FIPS 201 for health credentials
09 June, 2009
category: Corporate, Digital ID, Government, Health
By Salvatore D’Agostino, IDmachines
Interoperability among health care providers, payers and patients provides a great use case for high assurance interoperable credentials. Health care is a perfect use case for an identity credential and is a great opportunity to use the new PIV-I specification.
Any investment in health care IT has to realize this. Health care needs strong identity assurance, yet most systems in the U.S. don’t make the investment in an identity infrastructure. The United States government needs to invest in infrastructure for identity management/privacy and civil liberties.
Some organizations have begun this, Mt. Sinai being a leader. Many countries have also done this; the U.S. has not. Unless the U.S. invests in strong identity, we won’t get the cost savings or improve health care, and the U.S. will continue to be a laggard.
Please don’t give me another ID card, Web account, user name and password. Even scarier, don’t accept federated IDs that don’t have any way of knowing who is establishing the accounts. Don’t make me get more certificates either. Can someone commit to identity infrastructure as part of the Health IT stimulus? That’s the gist of this.
IDmachines supports the efforts of the Smart Card Alliance and the Secure ID Coalition when they combined to deliver the message that strong identity matters for any health IT effort at a National Press Club briefing in Washington, DC.
Credentialing matters when millions of individuals are involved in a program; surely this is the case as state and national health insurance programs grow. Strong privacy and security, interoperability and multi-use would be good things to have in a credential.
I don’t see any in the health marketplace. I access my health accounts (also Microsoft and Google “Vaults”) with user name and password or a bar code/number at a desk. Why can’t I use my government-issued digital ID to log into these sites?
These are strong assurance credentials, with background investigation and breeder document checks. The process is well defined and in my case the issuance procedures worked. I want to be able to use it. Organizations can have greater assurance of my identity when I use it.
I have an ability to log on, digitally sign communications and encrypt sensitive information. Please spare me from my endless usernames and passwords and changing them on a frequent basis; what a pain. Give me my PIN and biometric and chip and certificate(s) and private keys that I use for everything. Sounds uber-tech? Well, it’s the way in dozens of countries.
Estonia, despite – or maybe as a result of – getting cyber attacked, is making a renewed investment. As I said, dozens of large-scale programs, including England, Italy, Belgium, Austrian health cards, German health cards, Brisbane driver license, Angola, Nigeria, Ivory Coast; it’s a long list. A lot of places are making the identity investment that will then be leveraged.
In the United States, without a funded program and in the current economic conditions, it’s not about whether it’s the “right” thing to do. The real question is why invest when you can just print a flash pass or bar code. I refer to why Mount Sinai would do it. I have heard Paul Contino before, but he repeated it this week. It always makes sense. To repeat again…
“Correctly identifying patients and their records is difficult just within a single hospital, but gets far worse between multiple institutions, according to a leading practitioner and specialist on the subject,” said Paul Contino, vice president, Information Technology, at Mount Sinai Medical Center in New York.
Paul cautioned that identity management must be addressed correctly up front or “we’re going to have problems with the linkages of electronic medical records” on a regional or even national basis. Mount Sinai revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.
In fact, it’s completely irresponsible to invest in health information technology without doing it. The financial arguments are well established. Organizations implementing new health IT applications can use PKI and PIV credentials. Soon the entire U.S. government will use it and a lot of people interact with it.
More information is available in Smart Card Alliance publications. “Effective Health care Identity Management: A Necessary First Step for Improving U.S. Health Care Information Systems” explains the current problems with identity management in health care and its costs. It also proposes solutions that leverage existing standards developed for other federal identity programs.
The newly published “Smart Card Technology in Health Care” frequently asked questions document outlines how the technology is used to manage patient identity and protect a health care consumer’s personal information.