Record security 'only as good as weakest link'

Working on health information exchange led Paul Tuten, PhD, senior consultant at the State HIE Program of the Office of the National Coordinator for HIT (ONC), to quickly recognize that trust and, by extension, privacy and security, is only as good as the weakest link in the chain of exchange. “Getting these issues right is very important.” Tuten was one of several speakers who participated in the National eHealth Collaborative’s program Sept. 19 on Increasing Medical Record Security.

To that end, there has been much debate and discussion about just how to get these issues right. Identity proofing is a very critical step, Tuten said. “If you don’t have that established up front in an authoritative way, the rest of the work further downstream becomes quite problematic.”

The State HIE Program issued recommended guidelines for exchange to its grantees, including steps of identity proofing. “We felt compelled to issue those so there would be a common baseline,” said Tuten. This has been an active area of interest and work for the ONC as well as various policy bodies that have participated within ONC and through ONC programs.

The National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative, asked a Tiger team to focus on guidelines for trusted identity. “Are you who you claim to be?” and “How do we know?” are just two of the questions the team considered. “When you start talking about the risk of security and privacy, it becomes a matter of degree of certainty” rather than a concrete yes or no, Tuten explained.

Policy recommendation challenges
One challenge in policy recommendations is recognizing that technology changes over time, Tuten said. The HIT Policy Committee recommended that ONC continue to monitor what’s going on in the market and update policies appropriately. The ONC’s work to implement this recommendation should continue to be informed by the work going on in the context of NSTIC, taking into account provider workflow needs. Related to that, ONC should continue to consult with NIST with respect to future iterations of NIST 800-63-1 to identify any unique needs in the healthcare environment that must be specifically addressed.

NIST guidelines allow for identity proofing to be done in person or in a remote capacity. Authentication levels build on one another as levels of assurance go higher.

Meanwhile, initiatives like Blue Button suggest that patients are going to be active participants as well in the context of HIE. “There is a fairly active discussion going on in different communities with respect to what level of identity proofing is really appropriate and should be required with respect to patients,” Tuten said. One camp thinks the same level should be required of everyone while another thinks that a different level is appropriate in cases where a patient is transacting healthcare information about him- or herself, not others. The Tiger team and Privacy and Security Workgroup will hold a joint hearing on the topic in late October.

Next up: Bill Braithwaite, MD, PhD, CMO for Anakam, an authentication and verification technology provider, discussed the decline of the U.S. healthcare system and what privacy and security measures are needed for improvement. “We’ve known for over a decade that we have a failed healthcare system. We’re killing people by accident in hospitals, at close to 100,000 per year, and wasting $750 billion per year. As a nation, we spend twice the amount per capita as other industrialized nations but rank last in outcomes. The public has a fear of identity loss and privacy. These are major issues. If we want to get to better care at lower cost, we have to do something.”

Braithwaite cited the recent Institute of Medicine report that includes a statement that regulators are going to be involved to clarify and improve rules about how patient data can be safeguarded and better coordinated through HIE. Expect more regulatory requirements for compliance to result, he said. The report goes into some detail about the problem, including unnecessary services, inefficient delivery of services, excessive administrative costs and fraud, contributing to a total of $765 billion in waste. “It’s absolutely incredible.”

Healthcare has to evolve from practicing in an exam room with paper records, he said. “We’re very slowly getting rid of paper records and bringing in EHR systems.”

But, soon clinicians and patients are not going to be in the same room at the same time. They will connect securely with this health information network, cooperating, coordinating and communicating over the network to provide care remotely. “The future of healthcare, in my view, to get the best care at lower cost, has to be clinicians and patients directly interacting with clinical decision support systems. This is the underlying concept of Meaningful Use--HIE with EHR and active CDS systems actually save lives and dollars. The key is that interoperable HIE. If that doesn’t work, we cannot reform the healthcare system.”

The whole system depends on the following:
  • Interoperability--standards;
  • Incentives--resources to incorporate into healthcare practice;
  • Investigations--what’s causing problems and errors; and
  • Trust--through interoperable security and privacy, including patient consent. If patients don’t trust the system, they won’t give permission to include their records in the HIE. Lack of trust means no information exchange.

Difficult to attain
“With so much suspicion and apprehension on the part of patients regarding data breaches, trust is a very difficult thing to attain,” said Michael L. Nelson, DPM, VP of healthcare strategy and business development, Equifax, a credit protection provider. “As more and more providers are using remote access to see PHI, the federal government wants to make sure that the public feels that their information is being safeguarded appropriately.”

