June 26, 2009


Office of the National Coordinator for Health Information Technology
Policy Committee
200 Independence Avenue, SW
Suite 729-D
Washington, DC 20201

Re: HIT Policy Committee - Meaningful Use

Dear HIT Policy Committee Members:

The Secure ID Coalition respectfully submits comments in response to the Office of the National Coordinator for Health Information Technology’s request for comments regarding the HIT Policy Committee’s discussion of draft recommendations for meaningful use of certified EHR. The Secure ID Coalition is an affiliation of companies providing digital security solutions for identity management. Our mission is to promote the understanding and appropriate use technologies that achieve enhanced security for identity management systems while maintaining user privacy.

While the Office of National Coordinator’s mandate is to develop the best ways to improve the efficiency of information systems in the healthcare industry, the Policy Committee’s efforts are a critical extension providing a policy framework for the development and adoption of a nationwide health information infrastructure, including standards for the exchange of patient medical information. The ability to exchange electronic health records of every American at the regional, state, and national levels requires protections for both security and privacy reasons. Such an effort must start with the accurate identification of each person receiving healthcare services or participating in healthcare benefit programs. There must also be a way to uniquely and securely authenticate that person across the healthcare system, including over the Internet, in a secure and privacy sensitive way. Accordingly, the Secure ID Coalition supports that meaningful use must incorporate multi-factor authentication processes meeting the National Institute of Standards and Technology (NIST) Level 4 assurance.

Dependably accurate identification and authentication should be a process that already exists in healthcare, however, it does not. Accurately linking patients with their personal medical information is a significant problem today for hospitals, other healthcare providers, and healthcare payers, including the government. Until this problem can be solved no health IT system, program or implementation will meet the required threshold of meaningful use.What causes the problem? Failure to collect complete patient information at registration, redundant information entry, language barriers, common names, misspellings or phonetic spellings can all lead to errors and improper patient identification. A recent report sponsored by the U.S. Department of Health and Human Services, “Medical Identity Theft Report,” prepared by Booze Allen Hamilton stated that little is done to authenticate the identity of individuals throughout the healthcare delivery chain and concluded that medical identity theft is a significant problem in which consumers have the most to lose.¹ Other HHS studies by Rand Corporation and Booz Allen Hamilton support this statement.²

The impact and cost of inaccurate information and authentication in the health care industry is significant. For example:

-More than 195,000 deaths in the United States are caused because of medical error; almost 60 percent  (115,000 deaths) of them are attributable to a failure to correctly identify the patient (The Institute of Medicine).

-Delayed or lost billing resulting from claims denials can cost up to one million dollars per week at a major hospital; patient registration errors, leading to inaccurate records, typically accounts for 70 percent     of those claims denials (Mt. Sinai Hospital, NY).

-Duplicate records can cause problems with quality and continuity of patient care and redundant testing (Rand Corporation Report, “Identity Crisis”).

-Correcting database patient records can cost large hospitals more than a million dollars per year (Rand Corporation Report, “Identity Crisis”).

-Healthcare identity theft and fraud are significant and growing problems; approximately $60 billion was lost in 2007 to outright fraud (estimated by The National Health Care Anti-Fraud Association).
 

The current proposed approach to improving healthcare information management focuses on exchanging patients' electronic medical records over the Internet at the regional and state level via Health Information Exchanges (HIEs) and Regional Health Information Organizations (RHIOs) and then connecting the nation’s HIEs and RHIOs to form the National Health Information Network (NHIN). Correctly identifying individuals—and protecting their  privacy—in these exchange networks will be harder, not easier, than it is today. A healthcare identity management  infrastructure needs to be the cornerstone of any health IT implementation in order to achieve the real benefits of improving healthcare and controlling costs.

Technology Solution to Implement Healthcare Identity Management
Identity and authentication solutions based on a smart card or secure token provides the best foundation for improving healthcare information systems in a secure, privacy-sensitive way. This foundation can be put in place without reinventing the wheel. The federal government has already established a set of best practices, standards, and technology solutions for multi-factor authentication smart-card identity management that can be adapted to healthcare.

What is the advantage of using smart card technology?
A smart card is a card with a small computer in it. The smart card's computer provides high levels of security and privacy protection, making the technology ideal for complying with HIPAA and preventing fraud. Smart cards can be readily used online and across networks and deliver very high levels of security over the Internet. Smart cards are also very convenient and easy for people to use.

