ONC, Inova look to NSTIC for healthcare identity management


The healthcare industry could greatly benefit from innovations in digital identity authenticiation, said Jeremy Grant, senior executive advisor for identity management at the National Institute of Standards and Technology.

Because providers and patients juggle multiple credentials to access various systems and identity verification is important for care delivery and privacy, the healtcare industry needs a repeatable, standards-based identity solutions, he said during a Feb. 25 presentation (.pdf) at the HIMMS annual conference in Orlando, Fla.

Rather than create a one-off solution specific to healthcare, the industry can leverage other work being done to support the National Strategy for Trusted Identities in Cyberspace.

For example, the Office of the National Coordinator for Health Information Technology's Direct Project aims to establish a standards-based way for EHR vendors, medical organizations and others to send authenticated, encrypted health information to trusted parties over the Internet. Direct currently uses secure email standards and relies on PKI encryption, but not for long, said Doug Fridsma, ONC chief technology officer, during the presentation.

Direct plans to move from a PKI-based infrastructure to federated NSTIC compliant approaches, he said. ONC is also developing new pilots to align with NSTIC, Fridsma told attendees.

NIST funds 12 pilot projects (with more on the way) that implement the principles set out in NSTIC, one of which is the Cross-Sector Digital Identity Initiative. Inova Health System is partnering with CSDII as part of the pilot, said Inova CTO Marshall Ruffin, while speaking at HIMMS

CSDII is a consortium that includes relying parties, identity providers and credential service providers, to name a few – among them, Virginia's Department of Motor Vehicles and the American Association of Motor Vehicle Administrators. Ruffin said a patient's driver's license number is being tested as part of the health system's PHR log-in process.

"We're working with [Inova] to use CSDII to actually authenticate them versus having their traditional user ID and password," said Michael Farnsworth, technical lead for CSDII, during a Dec. 16, 2013 webinar.

Farnsworth said access to Inova's MyChart is a three-part process. First the patient would choose a login for an existing web account, such as Google or Yahoo!. Next he can enter his driver's license number, and finally an instant, automated confirmation phone call is sent to the phone number on file with Inova. Upon confirmation, the patient is allowed access to his account.

MyChart is one of two Inova use cases in the CSDII pilot.

"We have two use cases that we're targeting with them. One being patient access to health records and the other one being provider access to their electronic health record system," said Farnsworth.

Ruffin said Inova realizes the business value for the patient. CSDII is more convenient and comfortable for the patient, he said. For the provider, it reduces the burden of managing authentication on its own by relying on a reusable, consistent system – all while providing reduced cost and increased security, he said.

For more:
- download the presentation slides (.pdf)
- watch a video clip from the Dec. 16 NSTIC pilots webinar

Related Articles: 
FICAM trust framework update opens door to federal credentials from financial institutions 
NIST opens third round of NSTIC pilots 
USPS offers a peek at cloud credential exchange