Connecting Consumers: Common Framework for Networked Personal Health Information

CT2: Authentication of Consumers

This practice area addresses the following Connecting for Health Core Principles for a Networked Environment*:
6. Data quality and integrity
7. Security safeguards and controls
* "The Architecture for Privacy in a Networked Health Information Environment," Connecting for Health, June 2006. Available at: http://www.connectingforhealth.org/commonframework/docs/P1_CFH_Architecture.pdf.

Introduction

Trust in an electronic network depends on several factors, including assurances to consumers and participating entities that the information they access and share will be kept confidential, i.e., only shared with authorized actors. One key policy for achieving this trust, which is the focus of this paper, is to make sure that consumers are properly authenticated.

This work is the product of the Connecting for Health Work Group on Consumer Authentication Policies for Networked Personal Health Information.

A Critical Problem of the Digital Age

At birth, a baby's hospital nametag is the first of several tokens that society will use to assert "identity" throughout the rest of life. For a child born into this Digital Age, countless electronic transactions will be based on assertions of identity. There is no practical or affordable technology – at least, not yet – to flawlessly identify each person for each transaction. So we use a variety of imperfect tokens (driver's licenses, passports, PINs, passwords, etc.) to validate an individual's claim to a particular identity. And that identity will be created over and over again in electronic systems throughout a person's life.

All business sectors and all individuals are challenged – and to some extent threatened – by this burden of proving identity, and of issuing and using authentication tokens. The increasing scattering of personally identifiable information makes identity management critical for business and consumer activities, yet at the same time problematic, costly, and sometimes risky. In the health care sector today, many important transactions occur daily with little rigor to confirm the identity of individual consumers.

This paper addresses the problem of authenticating consumers in electronic health information exchanges involving PHRs, so that each transaction is associated with the right person. Related concerns include growing public anxiety about the privacy and security of personal health information; the fear among primary data sources that sharing increases the risk to the information they hold; and the loss of data provenance through extensive sharing and duplication, which could undermine the trustworthiness of the system.

Because PHRs store sensitive personal health data, it is critical to develop reliable and trustworthy mechanisms to ascertain the identity of anyone accessing the information. Inappropriate access to health information is in one important respect more damaging than inappropriate access to bank accounts or lines of credit: someone who loses money can be made financially whole, whereas someone who loses control of sensitive health data can never arrange to have that information returned to a purely private sphere. Accurately identifying and authenticating consumers is therefore a central hurdle to be overcome before institutional health data sources can share electronic personal health information with consumer-accessible applications.

This paper offers a framework for processes by which participants in electronic health information networks can be assured that an individual consumer is who she claims to be. The framework includes these four components:

Identity Proofing:
This is our umbrella term for the steps by which a person's identity is verified. Specifically, it is the validation of independent evidence and/or credentials of "identity." It happens several times throughout life at various institutions. For example, to receive a driver's license, a person must present required documents in person at a state motor vehicle department.
Identifiers or tokens:
Once identity proofing is performed, organizations issue or require users to use tokens or identifiers, which could be physical documents (e.g., driver's license), biological markers (e.g., fingerprint), or be based on knowledge (e.g., passwords), or some combination (e.g., ATM card plus PIN).
Ongoing monitoring:
After tokens have been issued or identifiers linked to an identity, systems are put in place to establish behavior patterns of individuals and alert authorized parties if behavior changes suspiciously.
Ongoing auditing and enforcement:
If an organization relies upon third parties for identity proofing or the issuing of identifiers or tokens, then it must have mechanisms to audit those third parties and redress bad actions.

Note: The word "authentication" is sometimes used as an umbrella term for all of the above components to manage identity in an electronic environment.

Background

The Connecting for Health Work Group on Consumer Authentication Policies for Networked Personal Health Information focused on authentication policies that support consumers' routine, private and secure access to their health information over the Internet, in service of consumer empowerment and improved health care quality and safety. Any framework for authentication in this environment must guard against opening up new vulnerabilities at a time when medical identity theft is already a growing and serious problem.† Our Work Group's recommendations are consistent with principles articulated in the Connecting for Health Architecture for Privacy in a Networked Health Information Environment.‡

† Medical Identity Theft – The Information Crime That Can Kill You, World Privacy Forum, Spring 2006. Accessed online May 2, 2007 at: http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf.
‡ Available online at: http://www.connectingforhealth.org/commonframework/docs/P1_CFH_Architecture.pdf.

  • See Appendix A for the membership of the Connecting for Health Work Group on Consumer Authentication Policies for Networked Personal Health Information.
  • See Appendix B for more detail on the scope and charge of this Work Group.
  • See Appendix C for the background and principles of Connecting for Health.
  • See Appendix D for a partial list of other groups working on the consumer authentication problem.

We use the following definitions in this paper:

Personal Health Records (PHRs):
PHRs encompass a wide variety of applications that enable people to collect, view, manage, or share their health information or health-related transactions electronically. Although there are many variants, PHRs are intended to facilitate an individual's ability to compile personal health information into an application that the individual (or a designee) controls. PHRs may contain copies of data held by health-related institutions as well as information contributed by the consumer or health monitoring devices. We do not envision PHRs as a substitute for the professional and legal obligation for recordkeeping by health care professionals and entities.
Consumer Access Services:
This is a set of functions that enable an individual consumer to securely access copies of their health data from multiple sources in an electronic environment. Consumers may be offered such services by a variety of organizations, ranging from existing health care entities to new entrants. Some will be covered under the Health Insurance Portability and Accountability Act (HIPAA), others will not. Consumer Access Services may combine both authentication services as well as data management services.
Health Data Sources:
For the purposes of this paper, a health data source is any entity that serves as custodian of the individual's personal health data. This may include health care providers and clinics, hospitals and health care systems, health insurance plans, clearinghouses, pharmacies and pharmacy benefit managers, laboratory networks, disease management companies, and others that hold data related to the personal health of individuals.

The diagram below depicts a highly simplified data flow. In the center are Consumer Access Services, which include a mechanism to authenticate the individual consumer to the satisfaction of both ends of the exchange. (Appendix F contains a more detailed discussion of alternate models for conducting this authentication.)

The simplicity of the diagram obscures a few important points about our vision for Consumer Access Services:

First, PHRs (i.e., consumer-facing applications) could be offered by entities at either end of the diagram. For example, an independent technology company (left side of diagram) could supply a PHR, and so could one or both of the health data sources (right side of diagram). The site of the application is not relevant. The aggregation of copies of data that the consumer collects could be stored at either end of the diagram, or by an intermediary. For any of the entities to exchange data, however, there needs to be what we call Consumer Access Services (including authentication and the provision of access to records).

Second, and similarly, Consumer Access Services may be performed by a third-party intermediary, but they also could be performed by the PHR applications or the Health Data Sources, or both. In fact, the Consumer Access Services and the PHR may be offered by the same entity and therefore be indistinguishable to the end user. Our concern is with getting the process of authentication right, without regard to what sort of entity is doing the authenticating.

Third, our recommendations are designed to be compatible with existing networks – health care providers forming electronic health information exchanges, pharmacy networks, or large non-geographic networks. As the Networked Personal Health Information paper points out, there is a great deal of electronically available personal health information in existing databases today. Existing networks (e.g., large scale pharmacy chains, the VA, Kaiser Permanente), Regional Health Information Organizations (RHIOs), or other new services (monitoring devices, disease management programs, etc.) emerging from continued innovation in the PHR space – all may eventually provide multiple avenues for consumers to receive copies of their health data.

Throughout its deliberations, our Work Group was fully cognizant that other issues – revenue models, business relationships and contracts, limitations of liabilities, enforcement mechanisms – are bigger hurdles to PHR development than consumer authentication, which is the narrow focus of this paper.

Working Principles and Assumptions of the Work Group

In addition to the Connecting for Health principles (see Appendix C), our Work Group agreed to the following guiding principles for solutions to the authentication problem:

Principle 1

Authentication systems should, as a whole, cover as much of the population currently using the U.S. health care sector as possible. Authentication processes that are ineffective or unavailable for particular groups of people (due to disability, expense to the user, lack of available credentials such as driver's licenses, etc.) should be balanced with alternatives appropriate for those groups, to the extent that such alternatives are available.

Principle 2

Consumers should have a choice in Consumer Access Services. Consumers should be entitled to a reasonable expectation of a choice of entities conforming to a published set of authentication standards. Where feasible, it is best to let informed consumers play a role in choosing their Consumer Access Service provider and the authentication stringency level they prefer. However, given a widespread lack of consumer awareness about authentication techniques and identity threats, minimum consumer authentication standards for health information should provide relatively high security.

Principle 3

To be both effective and trustworthy, a distributed system of authentication needs oversight, accountability, and mechanisms of redress. The policies of the authentication system should be transparent. Systems should allow the consumer to understand who has potential access to her data as well as when it has been accessed and by whom, ideally on demand and in real-time.
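The "Ongoing monitoring" component described in the Introduction (establishing behavior patterns and alerting when they change suspiciously) and the access transparency called for in Principle 3 (who accessed the data, and when) are easier to picture with a concrete sketch. The following Python example is added here as an illustration and is not part of the Connecting for Health paper or of any Consumer Access Service implementation: it assumes a hypothetical access-event record (actor, device identifier, time, action, record count), builds a per-consumer baseline from past events, scores new events by how far they depart from that baseline, and produces the consumer-facing history of who accessed the record and when. The thresholds and the sample events are constructed for the example.

```python
"""Behavioral monitoring and consumer-visible access history for a PHR.

Added example, not from the Connecting for Health paper. The event fields,
the baseline features and the alert thresholds are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AccessEvent:
    consumer_id: str
    actor: str         # who accessed: the consumer herself, a designee, or a data source
    device_id: str     # hypothetical device/token identifier recorded at authentication
    when: datetime
    action: str        # "view", "download" or "share"
    record_count: int  # number of records touched


@dataclass
class Baseline:
    known_devices: set = field(default_factory=set)
    known_actors: set = field(default_factory=set)
    hour_counts: Counter = field(default_factory=Counter)
    max_records: int = 0
    n_events: int = 0


def build_baseline(history):
    """Learn one consumer's normal access pattern from past events."""
    b = Baseline()
    for e in history:
        b.known_devices.add(e.device_id)
        b.known_actors.add(e.actor)
        b.hour_counts[e.when.hour] += 1
        b.max_records = max(b.max_records, e.record_count)
        b.n_events += 1
    return b


def score_event(baseline, event):
    """Return (score, reasons): one point per deviation from the baseline.
    Thresholds are illustrative assumptions, not values from the paper."""
    reasons = []
    if event.device_id not in baseline.known_devices:
        reasons.append("unrecognized device")
    if event.actor not in baseline.known_actors:
        reasons.append("unrecognized actor")
    # an hour that accounts for under 5% of prior activity counts as unusual
    if baseline.n_events and baseline.hour_counts[event.when.hour] / baseline.n_events < 0.05:
        reasons.append("unusual hour")
    if event.record_count > 3 * max(baseline.max_records, 1):
        reasons.append("bulk access")
    return len(reasons), reasons


def monitor(history, new_events, alert_at=2):
    """Score each new event against the baseline; return those that warrant an alert.
    A single deviation (e.g. a newly authorized designee) does not alert on its own."""
    baseline = build_baseline(history)
    return [(e, score_event(baseline, e)[1])
            for e in new_events if score_event(baseline, e)[0] >= alert_at]


def access_history(events, consumer_id):
    """Consumer-facing report: who accessed the record, when, from which device, doing what."""
    return [
        f"{e.when.isoformat()} {e.actor} via {e.device_id}: {e.action} {e.record_count} record(s)"
        for e in sorted(events, key=lambda e: e.when)
        if e.consumer_id == consumer_id
    ]


# Constructed sample data: a consumer who checks her PHR most evenings from one device.
_base = datetime(2007, 4, 1, 19, 0, tzinfo=timezone.utc)
HISTORY = [
    AccessEvent("c1", "self", "dev-A", _base + timedelta(days=i, hours=i % 3), "view", 1 + i % 3)
    for i in range(20)
]
NEW_EVENTS = [
    # routine: same device, usual evening hour, small read
    AccessEvent("c1", "self", "dev-A", datetime(2007, 4, 22, 20, 0, tzinfo=timezone.utc), "view", 2),
    # suspicious: unknown device at 03:00 pulling the whole record
    AccessEvent("c1", "self", "dev-Z", datetime(2007, 4, 23, 3, 0, tzinfo=timezone.utc), "download", 40),
    # a designee the consumer has not used before, otherwise routine
    AccessEvent("c1", "designee-bob", "dev-A", datetime(2007, 4, 24, 19, 0, tzinfo=timezone.utc), "view", 1),
]

if __name__ == "__main__":
    for e, reasons in monitor(HISTORY, NEW_EVENTS):
        print("ALERT", e.when.isoformat(), ", ".join(reasons))
    print("\n".join(access_history(HISTORY + NEW_EVENTS, "c1")))
```

Run as a script, it flags only the 03:00 bulk download from the unknown device; the first-time designee scores one point and is recorded in the access history rather than alerted, which is the kind of distinction a real monitoring policy would have to make explicit.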

We prefaced our deliberations by stating that:

  • Our recommendations must be reasonably affordable and workable in today's environment.
  • Our recommendations must not be tied to existing practices and technologies that may preclude future innovations.
  • Our recommendations should not depend on the promise of future innovations in order for organizations to act on them now.
  • Our recommendations must not favor any one technology or vendor, or any business model or business relationships.
  • Our recommendations must be fully cognizant of any non-proprietary frameworks that are broadly accepted by at least large segments of the health sector.§

§ On this final point, one key reference for identity proofing and authentication stringency levels is the set of assurance levels adopted by the E-Authentication Federation (EAF) among U.S. government agencies and by its private sector companion organization, the E-Authentication Partnership (EAP). The National Institute of Standards and Technology (NIST) created a technical implementation guide for the EAF based on the industry standard Security Assertion Markup Language (SAML). The policies of the EAF have been licensed to the EAP.

Connecting for Health thanks Clay Shirky, New York University Graduate Interactive Telecommunications Program; Josh Lemieux, Markle Foundation; and Dan Combs, independent contractor, for drafting this paper.