Authentication: Balancing Act for HIEs
Considering Adequate Security and Ease of Use
"There's utmost need for security in knowing that who you're giving access through the network is who they say they are, and [knowing] what access they should have," says Whitlinger, executive director of the New York eHealth Collaborative, which oversees the Statewide Health Information Network of New York.
However, the trick is figuring out "how hard and how far do you challenge [for identity verification] before you've created too many barriers for doctors, clinicians and other users of the system," he says.
Making it too difficult to access patient data via HIEs, Whitlinger says, could push some busy clinicians into shunning the exchanges and concluding: "This is too hard, I'll just get my information some other way."
Building an ID and access management strategy involves carefully determining when to require the use of two-factor authentication, he notes. And that will require "significant policy work" within each state, Whitlinger says in an interview with Information Security Media Group.
"Where we might likely land is that within a controlled environment, a strong password might be an acceptable level of authentication, but when you're outside of a controlled environment, which has physical control over [a patient's data], two-factor authentication might be necessary," he says.
While the policy is debated, the Statewide Health Information Network of New York is offering member clinicians two authentication options: a strong password or two-factor authentication, featuring a password plus a PIN code that's sent to a mobile device. Those same options will be offered to patients when the exchange's new patient portal goes live early next year, he says.
In the interview, Whitlinger also discusses:
- The challenges involved with providing mobile users access to HIE data;
- The role that biometrics technologies could eventually play for ID and access management;
- The statewide HIE's ongoing development of its patient portal.
As executive director of the New York eHealth Collaborative, Whitlinger leads its various HIE-related efforts and its work as a regional extension center assisting healthcare providers making the shift to electronic health records. Previously, Whitlinger was director of healthcare device standards and interoperability for Intel in its digital health group. He also led the cross-industry consortium, the Continua Health Alliance, focused on establishing an ecosystem of interoperable, personal telehealth systems.