The Smart Card Alliance position is that the Department of Health and Human Services should require that any Personal Health Record (PHR) and Health Record Bank (HRB) organization make available strong authentication options such as smart cards, tokens or one-time password devices to their consumers/subscribers in order to access information in electronic personal health records.
To assure patient privacy and security, strong, multi-factor authentication should be required to access an electronic PHR and HRB. Using a combination of “something you know” (username/ password or personal identification number), “something you have” (a smart card or hardware token) and “something you are” (a biometric such as a fingerprint) will provide high assurance that the person is who he or she claims to be.
Maintaining consumer confidence in the security of electronic personal health records is critical for the success of PHR providers and HRBs. As the country moves rapidly to electronic health records, the overwhelming majority of PHR providers and HRBs have made very personal and private health information available online. Should any of these networks be compromised, the healthcare industry will suffer a tremendous setback that will undermine all of the investment and progress that has been made to date. Consumer confidence in these systems is essential if we are to realize the potential of electronic health records and information exchange. A key linchpin of this process is the requirement for patient consent for the exchange of health information between providers. Without trust, there will be no consent and without consent there will be no information exchange. The entire system will be undermined if security and privacy issue are not addressed now.
Unfortunately, access to this information by healthcare providers, administrators or patients themselves typically requires only a username/password.
“Too many times it has been proven that single-factor password authentication is the weak link that leads to large numbers of accounts being compromised,” said Vanderhoof.
Verizon Business analyzed payment card breaches from 2008-09 and determined that 35 percent of the time, breaches were attributed to either the use of stolen or guessed password login credentials. Compromised username/passwords were also the cause of a recent security breach in Puerto Rico that compromised 400,000 health records. In addition, stolen passwords are a significant component of the $60 billion in Medicare fraud, the 509 million records exposed in data breaches since 2005, and identity theft, the number one consumer complaint to the Federal Trade Commission for more than 10 years running.
"The facts speak for themselves. As policy makers move forward with guidelines for individual access to electronic personal health records, we should learn from past mistakes and not repeat them. It is essential that we start on a solid footing for security by requiring two factor authentication for all access to health records, whether by healthcare providers or administrators or individuals," said Vanderhoof.
President Obama's cybersecurity team seems to agree. The National Strategy for Trusted Identities in Cyberspace (NSTIC) draft—which aims to strengthen trust and security on the Internet—recognized that a high degree of trust is required when individuals access electronic personal health records. The NSTIC is expected to be signed by President Obama during Q1 2011. PHRs and HRBs should take the lead to re-architect their portals to offer high assurance options for accessing healthcare information as defined in the strategy.
In addition, the government's own guidelines for electronic authentication (NIST Special Publication 800-63), consider username/password as a low level of assurance. In order to protect patient privacy and security for electronic personal health records access, however, there should be very high confidence in the asserted identity of anyone accessing the information. For these types of uses, the guidelines recommend strong authentication such as those based on smart cards.
The federal government has put into practice the high assurance methodologies covered in these guidelines, having mandated smart card-based identity credentials, known as Personal Identity Verification (PIV) cards, for all of its employees and contractors to increase security for information access and identity credentials.
More healthcare identity management related information is available at the Smart Card Alliance website including white papers, webinars and executive briefs.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org.