WASHINGTON, DC—The critical challenge of validating each person’s identity online can be addressed through a mix of established and emerging techniques to help stimulate the growth of new electronic health services and personal health records, according to a new report released today by Markle Connecting for Health, a public-private collaborative group operated by the Markle Foundation.
“Your health information is likely scattered across several providers and organizations. To access your information in an electronic environment, all those organizations must be satisfied that you really are who you say you are,” said Clay Shirky, chair of the Markle Connecting for Health Work Group on Consumer Authentication Policies for Networked Health Information. “We found that there are several sound techniques for confirming users’ identities that can be generally adopted in health care to make it easier for consumers to connect to all of their data reliably.”
To make rapid progress toward enabling consumers to access their personal health information accurately and securely, the group recommends widespread adoption of several common practices for managing the identities of online consumers. Reliable means of verifying and validating consumers’ identities would significantly improve the ability of consumers to access and consolidate all of their electronic health information – such as test results, medication lists, treatment histories and other critical health information. The paper also recommends a federal commitment to research on the reliability of different forms of in-person and online identity management methods.
The report contains the recommendations of 38 health and technology leaders in health care, technology companies, government, consumer groups, and others. It is the latest addition to the Markle Connecting for Health Common Framework – a set of policy and technical resources for private and secure electronic health information exchange.
The report recommends that in-person proofing – checking government-issued identification documents in a face-to-face setting – continue to be one of the commonly used approaches, especially for organizations that lack an established relationship with the consumer. But it also encourages greater use of “knowledge-based authentication” – a set of methods that confirm a person’s identity through an electronic dialogue about facts that only the proper user should know. The group also recommended new efforts at “bootstrapping,” by allowing health care organizations to make use of confirmed identities managed by other reliable parties, such as financial institutions.
“People should not have to put their privacy at risk in order to participate in innovations that promise to improve health care, access to care, and consumer control over their own information. No solution is fool-proof, but we are calling on the government to take a more vigorous leadership role in measuring the accuracy of identity-proofing methods, so that we can be more secure that people are who they say they are when accessing and sharing their health information,” said Janlori Goldman, director of the Health Privacy Project, and research faculty at the Mailman School of Public Health at Columbia University.
“We conclude that the authentication challenge is manageable today,” said David Lansky, PhD, senior director of the Markle Foundation Health Program. “And we are encouraged that new technologies and even policy innovations will remove today’s barriers that prevent organizations from sharing electronic information with consumers.”
“We need to improve what we already know about current methods,” said Work Group member Donald Simborg, MD, a leading voice in electronic health information standards. “We must study and better measure the reliability of various methods of consumer authentication. We strongly recommend more research in this area from both government and the private sector.”
The group notes that even today’s most commonly used method – in-person identity proofing – has not been subject to stringent reliability testing. The absence of sound testing data makes it difficult to evaluate the relative benefits or drawbacks of innovative approaches. The Work Group calls on the National Institute of Standards and Technology, in collaboration with other interested agencies, to study current identity-proofing practices to help set benchmarks.
The paper further emphasizes the need for ongoing monitoring to detect fraud and to strengthen trust across entities sharing data based on the consumer’s authorization.
Markle Connecting for Health is a public-private collaborative with representatives from more than one hundred organizations across the spectrum of health care and information technology specialists. Its purpose is to catalyze the widespread changes necessary to realize the full benefits of health information technology while protecting patient privacy and the security of personal health information. Markle Connecting for Health tackles the key challenges to creating a networked health information environment that enables secure and private information sharing when and where it is needed to improve health and health care. Learn more about Markle Connecting for Health at www.markle.org/health.