On the Road to Trusted Identities in Healthcare, or just more Compliance Work?

Michael Magrath

On Feb 9th, the Senate health committee unanimously (22-0) approved wide-ranging legislation designed to improve health IT by modifying requirements relating to the development and use of electronic health records (EHR). Senate Bill S. 2511, “To improve Federal requirements relating to the development and use of electronic health records technology”, is clearly a result of Congress’ displeasure with the lack of interoperability, data sharing and security in our healthcare system after close to $30 billion, funded in large part by the HITECH Act, has been spent.

Although it is a timely act by Congress, the bill still raises a question: is this just more legislation that will likely result in more “compliance panic” for all stakeholders and lead to more spending and a more expensive healthcare system overall? Or are there true possibilities to improve one of the bulkiest systems in health IT? The silver lining of Senate Bill S. 2511 is that it pushes for a full network-to-network exchange of health information, implying nationwide cooperation.

There is a clear need to establish digital trust in the healthcare ecosystem, which is completely lacking today. Since electronic health record systems were adopted, breaches and hacking attacks have escalated. Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis cites that 112.8 million healthcare records were breached, led by Anthem, Premera and Excellus. Trust in the security of our electronic health records is waning, and the lack of interoperability is contributing to escalating costs and inefficiencies in the U.S. healthcare system.

S. 2511 defines a “trusted exchange”, meaning that certified health information technology will have the technical capability to enable secure health information exchange between users and multiple certified health information technology systems.

In support of interoperability, the bill reads, “The National Coordinator shall, in collaboration with the National Institute of Standards and Technology and other relevant agencies within the Department of Health and Human Services, for the purpose of ensuring full network-to-network exchange of health information, convene public-private and public-public partnerships to build consensus and develop a trusted exchange framework, including a common agreement among health information networks nationally.”

The common agreement includes a common method for authenticating trusted health information network participants and utilizing a common set of rules for trusted exchange.

Today, there is already a common method for authenticating trusted participants for the electronic prescribing of controlled substances (EPCS). The DEA requires all EPCS prescribers to be identity proofed and to use two-factor authentication in accordance with NIST’s Electronic Authentication Guideline (SP 800-63). Regardless of whether the bill passes, a good start would be to have anyone touching protected health information (PHI) be identity proofed and use two-factor authentication. In addition, there needs to be a strong audit trail in all systems that records who accessed PHI, what was accessed, and where, why and when it was accessed. It is also imperative that healthcare continuously advance in this area and adopt all future revisions of SP 800-63.

It is my hope this bill passes and that Congress and ONC leverage the countless hours already spent by the IDESG’s Healthcare Committee, the HIMSS Identity Management Task Force, the HEART Working Group and other organizations that have defined recommendations to enhance identity management in healthcare to secure and protect our health records.

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).