Wednesday, December 2, 2009

Strong Identity Management

In addition to audit trails, a key component of enforcing security policy is ensuring the identity of those who use applications. In the November 19th HIT Standards Committee testimony, we heard about the need for strong identity management.

Currently, most systems support username/password with various rules such as those we use as BIDMC:

Passwords must be at least eight (8) characters in length
Passwords must contain characters from at least three (3) of the following four (4) classes:
English upper case letters A,B,C,...Z
English lower case letters a,b,c,...z
Westernized Arabic numerals 0,1,2,...9
Non-alphanumeric ("special characters") such as punctuation symbols: !,@,#...
New passwords must be different from previously used passwords.
Under no circumstances should the Passwords contain your username or any part of your full name or other easily identifiable information.

However, it's clear that something stronger than a username/password will be needed for e-prescribing controlled substances. The DEA has insisted upon NIST Level 3 authentication. What do levels of authentication mean?

Level 1 is the lowest assurance and Level 4 is the highest. The levels are based on the degree of confidence needed in the process used to establish identity and in the proper use of the established credentials.

Level 1 - Little or no confidence in the asserted identity’s validity. Level 1 requires little or no confidence in the asserted identity. No identity proofing is required at this level, but the authentication mechanism should provide some assurance that the same claimant is accessing the protected transaction or data.

Level 2 - Some confidence in the asserted identity’s validity. Level 2 requires confidence that the asserted identity is accurate. Level 2 provides for single-factor remote network authentication, including identity-proofing requirements for presentation of identifying materials or information.

Level 3 - High confidence in the asserted identity’s validity. Level 3 is appropriate for transactions that need high confidence in the accuracy of the asserted identity. Level 3 provides multifactor remote network authentication.

Level 4 - Very high confidence in the asserted identity’s valid. Level 4 is for transactions that need very high confidence in the accuracy of the asserted identity. Level 4 provides the highest practical assurance of remote network authentication. Authentication is based on proof of possession of a key through a cryptographic protocol.

If Level 3 authentication is implemented in healthcare for prescribing controlled substances, strong identity management may be expanded to other aspects of healthcare such as signing notes, signing orders, or gaining physical access to restricted areas.

Given the workflow implications of an added authentication burden, it's important to choose the right technology approach.

There are a wide range of two-factor authentication methods, including security tokens, smart cards, biometrics, certificates, soft tokens, and cell phone-based approaches.

I've had experience with each of these. Here's a summary of my findings

Tokens - you'd think tokens would easy to use, but we had a high login failure rate, challenges with tokens getting lost/destroyed (in the laundry), time synchronization issues (as the battery begins to age, the clock inside the token may begin running slowly), and clinician dissatisfaction with having to carry yet another device. A clinician with multiple affiliations has an even worse problem - multiple tokens to carry around. Token and licensing costs were expensive.

Smart cards - we use smart cards for physical access and they work well. They are foolproof to use, can be laundered without an issue, and are inexpensive. The only problem with using them in software authentication is the expense of adding smart card readers to our 8000 workstations. Buying and maintaining 8000 USB devices is costly. However, they are still a serious consideration, since clinicians like the idea of walking up to a device and using something they already have - a badge - to authenticate.

Biometrics - I've written about our use of BIO-key in the Emergency Department. Biometrics are convenient because you can just swipe a finger, which you always have with you (we hope). Many laptops have built in finger print readers and the BIO-key software easily integrates web applications into Active Directory. As with smart cards, the only challenge is installing and maintaining fingerprint scanners on 8000 existing desktops. Biometrics have been very popular with our clinicians and we've had a very low false negative rate (and zero false positives).

Certificates - managing certificates for 20,000 users is painful. We've done it and although I am a strong believer in organization level certificates, I remain unconvinced that user level certificates are a good idea. Maybe new approaches like Microsoft's Infocard, which presents digitally signed XML-based credentials, will make storage and presentation of cryptographic credentials easier.

Soft tokens are just a software version of hardware token running on a mobile device or desktop. Since software must be installed and maintained on each device, they can be a challenge to support.

Cell phone based approaches - Harvard Medical School recently implemented two factor authentication with cell phones as a way of securing password reset functions. It's been popular, easy to support, and very low cost. Companies such as Anakam offer tools and technology to implement strong identify management in cell phones via text messaging, voice delivery of a PIN, or voice biometric verification. Per the Anakam website, their products achieve full compliance with NIST Level 3, are scalable to millions of users, cost less than hard tokens or smart codes, are installable in the enterprise without added client hardware/software, and are easy to use (all you have to do is answer a phone call or read a text message).

