Export Compliance Daily is a Warren News publication.
Users Make Insecure Solutions

Committee Considers How Best to Authorize, Identify NHIN Users

As is often the case, technology isn’t the real problem in figuring out how to exchange sensitive health data across town or across the country, panelists told the Health IT Policy Committee’s Nationwide Health Information Network work group Thursday. The issues are about people: how much people want the government or the marketplace to lead the process of authentication and identity proofing, and how many security measures people in the workplace are willing to deal with before they start undermining them.

The bare minimum the committee could recommend would be to let the marketplace figure it out, said Dave Miller, chief security officer at Covisint. There would inevitably be some bad outcomes with that approach, but eventually the marketplace would sort it out, he said. If the federal government wants to kickstart the process, it would instruct doctors to protect and use their credentials the same way they protect their prescription pads: if they misuse their prescription authority, they face jail time, he said. Canada has taken a centralized approach to authentication, he said, by requiring people to go to a government office, get identity proofed there, then receive a token whose misuse carries jail time.

That type of government-driven approach isn’t likely to be accepted in the U.S., Miller said. Still, doctors could go to an “identity store” to be identity proofed, but they would still have to walk away with some “thing” that could be used in the authentication process. The question would then be who acts as the identity store. “The hard thing about face-to-face is the face,” he said. What government office would handle the identity proofing? Could the post office do it? Hospitals that handle Medicare patients might be an option, but doctors who've chosen to work outside hospitals might not want to be forced into going to the hospital for identity proofing, Miller said. Audience member Michael McGrath of Gemalto, however, urged the committee to look outside the health care system and make use of other identity-proofing measures in place or proposed. Legislation by Sen. Charles Schumer, D-N.Y., would make Social Security cards biometric, he said, which will require in-person identity proofing. These could then be used in the health care field, he said. The State Department uses the post office to do identity-proofing for passports. The post office could also identity-proof patients and providers, he said. In his former life as a stockbroker, he was required to go to the police station and provide fingerprints for the FBI, he said. If the SEC can mandate such measures, then HHS should utilize its authority to mandate similar measures, he said.

Transactions on the NHIN should require two-factor authentication, said Nicholas Piazzola, vice president of government programs at VeriSign. A NHIN that requires only username and password will only lead to the unauthorized release of information, he said. Most organizations will say they can’t do or can’t afford level 3 security according to the NIST standards, said Brent Williams, chief technology officer at Anakam. Level 3 is the second-highest level of security and requires face-to-face identity proofing. But level 3 is affordable, he said. “It’s doable. Don’t let people dumb down the information or call it level 2 when it’s not actually level 2,” he said. David McCallie, vice president for medical informatics at Cerner and also a member of the HIT Standards Committee, said less than 10 percent of the company’s clients opt for two-factor authentication, citing complexity, cost, the inability to use with legacy systems and, most importantly for providers, the burden on workflow and productivity. Miller suggested that in certain cases, context could act as the second factor. A doctor in the emergency room, for example, is in the building surrounded by people who recognize him. That’s a different scenario than a doctor who wants to access records from home at night, he said. He also warned that users find ways to get around security they find cumbersome because they see other people, not themselves, as the problem. They'll find the “most unbelievably unsecure way around” policies, he said, giving as an example an executive who had his children set up a webcam focused on his token with ever-changing passwords so he wouldn’t have to carry it around. One way to deal with the issue is to reduce the number of authentications a user must do, Miller said. For example, if a doctor prescribes three controlled substances to a patient, the DEA requires the doctor to enter his number three times rather than once, he said. Doctors naturally want to find a way around this extra entering of codes, he said.

Williams also cautioned that the idea of federation seemed to be lost in the debate. True federation, he said, means allowing in people from another organization and trusting them by virtue of trust in their organization. If an organization starts requiring those outsiders to become part of its own credentialing process, then it’s no longer in federation, he said.