Consumer Authentication for Networked Personal Health Information Redwood Health Information Collaborative March 18, 2008 Josh Lemieux Director, Personal.


1 Consumer Authentication for Networked Personal Health Information Redwood Health Information Collaborative March 18, 2008 Josh Lemieux Director, Personal Health Technology Initiative, Markle Health Program

2 Common Framework for Networked Personal Health Information

3 Objectives
The overall purpose:
– To help open up private and secure data flows between health data sources and consumer-accessible applications (networked PHRs).
– We call these “Consumer Data Streams” — the chain of handoffs of copies of personal health information destined for the consumer’s application.
The focus is on policies:
– Authentication: Trust across entities for ID proofing, online tokens, ongoing monitoring, and auditing.
– Access: Broader focus on privacy, consent, data collection and use, transparency, enforcement, etc., across entities participating in Consumer Data Streams.

4 Many Simultaneous Activities Access policy efforts: Employers AHIC HITSP HISPC National Governors Ass’n Congress, etc. Authentication efforts: EAP/EAF AHIC HITSP Liberty Alliance VeriSign Private vendors AHIP/BCBS Dossia Intuit Revolution WebMD Google Microsoft VA/CMS Large IDNs Many smaller players Public and private PHR efforts

5 Consumer Authentication Overview
Working Group set out to find a set of authentication methods and policies that would bring networked PHRs closer to reality.
Two big barriers:
1. Proofing: We could not find Metric “X” for proofing accuracy.
2. Business issues (i.e., competition, lack of business value, and fear of liability) may discourage data holders from accepting even well-executed proofing and authentication from remote parties.

6 Consumer Authentication Recommendations
Part 1: Proofing
1A: In-person proofing is a reasonable — although imperfect and poorly measured — default when there is no prior relationship with the consumer. But it’s not always feasible.
1B: Consider ‘bootstrapping’ in-person encounters with other sectors (financial institutions, post offices, retail pharmacies, notaries public, etc.).

7 Consumer Authentication Recommendations
Part 1: Proofing
1C: Consider remote proofing methods that:
a. Rely on combinations of at least two alternative methods or sources for validating identity that use separate data (i.e., don't use two different sources relying on Social Security Number or the same account number).
b. Are optimized to minimize the rate of false positives (i.e., when the wrong person is granted access based on an identity not his own).
c. Provide an alternative identity-proofing protocol to mitigate false negatives (i.e., when the right person using his correct identity is denied access nonetheless).
d. Take precautions to minimize risk to the consumer.

8 Consumer Authentication Recommendations
Part 1: Proofing (continued)
1D: Begin Federal research on identity proofing quality. Federal studies to create proofing accuracy benchmarks.
1E: Do not use clinical information as validation data in an authentication process.

9 Consumer Authentication Recommendations
Part 2 & 3: Tokens and Monitoring
2A-2E: Follow Industry Practice in Binding, Use, and Re-use of Tokens
3A: Ongoing monitoring: Proofing is a process, not an event. Every authentication offers a chance at re-verification.
3B: Enable consumers to view audit trail: Consumers can help detect fraud when they have access to transaction history.

10 Consumer Authentication Recommendations
Part 4: Auditing and Enforcement
4A: Ensure that third parties are “observable” in how and how well they are performing identity proofing, token-issuing and ongoing monitoring or any related services to authenticate consumers.
4B: Ensure a mechanism for enforcement and redress for bad actions.
4C: Consider federation and/or other contractual means to address Recommendations 4A and 4B.

11 Conclusion: A Path Forward
Our next area of work is to establish policy rules and techniques that establish trust among participants, including consumers, over a “network of networks.”
New trends — new threats, new business relationships, emerging technologies, and consumer awareness and behavior — all warrant close monitoring and all reinforce the idea that the path forward on consumer authentication requires careful thinking, new research, and innovative approaches.

12 Closing Remarks Thank You!

