On Thursday January 7, 2010 (last week), I had the privilege of representing Kantara Initiative, in my role as Chair of the Identity Assurance[1] Work Group (also proxying for the Healthcare Identity Assurance Work Group) as a panelist in the Nationwide Health Information Network (NHIN) Workgroup hearings.

NHIN focuses on the definition of standards, guidelines and specifications on both technology and legal areas to enable the secure exchange of health information over the Internet. The focus of last week's session was authentication.

It was a great experience for me, particularly given the significance that NHIN's efforts will have in the way healthcare services are provided in the US over the next few years. The session made it clear that we are reaching a convergence of various efforts in identity management, which have reached the maturity level needed to address very real and critical business problems, and that the time to execute has come. Many of these efforts have been evolving over many years thanks to extraordinary contributions and leadership in both private and public sectors. This realization conveyed a sense of purpose and responsibility that quite frankly was not evident to me until the session actually started. Yes, I realize that at times I get very existentialist.

The format NHIN adopted for the hearings was very effective. It started with a viewpoint from US Government panelists followed by two sets of private sector panelists (I was part of the last round).  My fellow panelists did a really good job of providing their viewpoints in a clear and focused manner, and engaging in a very productive and dynamic round of Q&A after each round. This format made the sessions more productive, covered a wide range of viewpoints, and also helped identify themes and synergies. I commend NHIN on this.

Transcripts of the entire session, including audio voice-over and written testimonies, are available online. Also, Kantara published my written testimony in their blog area.

In this blog post, I intend to provide my summation of the event, and speculate on its potential outcomes.

Salient points

  1. Panelists discussed the definition of authentication and reached a common understanding. In the context of the panel, authentication consisted of three distinct processes:
    • Proofing or verifying an identity,
    • Issuing a credential to the individual once her identity was proofed, and
    • The real-time event of confirming the validity of the credential as a digital proxy of the individual during a digital transaction.
    GSA's David Temoshok clarified that this definition excluded authorization - the ability to determine the kind of operation or data the individual can access.
  2. I believe that the various panelists, including myself, converged on the notion that different assurance levels, as defined by NIST SP 800-63, provided a proven and practical approach to addressing different transaction risk levels. They also agreed that there is not a "one size fits all" approach that can address the broad range of use cases in scope for electronic healthcare. The discussions centered around the need to classify transactions and applications based on the risk profile, and avoiding the polarization on the highest assurance level for most use cases since it may be excessive and overkill.
  3. Some recommended to NHIN existing frameworks that have been in use and proven for many years should be leveraged, rather than creating a brand-new, healthcare-centric framework for authentication. Leveraging existing Government programs and partnering with private sector players will help NHIN reach its goals in a more scalable and faster manner. NIH's Peter Alterman recommended that NHIN avoiding creating a healthcare-specific framework, highlighting the benefits of adopting cross-industry, best-of-breed standards.
  4. There were great discussions on how to pragmatically reach the adoption rate required for the programs that HHS is driving forward. I particularly enjoyed the perspective provided by David McCallie, from Cerner Corporation; specifically, the statistics that show that in their network of 8,000 facilities, ~2,100 hospitals, 3,300 physician practices, 30,000 physicians, 500 ambulatory facilities, 600 home-health facilities, and 1,500 retail pharmacies; less than 30% of the systems use any form of SSO, and that provided the choice, less than 10% of the system adopt any sort of strong authentication technology. David also explained some of the challenges involved in achieving interoperability and federation across disparate system which were not designed to cross reference, and how much effort is truly involved in effectively mapping identities across different organizations.
  5. Peter Alterman pointed out that Assurance Level 3 (AL3) is the minimum required to protect transactions that may expose personally identifiable information (PII), according to the Privacy Act. Later, Anakam's J Brent Williams talked about the ability to provide AL3 solutions that can scale both in terms convenience and cost, which can reach high levels of adoption, and are already in use at some large Government internet facing services. SAFE BioPharma's Mollie Shield-Uehling, made good points on the use of antecedent identity proofing as a scalable approach to AL3 remote identity proofing, based on SAFE's experience in the pharmaceutical community. My viewpoint on this topic was that AL3 should be demystified from being unaffordable and overkill, to being more attainable nowadays, particularly with remote identity proofing options, as well as evolving options for two-factor authentication options that could leverage mobile phones as authentication devices.
  6. Brent raised two very good points that are worth mentioning:
    • There are scenarios in which being able to provide identity proofing at a specific level of assurance level, but not necessarily having to issue a credential at that level or at all, will be beneficial, especially in cases in which a patient is granting permission to a physician to access her own electronic health record.
    • PKI and SAML based authentication should not be viewed as orthogonal or in isolation in the context of identity federation and assurance levels. They are different ways to conduct and carry an authentication event, but in practice, they are techniques for conveying an authentication token. The real challenge in federating comes after the token is consumed, and particularly how the identity is actually "enrolled" in the target application (relying party).

My thoughts about the outcome

This was a worthwhile session with valuable insights and a broad range of important perspectives that rarely get discussed in a single sweep. I am very optimistic about the direction that NHIN could take in the aftermath of this event, and my read on some of the deliberations by the NHIN work group following the hearing fuels that optimism. My hope is that we do in fact see the convergence of approaches in healthcare that will allow for a faster pace of evolution and adoption, rather than a separate, healthcare-specific approach to authentication that may prove too ambitious and demand much longer timelines.

Here are my speculations on what may come out of this:

  • NHIN will not reinvent the wheel in the area of authentication, but rather provide guidelines that leverage existing programs, such as the Federal Government's Identity, Credential, and Access Management (ICAM). This direction will help NHIN to increase adoption and use of digital credentials at various levels of assurance, by partnering with both the government and the private sector, thus removing barriers to entry and immediately tapping into established networks and communities that already have large numbers of credentials issued. It will allow the programs to hit Internet-level scale much faster.
  • NHIN will focus on mapping various use cases and transactions to specific risk levels, equating them to assurance levels. It will also provide specific guidelines that will foster the development and rollout of digital solutions that leverage identity assurance within healthcare. These guidelines will lay a foundation for interoperability and risk-based models for these solutions.
  • NHIN will define minimum assurance level requirements for its most critical use cases. For instance, NHIN may require that physicians obtain at least one AL3 credential that complies with an accepted identity assurance framework to be able to digitalize common transactions. It may focus on scenarios in which a credential may need to be upgraded from one assurance level to the next.
  • NHIN will define acceptable models for performing identity proofing conforming to assurance levels for its most common actors. The idea here will be to clearly define options available to a physician for getting their identity proofed prior to obtaining credentials; likewise, to define acceptable models for how patients will get identity proofed [and credentialed], whether it is a responsibility that can be delegated to the patient's physician or some other stakeholder in the use case.
  • Several requirements that NHIN will define for authentication will help advance and evolve existing identity assurance programs both in the government and private sector, as there will be new services or more granular scenarios that will require special handling. Having said this, I predict that these requirements will not be specific to healthcare. Instead, they will have applicability on other industries. A good example will be the need to separate identity proofing from credentialing as consumable rather than encapsulated services.

I would love to hear your comments and feedback.

[1] Identity assurance, in an online context, is the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity - whether a human or a machine, with which it interacts to effect a transaction, can be trusted to actually belong to the entity.  In the case the entity is a person, identity assurance is the level at which the credential being presented can be trusted to be a proxy for the individual to whom it was issued and not someone else.



Frank Villavicencio

Frank Villavicencio