Electronic Medical Records – Why Authentication is Critical
Federal government policy makers are looking carefully at the best ways to improve the efficiency of information systems in the healthcare industry. Developing electronic health records (EHR) for all US citizens will require collaboration and coordination of not only the health care providers and the insurance industry but, also the privacy and technology communities. The current approach focuses on exchanging patients' electronic medical records over the Internet at the regional and state level via Health Information Exchanges (HIEs) and Regional Health Information Organizations (RHIOs), then connecting the nation’s HIEs and RHIOs to form the National Health Information Network (NHIN)
Our primary concern is how individuals will be allowed access to electronic health records. Thus far authentication and access has received little attention by policy makers, standards and certification organizations. Overlooking authentication of individuals to any health record systems is akin to not installing a lock on the front door to your home.
Health IT is a significant undertaking and authentication of identity is a vital element.
- Healthcare identity theft and fraud are also significant and growing problems; three percent of profits ($60 billion in 2007) was lost to outright fraud (estimated by The National Health Care Anti-Fraud Association).
- A recent report sponsored by the U.S. Department of Health and Human Services, “Medical Identity Theft Report,” stated that little is done to authenticate the identity of individuals throughout healthcare and concluded that medical identity theft is a significant problem and that consumers have the most to lose. Additional HHS studies by Rand Corporation and Booz Allen support this.
- At this time the use of two-factor authentication for HIEs and RHIOs to access Medicaid data is currently being debated in the State of New York. NY’s Dept. of Health (DOH) contracted Brookhaven National Labs (BNL) as a security consultant and BNL advised the DOH not to grant access to Medicaid data unless each user of the state’s (RHIOs) used (two-factor or three-factor) strong authentication via a smart card or hardware token.
- FY2008 Federal Budget included $1.3 billion in healthcare fraud prevention programs and initiatives. This amount does not include the dollar value of the fraud itself.
While the Health IT provisions in the Recovery Act go to great lengths to detail what is required in the unfortunate event of a data breech, there is almost no language addressing how data breech can be prevented from happening in the first place. Requiring strong authentication as a fundamental principle of any EHR system will ensure those who access medical records are those who are authorized. Strong authentication will further provide a process by which an audit trail can be established. Such a system would enable:
- Verification of health care professionals
- Verification of patients
- Processes for gaining access to electronic medical records
- Eliminate fraudulent claims
Protecting an individual’s medical information and their privacy is the most important and fundamental element of an electronic health record system. If those protections are omitted then the entire system is undermined. Personal health information is highly sensitive information and warrants the need for very high confidence in the accuracy of the asserted identity of those who attempt to access it. Once it is compromised and into the wrong hands the data contained in it is irreversible and the consequences can affect the victim for his or her lifetime. An NPR poll released the week of April 20 indicated that 76% of respondents had positive impressions of EHRs, however 72% believe their privacy would be violated through EHRs. The security of personal health information is far different compared to other types of personal information including financial. Unlike financial information, there are no policies and procedures in place to restore one’s health information once it is compromised. Additionally, organizations and professionals have a fiduciary obligation to ensure transmission of information is properly authenticated between respective parties.
Only Level 4 assurance (two or three factor authentication) as defined by National Institute of Standards and Technology (NIST) provides the highest practical assurance of remote network authentication. Level 4 authentication requires that the claimant prove through a secure authentication protocol that the claimant controls the token. Moreover, the HIEs and RHIOs will undoubtedly be targets of hackers given the nature of the information and those whose private and personal health information is contained. Level 4 authentication prevents eavesdropper, replay, online guessing, verifier impersonation, and man-in-the-middle attacks. Brookhaven National Labs states on its website that passwords are the single weakest point in the standard site-security model. The majority of security attacks are achieved through password access. User authentication that relies on passwords alone fails to provide adequate protection for network systems. Implementation of level 4 assurance by organizations in the US has resulted in a 50% reduction of such attacks.
Similar implementations using such frameworks are widely utilized around the world by developed and developing countries for health care. For well over a decade these nations have experienced lower per capita expenditures on health care than the U.S.
The Health Information Security and Privacy Collaboration’s (HISPC) Adoption of Standard Policies Collaborative (ASPC) report to HHS’ ONCHIT will establish the minimum requirements for authenticating users accessing electronic health records. Those minimum requirements are not two-factor or three-factor authentication via a smart card, an encrypted token or one-time password device, but rather Level 2 assurance via a “strong” password. The Secure ID Coalition has concerns that stronger authentication methods are not being adopted that would assure the privacy and confidentiality of medical records by having a higher level of assurance that the person accessing the information is who they claim to be and they have a genuine need to view and access the record. It is clear that HISPC is willing to sacrifice security in order to expedite the exchange of health information.
The Secure ID Coalition is concerned that HIEs will be architected only to meet the minimum standards of medium assurance rather than implementing strong authentication to have a very high level of assurance that the person accessing our health information is who they claim to be and have a genuine need to access the information. Any identity system requires strong authentication for the protection of personal information, especially when it is as sensitive as medical information, and consumer privacy.
We encourage policy makers to ensure our citizens personal health information is protected by mandating at a minimum two-factor authentication into any network containing electronic health records for the protection of consumer privacy.
Secure ID News to Know
If there’s one thing that we’ve learned over the past few days since the Internet of Things (IoT) distributed-denial-of-service attack (DDoS) attack gave the Internet brain freeze last Friday is that (1) IoT devices are insecure, (2) we have a really good idea what needs to be done to make them more secure, yet (3) it’s hard to get everyone on the same page in dedicating the resources to actually make them more secure.
While that might seem like a stark truth, it only makes sense given how our economy and legal system works. Since no one company or device was responsible for allowing the attack, there’s no specific organization to shame or blame. Plus, it’s way too easy to point fingers at everyone else in the room and say there was nothing that could’ve been done, as everyone is responsible. Further, security costs money, and at the moment, companies want to pour their resources into grabbing IoT market share, not plugging holes that may or may not cause problems downstream. Unfortunately, this kind of thinking invites regulators and legislators to step in and attempt to dictate technology standards and best practices to address harms, both real and imagined.Read more...
Monday kicked off National Health IT week! While the United States has made progress in moving towards a more modern healthcare system, significant work remains. There’s no disputing that our medical device and health technology companies are the most advanced on the planet, developing the solutions that are diagnosing diseases earlier, expanding treatment options, and improving quality of life. However, when it comes to healthcare and identity—making sure that the correct data is associated with the right patient, and ensuring that that information is able to be shared, analyzed, and acted upon in a timely fashion—the United States lags woefully behind many other developed nations.Read more...
The Secure ID Coalition is thrilled to announce the launch of its new Action Center to build grassroots support for the Medicare Common Access Card Act (H.R.3220/S.1871), a bipartisan measure in Congress that will upgrade the current paper Medicare card with the same secure, electronic smart card trusted by the Department of Defense to authorize access to its most secure IT systems and facilities—including the Pentagon.
Members of Congress have begun to recognize that if we are going to get serious about stopping Medicare fraud, we have to start by modernizing the current paper Medicare card. Last week Bloomberg BNA reported on the latest efforts by members of the House Ways & Means Committee to bring Medicare into the 21st Century by upgrading the Medicare Card. The article summarized efforts in last week's House Ways & Means Committee hearing in which Rep. Peter Roskam highlighted the Medicare Common Access Card Act (click here to watch Rep. Roskam tackle the issue head on).Read more...