
Consumer identity and Personal Health

Consumer identity and Personal Health. May 2014 Working Group Meeting, May 6, 2014. Presented by: Tim McKay, Ph.D., CISSP, Kaiser Permanente. Agenda: State of Online Consumer Identity; Identity and Healthcare; The Value of Individually Identifiable Health Information; Identity Standards.


Presentation Transcript


  1. Consumer identity and Personal Health May 2014 Working Group Meeting May 6, 2014 Presented by: Tim McKay, Ph.D., CISSP Kaiser Permanente

  2. Agenda
     • State of Online Consumer Identity
     • Identity and Healthcare
     • The Value of Individually Identifiable Health Information
     • Identity Standards

  3. Consumer Identity in 2014
     • A fragmented space of N of 1 solutions
     • One set of credentials = access to one service
     • Exceptions: Facebook, Google
     • One factor dominant
     • Exceptions: Google, eBay, some financial institutions
     • No population sensitivity
     • A (largely) self-asserted space
     • Convenience over privacy
     • Site driven
     • Consumer driven

  4. Consumer Identity in Healthcare
     • Who you are matters . . . sometimes
     • Stand-alone app vs. connections to medical records
     • Privacy matters . . . sometimes
     • HIPAA and non-HIPAA entities
     • Metadata and “anonymous” uses of data
     • Social media credential use
     • Portability matters . . . sometimes
     • HIE initiated
     • Consumer initiated
     • Zero reuse of consumer credentials between health systems
     • No metadata standards to enable accurate record matching.
     • No accepted standards for account creation and maintenance.

  5. Why is an individual’s health information of value to others?
     • Use to obtain health care services
     • Physical
     • Virtual
     • Use to market goods and services
     • Use for general identity spoofing for financial gain
     • Demographic information
     • Financial information
     • Health information for targeted individuals
     • Sale of celebrity information
     • Blackmail
     • Exercise control over another

  6. Developing standards for consumer health identities
     • Why are identity standards important?
     • Reduce inappropriate disclosure
     • Ensure the integrity of an individual’s medical record
     • National Institute of Standards and Technology (NIST)
     • 800-63-2 (Electronic Authorization)
     • 800-162 (Role Based Access)
     • National Solution for Trusted Identities in Cyberspace (NSTIC): Identity Solutions will be
     • Privacy enhancing and voluntary
     • Secure and resilient
     • Interoperable
     • Cost effective and easy to use
     • Identity Ecosystem Steering Group
     • Promotes goals of NSTIC
     • Quarterly plenary—ongoing workgroups (including healthcare)
     • Focus on demonstration projects and an identity framework
     • Not currently planning to be a standards organization

  7. Creating Consumer Health Identity Standards
     • Account Creation and Identity Provisioning
     • Identity proofing
     • User ID rules
     • Password rules . . . or maybe not
     • Authentication
     • Account controls
     • Multi-factor authentication
     • Biometric use
     • Establishment of Account Proxy Identities
     • Account Maintenance
     • Forgot user ID and forgot password
     • Account de-provisioning
     • Account reinstatement
     • Suspected fraudulent use
     • Identity portability
     • Metadata for identity assertion
     • “Home” and “Guest” account rules

  8. Issues Consumer Health Identity Standards Must Address
     • Controls which backfire
     • Increasing password strength and length
     • Password expiration
     • Controls which are population relevant
     • Who is the target user?
     • How are needs of vulnerable populations addressed?
     • Controls which respect autonomy
     • Set minimum bars
     • Raise the bars for higher-risk transactions
     • Data transfer to third parties
     • New cross-entity identity assertions
     • Provide enhanced controls on an elective basis

  9. Consumer Identity and Personal Health THANK YOU Tim McKay tim.a.mckay@kp.org
