On Wednesday, November 14, 2018, the Centers for Medicare & Medicaid Services' (CMS') Retiree Drug Subsidy (RDS) Center hosted a webinar about the upcoming Secure Website Modernization initiative and how this project will impact the RDS Program. Both Plan Sponsors and Vendors were in attendance.
A copy of the slide deck has been published for your reference: RDS Secure Website Modernization Webinar and Feedback Session Slide Deck (pdf, 509KB)
CMS' RDS Center discussed the following topics:
- RDS Secure Website Modernization
- RDS Secure Website Data Archival
- Implementing Multi-Factor Authentication (MFA) and the impact to RDS Secure Website users
- RDS Program Reminders
- Open forum Q&A
RDS Secure Website Modernization Overview
During this portion of the presentation, CMS discussed a high-level overview of the initial scope of the Secure Website Modernization initiative. This information can be found on slide 4. While the full scope of the project has not been finalized, CMS' RDS Center discussed the following:
- Estimated implementation throughout 2019.
- New design.
- Modified screen flows for all sections of the application.
- Modification to Support Request feature to include on-screen suggested resolutions based on Topic and Category.
- Multi-Factor Authentication will be required for all user accounts in the RDS Secure Website, per CMS' increased security requirements.
- Data archival for applications that are no longer eligible for Appeal.
- Updated educational materials including user guide documentation and on-demand training videos.
The polling question "What is your role in the RDS Secure Website?" was posed to participants. Results of the poll were as follows:
| Answer | Results | Percentage |
|---|---|---|
| Account Manager | 67/206 | 33% |
| Authorized Representative | 29/206 | 14% |
| Designee | 45/206 | 22% |
| Actuary | 5/206 | 2% |
| Vendor Designee | 9/206 | 4% |
| N/A | 14/206 | 7% |
| No Answer | 37/206 | 18% |
RDS Secure Website Data Archival
Following the Secure Website Modernization Overview, CMS' RDS Center reviewed the impact of a potential data archiving strategy for older applications in Secure Website. This information can be found on slide 5.
- CMS' RDS Center is considering archiving RDS Secure Website applications whose most recent post-reconciliation determination is greater than 4 years old. Applications that are no longer eligible for appeal will be archived.
- Archived applications will not be visible on the RDS Secure Website. However, if data from an archived application is needed, it can be requested by sending a request to CMS' RDS Center.
- Benefits of this initiative include simplification of the Application List page and faster application response times due to lower data retrieval volumes.
The polling question "If archived applications were not accessible via the RDS Secure Website, would this pose concerns for your organization?" was posed to participants. Results of the poll were as follows:
| Answer | Results | Percentage |
|---|---|---|
| Yes | 32/213 | 15% |
| No | 72/213 | 34% |
| I don't know | 63/213 | 30% |
| No Answer | 46/213 | 22% |
Implementing Multi-Factor Authentication (MFA) and the impact to RDS Secure Website users
Following the Data Archival discussion, CMS' RDS Center introduced Multi-Factor Authentication (MFA) and its current intended impact on the RDS Program. This information can be found on slides 6-9.
- What is Multi-Factor Authentication (MFA)?
- MFA is a security architecture which requires more than one method of authentication derived from independent sources. It adds a level of security by requiring something the user knows (password) and something the user has (randomly generated token).
- MFA has become an industry standard for websites containing sensitive information, Personal Health Information (PHI), and/or Personally Identifiable Information (PII).
- Examples of MFA include a user logging into their bank account online with a username and password, and then entering an additional token code that is sent to them via email or text message. Another example includes a user logging into a computer or application with a username and password, and then entering an additional token generated by an application such as Google Authenticator.
- MFA Impact to RDS Secure Website Users
- All RDS Secure Website users will be required to activate MFA.
- RDS will implement Google Authenticator as the primary MFA mechanism.
- MFA only needs to be activated once per user account. Switching roles or re-registering will require users to activate MFA again for the new account.
- CMS' RDS Center will provide step-by-step instructions and training materials prior to the implementation of MFA. These materials will be disseminated via email and the RDS Program Website.
- What is Google Authenticator?
- Google Authenticator is a free tool that generates a unique token every 30 seconds.
- Phone app for IOS and Android available from App Store or Google Play.
- Google Authenticator generates the token based on multiple factors including a secret key associated with your user account.
- A token generated with Google Authenticator will only work with the user account to which it is associated during activation.
- Google Authenticator can only be activated on one device per user account.
- Once implemented, a field will be present on the login screen that prompts the user for the current token displayed by Google Authenticator.
- Google Authenticator does not share or transfer data between your device and the RDS Center; it simply generates a code which will be manually typed into the login page.
