Feds Consider Patient Authentication
Input Offered for Securing Access to EHRs
What are the best methods to authenticate the identities of patients when they access their health records online?
At a joint hearing of the security and privacy workgroups of the HIT Policy and Standards Committees on Nov. 29, members heard public testimony from a diverse group of leaders in healthcare, technology and other industries. Discussions focused on possible methods and technologies to be considered for authenticating the IDs of patients and their authorized representatives.
The HIT Policy and Standards committees advise the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services that coordinates policy and technology standards related to the HITECH Act's electronic health record incentive program.
Testimony ranged from possible ways to verify the identities of patients, from relying on doctor office staff to enlisting the help of the U.S. Postal Service, to the various technologies that could be used in multifactor authentication. An objective of ONC is to identify the best methods and technologies for verifying and authenticating the ID of patients without being so cumbersome that patients refuse to embrace them (see: Patient IDs: Weighing the Options).
"The good news is that so much is happening in other spheres that helps us establish our identities online," said Farzad Mostashari, M.D., national coordinator for health IT in opening statements at the hearing. "Accessing medical records [should be] as easy as accessing banking records today. We have to make sure it's the patient on the other end of the keyboard" that's actually accessing the digital records.
New Challenge for Healthcare
While other industries such as banking have long embraced a variety of technologies and processes for securing the IDs of consumers when they conduct business online, the subject of patient ID credentialing is much newer in healthcare. Yet, authentication is becoming increasingly critical for a number of reasons.
For one, as part of patient engagement objectives of Stage 2 of the HITECH Act EHR incentive program, hospitals and doctors must provide patients the ability to access, download and transmit their health records online.
Meanwhile, as healthcare reform takes hold, other new opportunities are emerging for patients to access their health related information online (see: Patient Credentialing Now a Hot Topic).
Under healthcare reform, for example, new state health insurance exchanges will also raise the need for robust patient authentication, said Dave Walsh, co-chair of a technical committee of the Medicaid Information Technology Architecture.
"We're at a turning point with the Affordable Care Act and Medicaid expansion," he said. State insurance exchanges that are being built in compliance with healthcare reform will need to authenticate the ID of beneficiaries as they enroll in new health coverage programs.
Yet, in the healthcare industry today, robust, scalable, standards-based patient ID credentialing technologies and processes for multiple purpose use are lacking.
"Single sign-on solutions exist for some large [healthcare] organizations, but these solutions do not necessarily scale beyond the walls of the organization," said Joni Brennan, executive director of Kantara Initiative, a multi-stakeholder non-profit group focused on developing trusted identity framework criteria.
"Patients need trusted, safe, secure, interoperable and easy-to-use credentials to access their electronic health records," she said. "However, such patient credentials must not compromise security for convenience. The identity vetting and credential management of patient credentials must be scaled to appropriately match information transaction context and risk assessment."
Discussion at the hearing included possible ways for verifying the ID of patients before they are issued credentials to electronically access health information, as well as various combinations of multifactor authentication that could involve the use of passwords, biometrics, smart cards, hard tokens and mobile phones.
Chris Mickens, HIPAA security officer of the Indiana State Department of Health, explained how the state depends on healthcare providers to verify the ID of patients, as well as the IDs of parents and guardians of pediatric patients, before those individuals are issued a PIN to gain access to the state's MyVaxIndiana web portal for immunization records.
Mickens said she believes healthcare providers are well-suited to verify the ID of users before they are issued credentials for accessing health records, such as immunization records, from state sites online. That's in part because healthcare staffers are better able to track changes in relationships, such as divorces or changes in guardianship, that might affect whether an individual should be granted access to records. "The department [of health] wouldn't be privy to that information," she said.
Some at the hearing debated whether healthcare providers are adequately qualified to provide ID proofing for patients accessing records online. "The [advantage is] that patients trust their doctors," said Jonathan Hare, president and founder of Resilient Network Systems, a provider of cloud-based identity services. "The disadvantage is that a lot of doctor offices rely on the front desk person to proof IDs, and they might not be very good at it or well trained enough for it."
Another witness noted that a doctor verifying the ID of a patient could be more reliable than a public notary who's only encountered an individual one time.
Meanwhile, Clayton Bonnell, a program manager at the U.S. Postal Inspection Service, the law enforcement branch of the U.S. Postal Service, testified that his organization could be of assistance.
Touting the Inspection Service's work with soft tokens, biometrics and other technologies, as well as the fact that "mail fraud that involves false IDs can get [criminals] 25 years in prison," Bonnell asked committee members to consider how the postal service can be what he called "a reliable party in this new identity ecosystem."
Members of the HIT Standards and Policy Committees' privacy and security workgroups will further vet the hearing testimony, as well as public comments collected online over the last several weeks, at their own upcoming meeting as they consider making patient credentialing recommendations to ONC, said Deven McGraw, chair of the HIT Policy Committee privacy and security Tiger Team.
The work by the advisory groups follows Tiger Team recommendations for trusted IDs of healthcare providers in cyberspace that were endorsed this past summer by the HIT Policy Committee. Those recommendations include requiring multifactor authentication in certain cases involving clinicians remotely accessing patient information (see: Multi-Factor Authentication Gets a Boost).