The opioid crisis and a growing demand for patient-directed data exchange have created a perfect storm for trusted digital identity in healthcare. To combat the opioid crisis, states including New York, Maine, Connecticut, and Minnesota have passed legislation mandating electronic-only prescribing of controlled substances, a method of prescription that triggers DEA requirements for strong digital identity. At the same time, Health and Human Services’ Office of the National Coordinator (ONC) is completing work on the Trusted Exchange Framework and Common Agreement (TEFCA) to establish the conditions under which a patient can digitally authorize the movement of their healthcare data.
DEA and ONC both point to the NIST 800-63 standards as the baseline for provider and patient authentication. Blake Hall, CEO of ID.me, spoke at HIMSS18 to explain how the new NIST 800-63-3 digital identity standards are being used to address the challenges of trusted digital identity in healthcare – specifically, to secure Electronic Prescriptions for Controlled Substances (EPCS) and to improve interoperability between patient portals.
Digital Identity to Power E-prescribing
Nothing is spurring healthcare systems to adopt stringent identity standards more than the opioid crisis. Hall shared that his wife, an otolaryngologist, experienced fraud connected to the opioid crisis firsthand. “Several years ago, her DEA number was stolen, and the thieves forged a prescription pad and her signature to issue fraudulent prescriptions,” he said.
To combat this type of fraud, New York, Minnesota, Maine, Connecticut, Virginia and North Carolina have passed legislation mandating EPCS, and several other states have legislation pending. Once a state has passed such a law, providers may only prescribe controlled substances electronically, and they must adhere to the DEA rule governing EPCS. In 2010, DEA’s interim final rule on EPCS set requirements that include identity proofing of prescribers against NIST 800-63 and two-factor authentication each time a prescription is signed, so that the system confirms the practitioner, not merely someone holding the account password, is issuing the prescription.
“The great thing about electronic prescription is that you keep the provider in the loop with a trusted device that represents that provider’s identity,” Hall said. “And, once the prescription has been filled, it’s voided. One prescription can’t be filled multiple times, or stolen, so this method stems the fraud driving the opioid crisis.”
Digital Identity to Improve Patient Access and Interoperability for Personal Health Information (PHI)
On the patient side, ONC is also looking to adopt NIST standards to authenticate patients. This move is part of a broader effort to establish interoperability across platforms and more easily enable patient access to PHI.
Today, there is no standard digital credential accepted across healthcare systems, so users must create a new login and re-prove their identity at each hospital or doctor’s office portal. These platforms do not talk to each other. This is a miserable experience for patients with multiple healthcare providers, such as the elderly, cancer patients, and patients with chronic health conditions.
Hall explained that health systems can solve this problem by following Visa’s model of credential portability.
“Before Visa existed, if you had a debit card from a small bank in Oklahoma and you tried to go to New York City to complete a transaction, they actually wouldn’t accept that because they didn’t know if they could trust the credential from that small bank,” Hall said. “In a similar way for identity, all the hospital systems have a login that only works within that siloed ecosystem. That means all the consumer’s data, all the provider’s data, is locked inside of one application and the data can’t move interoperably. The FHIR approach is good — but it requires the patient to log in to each provider they visit directly and to authorize release over and over again. So what the industry really needs is a network with standards so a patient can log in one time, verify their identity one time, and then direct that all providers that have their medical data release it to the place of their choosing. If FHIR works like a retailer’s store-specific card with each provider’s proprietary login, then ID.me’s model works more like Visa as a widely accepted credential.”
Health systems and identity providers accredited against NIST 800-63 can issue digital credentials to streamline PHI entry and access. Instead of submitting the same PHI multiple times or creating numerous logins, patients and providers can tie their identities and data to a single credential that is accepted interoperably across portals.
So, why is a NIST 800-63-3 credential important?
Similar to REAL ID standards for state DMVs issuing identification cards, NIST 800-63-3 establishes the federal government’s baseline standards for the issuance of a digital identity credential. NIST released the current version of the standards in June 2017. Key updates include splitting the old single Level of Assurance into separate identity, authenticator and federation assurance levels, restricting knowledge-based verification as a proofing method, and favoring possession-based (device) and biometric authenticators.
Hall stressed that multiple methods of identity verification need to be used to mitigate fraud. “There’s no silver bullet, but if you layer them all together, the probability of compromising all of them in sequence becomes very low.”
Currently, ID.me is one of only two federally accredited identity providers in the United States against the NIST 800-63 standards. More than 200 partners, including federal and state agencies, healthcare organizations, financial institutions, nonprofits, and retailers, use ID.me as a shared login service. ID.me powers online identity proofing for Vets.gov, issuing legally recognized digital credentials to veterans for access to medical information, services, and benefits. Through this partnership, VA became the first federal agency to successfully issue high-assurance NIST Level of Assurance 3 credentials at scale to online applicants.