Identity crisis looms for US healthcare
While the U.S. continues digitizing its healthcare industry, a huge challenge is arising: not only securing those systems but verifying identities.
With a steady stream of HIPAA-covered data breaches continuing over the past few years, not to mention the debacle of Target’s recent customer financial information loss, some argue that current identity security approaches just aren’t adequate -- especially considering that criminal attacks on hospitals are increasing substantially.
“Protecting sensitive personal information with passwords is akin to building a massive stone fortress and then securing the front door with the kind of lock I use to keep my two-year-old out of my bathroom,” said Jeremy Grant, a senior advisor on identity management at the National Institute of Standards and Technology, heading up the National Strategy for Trusted Identities in Cyberspace.
April 2014 marks three years since the Obama Administration launched the NSTIC, a public-private initiative aimed at spurring the private sector to increase privacy, security and trust in online transactions across industries.
Speaking at a public hearing held by the federal Health IT Standards Committee’s Privacy and Security Workgroup on March 12, Grant argued that while there has been progress in a number of pilots -- with six of 12 relating to healthcare -- the private sector, particularly health organizations, need to start agreeing on standards.
The National Strategy “will only succeed if sectors in need of better identity solutions step forward and demonstrate a willingness to roll up their sleeves in support of the collaborative effort,” said Grant, the former chief development officer at ASI Government.
[See also: Patient identity theft proves costly.]
Personal health record sharing options like the Blue Button will only work “if patients have an easy way to assert that they really are themselves online," Grant explained.
Though not the only layer of security needed, identity is perhaps the most important and difficult, Grant argued. Identity solutions “can’t simply be secure,” he said; they have “to be easy to use, or else users won’t bother.”
Grant urged the Private and Security Work Group to bring a message back to the rest of the Health IT Standards Committee and the broader health and health IT communities: Even though standards may not be as mature or technologies as widely-available as some would hope, don’t wait.
“If the Workgroup or the broader health sector are of the view that this marketplace will soon be created while everybody sits back and watches," Grant continued, "I believe folks are going to be waiting for a long time."
[See also: CIOs push for patient ID progress.]
Bringing that vision of secure and accessible identification technology to reality is going to take a lot of work, though.