Health IT

Electronic Medical Records – Why Authentication is Critical

Federal government policy makers are looking carefully at the best ways to improve the efficiency of information systems in the healthcare industry. Developing electronic health records (EHR) for all US citizens will require collaboration and coordination of not only the health care providers and the insurance industry but, also the privacy and technology communities. The current approach focuses on exchanging patients' electronic medical records over the Internet at the regional and state level via Health Information Exchanges (HIEs) and Regional Health Information Organizations (RHIOs), then connecting the nation’s HIEs and RHIOs to form the National Health Information Network (NHIN)

Our primary concern is how individuals will be allowed access to electronic health records. Thus far authentication and access has received little attention by policy makers, standards and certification organizations. Overlooking authentication of individuals to any health record systems is akin to not installing a lock on the front door to your home.

Health IT is a significant undertaking and authentication of identity is a vital element.

  1. Healthcare identity theft and fraud are also significant and growing problems; three percent of profits ($60 billion in 2007) was lost to outright fraud (estimated by The National Health Care Anti-Fraud Association).
  2. A recent report sponsored by the U.S. Department of Health and Human Services, “Medical Identity Theft Report,” stated that little is done to authenticate the identity of individuals throughout healthcare and concluded that medical identity theft is a significant problem and that consumers have the most to lose. Additional HHS studies by Rand Corporation and Booz Allen support this.
  3. At this time the use of two-factor authentication for HIEs and RHIOs to access Medicaid data is currently being debated in the State of New York. NY’s Dept. of Health (DOH) contracted Brookhaven National Labs (BNL) as a security consultant and BNL advised the DOH not to grant access to Medicaid data unless each user of the state’s (RHIOs) used (two-factor or three-factor) strong authentication via a smart card or hardware token.
  4. FY2008 Federal Budget included $1.3 billion in healthcare fraud prevention programs and initiatives. This amount does not include the dollar value of the fraud itself.

While the Health IT provisions in the Recovery Act go to great lengths to detail what is required in the unfortunate event of a data breech, there is almost no language addressing how data breech can be prevented from happening in the first place. Requiring strong authentication as a fundamental principle of any EHR system will ensure those who access medical records are those who are authorized. Strong authentication will further provide a process by which an audit trail can be established. Such a system would enable:

  1. Verification of health care professionals
  2. Verification of patients
  3. Processes for gaining access to electronic medical records
  4. Eliminate fraudulent claims

Protecting an individual’s medical information and their privacy is the most important and fundamental element of an electronic health record system. If those protections are omitted then the entire system is undermined. Personal health information is highly sensitive information and warrants the need for very high confidence in the accuracy of the asserted identity of those who attempt to access it. Once it is compromised and into the wrong hands the data contained in it is irreversible and the consequences can affect the victim for his or her lifetime. An NPR poll released the week of April 20 indicated that 76% of respondents had positive impressions of EHRs, however 72% believe their privacy would be violated through EHRs. The security of personal health information is far different compared to other types of personal information including financial. Unlike financial information, there are no policies and procedures in place to restore one’s health information once it is compromised. Additionally, organizations and professionals have a fiduciary obligation to ensure transmission of information is properly authenticated between respective parties.

Only Level 4 assurance (two or three factor authentication) as defined by National Institute of Standards and Technology (NIST) provides the highest practical assurance of remote network authentication. Level 4 authentication requires that the claimant prove through a secure authentication protocol that the claimant controls the token. Moreover, the HIEs and RHIOs will undoubtedly be targets of hackers given the nature of the information and those whose private and personal health information is contained. Level 4 authentication prevents eavesdropper, replay, online guessing, verifier impersonation, and man-in-the-middle attacks. Brookhaven National Labs states on its website that passwords are the single weakest point in the standard site-security model. The majority of security attacks are achieved through password access. User authentication that relies on passwords alone fails to provide adequate protection for network systems. Implementation of level 4 assurance by organizations in the US has resulted in a 50% reduction of such attacks.

