Posted by Frank Villavicencio on Mon, Mar 08, 2010
I am just returning from a week of travel and conference activity, which started for me in Newark, NJ on Monday March 1, from there to Atlanta, GA for the HIMSS Conference 2010 (north of 25,000 attendees), then on to San Francisco, CA on Wednesday March 3 for the last 2 days of RSA Conference 2010 (about 16,000 attendees), and then back home in NJ on Friday March 5. In all, last week was very busy but very productive for me.
It was good to see a lot of familiar faces as well as new ones, and to see that despite the economy, both of these conferences seem to be well-attended, with tons of vendor participation and great sessions all around. Maybe this is an uncommon economic indicator (worthy of mention on Brian Lehrer's NPR radio show in NY). This time around I must confess that I spent most of my time outside of the conference sessions and exhibits, meeting with colleagues, prospective customers and friends. For me, this was one of the most productive conference trips I've had in a few years. Since my focus is always on identity and access management, it is exciting to see the convergence of business [and in many cases technical] requirements and various trends across industries, which drive the need for identity and access management as both an enabler and a risk mitigation approach.
At the HIMSS conference, a theme that was very top of mind was "meaningful use", which is driving a lot of vendors and healthcare providers towards electronic health record (EHR) technology, and specifically the 45 CFR Part 170 specifications. It is clear that the US Government incentives for those providers (both professionals and hospitals) that can demonstrate adherence to the meaningful use guidelines are generating momentum.
I had the opportunity to present at HIMSS, thanks to our partner Novell. My topic was "Identity Assurance in Healthcare: what does it mean to you?" (below is my slide deck)
While the 45 CFR Part 170 criteria were published on December 30, 2009, it is interesting to see that at the heart of the requirements regarding authentication, specifically §170.210 "Standards for health information technology to protect electronic health information created, maintained, and exchanged", is the issue of identity assurance. That issue was captured very cleverly in the 1993 New Yorker cartoon by Peter Steiner, in which one dog, with a paw on a computer keyboard, tells another: "On the Internet, nobody knows you're a dog". For well over 15 years this very issue, knowing with certainty who is at the end of the keyboard, has been one of the biggest challenges in enabling true paperless transactions and trusted online services in every industry vertical. And healthcare has been no exception.
Inevitably, these requirements and standards will impact the way healthcare information systems will operate and interconnect, whether they are new or legacy, and inaction will most likely not be an option.
Posted by Frank Villavicencio on Wed, Jan 13, 2010
On Thursday January 7, 2010 (last week), I had the privilege of representing Kantara Initiative, in my role as Chair of the Identity Assurance[1] Work Group (also proxying for the Healthcare Identity Assurance Work Group) as a panelist in the Nationwide Health Information Network (NHIN) Workgroup hearings.
NHIN focuses on the definition of standards, guidelines and specifications, in both the technology and legal areas, to enable the secure exchange of health information over the Internet. The focus of last week's session was authentication.
It was a great experience for me, particularly given the significance that NHIN's efforts will have in the way healthcare services are provided in the US over the next few years. The session made it clear that we are reaching a convergence of various efforts in identity management, which have reached the maturity level needed to address very real and critical business problems, and that the time to execute has come. Many of these efforts have been evolving over many years thanks to extraordinary contributions and leadership in both private and public sectors. This realization conveyed a sense of purpose and responsibility that quite frankly was not evident to me until the session actually started. Yes, I realize that at times I get very existentialist.
The format NHIN adopted for the hearings was very effective. It started with a viewpoint from US Government panelists followed by two sets of private sector panelists (I was part of the last round). My fellow panelists did a really good job of providing their viewpoints in a clear and focused manner, and engaging in a very productive and dynamic round of Q&A after each round. This format made the sessions more productive, covered a wide range of viewpoints, and also helped identify themes and synergies. I commend NHIN on this.
Transcripts of the entire session, including audio voice-over and written testimonies, are available online. Also, Kantara published my written testimony in their blog area.
In this blog post, I intend to provide my summation of the event, and speculate on its potential outcomes.
Salient points
- Panelists discussed the definition of authentication and reached a common understanding. In the context of the panel, authentication consisted of three distinct processes:
- Proofing or verifying an identity,
- Issuing a credential to the individual once her identity was proofed, and
- The real-time event of confirming the validity of the credential as a digital proxy of the individual during a digital transaction.
GSA's David Temoshok clarified that this definition excluded authorization - the ability to determine the kind of operation or data the individual can access.
- I believe that the various panelists, including myself, converged on the notion that different assurance levels, as defined by NIST SP 800-63, provide a proven and practical approach to addressing different transaction risk levels. They also agreed that there is no "one size fits all" approach that can address the broad range of use cases in scope for electronic healthcare. The discussions centered on the need to classify transactions and applications based on their risk profile, and on avoiding polarization on the highest assurance level for most use cases, since it may be excessive and overkill.
- Some recommended that NHIN leverage existing frameworks that have been in use and proven for many years, rather than creating a brand-new, healthcare-centric framework for authentication. Leveraging existing Government programs and partnering with private sector players will help NHIN reach its goals in a more scalable and faster manner. NIH's Peter Alterman recommended that NHIN avoid creating a healthcare-specific framework, highlighting the benefits of adopting cross-industry, best-of-breed standards.
- There were great discussions on how to pragmatically reach the adoption rate required for the programs that HHS is driving forward. I particularly enjoyed the perspective provided by David McCallie, from Cerner Corporation; specifically, the statistics showing that in their network of 8,000 facilities (~2,100 hospitals, 3,300 physician practices, 30,000 physicians, 500 ambulatory facilities, 600 home-health facilities, and 1,500 retail pharmacies), fewer than 30% of the systems use any form of SSO, and that, given the choice, fewer than 10% of the systems adopt any sort of strong authentication technology. David also explained some of the challenges involved in achieving interoperability and federation across disparate systems which were not designed to cross-reference one another, and how much effort is truly involved in effectively mapping identities across different organizations.
- Peter Alterman pointed out that Assurance Level 3 (AL3) is the minimum required to protect transactions that may expose personally identifiable information (PII), according to the Privacy Act. Later, Anakam's J Brent Williams talked about the ability to provide AL3 solutions that can scale in terms of both convenience and cost, that can reach high levels of adoption, and that are already in use at some large Government internet-facing services. SAFE BioPharma's Mollie Shield-Uehling made good points on the use of antecedent identity proofing as a scalable approach to AL3 remote identity proofing, based on SAFE's experience in the pharmaceutical community. My viewpoint on this topic was that AL3 should be demystified, from being seen as unaffordable and overkill to being recognized as attainable nowadays, particularly with remote identity proofing options, as well as evolving two-factor authentication options that could leverage mobile phones as authentication devices.
- Brent raised two very good points that are worth mentioning:
- There are scenarios in which being able to provide identity proofing at a specific assurance level, without necessarily having to issue a credential at that level or at all, will be beneficial, especially in cases in which a patient is granting permission to a physician to access her own electronic health record.
- PKI and SAML based authentication should not be viewed as orthogonal or in isolation in the context of identity federation and assurance levels. They are different ways to conduct and carry an authentication event, but in practice they are both techniques for conveying an authentication token. The real challenge in federating comes after the token is consumed, and particularly in how the identity is actually "enrolled" in the target application (the relying party).
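The points above describe a relying party's job in three steps: confirm the credential, compare the assurance level it carries against the risk level of the requested transaction, and only then map the federated identity onto a local account (the "enrollment" problem Brent raised). As an added example, and not code from the original post, NHIN, Kantara or any panelist, here is a small Python relying party that does exactly that. An HMAC-signed token stands in for a SAML assertion or a PKI certificate, which is a simplification; the shared key, the transaction-to-assurance-level table, the issuer and subject identifiers, and the local directory are all constructed for the example and are not drawn from any real deployment.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a key shared between the credential issuer
# (identity provider) and the relying party. A real deployment would verify a
# SAML assertion signature or an X.509 certificate chain instead of a MAC.
IDP_KEY = b"constructed-demo-key-do-not-deploy"

# Constructed policy: minimum assurance level per transaction. The point is to
# classify transactions by risk rather than demand the top level everywhere.
REQUIRED_LEVEL = {
    "view_own_record": 2,
    "view_lab_result": 3,
    "e_prescribe": 3,
}

# Constructed relying-party directory: federated identity -> local account.
# The key is (issuer, subject) because a subject identifier is only unique
# within the issuer that proofed and credentialed the person.
LOCAL_DIRECTORY = {
    ("idp.example", "user-7f3a"): "dr_jones",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, subject, assurance_level, issued_at, ttl=300):
    """Issuer side: bind subject, assurance level and validity window under a MAC.

    The assurance level is asserted by the issuer because it reflects how the
    subject was proofed and what kind of credential was issued, which the
    relying party cannot observe on its own.
    """
    payload = {"iss": issuer, "sub": subject, "al": assurance_level,
               "iat": issued_at, "exp": issued_at + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token, now):
    """Relying-party side: check integrity and freshness before trusting any claim."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature invalid")
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def authorize(token, transaction, now, directory=LOCAL_DIRECTORY):
    """Return (allowed, detail). Authentication is settled before authorization starts."""
    payload = verify_token(token, now)

    # Step 1: does the credential's assurance level meet the transaction's risk level?
    required = REQUIRED_LEVEL[transaction]
    if payload["al"] < required:
        return False, f"AL{payload['al']} credential, AL{required} required"

    # Step 2: enrollment. A valid, sufficiently strong credential still says
    # nothing about which local account, if any, this federated identity maps to.
    key = (payload["iss"], payload["sub"])
    if key not in directory:
        return False, "authenticated but not enrolled at relying party"
    return True, directory[key]


if __name__ == "__main__":
    tok = issue_token("idp.example", "user-7f3a", 2, issued_at=1000)
    print(authorize(tok, "view_own_record", now=1100))
    print(authorize(tok, "e_prescribe", now=1100))
```

The two failure branches in `authorize` are deliberately distinct: an AL2 credential asking for an AL3 transaction is a policy refusal that a step-up to a stronger credential can cure, whereas an AL3 credential for a subject the relying party has never enrolled is the federation gap Brent describes, and no amount of authentication strength fixes it.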
My thoughts about the outcome
This was a worthwhile session with valuable insights and a broad range of important perspectives that rarely get discussed in a single sweep. I am very optimistic about the direction that NHIN could take in the aftermath of this event, and my read on some of the deliberations by the NHIN work group following the hearing fuels that optimism. My hope is that we do in fact see the convergence of approaches in healthcare that will allow for a faster pace of evolution and adoption, rather than a separate, healthcare-specific approach to authentication that may prove too ambitious and demand much longer timelines.
Here are my speculations on what may come out of this:
- NHIN will not reinvent the wheel in the area of authentication, but rather provide guidelines that leverage existing programs, such as the Federal Government's Identity, Credential, and Access Management (ICAM). This direction will help NHIN to increase adoption and use of digital credentials at various levels of assurance, by partnering with both the government and the private sector, thus removing barriers to entry and immediately tapping into established networks and communities that already have large numbers of credentials issued. It will allow the programs to hit Internet-level scale much faster.
- NHIN will focus on mapping various use cases and transactions to specific risk levels, equating them to assurance levels. It will also provide specific guidelines that will foster the development and rollout of digital solutions that leverage identity assurance within healthcare. These guidelines will lay a foundation for interoperability and risk-based models for these solutions.
- NHIN will define minimum assurance level requirements for its most critical use cases. For instance, NHIN may require that physicians obtain at least one AL3 credential that complies with an accepted identity assurance framework to be able to digitalize common transactions. It may focus on scenarios in which a credential may need to be upgraded from one assurance level to the next.
- NHIN will define acceptable models for performing identity proofing conforming to assurance levels for its most common actors. The idea here will be to clearly define options available to a physician for getting their identity proofed prior to obtaining credentials; likewise, to define acceptable models for how patients will get identity proofed [and credentialed], whether it is a responsibility that can be delegated to the patient's physician or some other stakeholder in the use case.
- Several requirements that NHIN will define for authentication will help advance and evolve existing identity assurance programs in both the government and the private sector, as there will be new services or more granular scenarios that require special handling. Having said this, I predict that these requirements will not be specific to healthcare. Instead, they will be applicable to other industries. A good example will be the need to separate identity proofing from credentialing, as consumable rather than encapsulated services.
I would love to hear your comments and feedback.
[1] Identity assurance, in an online context, is the ability of a party to determine, with some level of certainty, that an electronic credential representing an entity (whether a human or a machine) with which it interacts to effect a transaction can be trusted to actually belong to that entity. In the case where the entity is a person, identity assurance is the level at which the credential being presented can be trusted to be a proxy for the individual to whom it was issued, and not someone else.