Smart cards have been around for over 30 years and offer a non-proprietary solution available through multiple digital security vendors. Smart cards are widely used as an identity management solution with over 50 million in circulation today just in the U.S. In addition, smart card technology is used in SIM cards in cell phones, in the majority of the world’s bank cards, and even in the electronic passports of more than 27 countries, including the United States. In many instances smart cards were implemented due to their ubiquity and demonstrated superiority in security to technologies such as magnetic stripe, bar code technology and RFID tags.
Significant work developing federal identity credentialing standards has been undertaken by the National Institute of Standards (NIST) culminating in the release of the FIPS 201-1 Federal ID Standard. This standard has resulted in government-wide access to certified commercial off-the-shelf (COTS) smart cards, readers, and identity management software. These existing government identity credentialing standards provide a foundation on which secure credentials can be based for the healthcare system. By implementing this smart card framework the Department of Defense experienced a drop in hacker attacks by over 50% - overnight.

Around the world, over 150 million smart card-based healthcare identity cards are protecting patient information every day. National healthcare programs in over 20 countries use smart card solutions for efficiency and to reduce medical errors. Each of these countries has a lower per capita expenditure on healthcare than the United States.

Privacy & Security Concerns Regarding Access to Electronic Medical Records
Currently states are architecting the nation’s health information exchanges (HIE) that will serve as the information superhighway for the sharing of our electronic medical records. Like our nation’s highways that are interconnected to enable the flow of people and goods, the HIEs, when connected to form the NHIN, will facilitate the delivery of information and records so that patients and health providers will have access to all the information necessary for critical care and treatment

The National Health Information Security and Privacy Collaboration's (HISPC) Adoption of Standard Policies Collaborative (ASPC) were recently published in Government Health IT (a HIMSS publication). However, accessing personal health information requires a very high assurance level, which ASPC’s recommendations fail to provide. At a minimum, the requirements for authenticating users accessing electronic medical records must include assurances that: (1) the person accessing the information is who they claim to be, and that (2) they have a genuine need to view and access the record. We support Level 4 assurance as defined by NIST. Level 4 assurance requires two-factor authentication (“something you have” such as a smart card, an encrypted token or one-time password device) and “something you know” such as a PIN or password. Unfortunately, ASPC is only recommending medium (Level 2) assurance via a "strong" password. ³

Brookhaven National Laboratories in New York recently addressed the issue of passwords in health care on its website, “Passwords are the single weakest point in the standard site-security model. The majority of security attacks are achieved through password access. User authentication that relies on passwords alone fails to provide adequate protection for network systems. When users make up their own passwords, they tend to choose ones which are easy to remember and, as a result, easy to guess. When passwords are created from randomly-generated characters, users tend to write them down because they're difficult to remember. Even if users are careful about the passwords they use, they are victim to a much more informed hacker community. A variety of easily accessible password-attack techniques can be used to guess user passwords or even decipher them when certain known encryption methods are used”⁴

We respectfully submit that in order to achieve meaningful use health IT systems and implementations must incorporate multi-factor authentication processes meeting NIST Level 4 assurance to ensure the person accessing the health information is who they claim to be and they have a legitimate need to view and access the record. Without this requirement not only is the local health IT system vulnerable to cyber attacks, medical identity theft, and misuse of information, but, the entire NHIN is open to the same vulnerabilities leaving all medical records at risk. The Secure ID Coalition is deeply concerned that in order to expedite the exchange of health information, privacy and security provisions will be sacrificed.

We have strong concerns that if HIEs are architected only to meet the minimum standards of medium assurance rather than implementing strong authentication to have a very high level of assurance the protection of consumer privacy will become a farce. Medium level assurance is frankly unacceptable, especially given the privacy language contained in the American Recovery and Reinvestment Act.

Thank you for the opportunity to express our concerns and provide input. We look forward to any hearings and discussions related to your critical mission of providing a policy framework for the development and adoption of nationwide health information infrastructure, including standards for the exchange of patient medical information. The Secure ID Coalition would be pleased to assist the HIT Policy Committee’s important effort in any way possible.

Should you have any questions regarding these comments please contact me directly at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or at 202-263-2575.

Respectfully Submitted,

Kelli A. Emerick
Executive Director
Secure ID Coalition
 

¹ Medical Identity Theft Final Report, Prepared for the Department of Health and Human Service; Office of the National Coordinator for Health Information Technology, January 16, 2009. http://healthit.hhs.gov/portal/server.pt?open=512&objID=1239&parentname=CommunityPage&parentid=2&mode=2&in_hi_userid=10741&cached=true

² Id. See also Identity Crisis; An Examination of the Costs and Benefits of a Unique Patient Identifier for the U.S. Health Care System Rand Corporation Reports http://www.rand.org/pubs/monographs/MG753/

³ The ASPC recommendations can be found in the following publication: http://healthit.hhs.gov/html/hispc/AIMReport.pdf

⁴ The full comments are found on the Brookhaven National Laboratories Website: http://www.bnl.gov/cybersecurity/strong_auth.asp