Similar implementations using such frameworks are widely utilized around the world by developed and developing countries for health care. For well over a decade these nations have experienced lower per capita expenditures on health care than the U.S.

The Health Information Security and Privacy Collaboration’s (HISPC) Adoption of Standard Policies Collaborative (ASPC) report to HHS’ ONCHIT will establish the minimum requirements for authenticating users accessing electronic health records. Those minimum requirements are not two-factor or three-factor authentication via a smart card, an encrypted token or one-time password device, but rather Level 2 assurance via a “strong” password. The Secure ID Coalition has concerns that stronger authentication methods are not being adopted that would assure the privacy and confidentiality of medical records by having a higher level of assurance that the person accessing the information is who they claim to be and they have a genuine need to view and access the record. It is clear that HISPC is willing to sacrifice security in order to expedite the exchange of health information.

The Secure ID Coalition is concerned that HIEs will be architected only to meet the minimum standards of medium assurance rather than implementing strong authentication to have a very high level of assurance that the person accessing our health information is who they claim to be and have a genuine need to access the information. Any identity system requires strong authentication for the protection of personal information, especially when it is as sensitive as medical information, and consumer privacy.

We encourage policy makers to ensure our citizens personal health information is protected by mandating at a minimum two-factor authentication into any network containing electronic health records for the protection of consumer privacy.

Learn How

Secure ID News to Know

  • Making Medicare Smart

    Today the House of Representatives took a significant step forward to protect seniors and ensure the solvency of the Medicare program by unanimously passing the bipartisan Fighting Fraud to Protect Senior Care Act – HR.6690. The bill calls for a pilot program to test modernizing the Medicare card by incorporating smart card technology to prevent waste, fraud and abuse.

    This landmark program will enable front-end authentication of Medicare beneficiaries and providers at point of care and support back-end data analytics to ensure transactions are legitimate. The Government Accountability Office estimates that such a program can positively impact over 22% of all Medicare improper payment and fraud cases. With Medicare waste, fraud, and abuse costing US taxpayers an approximated $60 billion every year, the Fighting Fraud to Protect Senior Care Act will help prevent over $13.2 billion from being lost on a yearly basis.

    We thank Congressman Peter Roskam and Congressman Earl Blumenauer for their heroic effort to protect Medicare for all Americans: beneficiaries, providers, and taxpayers alike.

  • The Five Things IoT Manufacturers Can Do To Future-Proof the Industry

    If there’s one thing that we’ve learned over the past few days since the Internet of Things (IoT) distributed-denial-of-service attack (DDoS) attack gave the Internet brain freeze last Friday is that (1) IoT devices are insecure, (2) we have a really good idea what needs to be done to make them more secure, yet (3) it’s hard to get everyone on the same page in dedicating the resources to actually make them more secure.

    While that might seem like a stark truth, it only makes sense given how our economy and legal system works. Since no one company or device was responsible for allowing the attack, there’s no specific organization to shame or blame. Plus, it’s way too easy to point fingers at everyone else in the room and say there was nothing that could’ve been done, as everyone is responsible. Further, security costs money, and at the moment, companies want to pour their resources into grabbing IoT market share, not plugging holes that may or may not cause problems downstream. Unfortunately, this kind of thinking invites regulators and legislators to step in and attempt to dictate technology standards and best practices to address harms, both real and imagined.

  • Patient Identity: Getting Back to Basics for National Health IT Week

    Monday kicked off National Health IT week! While the United States has made progress in moving towards a more modern healthcare system, significant work remains. There’s no disputing that our medical device and health technology companies are the most advanced on the planet, developing the solutions that are diagnosing diseases earlier, expanding treatment options, and improving quality of life. However, when it comes to healthcare and identity—making sure that the correct data is associated with the right patient, and ensuring that that information is able to be shared, analyzed, and acted upon in a timely fashion—the United States lags woefully behind many other developed nations.