NHIN begins to look at user-level authentication

During the 2008 trial implementations process and subsequent limited production operation of the Nationwide Health Information Network (NHIN), health information exchange between two participating entities relies on authentication at the entity (that is, organization) level, rather than at the individual user level. For the trial implementations, participating organizations were issued X.509 certificates from a single, centralized certificate authority in a public key infrastructure supporting authentication, basic authorization (there is a presumption than any authenticated request is authorized to receive the information being requested), and non-repudiation of origin. One of the security gaps identified during the trial implementation process was the future need to extend authentication and authorization to individual users, rather than the organizations with which they are affiliated, potentially including hundreds of millions of citizens, should the current administration’s vision for widespread adoption of electronic medial records and personal health records come to fruition. There are many technical and functional alternatives available that might be used to provide individual user authentication for health information exchange, but the only consensus seems to be that a solution relying on a single certificate issuer cannot scale to meet the need.

Last week, the NHIN workgroup of the Health IT Policy Committee met to hear testimony from public and private sector representatives on current activities on authentication and identity management, and to begin considering options for user-level authentication with the NHIN. As a federally led initiative, any NHIN authentication model must be consistent with appropriate government standards on electronic authentication, most importantly NIST Special Publication 800-63, which specified a four-level e-authentication framework against which online systems must be assessed. Given the sensitivity of health record data, security evaluations to date have suggested the NHIN falls under E-Authentication Level 3, the requirements for which include strong authentication and lay out specific requirements for identity proofing and subsequent authentication and authorization decisions. Any time the general public is considered part of the potential user base, e-authentication standards become complicated, as it is not uncommon for individuals conduct online transactions infrequently, posing challenges related to credential issuance, maintenance, and retrieval, as well as cost and logistical considerations about software or hardware token distribution. Among the vendors most likely to have answers to these challenges is Anakam, whose two-factor authentication solution leverages existing personal devices such as mobile phones as an alternative to purpose-specific smart cards or other hard tokens, and who was an active participant in the NHIN trial implementation process. Regardless of the technical solutions ultimately chosen, the fact that attention has turned to user authentication for the NHIN is a noteworthy development in itself. There remain a lot of moving pieces relevant to any solution in this area, including in-process revisions to the e-authentication guidance (a topic for another day), so this will be an interesting process to watch as it evolves.

2 Comments on “NHIN begins to look at user-level authentication

  1. I don’t quite understand why individual users would need to access the NHIN. Would it be to view their own personal health information? If so, I didn’t think this was a goal of the program.

    The NHIN is designed to allow the organizations to share your health information so that when you walk into your doctor’s office they can pull up any care provided elsewhere.

    Am I off base?

  2. You’re correct that the NHIN is intended to enable exchange of medical information among organizations, but specific requests for information may originate from individuals, whether health care providers, payers, health plan administrators, or the patients themselves who are the subject of the records being requested. Right now authentication is only based on the organization, but there are certainly potential uses of this information exchange model where you’d want to know and be able to verify the identity and credentials of the individual making the request. To the extent that personal health record providers like Google or Microsoft or Dossia (or any of the health insurance plans that offer this feature to members) become participants in the NHIN, you might well have an individual make a request about their own records that is handled through the NHIN. If that were to happen today, the PHR vendor would be authenticated (and might even pass the name and affiliation of the individual with the request), so verifying the identity of the individual is a responsibility delegated to the participating organization. Authentication credentials for individuals, alone or in addition to organizational credentials, might enhance the ability of receivers of requests to determine whether or not they should fulfill the request.