- Misuse/Fraud
- ID Proofing (including re: attributes, in-person, online and delegated registration)
- Authentication (including re: attributes and online challenges, two-factor authentication, credentialing, third-party authentication)
- Usability (including workability of solutions, complexity for patients)
I am a member of the HIT Standards Privacy and Security workgroup, so I eagerly await this testimony. GE Healthcare has been invited and will speak to its experience with the Patient Portal that is part of our Centricity EHR product. I will let that testimony stand on its own.
From my perspective I look at this with RISK in mind. I certainly hope that 2-factor authentication is not needed by patients. I, as a patient, would be very annoyed by that, and it is simply not justified. Healthcare Providers are different, and I could get behind a multi-factor effort there for specific workflows (use-cases).
The difference is that a patient only has access to their own data, so a failure exposes only ONE individual. Providers, by contrast, have access to the data of a very large number of patients, one might say ALL possible patients, so a failure on the provider side is high risk. The risk profile for Healthcare Providers and others using an EHR is clearly higher, but so is the ability of their environment to sustain more complexity. Note that I am not saying that exposure of ONE individual is acceptable; I am saying that the risk profile is simply different and thus should be assessed.
I want to make sure that whatever is presented is presented as ‘current state’, and that the healthcare industry continues to pursue the NSTIC efforts currently underway (in which I am participating). I want healthcare NOT to do something special, and thus non-standard.
UPDATE: The GE testimony to the HIT Standards committees is published.
User Identity and Authentication
- Level setting on Level of Assurance
- Advanced Access Controls to support sensitive health topics – a simple solution to sensitive health.
- Direct addresses - Trusted vs Trustable
- Identity - - Proofing
- The Emperor has no clothes - De-Identification and User Provisioning
- What User Authentication to use?
- IHE - Privacy and Security Profiles - Enterprise User Authentication
- IHE - Privacy and Security Profiles - Cross-Enterprise User Assertion
- Healthcare use of Identity Federation
- Federated ID is not a universal ID
- Separation of Layers: Security Error Codes
- Authentication and Level of Assurance