- One-Time Token
- An option for a one-time token will be available in the event a user's Google Authenticator device is not available
- One-time token is for use in emergencies only and the number of times it may be used will be limited
- One-time token will be delivered via text message or email. CMS' RDS Center will only send a one-time token to the text enabled number or email address associated with the user's RDS Secure Website user account
- One-time tokens will only be valid for 10 minutes
- An optional field for Text Enabled Number will be added to all registration pages as well as the Manage User Information page
- It is imperative that each user keeps his/her account information up to date
Several polling questions were asked during the span of these slides and their results were as follows:
| Answer | Results | Percentage |
|---|---|---|
| Yes |
158/218 |
72% |
|
No |
24/218 |
11% |
|
No Answer |
36/218 |
17% |
| Answer | Results | Percentage |
|---|---|---|
| Yes, Google Authenticator | 20/220 | 9% |
| Yes, Authy | 3/220 | 1% |
| Yes, Microsoft Authenticator | 19/220 | 9% |
| Yes, RSA | 49/220 | 22% |
| Yes, other | 40/220 | 18% |
| No | 79/220 | 36% |
| No Answer | 39/220 | 18% |
| Answer | Results | Percentage |
|---|---|---|
| Yes, cell phone | 126/221 | 57% |
| Yes, iPad/tablet | 5/221 | 2% |
| Yes, other | 9/221 | 4% |
| No | 52/221 | 24% |
| No Answer | 29/221 | 13% |
RDS Center Reminders
Next, on slide 10, CMS' RDS Center provided the following reminders to the Plan Sponsor and Vendor community:
- Protect Your Secure Website Account
- It is a violation of Federal law to share or transfer user accounts or login and password information.
- Plan Sponsors are encouraged to protect account information and manage users responsibly.
- Keep Personal Information Up-To-Date
- Ensure that your email address is kept current. Email is the main form of communication from CMS' RDS Center. CMS' RDS Center is unable to update your Secure Website user account on your behalf.
- Keep Retiree Information Up-To-Date
- Regularly download Covered Retiree Lists, submit updated retiree files to CMS' RDS Center during the Plan Year, and review Retiree Response Files and Weekly Notification Files to ensure costs are being reported based on the latest retiree information.
Questions & Answers
Finally, CMS' RDS Center answered questions that had been submitted:
Question: Will the slide deck from the presentation be published?
Answer: Yes, it can be found here: RDS Secure Website Modernization Webinar and Feedback Session Slide Deck (pdf, 509KB)
Question: When will MFA be implemented?
Answer: The exact timeline for implementation has not been set. However, MFA will be implemented in two stages:
- Stage 1: MFA will not be require to log in, however, the configuration pages for MFA will be implemented allowing users to configure their devices ahead of time. This will prevent users from experiencing a delay once MFA for logging in is implemented.
- Stage2: MFA will be required to login. If a user previously configured MFA (Stage 1), they will be able to use the token configured without further action. If configuration of MFA did not occur, the user will need to go through the setup process before logging in. CMS' RDS Center does not anticipate requiring MFA until after the high volume March 2019 Reconciliation deadline timeframe.
Question: What if I don't have a mobile phone? How will I setup MFA?
Answer: CMS' RDS Center is currently considering this situation.
Question: Who will be required to setup MFA?
Answer: Everyone accessing the RDS Secure Website will be required to setup MFA. Without setting up MFA, users will not be able to log in.
Question: Is there an issue with using a personal cell phone for MFA.
Answer: No
Question: Can I receive a one-time token through email?
Answer: Yes, when requesting a one-time token, users will be able to specify if they would like the token delivered via email or text message.
Question: When will the data archiving process begin?
Answer: This strategy is in the early stages and has not yet been assigned an implementation date.
Question: Are there screenshots or examples of the new interface and/or MFA?
Answer: Not at this time. However, such materials will be made available to users once they are available.
Question: Can a user use the same MFA for different roles?
Answer: First and foremost, RDS Secure Website users are allowed to hold only one role at a time. A user may hold the same role for multiple Plan Sponsors and may use the same MFA for that single user account/role across all Plan Sponsors to which they are assigned.
Question: Will there be a phone number for assistance?
Answer: CMS' RDS Center Help Line closed in March, 2015. Assistance may be requested by submitting a support request or emailing rds@cms.hhs.gov.
Question: Will Recon steps change with the new design of the SWS?
Answer: The user interface for the entire Secure Website will change. We have not yet determined the impact to the individual Recon steps. This information will be communicated to users once it is available.
Question: Will "mainframe" change?
Answer: No. Processing of retiree and cost report files will continue as it is today whether submitted through the Secure Website or Connect:Direct.
Question: Can google authenticator be downloaded to a laptop if the user has no smart phone?
Answer: No, Google Authenticator is a free app for mobile devices.
Please submit any additional comments or questions by opening a RDS Secure Website Support Request or submitting an email to CMS' RDS Center: RDS@cms.hhs.gov.