Use Cases for FIPS 201, Multi-use Interoperable Health Credentials

IDmachines supports an investment to bring health credentials into a PIV-I world. Interoperability among health care providers, payers and patients provides a great use case for high assurance interoperable credentials. It’s a widely required application for an identity credential.

Any investment in healthcare IT has to realize this. Healthcare needs strong identity assurance yet most systems in the US don’t make the investment in an identity infrastructure. The United States Government needs to invest in infrastructure to support item 10 (in the Cyberspace Policy Review) identity management/privacy and civil liberties.

Some organizations have begun this, Mt. Sinai being a leader (see below). Many countries have also done this; the US has not. Unless the US invests in strong identity, we won’t get the cost saving or improve healthcare and the US will continue to be a laggard. Please don’t give me another bar code or magnetic stripe ID card, web account(s), user names and passwords. Even scarier don’t accept federated IDs that don’t have any way of knowing who is establishing the accounts. Don’t make me get more certificates either. Can someone commit to identity infrastructure as part of the Health IT stimulus? That’s the gist of this post.

IDmachines supports the efforts of the Smart Card Alliance and the Secure ID Coalition when they combined to deliver message that strong identity matters for any health IT effort at National Press Club briefing in Washington DC May 19th.

Credentialing matters when millions of individuals are involved in a program, surely this is the case as state and national health insurance programs grow. Strong privacy and security, interoperability and multi-use would be good things to have in a credential. I don’t see any in the health market place. I access my health accounts (also Microsoft and Google “Vaults”) with un/pw or a bar code/number at a desk. Why can’t I use my government issued digital ID to log into these sites?

These are strong assurance credentials, background investigation and breeder document checks. The process is well defined and in my case the issuance procedures worked. I want to be able to use it. Organizations can have greater assurance of my identity when I use it. I have an ability to log on, digitally sign communications, and encrypt sensitive information. Please spare me from my endless usernames and passwords and changing them on a frequent basis, what a pain. Give me my PIN and biometric and chip and certificate(s) private keys that I use for everything. Sounds uber-tech, well it’s the way in dozens of countries.

Estonia, despite (or mayber as a result of) getting cyber attacked is making a renewed investment. As I said, dozens of large scale programs including England, Italy, Belgium, Austrian health cards, German health cards, Brisbane driver license, Angola, Nigeria, Ivory Coast, it’s a long list. A lot of places are making the identity investment that will then be leveraged.

In the United States without a funded program, in the current economic conditions it’s not about whether it’s the “right” thing to do. The real question is why invest when you can just print a flash pass or bar code. I refer to why Mount Sinai would do it. I have heard Paul Contino before but he repeated the rationale at the National Press Club. It always makes sense. To repeat again…

“Correctly identifying patients and their records is difficult just within a single hospital, but gets far worse between multiple institutions", Paul Contino, vice president, Information Technology, at Mount Sinai Medical Center in New York. Paul cautioned that identity management must be addressed correctly up front or “we’re going to have problems with the linkages of electronic medical records” on a regional or even national basis. Mount Sinai revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.

In fact it’s completely irresponsible to invest in health information technology without doing it. The financial arguments are well established. Organizations that implement new health IT applications can use PKI and PIV credentials. Soon the entire US Government will use it and a lot of people interact with it.

More information is available in Smart Card Alliance publications. ”Effective Healthcare Identity Management: A Necessary First Step for Improving U.S. Healthcare Information Systems” explains the current problems with identity management in healthcare and its costs. It also proposes solutions that leverage existing standards developed for other federal identity programs. The newly published ”Smart Card Technology in Healthcare” frequently asked questions document outlines how the technology is used to manage patient identity and protect a healthcare consumer’s personal information.