Officials in southwest Texas wanted to issue physicians a credential that they could use at emergency scenes to validate their identities. “We were going to issue a disaster card,” says Eric Epley, executive director at the Southwest Texas Regional Advisory Council (STRAC). “When a disaster happens your hospital might be cordoned off and we want to issue a card that would give doctors access to the facility.”

This was 2002, shortly after the Sept. 11 terrorist attacks, and first responder organizations across the country were scrambling to figure out how qualified individuals would access future emergency scenes. In the decade that has passed the movement to get high assurance credentials into the hands of first responders has been slow. But that is changing as states and local governments are seeing benefit from the use of interoperable IDs for multiple functions and technology issues are being solved.

STRAC is an advisory group for trauma and emergency health care workers in southwest Texas made up of 62 hospitals and 70 EMS agencies. It was among the first to actually issue IDs beginning way back in 2002.

The organization found an interesting way to tackle the demand problem. When Epley approached the security directors at the hospitals they said a disaster card simply wouldn’t work. “Doctors come to the hospital at 2 am and don’t even have their driver license,” he says.

But the doctors did always have their parking pass. Since the physicians often worked at multiple hospitals the sun visors in their cards would be filled with cards enabling access to different parking facilities, Epley explains. “Doctors would have anywhere from five to nine of these cards in their visors,” he says.

So in order to make the disaster card work, STRAC struck a deal with the hospitals in the region to have the credential used for access to all parking facilities. “We built a card management system that connects in real time with all the physical access control systems at the hospitals,” Epley says.

STRAC realized an important aspect of a credential to the end user. “If you don’t make their life easier with the card … people won’t carry the card,” Epley says.

History lesson

After the airplane hit the Pentagon numerous first responders from various jurisdictions arrived at the scene. There was no way to know what each was qualified to do or if they were qualified to be there at all.

In 2005 Hurricane Katrina reinforced the need for an interoperable ID. Physicians, nurses and other emergency workers were precluded from performing the tasks they were qualified to do because there was no way to confirm their training.

The first responder access credential could change all this. The smart card ID would store the cardholder’s biometric as well as other identifying information. In event of a disaster a first responder would show up at the scene, present the credential and authenticate with a biometric or PIN on a handheld device. Their identity and qualifications would be verified so their skills could be put to best use.

This has been the idea behind the credential. Many states investigated the credentials, but it’s only been the last couple of years where real progress has occurred, especially with PIV-I. The final PIV-I specification, which many jurisdictions wanted to use, was released in May 2009 giving all those involved the same starting point.

But budgets are tight and when it’s between a new fire truck or firefighter IDs, there seems to be just one choice. But monetary grants and additional use cases are convincing more jurisdictions to deploy the IDs.

Throughout the entire process there has been the PIV-I/FRAC Technology Transition Working Group. Almost half a dozen agencies within Homeland Security partnered to bring the group together. It is comprised of federal, state and local emergency management representatives, many of whom have already implemented secure identity-management solutions in their own jurisdictions.

The goals of the working group are to provide federal policy makers with a unified state emergency manager perspective on key areas including:

• Federal Emergency Response Official attributes,
• Baseline current identity infrastructure and best practices,
• Technological gaps where Homeland Security’s Cyber Security Division can provide test bed research and development support, and
• State-to-state, state-to-federal and federal-to-state information sharing.

There are other efforts pushing for interoperable credentials for first responders too. In July Homeland Security and FEMA released the National Incident Management System (NIMS) Guideline for the Credentialing of Personnel. This isn’t the first guidance released but it takes a much stronger stance recommending that state and local first responder issue PIV-I credentials, says Mike Magrath, director of business development for government and health care at Gemalto.

The guidance can’t mandate that states issue PIV-I credentials to first responders but it’s the strongest endorsement yet, Magrath says. “The underlying theme from the NIMS guidance is trust, consistency and interoperability,” he says. “You get all three of these things with PIV-I.”

The key to convincing states and locals to adopt is making sure the credential has utility beyond the disaster scene, Macgrath says. If the token is used for more than one purpose and can address some of the jurisdiction’s other identity and credentialing concerns, the cost can be better justified. “The credential needs to be used for multiple purposes,” he explains. “Local governments won’t have to issue flash badges, prox cards or one-time passcode tokens anymore if they go with PIV-I.”

This is the lesson the PIV-I/FRAC Technology Transition Working Group is preaching as well, says Craig Wilson, an employee at Unified Industries and a contractor to FEMA.

Having the credential used for more than one purpose can help justify the cost of the project, Wilson says. “States are able to save money by deploying standards-based technologies,” he explains.

This is how STRAC was able to get the credentials in the hands of their first responders, says Epley. The parking pass resonated with the physicians because it eliminated complications for them. Epley reassured the individual hospital security directors that while the identity with the card would be “global” they would still control the local access. Typically the card enabled access to the parking structure and the physician’s lounge.

“The card doesn’t automatically get them into every door,” Epley explains. “It doesn’t work at a hospital if you’re not affiliated, and hospitals can remove individuals from their access control system as needed.”

The links between the systems had to be built because multiple access control systems and card technologies were in place at the time. Since the hospitals weren’t willing to swap out card readers, the new IDs relied on magnetic stripes and bar codes to facilitate physical access functions, Epley says. While physicians were the first to receive these cards they were eventually issued to 12,000 medical personnel and first responders.

---

Homeland Security wants PIV-I for first responders

The Department of Homeland Security and the Federal Emergency Management Agency (FEMA) released the “National Incident Management System Guideline for the Credentialing of Personnel.”

This document describes credentialing and processes and that emergency response officials and managers at all levels of government may use to facilitate multi-jurisdictional coordinated responses. Through this guideline, DHS and FEMA encourage interoperability among federal, state, local, territorial, tribal, and private sector officials in order to facilitate emergency responder deployment.

The is an updated document from 2008, says Mike Magrath, director of business development for government and health care at Gemalto. One of the differences between this and the previous document is the endorsement of PIV-I. The previous guidance mentioned the standard but this one recommends that first responders actually use it.

FEMA can’t mandate that anyone outside the federal government use PIV-I but this is the strongest recommendation thus far, Magrath says.

The PIV and PIV-I solutions are recommended because it resolves four core process and technical barriers to establishing interoperability in identification and access control systems:

• Common terminology
• Technical requirements for how identity cards/media interact with controlling infrastructure
• A system of unique identifiers that enables individuals and organizations to be recognized across all identity cards and media
• Processes that enable issuance that supports the requisite level of trust in the identity of the holder, as well as attributes and privileges where applicable.

If jurisdictions deploy interoperable credentials it can help provide confidence that the personnel and resources provided under mutual aid match the request, the NIMS document states.

Credentialing can also help ensure that both requester and supplier are using the same criteria to certify personnel. It can alleviate one concern from communities already struggling with the effects of a disaster.