Transcript Meaningful Use Stage 2

Meaningful Use Stage 2
ID Verification Policies
And Authorized Access
Highlights of the November 29, 2012,
Trusted Identity of Patients in Cyberspace
Hearing – Policy: P&STT and the HITSC Privacy
& Security Workgroup
http://www.healthit.gov/policy-researchers-implementers/federal-advisorycommittees-facas/calendar/2012-11?tid=125
Introduction
•
•
•
•
Identity management is a fundamental issue for the healthcare industry, and
that any efforts to improve healthcare information systems, reduce
administrative costs, fight healthcare fraud and identity theft, and improve
patient care must start by building a solid healthcare identity foundation.
HHS should educate the general public on Levels of Assurance and recommend
the use of higher assurance credentials (Level 3 and Level 4).
The Blue Button Initiative makes it imperative that two-factor authentication be
offered to those who are utilizing the Blue Button to download their health
information.
Neither the FACAs nor ONC should endorse specific products; rather they
should approach the issue of patient authentication with an eye towards a
standards-based solution that utilizes non-proprietary, mature technologies that
have a proven track record.
The Problems: ‘Siloed’ Records and Access
Consent
• John Halamka, MD, tells the story of his mother’s
hospitalization:
– A fall resulted in a broken hip,
• IV morphine administered on admission
• Pain and morphine resulted in an inability to reconcile her own
medications
– No easy exchange of electronic records available
• Medication ‘reconciliation’ via examination of all medication bottles
in her name resulted in her being put on 22 medications
• Further deterioration of mental status limited capability to provide
informed consent for her son to act as her healthcare advocate
How Meaningful Use Stage 2 Helps
• Due to Dr. Halamka’s intervention:
– the care team understood the poor quality of the data they had reconciled
and the lack of coordination among caregivers, they agreed to discontinue
everything except Tylenol and an anti-hypertensive.
– The next morning, the patient was ‘foggy’ and had no recollection of the
previous two days, but regained her involvement with the rehabilitation
process and became a partner in her care planning.
• Under Stage 2 of meaningful use, patient and family
view/access/download/transmit to her various data sources will be
required:
– Data exchange at transitions of care will be required.
– Decision support that would likely have offered best practices for medication
management in the elderly would have prevented the cocktail that altered
her mental status.
Developing a Strong Health Information
Management System
• Starts with the accurate identification of each person receiving
or providing healthcare services, as well as anyone accessing
or using this information.
• Issues with establishing identity are compounded as
electronic medical records (EMRs) are used by many different
organizations at the regional, state, and national levels.
• There must be a way to uniquely and securely authenticate
each person across the healthcare infrastructure, whether
that interaction is in-person at point of care or over the
Internet.
Online Credentialing Solutions Issues
• In some cases, in-person single-factor authentication could be
sufficient.
– Providing patients with a username and password that would grant
them access to already-established patient portal profiles.
– Jonathan Hare, chairman and founder of Resilient Network Systems
testified that this system is not foolproof:
• Front desk staff responsible for issuing online credentials typically has
no training in ID verification
• Process relies too heavily on single-factor authentication, which is not
the most secure approach.
• "If you want to have high assurance you should be using multiple,
independent ways to verify identity"
Multifactor Authentication Not Foolproof
• Multifactor authentication may be more secure, but it has its
drawbacks
– Elizabeth Franchi, data quality program director at the Veterans Health
Administration who has worked on the VA's Blue Button initiatives:
• Adding more steps to the verification process typically causes users to drop out of
the system before completing verification, leading to low utilization of patient
portals and other online services.
• For example, the doctor may issue a username and password during a patient
visit, and then call the patient's personal phone number to make sure the patient
was in fact the person who entered the account before allowing full access.
• Patients often find this type of process onerous, making them less likely to follow
it through to the end.
– "Our biggest lesson learned is that burden has to be lessened for the patient.
In order to facilitate this, we need to streamline this.”
Smart Card Solutions
• Mature, trusted, and non-proprietary technologies
– Any technology deployed to modernize our healthcare system must perform
a number of tasks: it must improve the quality of patient care, reduce costs,
minimize provider workflow and address the concerns and efficiencies
required to justify investment.
– Being able to validate a person’s identity immediately introduces real
benefits to health care delivery and the ability to control cost and reduce
fraud.
• Identification and authentication are currently uncontrolled and not
standardized among medical systems, locations, and organizations
within the healthcare community.
• Smart Cards provide the easiest, most cost-efficient, secure, and
user-accepted method for solving the healthcare identity
management problem
Smart Cards and Emergency Medical
Information
• A secure, portable way to store
patient data that could be critical in case of an
emergency, such as:
– current medications,
– allergies, and
– blood type
American Medical Association’s (AMA)
Health Security Card (HSC)
• A three-year public health translational research
• In April 2012, a live simulation of a public health triage scenario
using the HSC was conducted. 40 patients were divided into two
equal groups:
– Group 1 carried a HSC containing name, gender, date of birth, allergies, current
medications, blood type.
– Group 2 did not have a HSC. Some had an ID card or health insurance card.
• The average length of patient encounter was
– 53 seconds for those not carrying a HSC
– 32 seconds when the HSC was presented
– Patient satisfaction was significantly higher
• 75% of individuals carrying a HSC rating the quality of their care to be Excellent or Very
Good
• 35% of those not carrying a card gave a rating of Excellent or Very Good
Combining Smart Card Technology,
Cryptographic Functions and Biometrics
• Digital signatures ensure that the biometric template being used has
not been altered.
• Encryption protects the biometric template and other personal
information stored on the smart card.
• The smart card compares the live biometric template with the
biometric template stored on the card. The biometric template never
leaves the card, protecting the information from being accessed
during transmission
• A cryptographic challenge authenticates the legitimacy of the card
and the reader, ensuring privacy for the cardholder, preventing
inappropriate disclosure of sensitive data, and thwarting
“skimming” of data that might be used for identity theft.
Sources
Burns, E. (12/3/2012). ID verification policies needed in stage 2 meaningful use. SearchHealthIT.
http://searchhealthit.techtarget.com/news/2240173745/ID-verification-policies-needed-instage-2-meaningful-use.
Halamka, J. (11/6/2012). Why meaningful use Stage 2 is so important. Healthcare IT News.
http://www.healthcareitnews.com/news/why-meaningful-use-stage-2-so-important.
Magrath, M. (November 29, 2012) Testimony at P&STT and the HITSC Privacy and Security
Workgroup Meeting. HealthIT.gov.
http://www.healthit.gov/sites/default/files/20121129_michael_magrath_testimony__gemalto_and_smart_card_alliance.docx.