A significant aspect of that desire is that the government is counting on the private sector to drive this effort, he said. The government doesn’t want to take the responsibility or mandate how it’s done. Rather, they’d like private industry to identify the main challenges and come up with creative solutions. “The government is going to provide support by means of policy suggestions and facilitate the deployment of interoperable standards.”

Challenges with security already exist. For example, NIST Level 3 authentication requirements call for verification of a government-issued ID and a financial account number. Not everyone has a driver’s license, he pointed out. Plus, states don’t share driver’s license information. The Coalition for a Secure Driver’s License reported that 18 of the 19 September 11 terrorists held 30 licenses and identification cards that were issued by only five states. It’s pretty easy to purchase a counterfeit license for between $100 and $400. Each year in the U.S., between 200,000 and 300,000 counterfeit licenses are introduced. “That’s significant,” Nelson said.

But, Level 4 authentication is a pretty big burden to place on doctors who already feel put out by all of the regulations for Meaningful Use and other initiatives, he said. It’s one thing for large hospital systems or large medical groups with their own human resources and credentialing departments to take on the challenge. But, another inconvenience for rural and small practices is going to turn them off to participating in HIE.

Meanwhile, provider verification offers its own challenges. Both their personal and professional identifications must be verified in order to issue the right credentials. First, one must establish that the identity exists and the next step is authenticating that that identity belongs to the person requesting access to PHI. Numerous questions can arise through this process: What is the status of my credentials at that moment in time I’m requesting access to PHI? Suppose I have a clean slate in one state but had my license suspended in an abutting state. What policies are in place on whether you allow me to access PHI? How often should that be checked?

A lot of organizations are relying on the national provider identifier (NPI) as the end-all identifier to authenticate providers, Nelson said. Unfortunately, the National Plan and Provider Enumeration System (the organization behind NPI) is not a credentialing organization. Plus, a lot of doctors practice under a different name than what they’re known as by the Social Security Administration. The result is that anyone with a Social Security number, date of birth and place of birth can fraudulently obtain an NPI. “Once they have that they can bill for medical services, write prescriptions and seek access to PHI. NPI is not a reliable means of authenticating a provider,” Nelson said.

When a provider dies, unless the estate or family notifies the state license board, the provider’s license stays active until the expiration date. Anyone can read through the obituaries, look up an NPI or medical license number and steal the provider’s identity, he said. “There has to be a process in place to authenticate that the identity is real, it exists and it belongs to that specific person.”

A potential tool is knowledge-based authentication, Nelson explained, which relies on the use of challenge questions that only the real person would know the answer to. The questions are guess-resistant and unpredictable to prevent people from scamming the system and augment identity proofing and the authentication process.

Nelson wrapped up his talk by sharing that he and his team analyzed provider data for a large payer. They identified 3,000 fraudulent providers who were barred from the program in the first month. “That’s a significant number.”

The two-factor approach
Lastly, Drew McNichol, technology director of HEALTHeLINK, a clinical information exchange launched in 2006, discussed the two-factor approach to authentication.

HEALTHeLINK has experienced “phenomenal growth,” he said. “We’re averaging about 30,000 record look-ups on a monthly basis.” The exchange has 2,500 provider participants, 7,000 total users and about 600 active users on a daily basis.

The exchange was forced to update its privacy and security when key data sources and several stakeholders insisted on the same level of security as their own remote users: a two-factor approach. They convened a workgroup to define the requirements and develop a solution that could be leveraged by all. The result was a portal, or a landing spot, for providers to perform their two-factor authentication. “We wanted to provide our providers with the ability to get to clinical information on HEALTHeLINK,” McNichol said.

The group worked to eliminate multiple user names, establish single user names and a one-time password through a secure mechanism. They also now use the Healthecommunity portal, a lightweight web application that handles three responsibilities: “navigation and user interface, calls for two-factor authentication and provide assertion out to applications and other systems we’re connected to.”

One big lesson, McNichol said, was the importance of balancing stronger authentication against increased adoption. The group is working on a new look and feel for the portal, such as only prompting users when they are accessing applications that require two-factor authentication. “We’re looking to our stakeholders to provide access either to their remote users or their providers that need access to their apps and put that behind our two-factor approach. We want to develop one solution that’s scalable, cost effective and provides authentication capability. We’re looking at the portal as an opportunity to work with others.”

With more Meaningful Use requirements on deck and increased privacy and security auditing, there should be no shortage of opportunities for various stakeholders to work with each other to make improvements.

Beth Walsh, Editor