While the U.S. continues digitizing its healthcare industry, a huge challenge is arising: not only securing those systems but verifying identities.
With a steady stream of HIPAA-covered data breaches continuing over the past few years, not to mention the debacle of Target’s recent customer financial information loss, some argue that current identity security approaches just aren’t adequate — especially considering that criminal attacks on hospitals are increasing substantially.
“Protecting sensitive personal information with passwords is akin to building a massive stone fortress and then securing the front door with the kind of lock I use to keep my two-year-old out of my bathroom,” said Jeremy Grant, a senior advisor on identity management at the National Institute of Standards and Technology, heading up the National Strategy for Trusted Identities in Cyberspace.
April 2014 marks three years since the Obama Administration launched the NSTIC, a public-private initiative aimed at spurring the private sector to increase privacy, security and trust in online transactions across industries.
Speaking at a public hearing held by the federal Health IT Standards Committee’s Privacy and Security Workgroup, Grant argued that while there has been progress in a number of pilots — with six of 12 relating to healthcare — the private sector, particularly health organizations, needs to start agreeing on standards.
The National Strategy “will only succeed if sectors in need of better identity solutions step forward and demonstrate a willingness to roll up their sleeves in support of the collaborative effort,” said Grant, the former chief development officer at ASI Government.
Personal health record sharing options like the Blue Button will only work “if patients have an easy way to assert that they really are themselves online,” Grant explained.
Though not the only layer of security needed, identity is perhaps the most important and difficult, Grant argued. Identity solutions “can’t simply be secure,” he said; they have “to be easy to use, or else users won’t bother.”
Grant urged the Privacy and Security Workgroup to bring a message back to the rest of the Health IT Standards Committee and the broader health and health IT communities: Even though standards may not be as mature or technologies as widely available as some would hope, don’t wait.
“If the Workgroup or the broader health sector are of the view that this marketplace will soon be created while everybody sits back and watches,” Grant continued, “I believe folks are going to be waiting for a long time.”
Bringing that vision of secure and accessible identification technology to reality is going to take a lot of work, though.
“Privacy and Interoperability are among our most pressing concerns and they often conflict in the real world,” argued Thomas Sullivan, MD, the chief strategy officer at the e-prescribing company DrFirst, and a past president of the Massachusetts Medical Society. “There are far too many examples of unnecessary redundancy in IDP and identity management of both providers and patients,” leading to “higher costs, inefficiency, errors, fraud and frustration throughout the industry.”
The problem can manifest in multiple ways for patients and providers. Sullivan offered two examples.
For patients who decide what providers to share their information with, there is great privacy, yes, but also a “risk of danger and harm” if the information is incomplete or not shared in the event of emergencies.
For providers controlling identity attributes of patients, there are administrative efficiencies and “a certain element of patient safety added since it is easier to discover aggregate data that may bear on treatment decisions.” At the same time, “the patient loses a certain element of control regarding data sharing and thus, perhaps [there will be] less privacy protection,” Sullivan said.
Now, some see the solution to those identity and security problems as one with few risks, albeit with lingering controversy: a national patient identifier system.
While “some members have proposed that as one of several solutions, I’m sure we’re not trying to provide a national ID for all patients,” Sullivan said, referring to the Identity Ecosystem Steering Group he is also a member of. “Back when the HIPAA debate took place, it was clear we would not have a national patient identifier until Congress acted. But we are looking at ways to identity-proof patients and providers and to make those attributes a lot more usable.”
Indeed, the Healthcare Information and Management Systems Society (the parent organization of HIMSS Media, publisher of Government Health IT), the American Health Information Management Association and others are pushing a new idea as an alternative to a national patient ID system — a national patient matching system, options for which HIMSS in collaboration with HHS innovation fellows are currently exploring.
Whatever the outcome of those or other standards efforts, practitioners like Sullivan are just glad to see the problem of identity management starting to be addressed.
“It’s pretty rare that a physician would agree with anyone on anything,” he said, “but I completely agree that we need to collaborate more between commerce and HHS.”