The Identity Management Arms Race – The Next eHealth Hurdle, By John Casillas, September/October 2006, The Medical Banking Report, Vol. 3, No.5
As we build out a “medical internet” a key element that leaders are wrestling with today revolves around identity management. How can we verify beyond a shadow of doubt that the person presenting at the doctor’s office, or jumping online to check out the lab results, is really who they say they are?
This issue has emerged as a critical path issue in our collective march towards a digital ecosystem in healthcare. And not just healthcare! It’s also becoming a hot topic in other industries – like banking, telecommunications and others.
This was one of the key findings after two high impact workdays with a group of the nation’s prominent RHIO leaders (Regional Health Information Organization) at the Privacy & Confidentiality Workshop hosted at the Vanderbilt Center for Better Health in late September (cosponsored by the eHealth Initiative). The group sent a clear message: we need to understand how to implement identity management as a key building block in the overall framework for electronic healthcare records.
The issue has ignited a flurry of activity at the highest levels in government and industry. The September Federal Register announced that the American Health Information Community (AHIC), chaired by HHS Secretary Michael Leavitt, is hosting a session on September 29 that will focus on “Identity Proofing and Authentication.” (MBProject was asked to assist in finding organizations that could testify but couldn’t respond in the time given.)
“The issue of identity is central to building out a National Healthcare Information Network,” said Mark Frisse, Executive Director of the Vanderbilt Center for Better Health, “and interestingly, it looks like there are groups working on this in 2007 from the healthcare side, medical banking, financial and government areas.”
In fact, the identity management arms race is on. The ‘bad guys’ are becoming increasingly sophisticated through session hijacking, keystroke logging, etc. New practices, from biometrics like key, thumb and voice print, to site authentication via “site stamping” are evolving rapidly and the criminals aren’t too far behind. Identity management and authentication will become a critical ongoing issue in a digital world. It’s best viewed not as a “one-time” but as an “all-the-time” budget item in today’s emerging digital world.
MBProject told the Vanderbilt attendees that five of the nation’s leading banking agencies – the Federal Financial Institutions Examination Council (FFIEC) – collaborated on the issue of authentication in online banking and created a best practices document which could be instructive to healthcare. In fact, the FDIC, one of the FFIEC members along with the Federal Reserve, Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision, isolated the issue of online ID management in 2004 and has been actively involved in isolating best practices for banks.
Whether Banking or Healthcare, ID is Core
As in banking, healthcare information is ultra-sensitive. A bank simply wouldn’t last very long without a world class identity management solution. Every banker knows this, and banks have acted accordingly via sizeable budgets to combat fraud from ID theft.
Today’s healthcare organizations are just starting to embrace identity proofing and authentication. It’s safe to say that as providers build out online services for filling prescription drugs, paying medical bills, making appointments and more, providers must engage the ID management arms race head on. But the reality of the situation is sobering: how can they do this with relatively weak IT budgets?
At a recent meeting with the Tennessee Hospital Association, MBR learned that 40% of Tennessee’s rural hospitals are operating in the red. In round figures, there are 6,000 hospitals in America of which about 4,500 are rural. If Tennessee hospitals are a barometer of fiscal condition, at least 2,000 of the nation’s hospitals are struggling to meet the next payroll, much less acquire world class ID management solutions.
Yet this is precisely what is required and frankly, the market is relentless on this point. ID theft isn’t just a banking phenomenon; consider that recent ID theft cases involve illegal acquisition of medical records that include Social Security Numbers, which were in turn used to rack up credit card debt. Clearly, the battle against ID theft is cross-domain. Healthcare organizations are already on the battle lines, even if they don’t have a solid grasp of what’s required to combat the advanced weaponry of the enemy.
Banks Forever On Front Lines
Thinking like an enemy can be painful. What’s worse however is that when you get into an active dialogue about the possibilities, many eyes roll over as if to ask “why is this important?” Everyone knows it’s important of course, but few are willing to engage the often esoteric dialogue that helps to keep the good guys in front of the bad guys.
In 2002, MBProject launched its Cyberwar Workgroup after receiving a request from the White House National Infrastructure Protection Board run by the now infamous Richard Clarke. Although there are diverse feelings about the man, most in the industry agree he is an authority in IT security. The White House was trying to get a handle on how an enemy might use the medical payments system to advance a war plan.
Delving into the topic was hard because one tends to think of existing structures, processes and systems as supporting well-defined functions in a workflow, as opposed to containing a reservoir of data that can be siphoned off to support an enemy.
An interesting example is the lockbox, a payment outsourcing service involving a physical structure that houses personnel, IT infrastructure and mail transport components. Some people think of a lockbox as a security safe used for jewelry or important documents but that’s not the one we’re referring to.
