NIST seeks to overcome significant issues with healthcare data security and access
Think about your healthcare history. Chances are, you have multiple different doctors today. And chances are even better that you’ve seen many, many different doctors over the course of your life. This is especially true if you’ve ever been in need of a specialist for a particular condition, or have required surgery and rehab for an injury.
But in today’s more connected world – and in the current age of electronic health records – this wide ecosystem of specialists, doctors and other care givers can create a new problem for patients that many people haven’t considered.
I recently had to see a specialist, myself. That doctor requested that I have some tests run, the results of which would be available at a later date. When the results came back from the lab, I was called and left an auto message saying my results were back and that I could see them by logging into the office’s online healthcare portal. That portal was unique to their office and required that I create a unique set of credentials for access.
And here is where the problem arises.
How many different “online portals” could a patient with significant health issues and conditions be required to access? How many different sets of credentials could they be forced to remember? And what is the impact of that on the patient and their care?
One unintended impact could be the creation of a serious security vulnerability. In cases where people have to remember multiple passwords – especially difficult passwords with multiple special characters, numbers and different cases – they result to password reuse to make them easier to remember. And these don’t necessarily have to be passwords that they only reuse across healthcare portals. These can be passwords that they repurpose from their own personal accounts, such as e-commerce sites and other hosted applications.
Password reuse is a significant problem that we’ve discussed previously on Access Granted. But it becomes a even bigger problem when a password compromised elsewhere can then give access to an individual’s healthcare data, test results and health records – some of the most valuable personal data that hackers can compromise.
For example, imagine if their email account credentials were compromised through phishing or malware. In that individual’s email account, they could then find email reminders about upcoming appointments or email notifications from a doctor’s office, click through to their online portal and use the same credentials they stole previously to access a patient’s personal health records. That’s a scary situation.
Now let’s look at a scarier one – a similar problem on the healthcare provider side.
Not all doctors and healthcare providers work in one healthcare setting. They could work in a private practice, a hospital, volunteer at a clinic, etc. And in each of these different settings, they need access to networks and that healthcare organization’s systems. In each case, they’re most likely asked to create a new, unique set of credentials. And the same problem arises. And the ramifications can be much worse, since these systems can give a malicious actor access to the private healthcare data of many different patients.
This is clearly a problem that can leave many patients, and their personal healthcare data, susceptible to breaches and malicious actors. Luckily, one federal government agency is taking steps to help overcome it.
In the next month, the National Institute of Standards and Technology (NIST) will be looking to identify and fund a new pilot program designed to implement federated identity credentials in healthcare that will help patients and doctors more easily and securely gain access to these multiple, disparate accounts.
According to NIST – which will be collaborating on the program with the Office of the National Coordinator for Health Information Technology (ONC) at the U.S. Department of Health and Human Services (HHS) – the pilot will look to accomplish the following:
- Pilot a federated credential solution in which at least two hospitals or regional healthcare systems accept a federated, verified identity that leverages multi-factor authentication and an effective identity proofing process.
- Enable online access to at least two organizationally separate healthcare organizations.
- Demonstrate that the federated credential solution aligns with the Identity Ecosystem Framework Requirements.
- Allow for interoperability with other identity federations in the healthcare sector and, where possible, other sectors.
- Include collecting metrics and other information about the implementation of the federated credential solution that can contribute to a best practices guidance document.
This is an exciting pilot program for its ability to make authentication across multiple healthcare entities easier for both the patient and the provider. And I applaud NIST for identifying this issue and taking steps to address it. However, there are some things that both NIST and the ONC should be looking for when choosing the recipient of the funding for this pilot.
The pilot calls for the solution to feature multifactor authentication (MFA), which is an excellent step in ensuring that the actual authentication process is secure. However, just implementing MFA isn’t enough. As we’ve discussed, healthcare data remains some of the most valuable for malicious actors – and some of the most damning for victims of data breaches. This means that simply asking for two factors for authentication isn’t security enough.
Instead, NIST should be looking for a solution that can gauge a user’s identity by more than just a handful of factors that can be compromised as easily as a user name and password. They should be looking for solutions that can gauge a user’s intent and can use data available to ensure that the person seeking access to data is who they claim to be.
NIST should also be seeking solutions that can verify a user’s identity without adding unnecessary steps and increasing the time and effort needed to access data. In the case of healthcare providers and patients, having access to these records and information quickly can literally be the difference between life and death. NIST has to ensure that any solution that they fund and pilot can deliver access to requisite information quickly, as well as securely, since every second matters.
Today’s connected healthcare industry is becoming a mess of different systems, online patient portals and online health records. And this mess of different log-ins and systems is creating a huge data risk for patients and health systems. NIST’s pilot to identify and implement federated identity credentials in healthcare is necessary to make access easier and keep records secure. But we need to ensure that we’re not sacrificing ease of use for security, or security for easy access.