Unless strong authentication (two-factor authentication using smart cards and one-time passwords (OTP), for example) is required to gain access to your medical information, the answer is no. Not very reassuring, is it?
There are several security solutions available today for accessing information on a local computer or the Internet. Most are adequate for low risk applications. For example, you may enter a username and password to gain access to member-only content on a news or sports Website. It is common knowledge that passwords are not secure and can easily be guessed with some very basic information of the person. Hackers gain access into networks all the time.
When it comes to trust, having the assurance that the person accessing the network containing your medical information is who they say they are is critical to protecting your health information.
In the summer of 2008, the U.S. Drug Enforcement Agency (DEA) issued proposed rules requiring two-factor authentication to electronically prescribe controlled substances. Under the proposed rules your doctor and the pharmacist filling the prescription are required to authenticate themselves into the e-Prescription web-based system using a strong authentication device such as a smart card, hardware token. Why? The DEA requires assurance that the persons on both ends of the prescription (physician and pharmacist) are who they say they are—having the trust and assurance of the person’s identity is critical, especially when it comes to knowing who is writing the prescriptions and who is filling them.
The DEA generated such a great idea from experience. As a government agency, DEA employees have been issued a Personal Identity Verification (PIV) credential – a smart card to serve as their ID badge. Under Presidential Directive HSPD-12 all government employees are to use their PIV credential to access government buildings and federal computers. There is a reason why civilian agencies of the U.S. Federal Government and the Department of Defense require two-factor authentication to access the government’s computer networks -- because two-factor (strong authentication) works.
Requiring strong authentication to secure access government networks or to write and fill prescriptions is effective and widely deployed. Don’t you want the assurance your medical information is protected in the same manner?
The American Recovery and Reinvestment Act of 2009 included $19 billion for health information technology. A portion of this money will go towards improving healthcare information management by focusing on exchanging patient electronic medical records online at the regional and state level via Health Information Exchanges (HIEs) and Regional Health Information Organizations (RHIOs) and connecting these to form the National Health Information Network (NHIN). Today, one can gain access to those networks by a username and password.
Identity management is a significant problem in the healthcare industry. Any efforts to improve healthcare information systems, reduce administrative costs, fight healthcare fraud and identity theft, and improve patient care must start by building a solid healthcare identity foundation.
The benefits of wider information exchange will not be realized without a solid identity management foundation. Worse, accurately linking patient records becomes exponentially harder as the size of the patient population grows, and resolving identity questions is very difficult without the involvement of the patient or healthcare provider. Healthcare identity management needs to be the foundational cornerstone. Without the identity foundation, information exchange initiatives cannot achieve the real benefits they seek of improving healthcare and improved controlling costs.
If strong authentication tools are widely deployed and have been proven effective, then why aren’t they widely used by healthcare providers and insurance companies in the U.S.? Unfortunately, it is a short-term financial issue.
The American Recovery and Reinvestment Act of 2009 will bring many changes to the U.S. healthcare system. Your medical record will become electronic and stored on a computer network. To protect your privacy you want reassurance that the strongest of authentication methods are utilized to access your information. Those protections will undoubtedly come from the U.S. Congress.