Healthcare has an identity problem. This is not a new problem but the need to solve it has reached critical mass. There are now three things in this world that can be said to be certain, death, taxes, and health information breaches. Health information security has to deal with more than just those curious about relatives or celebrities and the vengeful divorce participants. Today,
- Identity thieves are now paying a premium for health records.
- Passwords are passé. Because passwords are too easily guessed, hacked, or stolen, they are unable to provide adequate security for the digital identities that are used to access our health information.
- Government standards for secure healthcare identities have not been forthcoming and it is time for the private sector to define and implement practical, best practices to meet the need.
Healthcare’s identity problem is complex. The three cornerstones of traditional security, Confidentiality, Integrity, and Availability, can end up competing in the complex, pressured, emotional, and high-stakes field of healthcare. Let me explain…
- Confidentiality - Health information has to be kept confidential with a high degree of assurance, not just to comply with federal law (HIPAA) but so that patients will trust health information systems to preserve their privacy. The systems must know who is accessing a patient’s information with a high degree of confidence so that only those authorized to access the information are allowed to do so while monitoring and auditing such accesses. These identities have to be accurate enough to provide ‘non-repudiation,’ the assurance that the uses of a digital identity cannot be denied by its owner. At the same time they must be able to enable some patients to securely access their own information without revealing their true identities to the healthcare system, intended for those patients who wish to remain anonymous or who cannot prove who they are but who are served by the healthcare system.
- Integrity - The information also has to be as accurate and complete as possible and all of it has to be about the right patient to avoid potentially fatal decision errors. The integrity of this information is totally dependent on our ability to accurately identify the patient in every record as well as when they want to access the information electronically.
- Availability - Meanwhile, the information must be made available quickly and easily to the many healthcare providers and support staff required to keep the healthcare system running smoothly to deliver the best care to the patient. The identity of both the patient and the healthcare providers must be easily and quickly determined with high confidence for these criteria to be met.
Healthcare has a poor reputation for adopting information technology. Because healthcare practice is learned through an apprenticeship system, the workflow in each healthcare system can be quite different, which makes it very difficult to implement any information technology unless it has been designed for or modified to fit that specific environment. We need to define and adopt new secure identity technology that can be integrated into clinical workflows in a way that lowers overall costs without requiring significant amounts of time for implementation, training, and usage, and thus adopted rapidly. The question is, “Who is best equipped to lead the way for healthcare?”
HIMSS and its members are in the best position to lay out practical, best practices that set an industry standard requirement of high confidence in the asserted identity’s validity before allowing electronic access to protected health information (PHI). The HIMSS Identity Management Task Force (IDM TF) that I chair is as a multi-stakeholder industry liaison group that is starting to address this issue. We conducted educational environmental scan and level setting activities in which we learned about identity management techniques being used in other industries, particularly the financial industry, and about current and developing technology in digital identity assurance and federation. These exposures have convinced us that currently available identity technology and support infrastructure is ready to meet the challenges I have described.
The HIMSS IDF TF has created a policy level recommendation to:
Require all health information systems, such as patient portals and electronic health record (EHR) systems, to be capable of identity proofing and authenticating any person at NIST Level of Assurance 3 (LOA-3) or equivalent before giving them access to PHI.
This policy has now been adopted by HIMSS and is being used as the basis for comments HIMSS is making on proposed federal plans and regulations. Our recommendations are also being discussed in the Healthcare Committee at the Identity Ecosystem Steering Group (IDESG), a result of the National Strategy for Trusted Identities in Cyberspace (NSTIC) convened by the federal government to address identity issues more generally. We have also set our next steps to include drafting guidance to enable healthcare industry vendors and implementers to conduct and document identity proofing and authentication at this high level of confidence, to do and document a HIPAA risk analysis to justify alternative mechanisms, to enable authentication at a high level of confidence for a patient who is anonymous, and to designate a proxy or delegate with the same level of confidence. The intent of the resulting guidance documents will be to make it transparent and easy for healthcare environments to adopt and implement technologies that practically and effectively meet the high bar of identity assurance that we have set as an industry standard.
I encourage you to read and comment on the task force’s recommendations to this point at http://www.himss.org/files/HIMSS_IDMTF_IAPP_Recommendation_Final.pdf with constructive suggestions of approaches that might work. We will take all input seriously and do our best to address all major issues raised as we move forward with our deliberations. I encourage you to participate whenever you can. Learn how and when to participate at http://www.himss.org/identity-management-task-force.