Consumer Identity and Personal Health
May 2014 Working Group Meeting, May 6, 2014
Presented by: Tim McKay, Ph.D., CISSP, Kaiser Permanente

Agenda
• State of Online Consumer Identity
• Identity and Healthcare
• The Value of Individually Identifiable Health Information
• Identity Standards
Consumer Identity in 2014
• A fragmented space of "N of 1" solutions
  • One set of credentials = access to one service
  • Exceptions: Facebook, Google
• One factor dominant
  • Exceptions: Google, eBay, some financial institutions
• No population sensitivity
• A (largely) self-asserted space
• Convenience over privacy
  • Site driven
  • Consumer driven
Consumer Identity in Healthcare
• Who you are matters . . . sometimes
  • Stand-alone app vs. connections to medical records
• Privacy matters . . . sometimes
  • HIPAA and non-HIPAA entities
  • Metadata and "anonymous" uses of data
  • Social media credential use
• Portability matters . . . sometimes
  • HIE initiated
  • Consumer initiated
• Zero reuse of consumer credentials between health systems
• No metadata standards to enable accurate record matching
• No accepted standards for account creation and maintenance
Why is an individual's health information of value to others?
• Use to obtain health care services
  • Physical
  • Virtual
• Use to market goods and services
• Use for general identity spoofing for financial gain
  • Demographic information
  • Financial information
• Health information for targeted individuals
  • Sale of celebrity information
  • Blackmail
  • Exercise control over another
Developing standards for consumer health identities
• Why are identity standards important?
  • Reduce inappropriate disclosure
  • Ensure the integrity of an individual's medical record
• National Institute of Standards and Technology (NIST)
  • SP 800-63-2 (Electronic Authentication Guideline)
  • SP 800-162 (Attribute Based Access Control)
• National Strategy for Trusted Identities in Cyberspace (NSTIC): identity solutions will be
  • Privacy enhancing and voluntary
  • Secure and resilient
  • Interoperable
  • Cost effective and easy to use
• Identity Ecosystem Steering Group
  • Promotes goals of NSTIC
  • Quarterly plenary; ongoing workgroups (including healthcare)
  • Focus on demonstration projects and an identity framework
  • Not currently planning to be a standards organization
Creating Consumer Health Identity Standards
• Account Creation and Identity Provisioning
  • Identity proofing
  • User ID rules
  • Password rules . . . or maybe not
• Authentication
  • Account controls
  • Multi-factor authentication
  • Biometric use
  • Establishment of account proxy identities
• Account Maintenance
  • Forgot user ID and forgot password
  • Account de-provisioning
  • Account reinstatement
  • Suspected fraudulent use
• Identity Portability
  • Metadata for identity assertion
  • "Home" and "Guest" account rules
Issues Consumer Health Identity Standards Must Address
• Controls which backfire
  • Increasing password strength and length
  • Password expiration
• Controls which are population relevant
  • Who is the target user?
  • How are the needs of vulnerable populations addressed?
• Controls which respect autonomy
  • Set minimum bars
  • Raise the bars for higher-risk transactions
    • Data transfer to third parties
    • New cross-entity identity assertions
  • Provide enhanced controls on an elective basis
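The last two slides describe a tiered control model: a minimum bar for routine account use, a raised bar for higher-risk transactions (sharing data with third parties, asserting the identity to another entity), enhanced controls the account holder can elect to turn on, proxy identities acting for another account, and a hold on accounts under review for suspected fraudulent use. The following Python is an added example written for this page, not code from the presentation or from Kaiser Permanente; the transaction names, the assurance levels, the account identifiers and the rule that a proxy session must clear both accounts' floors are constructed assumptions chosen to illustrate the model.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional


class Assurance(IntEnum):
    """Strength of the authentication a session was established with (constructed scale)."""
    NONE = 0
    SINGLE_FACTOR = 1   # password (or equivalent) only
    MULTI_FACTOR = 2    # password plus a second factor such as an OTP or registered device


# Constructed risk tiers (an assumption, not values from the presentation):
# routine reads sit at the minimum bar; anything that moves data to another
# party, asserts the identity elsewhere, or changes how the account is reached
# sits at the raised bar.
TRANSACTION_MINIMUM: Dict[str, Assurance] = {
    "view_appointments": Assurance.SINGLE_FACTOR,
    "view_medical_record": Assurance.SINGLE_FACTOR,
    "change_contact_info": Assurance.MULTI_FACTOR,
    "share_record_with_third_party": Assurance.MULTI_FACTOR,
    "assert_identity_to_other_entity": Assurance.MULTI_FACTOR,
}


@dataclass
class AccountPolicy:
    account_id: str
    # Floor the account holder chose for themselves (the elective enhanced control).
    # It can only raise the bar; the transaction minimum is never lowered.
    elective_minimum: Assurance = Assurance.SINGLE_FACTOR
    # Set while suspected fraudulent use of the account is under review.
    suspected_fraud: bool = False


@dataclass
class Session:
    account_id: str                    # the authenticated account
    assurance: Assurance               # how strongly it authenticated
    acting_for: Optional[str] = None   # proxy identity: the account whose data is accessed


def required_assurance(transaction: str, session: Session,
                       policies: Dict[str, AccountPolicy]) -> Optional[Assurance]:
    """Return the bar the session must clear, or None for an unknown transaction.

    Assumption: a proxy session must satisfy the elective floor of both the
    acting account and the account it acts for.
    """
    base = TRANSACTION_MINIMUM.get(transaction)
    if base is None:
        return None
    floors = [base]
    for acct in (session.account_id, session.acting_for):
        if acct is not None and acct in policies:
            floors.append(policies[acct].elective_minimum)
    return max(floors)


def decide(transaction: str, session: Session,
           policies: Dict[str, AccountPolicy]) -> str:
    """Return 'allow', 'step_up' (re-authenticate more strongly) or 'deny'."""
    required = required_assurance(transaction, session, policies)
    if required is None:
        return "deny"          # fail closed on transactions the table does not know
    for acct in (session.account_id, session.acting_for):
        if acct in policies and policies[acct].suspected_fraud:
            return "deny"      # any account in the chain under fraud review blocks it
    return "allow" if session.assurance >= required else "step_up"


if __name__ == "__main__":
    # Constructed sample accounts: pt-1002 elected a multi-factor floor.
    policies = {
        "pt-1001": AccountPolicy("pt-1001"),
        "pt-1002": AccountPolicy("pt-1002", elective_minimum=Assurance.MULTI_FACTOR),
    }
    s = Session("pt-1001", Assurance.SINGLE_FACTOR)
    print(decide("view_appointments", s, policies))              # allow
    print(decide("share_record_with_third_party", s, policies))  # step_up
    proxy = Session("pt-1001", Assurance.SINGLE_FACTOR, acting_for="pt-1002")
    print(decide("view_medical_record", proxy, policies))        # step_up
```

The split between `required_assurance` and `decide` keeps the policy question (what bar applies) separate from the enforcement question (does this session clear it), so a deployment can log the required level for audit even when the answer is "allow". A "step_up" result is the respectful-of-autonomy outcome the slide asks for: the single-factor session stays valid for routine use and only the higher-risk transaction prompts for the stronger factor.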
Consumer Identity and Personal Health
Thank you
Tim McKay, tim.a.mckay@kp.org