
Page 1: Identity Ecosystem Use Cases – Healthcared3nrwezfchbhhm.cloudfront.net/media/scag13_preconference/07.pdf · Identity Ecosystem Use Cases – Healthcare Michael Magrath, CSCIP Director,

Identity Ecosystem Use Cases – Healthcare   Michael Magrath, CSCIP   Director, Business Development – Government & Healthcare   Gemalto, Inc.


Securing Electronic Healthcare Records

• A key driver to the creation of the NSTIC

Graphic Credit: Experian


2009 - 2012


Healthcare is different

• The security of personal health information is far different compared to other types of personal information including financial.

• Today there are no policies and procedures in place to restore one's health information.

• Personal health information and electronic medical records contain highly sensitive information and warrant very high confidence in the accuracy of the asserted identity.

• Once the data is compromised and in the wrong hands, the exposure is irreversible and the consequences can affect the victim for a lifetime.


IDESG Healthcare Committee

Rationale

The goal of the Health Care Committee is to provide the coordination, leadership, and technical support necessary to ensure widespread adoption of the Identity Ecosystem Framework across the entire Health Care community.

Objectives

Through communication with the community, citizens, and government, the Health Care Committee will strive to support health care industry solutions in the Identity Ecosystem that:

• Promote efficiency
• Limit redundancy
• Reduce barriers to use/adoption
• Increase interoperability, privacy, and security
• Advance confidentiality, availability, and integrity particularly targeted toward online systems
• Promote trust across the entire industry


To join and participate in the identity ecosystem formulation www.idecosystem.org


Provider Use Cases


PCP Referring Patient to a Specialist

• The Medicare patient’s Primary Care Physician has made the determination that it is clinically and legally appropriate to send a referral and summary of care to the specialist.

• The referring PCP accesses the EHR system, initiates a referral message, and attaches clinical documents as needed for reference. She digitally signs the referral with her Medicare Provider Card and then sends the referral.

• The specialist sees the new referral in his local practice EHR. If this is a new patient for the practice, a new patient is created in the EHR. The core referral and the various documents are imported into the new patient's chart.


Provider ePrescribing a Controlled Substance

• Provider identity proofed with high assurance remotely or in-person at NIST LOA 3

• Two-factor authentication of provider at point of ‘signing’ prescription under DEA-approved mechanisms.


Provider Accesses Hospital’s EMR System From Home

•  A radiologist needs to access patient record after hours

•  Using multi-factor authentication (likely required in 2016) the physician inserts her PIV-I credential issued by her hospital into her laptop and enters her PIN

•  She logs into the hospital’s VPN

•  She accesses the EMR system and views the patient’s x-ray.


Patient Use Cases


Patient logs into a Personal Health Record to access their lab results.

• Patient has been seen previously in the facility and has given their email address.

• Patient logs into the PHR and is asked to use credentials from Google, Facebook, Yahoo, or Microsoft.

• Patient uses email address and Google account password to authenticate themselves and they are given access to their PHR from which the lab results can be viewed.


Patient logs into a Personal Health Record to access their lab results. #2

• Patient has been seen previously in the facility and has been identity proofed and issued an eHealth card – a smart card for use at point of care and also logical access into the health system portals.

• Patient inserts eHealth card into reader and enters their PIN.

• Patient is prompted to verify their information and agree to the Terms & Conditions.

• Once agreed, the lab results are displayed.


Patient Logs into a Personal Health Record to Add His Blood Pressure Reading

• Patient has been seen previously in the facility and has given their email address.

• Patient logs into the PHR using his email as his username and is asked to use credentials from his smartphone service provider.

• A one-time password is generated on his phone, and he completes the login.

• Patient enters his blood pressure.


You have a legal right to receive your personal health information. The Blue Button lets you go online and download your health records so you can use them to improve your health, have more control over your personal health information and your family’s healthcare. Where to store and protect the Blue Button download?

Numerous organizations – such as payers, providers, consumer advocacy groups, health-related associations, and nonprofits – have pledged to offer the Blue Button. http://www.healthit.gov/patients-families/pledge-members


Medicare Patient logs into MyMedicare.gov site to access their records.

Patient has been registered with Medicare and been seen for healthcare services for which a provider has been paid.

Patient registers with MyMedicare.gov by entering their Medicare Number (SSN plus a letter, usually 'A'), their last name, birthdate, gender, and zipcode.

Patient can then choose a username and password under rules for complexity. Subsequent logins are authenticated using this username and password.

Once logged in, patient selects the 'Blue Button' and then can view and download their PHI in text or pdf formats.


Medicare Patient logs into MyMedicare.gov site to access their records.

•  Patient has been issued a Medicare eHealth card by CMS. The chip within the card includes the patient’s Medicare Number (SSN plus a letter, usually 'A'), their first and last name, birth date, gender, and zip code.

• The patient can then choose a username and password under rules for complexity. Subsequent logins are authenticated using this username and password.

•  Once logged in, patient selects the 'Blue Button' and then can view and download their PHI in text or pdf formats.


Patient logs into a PHR to download and transmit health record via the Blue Button

• Patient has been seen previously in the facility and has been identity proofed and issued an eHealth card – a smart card for use at point of care and also logical access into the health system portals.

• Patient uses eHealth card and enters PIN to log into patient portal.

• Patient clicks on Blue Button to download recent medical history and is asked what type of file and where to save it to.

• Patient selects an XML file and saves the data to her eHealth card.


Summary

• Personal health information and electronic medical records contain highly sensitive information and warrant the need for very high confidence in the accuracy of the asserted identity.

• HHS may require two-factor authentication for providers accessing EHRs outside the four walls of a healthcare facility.

• Consumers/Patients will not be required to, but hopefully through education and awareness they will opt to use high assurance credentials to access PHRs.

• To join and participate in the identity ecosystem formulation, visit www.idecosystem.org


Questions?


Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 · www.smartcardalliance.org

Michael Magrath, CSCIP, Director, Business Development - Government & Healthcare, Gemalto, Inc. Office: 512-758-8911 Cell: 703-944-1090 http://twitter.com/healthITidmgt