September 28, 2016 / by Catherine Schulten
The Office of the National Coordinator (ONC) published a nationwide interoperability roadmap that contains milestones, calls to action and commitments that healthcare organizations should be adopting in order to advance verifiable identity and authentication of all participants.
From today and into 2017, organizations should be focusing on improvements around how they send, receive, find and use priority data domains to improve health care quality. The objective states that 65% of Healthcare Organizations (HCOs) must permit patient access to patient portals via username and password plus knowledge-based authentication (KBA), or via emerging technologies in lieu of passwords, to reduce vulnerability to identity theft.
Between 2018 and 2020, at least 50% of HCOs should have implemented identity proofing and developed authentication best practices. By 2024, 90% of all HCOs need to be able to support the creation of accounts for caregivers, proxies and personal representatives.
The ONC's Roadmap specifically references the National Strategy for Trusted Identities in Cyberspace (NSTIC) as a public-private collaborative whose overarching goal is the elimination of passwords because, as they state, “usernames and passwords are broken; most people have 25 different passwords, or use the same one over and over, creating system vulnerabilities and increasing identity theft.”
These requirements are addressed through identity proofing, best practice authentication, and the replacement of a username/password paradigm with a multi-factor identity design that involves any one of a number of identity token modalities, from card-based to biometric to mobile.
Multi-factor authentication replaces the common and easy-to-hack username/password design with one that is easy for the patient to apply and is affordable for the HCO to implement and manage. The use of the patient’s own mobile phone running a secure mobile application allows the patient to assert their identity both in person and online without ever having to exchange a single piece of Personally Identifiable Information (PII). The second factor, in the form of a biometric or PIN code, confirms the identity of the individual.
Identity proofing and authentication best practices require that the HCO know who the individual is. This is accomplished today through the use of a NIST LOA3 design that allows the registration clerk to accurately and rapidly confirm the individual’s identity, address and identity documents (such as their driver’s license).
Healthcare delegates or proxies serve a crucial role in the care of their family members. Ensuring that properly identified caregivers have the right to view, download and transmit the electronic information about the patient in their care is necessary to support patient privacy while promoting ease of data access when it is appropriate.
Fortunately, one need not wait until 2017 to begin addressing these milestones because solutions exist today.
About the Author
Catherine Schulten is VP of Product Management at LifeMed ID where she is responsible for orchestrating product roadmap initiatives and ensuring that LifeMed ID’s solution offering meets industry user needs. Catherine has over 25 years of health information technology experience addressing industry challenges from revenue cycle, HIPAA transactions, fraud, waste and abuse, and patient identity management. She has served as a WEDI board member and has co-chaired several WEDI workgroups.