Authentication and ID Management

David Snyder

Fraud and identity theft are concerns in both banking and healthcare. This year, the HIMSS Financial Privacy & Security Task Force is discussing the feasibility of leveraging banking Identity Management (ID) systems in healthcare. This article looks at current topics in banking ID systems and how they may relate to healthcare.

The key concepts are identity and authentication. Put simply, identification is determining who someone is and authentication is how you prove it. In banking, username and password are increasingly seen as not sufficient, so multi-factor authentication is becoming more popular. Multi-factor authentication involves at least two of the following:

  • Something you know (password, passphrase, etc.)
  • Something you have (USB key, hardware token, mobile phone, etc.)
  • Something you are (fingerprint, iris scan, voiceprint, etc.)

There are at least three areas where identity and authentication are important:

  • Controls for access to personally identifiable information and personal health information
  • Authorization for individuals to receive services
  • Exchange of information between disparate systems

Using smart cards with a PIN for patient identification and authentication within a healthcare system is an idea that is already being borrowed from the banking industry. Another idea that can be adapted from the banking industry is so-called “out-of-band” confirmation, using a mobile phone message to verify whether a login attempt is authorized. These are good for the “front-end” processes of access and authorization described above.

It is harder to think of examples from banking for authenticating identities to support the exchange of patient information between “back-end” databases for care coordination. For back-end processes, the banking industry has evolved detailed standards for bank account and credit card numbers. For example, bank accounts are identified with bank routing numbers and account numbers (the Magnetic Ink Character Recognition numbers at the bottom of a check) and Bank Identification Numbers (BINs) are encoded as the first six digits of credit card accounts. Notwithstanding HL7, standards that are this simple have not yet emerged in healthcare where patient records are held in many different sizes and types of organizations.

Banking and healthcare have similarities, but also several differences. Personal Health Information is “…a many-to-many problem: we have many pieces of data which must be bundled up in different ways for many different audiences... many different groups need access to different subsets (or all) of it… And each audience needs a different slice of the data — but must not see the rest of the data.” (Lane, Adrian, Securosis, LLC, “Tokenization vs. Encryption: Options for Compliance,” October 23, 2012.)

Another important difference is that, “The finance industry has a high degree of interaction between the consumer and its data to provide continued review and assessment of the currency and accuracy of the information. In healthcare, the consumer (patient) does not control the accuracy of his/her own data.” [emphasis added] (HIMSS Patient Identity Integrity White Paper, 2009.)

In banking, the impacts of incorrect identity are mainly financial loss. In healthcare, impacts may be financial, but can also be delivery of wrong care, delivery to the wrong person, failure to deliver care or duplication of efforts.

A unique patient identifier was proposed in the original HIPAA legislation but effectively prohibited by subsequent legislation. Since then, the focus has shifted to patient-matching algorithms that compare multiple data elements – such as name, birthday and address – to confirm identity. Current algorithms are not always accurate, so manual correction is often necessary. Efforts are underway to improve reliability. HIMSS is participating in ONC’s Patient Matching Initiative.
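As an added illustration of the multi-element patient matching described above (example code written for this article, not an ONC or HIMSS algorithm), the script below scores two records on name, date of birth and postal code using constructed weights and thresholds, and routes scores in the uncertain band to manual review rather than linking or rejecting them automatically:

```python
import re
import unicodedata

# Per-field (agreement, disagreement) weights. These values are constructed for
# illustration only; a real system calibrates them on its own record population.
WEIGHTS = {
    "last_name":  (4.0, -3.0),
    "first_name": (2.5, -2.0),
    "dob":        (5.0, -6.0),   # date of birth is strong evidence either way
    "postal":     (2.0, -1.0),
}
MATCH_THRESHOLD = 8.0    # score >= this: link the records automatically
REVIEW_THRESHOLD = 3.0   # REVIEW <= score < MATCH: hand to a human for correction

def normalize(s: str) -> str:
    """Strip accents, case, punctuation and whitespace so "O'Brien" == "OBRIEN"."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", s.lower())

def dob_agrees(a: str, b: str) -> bool:
    """ISO dates agree if equal, or if only day and month are transposed
    (a common data-entry error); the year must always match."""
    if a == b:
        return True
    ya, ma, da = a.split("-")
    yb, mb, db = b.split("-")
    return ya == yb and ma == db and da == mb

def score(rec_a: dict, rec_b: dict) -> float:
    """Sum field-level evidence; a missing value on either side is neutral."""
    total = 0.0
    for field, (agree_w, disagree_w) in WEIGHTS.items():
        va, vb = rec_a.get(field, ""), rec_b.get(field, "")
        if not va or not vb:
            continue
        same = dob_agrees(va, vb) if field == "dob" else normalize(va) == normalize(vb)
        total += agree_w if same else disagree_w
    return total

def classify(rec_a: dict, rec_b: dict) -> str:
    s = score(rec_a, rec_b)
    if s >= MATCH_THRESHOLD:
        return "match"
    return "review" if s >= REVIEW_THRESHOLD else "no_match"

# Constructed sample records (not real patients).
REC_A = {"last_name": "O'Brien", "first_name": "Mary", "dob": "1980-03-07", "postal": "94301"}
REC_B = {"last_name": "OBRIEN", "first_name": "MARY", "dob": "1980-07-03", "postal": "94301"}
REC_C = {"last_name": "Obrien", "first_name": "M", "dob": "1980-03-07", "postal": ""}
REC_D = {"last_name": "Smith", "first_name": "Mary", "dob": "1975-01-01", "postal": "10001"}
```

Running `classify(REC_A, REC_B)` links the records despite the formatting differences and transposed date, `classify(REC_A, REC_C)` lands in the review band because the initial-only first name is weak evidence, and `classify(REC_A, REC_D)` is rejected.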

The financial industry is seeking to “up its game” with respect to identity and authentication. A recent meeting of a payments industry group featured identity and authentication solutions from four companies, which show several directions in which identity is evolving. One company has developed a consumer-provisioned, user-centric federated identity network based on strong cryptographic secrets held in user devices rather than on shared secrets. A second maps complex device relationships and exposes fraud patterns so that businesses can respond to online risk immediately. A third offers a hardware and software platform that authenticates the user, the device, the channel through which a transaction occurs, the transaction itself and the bank application in use, providing a real-time fraud detection service. A variation on this is an alliance offering a biometric device that enables rapid two-factor authentication at the point of sale.

Although there are important differences between banking and healthcare, it appears some tools can be adapted for healthcare access and authorization, such as multi-factor authentication employing smartphones, smart cards and biometrics.

It remains to be seen whether standards like those used for bank accounts and credit cards can be developed for identifying patient records. Thus, authentication and ID management in healthcare will continue to be a fertile area. HIMSS has been involved with these topics for years and can continue to provide insights for the future.

For more thoughts on the work of the Financial Privacy & Security Task Force, see Mick Talley’s article HIMSS Financial Privacy & Security Task Force Update.

David Snyder is an independent consultant at 42TEK, Inc. and is active in both the electronic payments and health IT areas. He has helped both large and small organizations with implementing innovative technologies. He has a clinical background in Respiratory Therapy and an MBA, and is a California-registered engineer. Located in Silicon Valley, Mr. Snyder leads the SVForum Healthcare IT SIG.