NHIN begins to look at user-level authentication
During the 2008 trial implementations process and the subsequent limited production operation of the Nationwide Health Information Network (NHIN), health information exchange between two participating entities has relied on authentication at the entity (that is, organization) level rather than at the individual user level. For the trial implementations, participating organizations were issued X.509 certificates by a single, centralized certificate authority in a public key infrastructure supporting authentication, basic authorization (there is a presumption that any authenticated request is authorized to receive the information being requested), and non-repudiation of origin. In practice that presumption means the participant certificate does double duty as an access-control credential: the receiving organization has no per-user basis on which to decide whether to release a record, only the fact that the requesting organization holds a valid certificate. One of the security gaps identified during the trial implementation process was the future need to extend authentication and authorization to individual users rather than to the organizations with which they are affiliated, potentially including hundreds of millions of citizens, should the current administration's vision for widespread adoption of electronic medical records and personal health records come to fruition. There are many technical and functional alternatives that might be used to provide individual user authentication for health information exchange, but the only consensus seems to be that a solution relying on a single certificate issuer cannot scale to meet the need.
Last week, the NHIN workgroup of the Health IT Policy Committee met to hear testimony from public and private sector representatives on current activities in authentication and identity management, and to begin considering options for user-level authentication within the NHIN. As a federally led initiative, any NHIN authentication model must be consistent with the applicable government standards on electronic authentication, most importantly NIST Special Publication 800-63, which specifies the four-level e-authentication assurance framework against which federal online systems are assessed. Given the sensitivity of health record data, security evaluations to date have suggested that the NHIN falls under E-Authentication Level 3, which requires strong (multi-factor) authentication and lays out specific requirements for identity proofing and for the subsequent authentication and authorization decisions. Any time the general public is considered part of the potential user base, meeting e-authentication standards becomes complicated: it is not uncommon for individuals to conduct online transactions infrequently, which poses challenges for credential issuance, maintenance, and retrieval, as well as cost and logistical considerations for distributing software or hardware tokens. Among the vendors most likely to have answers to these challenges is Anakam, whose two-factor authentication solution leverages existing personal devices such as mobile phones as an alternative to purpose-specific smart cards or other hard tokens, and which was an active participant in the NHIN trial implementation process. Regardless of the technical solutions ultimately chosen, the fact that attention has turned to user authentication for the NHIN is a noteworthy development in itself. There remain a lot of moving pieces relevant to any solution in this area, including in-process revisions to the e-authentication guidance (a topic for another day), so this will be an interesting process to watch as it evolves.