national association for trusted identities in cyberspace - establishing trusted identities in...
DESCRIPTION
The digitalization of the world economy has created demand for privacy enhancing identity solutions that support civil liberties and improve security. Running parallel to the need for trusted identities in cyberspace is the need for identities to be interoperable so that individuals can manage multiple credentials and choose which to use for a particular transaction or activity. The demand to establish a more secure identity ecosystem requires solutions to be user friendly and convenient including equitable access to the tools that establish this online identity credential for everyone, not only the affluent. Learn more about NSTIC’s work to help advance the initiative of establishing a trusted identity in cyberspace, what implications this could have on patient identification in healthcare, why choosing a patient identification platform that is standardized is critical, and more!TRANSCRIPT
M2SYS Healthcare Solutions Free Online Learning Podcasts
Podcast length – 38:56
Topic: “Establishing a Trusted Identity in Cyberspace” Background on NSTIC, Creating an Identity “Ecosystem,” The Impact of Identity Theft, Right to Privacy, Value of Standards Based Patient ID in Healthcare, NSTIC and the ONC, Interoperability, Trusted ID Reducing
Medical ID Theft, NSTIC Pilot Projects
Jim Shiere, Senior Advisor with the National Strategy for Trusted Identities in Cyberspace (NSTIC)
and
Topics Covered in Podcast:
NSTIC Mission & Objectives – What is an Identity Ecosystem?
Processes & Structure to Meet NSTIC Goals
Trusted Identities – Why is Now the Right Time?
Balance Between Identities and Privacy
Value of a Trusted Identity for Patients in Healthcare
Identity Theft Implications
Topics Covered in Podcast (continued):
NSTIC and the ONC – Working Together to Created Trusted Identities for Patients
The Value of A Standardized Biometric Patient Identification Solution
Trusted Identity Impact on Medical Identity Theft
NSTIC Pilot Projects
NSTIC – National Strategy for Trusted Identities in Cyberspace
• Launched by the White House in 2011 • Main goal is to establish an “identity ecosystem”
• Individuals can voluntarily choose from a single or multiple digital identities of their choice to conduct business on the Internet anywhere at anytime
• Based on 4 fundamental guiding principles: • Interoperability – If you choose an identity (Google for example) – you
have the opportunity to interoperably use it anywhere. Helps alleviate the problem of creating a user name and password for each new site you visit. Idea is to create one credential to be used anywhere.
• Security & Resiliency – Single factor authentication (e.g. – passwords) are “hopelessly” broken and increasingly are a vector of attack – 60% of network intrusions are a result of bad password management. NSTIC envisions a way to replace the password with better
methods
NSTIC Mission & Objectives – What is a “Trusted Identity?”
NSTIC Mission & Objectives – What is a “Trusted Identity?” (continued)
• Multi-factor authentication seen as a more secure identity • Privacy – How can we foster the creation of an identity ecosystem that
presents privacy enhancing options to individuals? • Current interoperable sign on credentials don’t allow for a clear
understanding of what privacy controls are in place to protect information
• NSTIC looking to enshrine better privacy policies to foster more control over personal information
• Usability – any online, interoperable credential solution should be easy to use and convenient
Processes and Structure • What is NSTIC doing to foster the vision of an identity ecosystem?
• Thrust #1: Funding – providing pilot project funding to private company projects who are innovating and launching initiatives to help advance the principles of an identity ecosystem and catalyze the market for
these solutions
Processes & Structure to Meet NSTIC Goals
• Pilot Example – American Association of Motor Vehicle Administration (AAMVA) and the INOVA Healthcare System (based in Virginia) • Pilot basis – How can INOVA patients access their online records
using a Google or Microsoft account for login to avoid having to create a new account. The AAMVA will automatically proof your identity so INOVA can grant authorization.
• NSTIC has awarded over $17 in funding to the private sector and several states for pilots
• Thrust #2: Lead federal government – rallying the government sector to be early adopters to the “identity ecosystem” • Example – “Federal Cloud Credential Exchange” – government is
deploying a platform to accept third party credentialing to access government services. Idea is to move more government services online in a cost effective and efficient way but still follow security and privacy guidelines.
Processes & Structure to Meet NSTIC Goals
• Expect to hear more in the coming months about which government agencies will be deploying the trusted identity initiative
• Thrust #3: Facilitating private sector led groups – referred to as “The Identity Ecosystem Steering Group” (IDSG) to convene the private sector to establish a framework of rules, policies and standards which will provide the policy foundation for how the private sector can leverage the identity ecosystem • NSTIC provided grant funding to support the group for the first two
years, the group has since transformed into an independent entity • If individuals or business are looking to play a larger role in the
initiative, participation in the IDSG is a great place to engage (www.idecosystem.org) – open to all (businesses, individuals, non-profits, etc.)
• Many IDSG stakeholders groups exist that cover a range of topics (state and local governments, privacy, etc.)
Trusted Identities – Why is Now the Right Time?
