Eric Rosenfeld

Who is your physician and how do you know? Solving questions of identity in healthcare.

Most of us take the concept of “identity” for granted. We know and recognize ourselves, our co-workers, family and friends and do not usually give a second thought to this phenomenon in our daily lives. We base these assumptions of identity on our memory and day-to-day interactions. More importantly, we trust these identities implicitly and act upon them automatically nearly every minute of our waking lives. Think about this — if everyone in your life was somehow magically removed from the Earth and replaced with an identical, look-alike copy, how would you be able to tell? You might be able to pick up on the change by asking questions or noticing a lack of knowledge of prior events, but some of the lesser players in your world might escape attention. Could you discern if the clerk at the local grocery was no longer the person you (fleetingly) knew, but rather someone else, posing as them? While it might be the basis for a science fiction story, the absurd nature of this example is actually close to the truth of the identity issue facing the healthcare industry today.
Within the healthcare industry, identity authentication poses perplexing issues for those engaged in creating transparency and interoperability for all parties in the healthcare ecosystem. Of course, the computer systems and databases used by physicians lack human empathy or insight. For them, identity is proven when a user presents some credential that gains them access to information. Hence, all access attempts to a system that use the same credential are indistinguishable from other attempts, despite who or what is behind them and whether they are presenting the credential honestly or with authorization. For example, how can we prove that a healthcare provider is who they purport to be? Who should prove that fact? How often should this proof be renewed?
The issue of identity becomes more complex as the number of credentials afforded a provider increases. In the past, providers have had one or two primary medical information systems with which they interact, usually located at their practice or place of work (hospital). Since the advent of Meaningful Use Stage 2, the rise of Health Insurance Exchanges (HIE) and Health Information Service (HIS) providers, the number of credentials a provider requires is rapidly rising. Despite recent pilot progress sponsored by the Identity Ecosystem Steering Group (IDESG) and the National Institute of Standards and Technology (NIST), we are still working to develop standards related to proving identity, and credentials that could be used to evidence that identity proof.
Proving identity is not easy, since it requires a number of cooperative steps and the willingness of a provider to answer questions or present existing identity proof that has already been established by a trusted source. In many cases, government issued photo identification may be used by a party to identify a physician. This is common practice in hiring, for example, and used in various other circumstances both within and outside of healthcare. Unfortunately, this level of proof has already been superseded by more rigorous processes, such as those required to enable a provider to electronically prescribe controlled substances (EPCS). Under controlled substance e-prescribing, a provider must be verified by a third party (not someone they work with or even the vendor offering e-prescribing). It must be based on financial data and verifiable with trusted sources.
As you can tell, trust is a central theme of the entire process. The essence of this trust is an acknowledgment of the certification given an organization and its processes to create a consistent and truthful result. The system or organization granting the provider access to a restricted process (as in controlled substance e-prescribing) or data (as would an HIE) must trust the entity doing the identity proofing of that provider. They must also trust the method by which that identity was proven. In turn, the identity provider must trust the answers to whatever criteria is placed before the healthcare provider (the subject). Usually, this process starts with a piece of private information supplied by the subject, such as an account number. Indeed, the subject must also trust that the identity provider is using information they are supplying only for purposes that the subject intends. Once the identity is proven, it is used by applications wishing to offer exclusive access to the subject/healthcare provider. Those applications must trust that the identity provider did their job effectively and indisputably. If any single link in this trust chain is broken, the entire chain fails and the subject’s identity is not conclusively proven.
Providing everything goes well, the fact that the identity has been proven is “bound” to a credential; a means to gain access to a system. We use the term “bound” to mean that the credential is assigned irrevocably to the identity of the person using it, the same person whose identity has just been proven.
Usernames and passwords have historically been popular credentials, but are now increasingly coming under fire due to their fragility and relatively insecure nature. Other credentials have emerged as more secure and less vulnerable, including two factor authentication devices (Public key infrastructure [PKI], one-time password, etc.) and multifactor devices that creatively use smart phones and other technology to avoid the use of passwords altogether. Regardless of the type of credential and its strength, it is the systemic equivalent of the identity it represents. That is, for purposes of system access, we assume that once the bound credential is validated, the intended provider is authenticated and allowed to enter that system. The credential and the identity are interchangeable, for purposes of access control.
In today’s healthcare environment, identity is ordinarily defined with a particular purpose in mind. That is, it’s defined separately by each application wishing to establish an identity control. This is unfortunate, because forming this identity and the trust that surrounds it is often time-consuming, expensive, and distracting to healthcare providers who must be intimately involved in the process. Consequently, providers often find themselves repeating the identity proofing process for each application that needs this level of assurance. Additionally, they are left with multiple credentials, one per application. This is quickly becoming untenable for several reasons:

• the process is expensive, and these costs are very often shifted to the provider or the hospital
• having multiple credentials that essentially prove the same fact can lead to inconsistencies as well as redundancies, since each application, identity proofer, and credential is separately managed and possibly vulnerable in different ways
• the provider must remember which credential is to be used with each application, since most credentials are not transferable
• there is no way to identify a fraudulent use of a credential across applications, since there is no gold standard for either identity or credential interoperability

The process of proving an identity and the trusting the provider, identity proofer and application is complex. The existing solutions in the marketplace do not meet a single standard, nor has such a standard been adequately articulated, at least not yet. There are many current workgroups addressing this deficiency, and all of them are reaching for the same brass ring: to create an interoperable, inexpensive, reusable identity standard that can be shared between applications without any degradation of trust; and, to identify an inexpensive solution to the federation of credentials, allowing them to be interchangeable with uniformly trustable results.
In the future, it should be unnecessary to create application access controls, security controls, and so on, for each application individually. Providers should not be forced to repeatedly prove their identity, nor wrestle with a host of application credential controls. The credentials that remain should include only those whose technology surpasses any password control, including biometric, multifactor, and similar approaches.
In future blog posts, I will expand on this theme and discuss the work at DrFirst and other leading firms that are addressing this issue. Together, we are forming answers to these difficult problems. Our success will signal the beginning of a new era in healthcare systems management.