Connecting the Identity and Authentication Dots
Although physicians will be required to use a digital credential to exchange electronic health records, the Tiger Team's recommendation did not name a specific credential. This is in line with the Policy and Standards Committees' objective of remaining technology neutral.
What is interesting is that this announcement comes on the heels of the Drug Enforcement Administration's March 25 Interim Final Rule for electronically prescribing controlled substances. The rule specifies that a username and password combination is not strong enough identity verification to authenticate prescribing physicians to e-Prescribing software applications. A username and password together constitute single-factor authentication, because both are "something you know." Instead, the DEA will require, at a minimum, two-factor authentication: two distinct factors drawn from "something you know," "something you have" (such as a smart card, hard token or one-time password device) and "something you are" (a biometric, such as a fingerprint). Two secrets of the same kind, such as a password plus a security question, are still a single factor.
Also on June 25, the White House published the first public draft of the National Strategy for Trusted Identities in Cyberspace. Below is an extract from its Executive Summary:
"One key step in reducing online fraud and identity theft is to increase the level of trust associated with identities in cyberspace. While this Strategy recognizes the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities. Spoofed websites, stolen passwords, and compromised login accounts are all symptoms of an untrustworthy computing environment. This Strategy seeks to identify ways to raise the level of trust associated with the identities of individuals, organizations, services, and devices involved in certain types of online transactions."
On June 28, the Federal CIO Council finalized the specification for the Personal Identity Verification - Interoperable credential, commonly referred to as PIV-I. PIV cards are the electronic identity credentials being deployed throughout the federal government, as required by Homeland Security Presidential Directive 12 (HSPD-12), to be interoperable and trusted across every federal agency. They will ultimately be used for both physical access to federal buildings and logical access to federal computers and networks. The initial PIV-I specification, published in May 2009, defined a credential that non-federal issuers could issue and that the federal government could trust. That initial specification raised several questions and comments, but these have since been resolved.
PIV-I is the credential being deployed as the First Responder Authentication Credential (FRAC) by several state and local governments because it is standards-based, non-proprietary, trusted by the federal government and usable for multiple purposes. The first responder population encompasses approximately 20 million people in the U.S., and a significant portion of it consists of physicians, nurses and EMTs. By putting a FRAC in the hands of the medical community, local authorities will be able to rapidly grant access only to qualified individuals during emergencies such as Hurricane Katrina.
Given these federal initiatives affecting the U.S. healthcare system, it is clear that healthcare organizations and providers will need to strengthen their identity and authentication methods and obtain digital identity credentials. In these harsh economic times, organizations are conscious of expense and want a return on their investment with minimal impact on provider workflow. The last thing providers want is to carry yet another ID badge or token. To minimize that impact, a single credential should meet or exceed all of the identity and authentication requirements listed above.
Does one exist? The answer is YES.
The PIV-I credential is a multi-purpose electronic identity credential, built on international and domestic standards, and is available today from several manufacturers. PIV-I exceeds the HIT Policy Committee's recommendations for network authentication in the exchange of electronic health records. It meets the needs of the DEA's e-Prescribing rule (a PIV-I card plus its PIN is "something you have" and "something you know"), it is being deployed today as the FRAC, and it is trusted by the federal government. As a NIST Level of Assurance 4 credential, it also meets or exceeds all of the examples given in the National Strategy for Trusted Identities in Cyberspace.
The most cost-effective and secure path forward is to consolidate identity verification to a single credential. PIV-I provides this capability and should be adopted as the standard for identity verification in the U.S. healthcare ecosystem.
For more information about PIV-I please visit idmanagement.gov.