• The “hopelessly broken” nature of user names and passwords • Increasingly a vector of attack for criminals to access sensitive
information to enable identity theft and other forms of fraud • NSTIC’s goals are aimed to provide more usable and secure identity
credentialing solutions to provide a safer way to do business online and build consumer trust
• NSTIC envisions a better way forward to authenticate ourselves online by playing more of a “facilitator” role and support entities
• Ultimately, it’s the private sector that will step up and provide tools and tech for more secure online transactions
• There needs to be a more open and comprehensive study and discussion on the issue of privacy and how it impacts the creation of an identity ecosystem
• Urgency exists to solidify a national strategy – now is the right time
Identity Theft Implications
• The proliferation of data available on individuals to provide better products and services online has fueled the rise in ID theft – in other words, the quest to improve product and service quality seeded the growth of ID theft cases
• NSTIC has stepped in to help change the thought process of online individual information and shift the focus to privacy and protection • NSTIC asks the question – if you are sharing information online for
business transactions, why is it necessary to share anything other than basic information necessary to complete the transaction?
• NSTIC is focusing on the concept of “data minimization” • Identity theft erodes consumer trust in online transactions • NSTIC believes it can build a better set of online identity tools to
minimize risk and increase privacy
Balance Between Identities and Privacy
• Privacy remains a fundamental guiding principle of the national strategy for online trusted identities
• NSTIC is focused on ensuring that privacy advocates have a seat at the table to help mold the online identity initiative and how the identity ecosystem will evolve
• Another way NSTIC is promoting privacy enhancing solutions is through the Federal Cloud Credential Exchange (FCCX) which enshrines the fair information practice princples – learn more at: www.nist.gov/nstic/fccx.html
Did you know? A copy of NSTIC’s strategy is available online. You can access a copy by following this link: www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_051511.pdf
• At heart of NSTIC and Office of the National Coordinator for Health Information Technology (NSTIC) collaboration is looking at how NSTIC’s drive to establish trusted identities (identities that provide security and privacy – both important in the context of HIPAA)
• Identity ecosystem that NSTIC envisions allows patients to have voluntary access to identity credentials with stronger privacy and security enhancing features
• This fits into the ONC strategy of open access to health data with more secure, safe, and privacy enhancing tools
• Viewing, downloading and exchange of health data information is enabled through a trusted identity ecosystem
• Patients want the assurance that their private health data is being adequately protected during the access and exchange process
• Trusted identities help to advance the goal of true interoperability • ONC is actively engaged in the IDSG and follow several pilots closely
(INNOVA)
Value of a Trusted Identity for Patients in Healthcare How the ONC and NSTIC are Working Together
The Value of A Standardized Biometric Patient Identification Solution
• NSTIC’s role isn’t to point to specific methods of authentication for the market – instead their role is a facilitator of pilot projects, opening dialog, and ensuring all stakeholders have a seat at the table
• NSTIC focuses on allowing private entities to factor in identity management technologies as part of the overall solution
• Most people understand the value of standards based identity management approaches – fundamentally important for the overall identity management ecosystem moving forward (enshrined in NSTIC interoperability principles)
• Overall, patient identification standards based solutions are getting a close look as a piece of the overall identity ecosystem
Most Effective Security Technologies to Protect Patient Data Access
• The shift from paper to electronic health records necessitates a shift change in how to effectively protect patient data
• Patient data information used to be limited and siloed – the advent of EHR’s, HIEs, Meaningful Use mandates, and an increased interest in leveraging the power of big data to perform population management has increased the availability of electronic information that is easier to transport (and steal)
• Critical that a security protocol be in established & observed to: • Validate a patient’s identity & ensure they are who they say they are
both in person and online (e.g. – patient portals) • Biometrics for patient identification is increasing and a viable tool to
verify a patient’s identity with near 100% accuracy – can also be used at each touch point along the continuum of care to authenticate identity before service/procedure is rendered
Trusted Identity Impact on Medical Identity Theft
• NSTIC is specifically coordinating its efforts to establish a trusted identity precisely to help stem the rising tide of medical ID theft
• Medical identity theft looming crisis demands better ways for patients to access health data online especially in the wake of increased adoption of electronic health records (EHRs)
• NSTIC timing was ideal for the healthcare industry as the struggles to protect identities increases
• NSTIC provides a set of tools and fosters an ecosystem that enables patient trust
• ONC’s vision of open, secure, and private access to health data is manifested in NSTIC’s initiatives with an improved approach to identity
• Pilots within federal government provide valuable case studies to help advance trusted identities in healthcare
• Expect to see continued dialog and collaboration between ONC and NSTIC to stem medical ID theft with more secure trusted identities
NSTIC Pilot Projects INNOVA
• Pilot premise is to help enable more convenient yet secure ways for patients to log in and access their health data online
• Prior to patients logging into a portal for access to health data, a customized list of questions only the patient would know the answers to is provided by the Virginia MVA
• Establishes much stricter security protocols for online healthcare data access
• Provides a much more authoritative resource for verifying patient identities
• Creating growing interest in healthcare for access to a powerful set of tools to better verify patient identities while creating convenience and fostering privacy
Thank you to Jim for his time and knowledge on this podcast!
Please follow NSTIC on Twitter (@nsticnpo) and visit their Web site at: www.nist.gov/nstic@nstic or check out their blog at: www.nist.gov/blog.html
John Trader Director of Communications M2SYS Healthcare Solutions
1050 Crown Pointe Pkwy. Suite 850
Atlanta, GA 30338 [email protected]
770-821-1734 www.m2sys.com/healthcare
Podcast home page: http://www.m2sys.com/healthcare/healthcare-biometrics-podcasts/
: twitter.com/rightpatient
: facebook.com/rightpatient : linkedin.com/company/m2sys-technology
Contact Information