Thus, my vote for achieving NIST Level 3 is to chose among smart cards, biometrics or cell phone based approaches depending on the problem to be solved and the workflow that is being automated. Although we've not yet implemented cell phone approaches for EHR authentication, I can imagine that our 2011 authentication strategy might be

Physical Access (hundreds of existing doors that have smart card readers) - Smart cards

Fast trusted login in the Emergency Department (100 devices that are kept in a closed physical space) - Biometrics

Generalized two factor authentication for e-prescribing controlled substances (thousands of devices and hundreds of users) - Cell phone approaches

With strong identity management, our audit trails will have greater value. It will be challenging for a user to claim that they were not the person performing the transaction. The combination of trusted identity and complete audit trails is key to a multi-layered defense against privacy breeches.


Mark said...

From a long time "Lurker" :).

You've hit many of the traceability flashpoints (not just HIPAA...these are vexed questions in the UK, Europe and beyond).

John, at a number of our centres (including your San Francisco Alma Mater)we have to navigate (respond, prescribe -- dare I say proscribe) approaches to managing passwords and audit trails.

Nowhere are these issues more contested than in the world of Reproductive Medicine (gametes, shared, on a 'cycle-by-cycle' basis) where consents between Contributors -- manifested through 'relationships'(medical,biological AND social) -- are subject to validation and 'meaningful use'.

Sharing of information not only between Medical Practitioners, but 'Others': Let us not forget the Billing & Accounts Department. These Folk (when experienced)have a remarkably nuanced understanding of the context of treatment. After all, save for the [thankfully rare] occassions of medical misadventure what focuses an audit more than a patient (or insurance company) contested invoice?

Practically: I think bodily authentication best. But there are curve balls to field (not least of which cost). In the world of IVF labs, where you may have a 'one to many' relationship (few workstations for a multitude of [gloved] staff)) iris recognition would trump a fingerprint. Caveat: Like the critical patient in the emergency room...the 'out of incubator' embryos are not likely to tolerate anything less than instantaneous network response!

You've certainly piqued my curiosity about "cell phone approaches". Ah, but here too some hurdles:Potentially deleterious radio waves. Many IVF Laboratories (Boardrooms too?) require one to 'Off' the CrackBerry...

Mark Marcon, President, Mellowood Medical Inc.

Gerald Beuchelt said...

John -

In addition to InfoCard as an authentication mechanism, you might want to look at SAML 2.0 protocol for identity federation, specifically across enterprise boundaries.

Also, we are currently looking into profiling Oauth in a reasonable manner as cross-organizational authorization protocol for hData. This will obviously require a stronger authentication mechanism that username/password or OpenID, but - in the end - authentication could be delegated to the organizations participating in an exchange, as long as they trust each other's information security posture.

This important latter caveat could be confirmed (to some extent) by using protocol suites such as SCAP similarly to what NIST has been doing for the FDCC.


Gerald Beuchelt

IDmachines said...

There is no question that strong authentication matters across industries and that the self service and federation issues confronting health care put an emphasis on this need. Besides being a BIDMC customer/patient, I am also the Secretary of the Smart Card Alliance Identity Council. If you haven't seen it we produced the following in concert with our health care council, as well as other related white papers.

Apart from the identity token technologies (e.g. Open ID, SAML, biometrics, Smart Cards/Digital Certificates/cell phone SIM) the policy and process around identity creation matter equally. And quite honestly its more about the binding of the individual to the token than the type of strong authentication token (whether in band or out of band) or related authentication factors.

IDmachines works across industries to leverage COTS identity and credentialing solutions and given our Brookline location I would love to talk more about what is going on across industries and in health care in particular. If so my email is

Thanks for raising these important issues.

Nick Owen said...

Nice post! I have a comment though (FD: WiKID Systems offers both a cell phone token & a PC-based software token).

I disagree about the difficulty in software token distribution. The problem of software deployment has really been solved at the enterprise level. We also have come up with some solutions on how to allow users to perform self-service token registration based on existing trusted credentials. Further, we can perform this process securely across different enterprises, perfect for the multi-provider ehealth data sharing applications or contractors. Finally, we can add some security. our PC-based software token can do mutual https authentication (validating the ssl cert for the user cryptographically more here), thwarting network-based MITM attacks.

A question: what does HIPAA require? or is it not specific in that regard?

Ian Rudy said...


Very timely post. I'm currently working with a Health System locally that is taking some of the first steps into the EHR space and we are having a first step requirements gathering meeting in a couple weeks to start talking through the authentication and identity management issues. What are you currently using as an identity management solution for patients accessing EHR across the Internet? Do you see any of the two factor systems as viable in this space? I like the opportunity that cell phone based soft tokens could be an application here.