To more fully appreciate ‘Level of Assurance’ as it relates to Identity and Authentication, I provide a breakdown of the different layers at which identity and authentication are used, with examples at each layer listed roughly from weakest to strongest.
Identity proofing (how confident the issuer is that the identity really belongs to the person, system or organization claiming it):
- a common email address on the internet has no identity proofing; anyone can create one under any name
- a passport requires two prior government-issued identities, a picture, and a criminal check
- a Certificate Authority uses multiple credentials to identity-proof the subject before issuing a Digital Certificate
- a military clearance requires a far more invasive background check. This kind of proofing goes beyond confirming that the individual is who they say they are; it also verifies that their past conduct supports the expectation that they will abide by the rules
- system or organizational evaluation against policy. This is the critical part behind ATNA (IHE Audit Trail and Node Authentication): the identity issuer verifies not only that the system or organization is indeed who it claims to be, but also that there are appropriate assurances that the policies will be enforced, including user-level access control and user-level audit controls
- patient identity. When organizations match up the identity that each holds for a patient, they need some level of assurance that the match is correct. This is sometimes automated in a Patient Identity Cross-Reference system (IHE PIX) whose matching algorithms are tuned to local needs (such as how often an SSN is available). These cross-references carry a measure of confidence for each match
Authentication (how the user proves, at each use, that they hold the identity):
- username and password, the most common single-factor authentication
- two-factor authentication, commonly done with a hardware token (something you have) plus a password or PIN (something you know)
- smartcards, another common form of two-factor authentication, combining the card with a PIN
Applications that rely on the authenticated identity to grant access:
- an EHR application provides a doctor access to a patient chart
- a Web server provides access to a document drop box
- an e-mail program provides access to the local mail storage
Communicating identity between systems (federation and signed content):
- a nice Microsoft presentation on their federated identity offering, which clearly also leverages the SAML and WS-Trust standards
- an e-mail application using an e-mail service provider over POP3 or IMAP
- Web applications, such as Twitter or Facebook, using lightweight federated identity technology: OAuth
- a Health Information Network, using strong and flexible federated identity technology: SAML assertions
- NHIN Direct, using S/MIME, with each message addressed specifically to an individual recipient and signed by the individual sender
- document digital signatures, which can be validated by anyone who uses the document, proving that the document is exactly the document that was signed
Overall, we should NOT force a specific Level of Assurance; rather, we should use identity and authentication standards that can communicate the Level of Assurance of the authenticated identity. Standards exist for this in both X.509 certificates (the certificate policy under which the certificate was issued) and SAML identity assertions (the authentication context of the assertion). By mandating only that the Level of Assurance be communicated, we ENABLE the healthcare services to make informed access control decisions, with each service deciding for itself which level a given action requires.
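As an added example (not code from the original post), the following shows what "communicating the Level of Assurance" looks like on the SAML side: a relying service reads the AuthnContextClassRef from a SAML 2.0 assertion, maps it to a numeric level, and compares that level against its own per-action policy. The mapping table, the per-action minimums, the issuer and subject names, and the `make_assertion`, `level_of_assurance` and `decide` functions are all assumptions made for this example; the assertion itself is constructed inline and unsigned. Only the Python standard library is used.

```python
"""Added example (not from the original post): read the Level of Assurance that
a SAML 2.0 assertion communicates and let the relying service decide access.
Python standard library only; the SAML assertion below is constructed."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping, chosen for illustration: SAML 2.0 authentication context
# classes (and the ICAM LoA URIs) to a numeric level 1..4 in the NIST SP 800-63
# style. A real deployment takes this table from its trust framework.
LOA_BY_CONTEXT_CLASS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
    "http://idmanagement.gov/ns/assurance/loa/1": 1,
    "http://idmanagement.gov/ns/assurance/loa/2": 2,
    "http://idmanagement.gov/ns/assurance/loa/3": 3,
    "http://idmanagement.gov/ns/assurance/loa/4": 4,
}

# Hypothetical per-action policy of one healthcare service: the minimum LoA it
# wants before performing the action. Another service may choose differently;
# that local choice is exactly what communicating the LoA enables.
MIN_LOA_FOR_ACTION = {
    "read-demographics": 2,
    "read-chart": 3,
    "order-controlled-substance": 4,
}


def make_assertion(context_class=None):
    """Build a constructed, unsigned SAML assertion for the example.
    context_class=None omits AuthnContext to exercise the failure-mode path."""
    ctx = ""
    if context_class is not None:
        ctx = ("<saml:AuthnContext><saml:AuthnContextClassRef>"
               + context_class
               + "</saml:AuthnContextClassRef></saml:AuthnContext>")
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example-1" Version="2.0" IssueInstant="2010-06-01T12:00:00Z">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer>"
        "<saml:Subject><saml:NameID>dr.smith</saml:NameID></saml:Subject>"
        '<saml:AuthnStatement AuthnInstant="2010-06-01T12:00:00Z">' + ctx
        + "</saml:AuthnStatement></saml:Assertion>"
    )


def level_of_assurance(assertion_xml):
    """Return the LoA (1..4) the assertion communicates, or 0 if it communicates
    none or an unrecognised one. 0 is the safe default: an assertion that does
    not say how the user was authenticated must not be treated as strong.

    Caveat: this function trusts its input. A real relying party must verify the
    assertion's XML signature, issuer, audience and validity window before
    reading the authentication context, and should parse untrusted XML with a
    hardened parser (for example defusedxml) rather than stock ElementTree."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        "./saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        SAML_NS)
    if ref is None or not (ref.text or "").strip():
        return 0
    return LOA_BY_CONTEXT_CLASS.get(ref.text.strip(), 0)


def decide(assertion_xml, action):
    """Access decision for one action: (granted, loa_presented, loa_required)."""
    presented = level_of_assurance(assertion_xml)
    required = MIN_LOA_FOR_ACTION[action]
    return (presented >= required, presented, required)


if __name__ == "__main__":
    for cls in ("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
                "urn:example:unknown-class", None):
        assertion = make_assertion(cls)
        print(cls, [decide(assertion, act) for act in MIN_LOA_FOR_ACTION])
```

The point of the design is that the identity provider never has to know what "read-chart" means: it only states, in a standard vocabulary, how the user authenticated, and the service owning the chart applies its own minimum. The X.509 equivalent reads the certificatePolicies extension of the client certificate and maps the policy OID the same way; that is not shown here.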