Within the medical payments workflow, a lockbox efficiently gathers payments and facilitates quicker access to funds. Indeed some lockboxes have specialized to offer much more advanced services that reduce costs in the patient accounting cycle. So, how would an enemy view the lockbox?
First, the lockbox contains valuable information. Payment information means access to the data points necessary to support identity theft – SSNs, addresses, names, checking and credit card information, etc. Thus an enemy could fund its organization by paying off individuals that can provide this information to them. Though rare, lockbox fraud has occurred. The typical payout for lockbox personnel, according to the National Check Fraud Center in Charleston, SC, is $50 for each stolen profile.
Second, when anthrax attacks were reported at a Baltimore lockbox facility it shut down and evacuated. One year later, according to the Baltimore Sun, the lockbox remained closed in order to ensure that all the anthrax was removed. In this scenario, an enemy that wanted to compromise healthcare in a particular region could, as part of a war plan, attack a lockbox with anthrax (sending anthrax-laden mail disguised as payment for medical services). In an environment where many hospitals have no more than 30 days cash on hand, this could spell disaster. Getting health plans to change the address for payments can be likened to “an act of Congress”. Clearly, a backup plan needs to be implemented as part of the lockbox program to thwart this scenario.
Another potential use of medical payments data (in lockboxes or otherwise) is blackmail. In this scenario, a person’s medical history is pieced together using the payments data (Explanation of Benefits). If the person can be instrumental to a war plan, the information may be used to coerce a person to do what they might not do otherwise in order to keep a lid on their sensitive health information. And the list goes on.
What’s interesting about this topic is not really that the workgroup was able to find multiple ways an enemy might support a war plan using information in the medical payments system, but that healthcare executives weren’t even talking about it. In fact, when the Cyberwar workgroup spoke to various bankers, they seemed well versed in some areas and exhibited much more advanced thinking; notwithstanding that the whole idea of a “medical banking” domain was new. At least it appeared that solution sets could be adapted to mitigate the risk of enemy exposure to sensitive information.
Banks have thought about equivalent scenarios, and continue to invest in esoteric thinking in order to keep in front of the enemy, fraudster or anyone that is willing to use banking information in an illegal manner. So it seems to make sense to ask the question: in the groundswell in healthcare today around ID management, does it make sense to engage the bank?
It’s instructive to note that the FFIEC invited not just banks, but anyone that uses online technology to deliver services to learn from their work. Notably, banks must comply by December 2006, and although the FFIEC urges soft compliance (not a legal requirement), it indicates banking agencies will use the new standards in auditing and other banking examinations after December 2006. This is tantamount to JCAHO asking hospitals to comply with a new procedure and then including the procedure in their certification criteria – you’ve got to demonstrate compliance in any event. Many banks are on track to meet FFIEC online guidance by December 2006; specifically, implementing multifactor authentication in the online banking area.
Where do healthcare entities stand on this issue? It’s a fair question. And in this context, the Vanderbilt workshop was instructive. It seems that they are just getting started.
New Services for A New Environment
Dare we suggest that leveraging existing banking systems, processes and procedures to combat ID theft, fraud and indeed extortion and blackmail, is a compelling path forward for healthcare? Of course there are those that would say why not the telecommunications industry, or another industry. Why banks?
There are many reasons why banks provide a natural platform for the advancement of healthcare policy in America. Specializing the lockbox to reduce daily operational costs, however, will likely be the first “thrust” into this line of thinking. The first steps are really all about return on investment, some would argue.
But isn’t it interesting that along with positive ROI, the healthcare community can partner with global organizations with highly committed budgets to implement state-of-the-art ID management solutions? And isn’t it equally compelling that more consumers are doing online banking today than ever before and that this “channel” could become a natural and highly secure electronic conduit to reach patients?
Moreover, consider the critical need for cash management platforms to implement strong security and ID authentication programs. This area is a central touch point for hospitals, group practices, nursing homes, ambulance centers, a growing number of clinics and others. Within this context, an intermediary platform embedded with the latest ID management technology that links reservoirs of healthcare data to requesting online banking customers seems plausible. The platform is likely using a federated identity management infrastructure that is not only in use today in other industries but has been “blessed” by the world’s leading ID management and security authorities (e.g., The Liberty Alliance).
Today, we are moving rapidly into a digital healthcare world. Yet the costs are daunting. By leveraging an adjacent industry to help this process along, as has been done in other industries, we could leapfrog countless hours of planning and related costs.
Learning and teaming with well-capitalized and sophisticated banking partners isn’t such a bad idea. By the very nature of their business, banks will forever be on the front lines of ID management and security.