Smart Card Alliance Public Comments regarding Stage 2 of Meaningful Use
The Smart Card Alliance Healthcare Council comments below were submitted to the Office of the National Coordinator, U.S. Department of Health and Human Services, on February 24, 2011, in response to “HIT Policy Committee: Meaningful Use Workgroup Request for Comments Regarding Meaningful Use Stage 2.”
Identity Verification and Authentication of Healthcare Providers Accessing and Exchanging Electronic Health Records
Protecting an individual’s medical information and privacy is the most important and fundamental element of an electronic health record (EHR) system; if those protections are omitted, the entire system is undermined. Personal health information (PHI) is highly sensitive and warrants very high confidence in the accuracy of the asserted identity of anyone who attempts to access it. Once PHI is compromised and in the wrong hands, the disclosure cannot be reversed, and the consequences can affect the victim for a lifetime.
Our primary concern is how individuals are allowed access to electronic health records. Although identity and authentication were discussed at length in the HIT Policy and Standards Committees throughout 2010, it was evident when ONC published its Stage 1 requirements that it had put this critical topic on the back burner in the hope of encouraging usage and adoption of health information exchange:
HHS: “We have considered the concerns issued by commenters and agree that the burden associated with cross enterprise authentication is unnecessarily high and cross-network authentication should not be a condition of certification at the present time. As a result, we have removed this specific part of the certification criterion and the associated standard.”
It should be noted that Brookhaven National Laboratory states on its website that passwords are the single weakest point in the standard site-security model. [1] Password authentication has become a major target of attackers; systems that rely solely on passwords will fail to provide adequate protection for computer networks and information systems.
Strong (that is, multi-factor) authentication needs to be required in Stage 2 of Meaningful Use. Unfortunately, Stage 2 will not take effect until 2013 at the earliest, so for the next two years HHS is gambling by permitting username-and-password authentication for the exchange of health information.
The December 2010 PCAST report addresses identity and authentication:
“Identity is also a crucial aspect of security. Determining the identity of a principal is commonly called authentication. Except for patient-consumers, all of the principals in the health IT system can be authenticated using physical credentials (such as smartcards), biometrics (such as fingerprints), and a secret such as a password. Requiring two of these three methods, a possible design choice, is termed “two-factor authentication.” Credentials could be issued to healthcare professionals by participating institutions and medical-certification agencies. Whenever data are accessed, an audit mechanism records the actions taken by principals, along with the information used to authorize those actions. Credentials can be revoked when necessary.”
Should HHS require strong authentication only at some future date, the American Recovery and Reinvestment Act (ARRA) funding will already have been spent, and the physician community and healthcare organizations will view strong authentication as an unfunded mandate; if it were required today, it would instead be viewed as part of the EHR system.
The Drug Enforcement Administration’s (DEA) Interim Final Rule for electronic prescribing of controlled substances mandates a minimum of Level 3 authentication. [2] One could extrapolate from this that access to especially sensitive PHI (for example, records related to psychiatric, cancer or HIV conditions or treatments, or the health records of celebrity or publicly recognizable patients) could warrant Level 4.
The nation’s health IT infrastructure is in a fledgling state. The ONC has an opportunity to use existing standards that have been proven to thwart attackers and that provide very high confidence that the person requesting access to a network or an individual health record is who they claim to be.
Can you imagine the tabloids gaining access to a celebrity’s health information, a political candidate’s health information being used against them by the competing party, or a business or community leader’s health information being used against them in the court of public opinion? High-profile citizens are not the only ones at risk; the average person’s employment, insurance eligibility, and community status may be affected if their health information is compromised. Once the information is out there, it is out there forever.
With the proliferation of electronic health records and the sharing of this sensitive information through health information exchanges, increasing amounts of private medical information will be stored online and an ever-growing array of individuals and organizations will be granted access. Strong authentication combined with appropriate access and audit controls will be critical to ensure that we maintain a secure, private and trusted health information system. This will require a solid identity management infrastructure for healthcare.
Four Levels of Assurance were first specified in the Office of Management and Budget’s (OMB) memorandum M-04-04, dated December 16, 2003, which served as the basis of the National Institute of Standards and Technology (NIST) SP 800-63, “Electronic Authentication Guideline.”
OMB M-04-04 describes when a Level 4 credential is warranted and gives three examples:
Level 4–Level 4 is appropriate for transactions needing very high confidence in the asserted identity’s accuracy. Users may present Level 4 credentials to assert identity and gain access to highly restricted web resources, without the need for further identity assertion controls.
Examples:
A law enforcement official accesses a law enforcement database containing criminal records. Unauthorized access could raise privacy issues and/or compromise investigations.
A Department of Veteran’s Affairs pharmacist dispenses a controlled drug. She would need full assurance that a qualified doctor prescribed it. She is criminally liable for any failure to validate the prescription and dispense the correct drug in the prescribed amount.
An agency investigator uses a remote system giving her access to potentially sensitive personal client information. Using her laptop at client worksites, personal residences, and businesses, she accesses information over the Internet via various connections. The sensitive personal information she can access creates only a moderate potential impact for unauthorized release, but her laptop’s vulnerability and her non-secure Internet access raise the overall risk.
Modifying the first example to be healthcare-related instead of law enforcement-related is certainly appropriate. One can argue that health information is equal to or more sensitive than criminal records:
- A physician accesses a medical database containing health records. Unauthorized access could raise privacy issues and/or compromise care.
The second example is clearly the foundation for the DEA’s e-prescribing rule for controlled substances. The third example speaks to the breaches in which a laptop has been stolen or lost, which account for the majority of the breaches reported to HHS. [3] Note what a hardware credential does and does not buy in that scenario: because the credential stays with its holder, a stolen laptop cannot be used to log in to the remote system, but PHI already stored on the device is protected only if the device itself is encrypted.
A little over a year ago, on November 12, 2009, the National Coordinator for Health IT, Dr. David Blumenthal stated:
“If we are to reap the benefit of information exchange, Americans must also be assured that the most advanced technology and proven business practices will be employed to secure the privacy and security of their personal health information, both within and across electronic systems, and that persons and organizations who hold personal health data are trustworthy custodians of the information.” [4]
If Level 4 authentication methods using smart cards or hard tokens are the most advanced technology for assuring the identity of persons who hold personal health data, what has changed since November 2009?
Patient Identity
Not addressed in Stage 1 of Meaningful Use is the issue of patient identity. The majority of the “identity” cards issued by the nation’s public and private health plans do nothing to prove the identity of the patient in the health system. Business practices may include asking for a photo ID at registration, but they are not always followed.
It has been reported that over 195,000 deaths in the United States occur annually because of medical errors. [5] Of those, almost 60 percent were attributable to a failure to correctly identify the patient. [6]
Accurately identifying patients and linking them with their medical records are significant challenges today for hospitals, healthcare providers and payers, with the government representing one of the largest stakeholders in this industry. Improper patient identification can occur for many reasons, including common names, misspellings, phonetic spellings, numeric transpositions, fraud, and patient language barriers. These identity errors result in undesirable financial and clinical consequences for the hospital, the provider, and patients.
In December 2010, the Privacy and Security Tiger Team held a hearing on patient matching, also known as patient identity management. Part of the work of the Privacy and Security Tiger Team is to provide policy recommendations on privacy and security issues associated with linking or matching patients to their information within healthcare entities in order to support information exchange across healthcare entities.
According to their published presentation [7], information exchange between different healthcare entities depends on an ability to match patient identities without benefit of common identifiers. The presentation highlights the following:
- Correctly linking patients to their health data is a vital step in quality health care;
- Accuracy, integrity and quality of the patient data are also critically important; and
- Internal data issues must be resolved before tackling the larger issues involved in exchange.
The presentation concludes by stating the role of the Office of the National Coordinator (ONC) in privacy and security in patient identity is to:
- Broaden the discussion to cover data quality
- Define and understand the ecosystem and patient linkage opportunities
- Shift emphasis to data quality
- Support conversation about development of standards for a minimum data set
- Promote transparency and consumer education/communication (addressing) a process for sharing how patient matching is conducted, the accuracy of the matching, and challenges in health information exchange
A smart card can be used to securely hold patient identity information, and to provide two-factor or three-factor authentication. Smart card technology enables distributed and federated applications in lieu of a central database of all patient identity and other personal information. The use of smart cards and federated data with standards-based protocols would allow medical practitioners to access data across multiple data stores with assurance that: a) the patient identity is authenticated; b) the records retrieved match the patient; and c) only those who need the data have access to it. In the case of data access, proper security controls must also be implemented around the applications, databases, and environments that house electronic medical data. Smart cards can be effective in supporting healthcare applications with or without a unique patient identifier. Smart cards can serve as a secure way to aggregate multiple identifiers across many different systems or organizations, linking them all on the smart card.
Identity Authentication
A decision critical to the security of an identity system is the selection of an identification (ID) technology. Many current ID or badging systems rely on technologies such as magnetic stripes or bar codes. These technologies cannot fulfill the requirement to provide strong security while still guarding privacy. IDs based on these technologies are tamper-prone, can be counterfeited easily, and provide little or no protection for the information they carry.
IDs that use smart card technology have the security features required to enhance privacy protection in a well-designed and properly implemented system. Smart card technology incorporates a small computer chip in a card (or other form factor). The embedded chip provides smart cards with built-in tamper resistance and the unique ability to store large amounts of data securely, carry out functions on the card itself, and interact intelligently with a smart card reader.
Smart card technology therefore provides an identity management system with strong information and privacy protection, strong ID security, sophisticated “on-card” processing (e.g., encryption, decryption, biometric matching), and authenticated and authorized information access. Implemented properly, smart card technology strengthens the ability of any organization to protect the privacy of individuals whose identity the organization must verify. Unlike other IDs, smart card-based IDs can implement a personal “firewall,” releasing only required information and only when it is genuinely required, making them excellent guardians of personal information and individual privacy. Smart cards can be used readily online and across networks and deliver very high levels of security over the Internet. They are also convenient and easy to use.
Data encryption also plays an important role in the protection of PHI, and the HITECH breach notification rule treats PHI that has been encrypted in accordance with HHS guidance as secured, so its loss does not trigger notification. Encrypting PHI protects against access by intruders; smart cards provide a robust set of encryption-enabling capabilities, including key generation, secure key storage, hashing and digital signing.
Smart cards also add strong authentication capabilities that ensure only authorized users are able to access PHI. These capabilities can be used by a healthcare system to protect privacy in a number of ways. A doctor can use a smart card to digitally sign orders or prescriptions, protecting the information from subsequently being tampered with and providing assurance that the doctor was the originator of the information. The fact that the signing key originated from a smart card adds credibility and a greater legal stature to the record. The smart card provides two major benefits: one, it securely holds and protects the keys; and two, it is portable, so it stays with the doctor and not in the computer where someone else might be able to fraudulently use it.
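As an added example, which is not part of the Alliance’s comments, the following Go program models the signing flow described above. A software stand-in for the card holds a private key that is never exported, signs a digest only when the cardholder’s PIN accompanies the request, and blocks itself after three wrong PINs; the verifier then detects any change made to the prescription after it was signed. The Card and Prescription types, the PIN, and the sample record are all constructed for illustration. A real card performs the PIN comparison and the signature inside the chip, and a real verifier takes the public key from the prescriber’s certificate and checks its validity and revocation status, which this example does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strconv"
)

var (
	ErrBadPIN  = errors.New("card: wrong PIN")
	ErrBlocked = errors.New("card: PIN retry counter exhausted")
)

// Card is a software stand-in (constructed for this example) for the security
// boundary of a smart card: the private key is generated on the card and is
// never readable by the host; the host may only ask for a signature over a
// digest, and the card signs only when the cardholder's PIN (knowledge factor)
// accompanies the request. Possession of the card is the second factor.
type Card struct {
	priv       *ecdsa.PrivateKey
	pinHash    [32]byte // a real card compares the PIN inside protected memory
	failures   int
	maxRetries int
}

func NewCard(pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pinHash: sha256.Sum256([]byte(pin)), maxRetries: 3}, nil
}

// PublicKey is the only key material that ever leaves the card.
func (c *Card) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign returns an ECDSA signature over a 32-byte digest, or refuses. Three wrong
// PINs block the card for good, which is what defeats PIN guessing on a stolen
// card; nothing left behind on the host can sign on the doctor's behalf later.
func (c *Card) Sign(pin string, digest []byte) ([]byte, error) {
	if c.failures >= c.maxRetries {
		return nil, ErrBlocked
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		c.failures++
		if c.failures >= c.maxRetries {
			return nil, ErrBlocked
		}
		return nil, ErrBadPIN
	}
	c.failures = 0
	return ecdsa.SignASN1(rand.Reader, c.priv, digest)
}

// Prescription is the record being signed; field names are illustrative only.
type Prescription struct {
	Patient, Drug, Prescriber string
	Quantity                  int
}

// Canonical gives one unambiguous byte encoding of the record: every field is
// length-prefixed, so two different records can never encode to the same bytes.
// The signature covers exactly these bytes, so editing any field breaks it.
func (p Prescription) Canonical() []byte {
	var out []byte
	for _, f := range []string{p.Patient, p.Drug, strconv.Itoa(p.Quantity), p.Prescriber} {
		out = append(out, byte(len(f)>>8), byte(len(f))) // 2-byte length; fields under 64 KiB
		out = append(out, f...)
	}
	return out
}

// SignPrescription is the host side: hash the canonical record and hand only
// the digest, together with the PIN, to the card.
func SignPrescription(card *Card, pin string, p Prescription) ([]byte, error) {
	digest := sha256.Sum256(p.Canonical())
	return card.Sign(pin, digest[:])
}

// VerifyPrescription is what a pharmacy or EHR does on receipt, using the
// prescriber's public key (in practice taken from the certificate on the card).
func VerifyPrescription(pub *ecdsa.PublicKey, p Prescription, sig []byte) bool {
	digest := sha256.Sum256(p.Canonical())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	card, _ := NewCard("4821") // constructed sample PIN
	rx := Prescription{Patient: "MRN-000123", Drug: "example drug 5 mg", Quantity: 30, Prescriber: "NPI-0000000000"}
	sig, _ := SignPrescription(card, "4821", rx)
	fmt.Println("original verifies:", VerifyPrescription(card.PublicKey(), rx, sig))
	tampered := rx
	tampered.Quantity = 300 // quantity edited after signing
	fmt.Println("tampered verifies:", VerifyPrescription(card.PublicKey(), tampered, sig))
	_, err := SignPrescription(card, "0000", rx) // wrong PIN
	fmt.Println("wrong PIN:", err)
}
```

Two design points carry over to real deployments. The host never sees the private key and sends only a digest, so a compromised workstation can at most obtain signatures while the card is inserted and the PIN is presented, not a key it can reuse later. And the signature is only as meaningful as the bytes it covers: the length-prefixed canonical encoding ensures that a record with a changed quantity, drug or patient cannot produce the same digest as the one the prescriber signed.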
Smart cards can also put patients in control of their private information. Patients can use their smart cards to securely store personal health information, authorize provider access to that information, and secure transmission of data to healthcare systems.
Conclusions
Issuing secure patient and provider identity credentials based on smart card technology will help to reduce medical identity theft, will also bring numerous efficiencies to existing healthcare administration systems, and is in line with the National Strategy for Trusted Identities in Cyberspace (NSTIC) for access to electronic health records. Authentication solutions based on smart card technology will provide an ideal foundation for improving the security and privacy of health information systems and electronic health records.
References
[1] Brookhaven National Laboratory web site, http://www.bnl.gov/cybersecurity/strong_auth.asp
[2] Code of Federal Regulations, 21 CFR 1311.105
[3] “Breaches Affecting 500 or More Individuals,” HHS web site, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
[4] The HITECH Foundation for Information Exchange, A Message from Dr. David Blumenthal, National Coordinator for Health Information Technology, November 12, 2009, http://www.healthit.hhs.gov/portal/server.pt?open=512&objID=1406&parentname=CommunityPage&parentid=0&mode=2&in_hi_userid=10741&cached=true
[5] Healthgrades, “In-Hospital Deaths from Medical Errors at 195,000 per Year,” July 2004, http://www.healthgrades.com/media/DMS/pdf/InhosptialDeathsPatientSafetyPressRelease072704.pdf
[6] Robin Hess, “Identity Crisis,” For the Record, January 17, 2005
[7] “Getting to Meaningful Use and Beyond: How Smart Card Technology Can Support Meaningful Use of Electronic Health Records,” Smart Card Alliance Healthcare Council white paper, February 2011, http://www.smartcardalliance.org
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org.
About the Smart Card Alliance Healthcare Council
The Smart Card Alliance Healthcare Council brings together payers, providers, and technologists to promote the adoption of smart cards in U.S. healthcare organizations. The Healthcare Council provides a forum where all stakeholders can collaborate to educate the market on how smart cards can be used and to work on issues inhibiting the industry. Healthcare Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.
