Trusted identity management for the NHII
In November 2001 the National Committee on Vital and Health Statistics (NCVHS) issued a report outlining the vision for a National Health Information Infrastructure (NHII), which set in motion a far-reaching effort to improve the effectiveness of healthcare delivery in our nation.
This effort, led by Health and Human Services Senior Advisor Dr. William Yasnoff, is centered on information availability and sharing at both the local and the national level. "Health information when and where it is needed" is Dr. Yasnoff's concise goal for the NHII.
The NHII is all about exchanging healthcare information electronically in a secure manner. By definition there is an information requestor and an information provider. The information provider must have a means of validating the electronic identity of the information requestor, and the requestor needs to be confident that he or she is talking to the intended information provider; authentication has to work in both directions. It would obviously be impractical for every information owner to create a unique account for every potential requestor if the national vision is to be realized. Therefore, in addition to data standards, vocabularies, protocols, and policies, the NHII will require an identity management system that can be trusted on a national scale.
Let us consider electronic identities in the healthcare delivery world by using physicians as an example.
A provider organization selects the physician candidates and performs background checks for licensure confirmation and criminal history. It may also require photo identification to verify that the candidates are not impostors. When the candidates have passed these checks, they are given accounts on the organization's computer system and network in the form of user IDs, or electronic IDs. They may also be issued credentials such as an X.509 certificate or a smart card.
For the NHII, the security policies and operational practices that were followed in creating this electronic ID and any digital credentials will determine the degree to which the identity can be trusted by others. An infrastructure is needed through which questions concerning trust policies and identity authenticity can be asked and answered.
For example, if a Dr. Jones from the Acme Hospital is requesting patient information from the Main St. Clinic, the Main St. Clinic needs to be able to ask Acme Hospital the following questions in order to trust Dr. Jones' electronic identity:
Does this electronic identity really belong to a Dr. Jones at your hospital and is it currently valid?
What policies and procedures were followed by the hospital when creating the ID?
What outside organization, or neutral third party, has verified that you are abiding by these policies?
As you can see, the NHII needs a national electronic ID authentication infrastructure, rules for creating these electronic IDs, and means to trust that the rules were followed.
A national authentication infrastructure would provide the means for any entity in the healthcare system to validate an electronic ID, in real time, with the organization that created it. The federal government is currently building an infrastructure of this type, called the E-Authentication Gateway, to support the eGov initiatives. The gateway can be looked at as a trust broker. When an authentication request comes to the gateway from an eGov application, the gateway forwards the request to the organization that issued the electronic ID and returns that organization's answer to the application. In this way the application owner needs only to trust the gateway rather than every issuing organization individually. The eGov initiative intends to open this infrastructure up to private industry as well as state and local governments.
Rules for creating the electronic IDs to be used in this system will require some standardization in order for the IDs to be useful. Any entity in the system should be able to determine quickly whether an identity was created in a way that meets its security requirements. A standard set of rules (identity issuing practices and procedures), each mapped to a defined assurance level, would address this requirement.
The result would be a set of NHII account management accreditation criteria. A new organization called the Electronic Authentication Partnership (EAP) has been formed to address this issue. Its first order of business will be to establish accreditation requirements based on the four assurance levels of the eGov initiative. This work will lay a foundation for authentication across a broad cross section of industry segments such as financial services and healthcare.
Over time, the EAP may also opt to create specific working groups to work with various industry segments.
Here is a possible scenario: if the NHII system participants agree to standardize on three sensitivity classifications for data, say, non-sensitive, sensitive, and highly sensitive, then the rules for creating electronic identities whose assurance levels map to these classifications can be established. If a university publishes the results of a study and doesn't care who sees it, the data would be non-sensitive and the university wouldn't worry about how the user account of the person viewing the report was created. However, as in our "Dr. Jones" example, if patient information is being requested, access to this data could be classified as sensitive, which would require that a defined set of policies and procedures was followed when creating Dr. Jones' account, and that the requesting organization can confirm this before releasing the data.
NHII participating organizations would have to subject themselves to a third party audit of their account management practices in order for their identities and credentials to be trusted within the NHII. An independent auditor would vouch that the organization is in compliance.
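The trust-broker flow, the assurance-level check, and the accreditation cap described in the preceding paragraphs can be modelled in a few dozen lines. The following is an added example written for this page, not code from the E-Authentication Gateway, the EAP, or any NHII project; the organization names, electronic IDs, assurance labels, and accreditation records are all constructed for illustration. The relying party (the Main St. Clinic) never talks to Acme Hospital directly: it asks the gateway, the gateway asks the issuer, and the gateway limits the assurance level it vouches for to whatever the issuer's third-party audit actually covered.

```python
"""Added example: a minimal model of the NHII trust-broker flow.
Illustrative code written for this page, not the E-Authentication
Gateway's or the NHII's own software. Organization names, IDs,
assurance labels and accreditation records are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Ordered levels; a higher level satisfies any lower requirement."""
    NON_SENSITIVE = 1
    SENSITIVE = 2
    HIGHLY_SENSITIVE = 3


@dataclass(frozen=True)
class IdentityAnswer:
    """What the gateway hands back to the relying party."""
    valid: bool
    assurance: Optional[Assurance]
    reason: str


class IssuingOrganization:
    """Hypothetical issuer (e.g. a hospital) holding the accounts it created.
    Each record: electronic_id -> (currently_valid, level the issuance met)."""
    def __init__(self, name, accounts):
        self.name = name
        self._accounts = accounts

    def validate(self, electronic_id):
        rec = self._accounts.get(electronic_id)
        if rec is None:
            return IdentityAnswer(False, None, "unknown id")
        valid, level = rec
        if not valid:
            return IdentityAnswer(False, level, "id revoked or expired")
        return IdentityAnswer(True, level, "ok")


class Gateway:
    """Trust broker. Forwards the question to the issuer and also keeps the
    accreditation register: the highest level an independent audit has
    vouched for per issuer. A claimed level above that is capped."""
    def __init__(self):
        self._issuers = {}
        self._accredited = {}

    def register_issuer(self, issuer, accredited_up_to):
        self._issuers[issuer.name] = issuer
        self._accredited[issuer.name] = accredited_up_to

    def validate(self, issuer_name, electronic_id):
        issuer = self._issuers.get(issuer_name)
        if issuer is None:
            return IdentityAnswer(False, None, "issuer not registered with gateway")
        answer = issuer.validate(electronic_id)
        if not answer.valid:
            return answer
        capped = min(answer.assurance, self._accredited[issuer_name])
        if capped < answer.assurance:
            return IdentityAnswer(True, capped, "assurance capped by accreditation")
        return answer


def access_decision(gateway, issuer_name, electronic_id, data_sensitivity):
    """Relying party's rule: grant only if the ID is valid and the assurance
    level the gateway vouches for meets the data's classification."""
    answer = gateway.validate(issuer_name, electronic_id)
    if not answer.valid:
        return False, answer.reason
    if answer.assurance < data_sensitivity:
        return False, f"assurance {answer.assurance.name} below {data_sensitivity.name}"
    return True, "granted"


def build_demo_gateway():
    """Constructed sample data for the Dr. Jones scenario."""
    acme = IssuingOrganization("Acme Hospital", {
        "drjones": (True, Assurance.HIGHLY_SENSITIVE),
        "drsmith": (False, Assurance.SENSITIVE),  # account revoked
    })
    univ = IssuingOrganization("State University", {
        "researcher1": (True, Assurance.HIGHLY_SENSITIVE),
    })
    gw = Gateway()
    # Acme's audit covered its practices only up to the 'sensitive' level;
    # the university has never been audited beyond non-sensitive.
    gw.register_issuer(acme, accredited_up_to=Assurance.SENSITIVE)
    gw.register_issuer(univ, accredited_up_to=Assurance.NON_SENSITIVE)
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    for args in [("Acme Hospital", "drjones", Assurance.SENSITIVE),
                 ("Acme Hospital", "drjones", Assurance.HIGHLY_SENSITIVE),
                 ("Acme Hospital", "drsmith", Assurance.SENSITIVE),
                 ("State University", "researcher1", Assurance.SENSITIVE),
                 ("Main St. Clinic", "anyone", Assurance.NON_SENSITIVE)]:
        print(args, access_decision(gw, *args))
```

Two points the model makes visible that the prose only implies: Dr. Jones is refused highly sensitive data even though Acme Hospital says his account was created at the highest level, because the audit only vouched for Acme's practices up to the sensitive level; and an issuer the gateway has never registered cannot be trusted at any level, since there is no one to forward the question to.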
While this is only one description of a trusted identity management system for the NHII that could be deployed, it is clear that some sort of scalable system is needed if we are to have trustworthy and convenient healthcare information exchange at a national level.
Pete Palmer is a member of the HIMSS NHII Task Force and is principal security analyst with Guidant Corporation.