Higher levels of assurance a necessity
The health IT landscape appears to be changing for the better when it comes to strong authentication. The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health IT voted Sept. 6 to require multifactor authentication in certain cases involving remote access to patient health information.
When previous recommendations neglected to include stronger authentication requirements for health care professionals accessing electronic health records, the Office of the National Coordinator essentially put patient privacy and security at risk.
They essentially swept security and authentication under the rug in the hope of increasing physician adoption of electronic health records. The Coordinator’s Office did not want to impede adoption of electronic records by making it difficult to use them. The current minimum requirements for identity assurance are set low requiring only a strong password.
The reality is the Coordinator’s Office played Russian roulette, hoping that security breaches would not occur due to weak username and password authentication. Sadly security breaches did occur. As required by section 13402(e)(4) of the HITECH Act, the Secretary of U.S. Health and Human Services must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The list of breaches reported to the Secretary are posted at on the Department of Health and Human Services website.
As of late September, there have been 29 reported breaches classified as “Hacking/IT Incident” with more than 1.3 million individuals affected since the list was implemented in 2009.
The largest and most disturbing incident occurred on March 30, 2012 when a hacker from Eastern Europe illegally accessed a Utah Department of Technology Services server containing Social Security Numbers for Medicaid claims. More than 780,000 claims were accessed, 280,000 had their Social Security numbers stolen and 500,000 had less-sensitive personal data, such as name, date of birth and address, compromised. A weak password was to blame.
It is well documented that the majority of all network attacks occur at the account level, where user credentials are falsified to gain access to critical information. No matter how well a network is secured, the user is the weakest link particularly when the password is the primary means of protection.
Health care should consider the highest of assurance
With the Sept. 6 decision to require multifactor authentication, health IT systems will begin to align with NIST’s Level of Assurance Three for authentication. This will hopefully be sufficient to protect patients’ privacy and security. However, if the Coordinator’s Office references only Level of Assurance Three, the majority of health care organizations will seek only those solutions without considering the stronger Level of Assurance Four options.
The language should state Level of Assurance Three or Level of Assurance Four and clearly explain the differences. It should highlight the additional security and multipurpose capability a Level of Assurance Four solution can offer to reduce fraud, protect patient privacy and secure access to electronic health records.
A Level of Assurance Four system with smart card technology provides mechanisms for authenticating others who want to gain access to the card. These mechanisms can be used to authenticate users, devices or applications that want to use the data on the card’s chip. These features can be utilized by a system to protect privacy by, for example, ensuring that an electronic health record application has been authenticated for the appropriate access rights before accessing the health information or functions on the card.
Additional benefits provided by smart card technology include a robust set of encryption capabilities including key generation, secure key storage, hashing and digital signing. These capabilities can be used by a system to protect privacy in a number of ways. For example, a smart card system can produce a digital signature to validate the authenticity of an email when a health record is exchanged from provider to provider or an electronic prescription is transmitted to a pharmacy.
This protects the message from subsequent tampering and provides the recipient with an assurance of where it originated. The fact that the signing key originated from a smart card adds credibility to the origin and intent of the signer.
The reality is Stage Three requirements will not go into effect until 2015 leaving plenty of time for the breaches classified as “Hacking/IT Incident” to increase well past the 29 incidents already reported.
Health care organizations spend a lot of money managing identities. Each hospital may issue a flash pass, a proximity card for physical access into certain areas and a one-time-password token for remote access or electronic prescribing. Physicians often are affiliated with more than one hospital meaning they may have several credentials per hospital. These all cost money and can be difficult for physicians to manage.
Health care organizations are already purchasing Level of Assurance Three solutions to comply with the U.S. Drug Enforcement Agency’s requirement for the electronic prescription of controlled substances. In most cases they are additionally still issuing proximity cards and flash passes.
PIV-I: A multi-purpose, Level Four credential
As a Level of Assurance Four credential, PIV-I is available from multiple sources and meets or exceeds every authentication requirement already mandated or being discussed in Washington for the health care industry.
PIV-I has been recommended by FEMA and is the credential being deployed as the First Responder Authentication Credential by several state and local governments because it is standards-based, non-proprietary, trusted by the federal government and can be used for multiple purposes.
The first responder population encompasses approximately 20 million people in the U.S and health care professionals represent a significant percentage of this population including the nation’s four million physicians, nurses and emergency medical technicians. By putting a FRAC in the hands of the medical community, local authorities will be able to rapidly grant access to only qualified individuals during emergency situations like Hurricane Katrina.
As a patient in the U.S. health care system, it is pleasing to see that Office of the National Coordinator appears to be addressing security. Let’s hope the system isn’t undermined prior to 2015.
Health and Human Services recommendations for authentication in health IT systems
- The Coordinator’s Office should move toward requiring multi-factor authentication–meeting NIST Level of Assurance Three–for remote access to protected health information. Remote access includes the following scenarios:
- Access from outside of an organization’s private network.
- Access from an IP address not recognized as part of the organization/entity or that is outside of the organization’s compliance environment.
- Access across a network any part of which is or could be unsecure, such as the open Internet or an unsecure wireless connection.
- Organizations, as part of their HIPAA Security risk analysis, should identify any other access environments that may require multiple factors to authenticate an asserted identity.
- Organizations should continue to vet providers in compliance with HIPAA.
- Such policies should extend to all clinical users accessing/exchanging data remotely.
- Technology options for authentication continue to evolve and the Coordinator’s Office should continue to monitor and update policies as appropriate to reflect improved technological capabilities
- The Coordinator’s Office should work to implement this recommendation and continue to be informed by the National Strategy for Trusted Identities in Cyberspace and aim to establish trust within the health care system.
- For example, NSTIC also will focus on the capability to pass along key attributes that can be associated with an identity. The capability to pass key attributes–for example, valid professional license–may be critical to facilitating access to data.
Source: U.S. Department of Health and Human Services