How to Authenticate Physicians' IDsTiger Team Drafting Recommendations
The Privacy and Security Tiger Team is hammering out recommendations for how best to authenticate the identities of physicians and other individuals who electronically exchange health information. The team will present its refined "trusted identities" recommendations at the Aug. 1 meeting of the Health IT Policy Committee, which advises the Department of Health and Human Services.
See Also: HIPAA Audits: A Revised Game Plan
At its July 24 meeting, the Tiger Team discussed authentication recommendations to help support the goals of future stages of the HITECH Act's electronic health record incentive program. For example, it plans to specify under what circumstances multi-factor authentication eventually should be required.
Deven McGraw, Tiger Team co-chair, described the recommendations as tackling the challenge of proving the identity of physicians and other users seeking to electronically query or exchange patient data, such as through a health information exchange.
The goal is to use authentication to verify identity "with sufficient assurances for the intended purposes of what you're asking to do," said Tiger Team member David McCallie, vice president of medical informatics at Cerner Corp., a software company.
The authentication is meant to help prevent "spoofing" of identities and unauthorized queries of patient information, said McGraw, who is director of the health privacy project at the Center for Democracy & Technology.
While the recommendations are dubbed "trusted identities of physicians in cyberspace," the proposals aren't actually limited to physicians; they also would apply to other individuals exchanging sensitive patient information, McGraw stressed.
The Tiger Team is drafting a plan that would spell out the different levels of authentication to be used in various circumstances. For instance, different authentication would be required for a data request being made within the four walls of a healthcare organization via a wired system than for a query from a remote office over a wireless network.
The team is considering recommending that by Stage 3 of the HITECH EHR incentive program, NIST 800-63 Level of Authentication 3 individual credentialing be used for riskier transactions, such as those that involve external data exchange via remote access.
The National Institute of Standards and Technology's 800-63 LOA-3 specification, "is appropriate for transactions that need high confidence in the accuracy of the asserted identity," according to NIST. Level 3 specifies the use of multifactor remote network authentication, with a minimum of two-factor authentication.
While NIST LOA3 is not healthcare industry specific, the Tiger Team wants to leverage the NIST- recommended levels of authentication in the healthcare context, McGraw said.
The Tiger Team expects to advocate a phased-in approach to authentication, gradually moving from today's widely used single-factor authentication to more sophisticated forms of authentication.
Acting on a Tiger Team request, Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT will investigate various scenarios for riskier transactions that could require the use of NIST LOA 3.
Assessing Impact on Physicians
The Tiger Team also is seeking insight from physicians about the possible impact of added authentication requirements on clinical workflow.
The proposed security measures should be weighed against quality of care, patient safety and disruptions to physician/clinician workflow, suggested team member Dixie Baker, senior vice president and chief technology officer for health and life sciences at Science Applications International Corp. "A huge part of getting [physician] adoption on anything is for them to understand the value," Baker said at the July 24 meeting.
McCallie noted: "If physicians think this is a hurdle in every day [processes], you'll get work-arounds to avoid this."