Trust and interoperability in healthcare identity systems

The view from Kantara’s Executive Director, Kay Chopard Cohen

“Often variations in interoperability are not due to technical issues but are caused by deficits in trust between organizations and by anti-competitive behavior that results in patient Electronic Health Information (EHI) [being held in silos].”
(Office of the National Coordinator for Health Information Technology; TEFCA Draft 2)

As with many aspects of identity management, the challenges we see in managing electronic health information often emanate from a lack of trust – not from a failure of technical capability.

  • Patients want to know that their personal information is held safely and securely and is only accessible to those with the right to access it.
  • Healthcare organizations, State and Federal agencies need confidence that the person presenting their health ID is who they claim to be.
  • And we all need to trust that any personal information shared between healthcare providers is shared in compliance with the most rigorous standards for data sharing and identity protection.

There are already strict mandates in healthcare for the assurance and accreditation of ID and the providers of ID systems. (See Section 6, Identity Proofing mandated assurance levels, TEFCA.) Increasing adoption of NIST-800-63 standards across the healthcare sector will undoubtedly make for more robust EHI sharing, which will lead to greater trust in the whole sector. But the challenges seen around the rollout of the COVID-19 vaccination program show there is still a long way to go.

The TEFCA Trust Framework brings together healthcare organisations, ID and Authentication service providers and the relying parties who, ultimately, provide services to patients. In the case of the vaccine rollout, knowing that the patient in front of you is who they say they are is secondary to understanding their full medical history – with alerts to any allergies or potential health risks. But we must also ensure the necessary patient consents and protocols are in place to allow us to share relevant data needed for the successful and inclusive development of the vaccination program.

It is vital that vendors and healthcare providers can openly demonstrate that they meet the recognised standards for excellence in this area. Not only does this create a greater sense of trust in the identity services in use, but it also actively protects against privacy violations and security breaches. The NIST standard is a stringent one and is already recognised across other sectors including financial services. At Kantara Initiative, we focus on helping organizations – including healthcare providers – ensure they meet the necessary standards for ID and privacy. Together we help instil trust across the entire identity process. As a non-partisan, not-for-profit institution, we are well placed to carry out independent assessments of the ID products and processes that underpin our healthcare system. We don’t endorse vendors or products. But we do provide an independent assessment of what is good – and what needs to be changed – to maintain a high degree of trust across the health ecosystem.

The NIST standards offer the best possible protection for ID, data privacy and security. It is why TEFCA has mandated these assurance levels for the management of electronic health information.

We all need assurance that our identity and healthcare information is being shared transparently and within an ecosystem and framework that offers consistency and security. At the end of the day, in this sector, getting it wrong can make the difference between life and death.

For further information, see how to register for assessment and qualify for the Trust Mark through Kantara’s Service Provider Approval Process, as required by TEFCA.