwords.
It is envisaged that conformant portal providers may select from a number of mechanisms for delivering e-Authentication, which would be compliant with NEAF and PCEHR System requirements. Some conformant portal providers may, for example, also support supplementary authentication methods, such as smart card based authentication.
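The following is an added illustration, not part of the concept of operations or any PCEHR System component, of how the safeguards listed above fit together in a portal: a password factor that records the access history and invalid-attempt count shown to the user, a step-up of shared-knowledge challenge plus one-time password, and a constructed set of "important" transactions that may only proceed after the step-up.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Transactions the portal treats as "important" (constructed set for this example).
SENSITIVE_TRANSACTIONS = {"change_access_controls", "download_record"}

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    kba_hashes: dict            # shared-knowledge question -> hashed answer
    accesses: list = field(default_factory=list)  # timestamps of successful logins
    failed_attempts: int = 0    # invalid-password attempts since last success

def _derive(salt: bytes, secret: str) -> bytes:
    """Slow, salted hash so stored passwords and KBA answers are not recoverable."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def register(password: str, kba_answers: dict) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _derive(salt, password),
                   {q: _derive(salt, a.strip().lower()) for q, a in kba_answers.items()})

def login(acct: Account, password: str, now: str):
    """Password factor (after username lookup). Returns the notice shown to the user, or None."""
    if not hmac.compare_digest(_derive(acct.salt, password), acct.pw_hash):
        acct.failed_attempts += 1
        return None
    notice = {"recent_accesses": len(acct.accesses),
              "last_access": acct.accesses[-1] if acct.accesses else None,
              "invalid_attempts": acct.failed_attempts}
    acct.accesses.append(now)
    acct.failed_attempts = 0
    return notice

def step_up(acct: Account, question: str, answer: str,
            otp_sent: str, otp_entered: str) -> bool:
    """Challenge-response on a question set at registration, plus the one-time password."""
    expected = acct.kba_hashes.get(question)
    kba_ok = expected is not None and hmac.compare_digest(
        _derive(acct.salt, answer.strip().lower()), expected)
    otp_ok = hmac.compare_digest(otp_sent.encode(), otp_entered.encode())
    return kba_ok and otp_ok

def authorise(transaction: str, stepped_up: bool) -> bool:
    """Important transactions require the stronger e-Authentication; others need login only."""
    return transaction not in SENSITIVE_TRANSACTIONS or stepped_up
```

Delivery of the one-time password over the out-of-band channel (SMS or post) and the throttling of repeated failures are outside this snippet; it only shows the checks and the user-facing notice.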
Authentication via Call Centre
When contacting the call centre, individuals and their representatives will be required to authenticate themselves by providing sufficient identifying information to help the operator locate the individual’s PCEHR, and by answering a series of questions they have set at registration.