Should people share their web site credentials with their spouses? How about their Significant Others? According to a study on internet usage by the Pew Research Center, “Fully 67% of internet users in a marriage or committed relationship have shared an online password with their partner or spouse.” Whether or not access resulting from such credential sharing is problematic for the account owner, it does create an issue for organizations that want to move sensitive personal or financial information into the online channel. If credentials are shared, the organization has no way of knowing who has had access to the data, and this reduces its ability to detect fraud and other forms of inappropriate behavior.
There are, however, legitimate reasons for people to have access to each other’s data and to perform transactions on each other’s behalf. Many families have a Chief Medical Officer (often known as Mom), who schedules medical appointments, organizes medical forms for sports and camp, and makes sure that immunizations are up to date. Many families also have a Chief Financial Officer, whose job it is to take care of bills and other money matters. Some credential sharing takes place simply to enable families to function in the online environment they way they function in “the real world.”
It is important to set up account access in a way that allows relationship to work and, at the same time, permits fraud prevention and effective forensics when issues arise. Such access can be provided through a combination of strong authentication and proxy access. In this process, each user has her own account and is provided with strong authentication credentials. She can then grant access to other users. Those users can log in with their own credentials and have access to their own account as well as the account to which they have proxy access.
Proxy access can be as fine-grained as an organization wishes to make it, including read/write/modify or permitting access to specific types of data or sections of an account. If properly configured, every transaction by a proxy will be appropriately logged and available for analysis. Users will also benefit because they can revoke permissions if the nature of the relationship changes instead of having to re-register or change their own credentials.
Many healthcare organizations already have in place processes for proxy access to health information. Like many other business processes that move online, properly configured proxy access can enable data privacy, security and convenience for users, while decreasing costs and increasing efficiency for organizations.
The post Authentication and Permissions: Proxy Access appeared first on Insights.