With the annual Civitas Conference fast approaching, and compliance always on the minds of many of the attendees, now is an appropriate time to discuss the alphabet soup of identity terms thrown around the healthcare industry. Rest assured, I am not going to cover HIPAA since this audience knows HIPAA has two “A’s” and not two “P’s.”
I’ll begin with the National Institute of Standards and Technology (NIST), a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. NIST develops standards that we all rely on. Think about when you buy a lamp; you don’t have to worry if the plug will fit into the outlet in your home because plugs and outlets are built on standards to assure interoperability. Thank NIST. NIST has several divisions, and its Computer Security Resource Center first published the “go to” guidance for identity proofing and online authentication back in 2004. The Guidance has gone through several revisions with the current version, Special Publication 800-63-3 “Digital Identity Guidance” being published in 2017. 800-63-4 is expected in 2023.
While federal government agencies and contractors must comply with 800-63-3 when issuing identity credentials to federal employees and accessing federal networks, for much of the private sector and non-federal government agencies compliance is not required. However, much has changed since June 2004.
The pandemic triggered a significant rise in online fraud and identity theft which exposed the nation’s lack of a cohesive digital identity strategy. According to the U.S. Dept of Labor, over $163 billion in unemployment benefits ended up in the wrong hands due to fraud. Today, state and county governments are making compliance with 800-63-3 a “must have” in procurement. Uncertified vendors are routinely disqualified and often turn to Kuma for certification since Kuma is the #1 assessor of companies in compliance with 800-63-3. Agencies can no longer just accept a vendor’s word that they comply. They need proof.
A portion of the healthcare industry has had to comply with NIST’s identity standards for over a decade. In 2010, the U.S. Drug Enforcement Administration published its interim final rule for electronic prescribing of controlled substances (EPCS). Twelve years later, it is still an interim final rule, but I’ll leave that for another day. The EPCS Rule requires any of the 1.8 million DEA registrants who e-prescribe a controlled substance must first be identity proofed in compliance with NIST’s guidance, and then when signing the prescription and sending it to the pharmacy, a form of multifactor authentication that has been bound to the registrant must be used.
Multifactor authentication (MFA) is a combination of something you know (a PIN or password), something you have (your phone, a FIDO security key or a hardware token generating a one-time password) and something you are (a biometric such as your fingerprint). A username and password is not MFA because both are something you know, aka just one factor.
Identity in healthcare has been a focus of the industry for years. This author served as the Chair of the HIMSS Identity Management Task Force over six years ago and there was a lot of work in this space long before. We can all thank Congress for annually renewing the blockade for HHS to spend a single dollar to research a unique national patient identifier for all Americans. Because of that, numerous vendors have developed sophisticated, yet not 100% accurate, centralized master patient indexing services.
The Trusted Exchange Framework and Common Agreement (TEFCA) was published in January 2022. Per the Sequoia Project, “TEFCA, outlines a common set of principles, terms, and conditions to support the development of a Common Agreement that would help enable nationwide exchange of electronic health information (EHI) across disparate health information networks (HINs).
For anything to be trusted online, one needs to know who is actually logged in and accessing and exchanging data. When it comes to ePHI (electronic protected health information), that is an absolute necessity. Covered entities must ensure health care information is sent to a specific, unique individual to avoid any disclosure issues under HIPAA.
After a decade of advocating for strong identity management practices in the U.S. healthcare system, I was excited to read that TEFCA requires compliance with NIST’s Special Publication 800-63-3, “Digital Identity Guidelines” – a suite of documents defining detailed requirements for:
- Enrollment and Identity Proofing Requirements (SP 800-63A)
- Authentication and Lifecycle Management (SP 800-63B)
- Federation and Assertions (SP 800-63C)
At the most basic level, the guidelines were developed based on the level of risk accessing a system or network poses. NIST refers to the risk levels as “levels of assurance” with three distinct levels. This post will highlight Identity Proofing and Authentication.
Key definitions to familiarize yourself with:
- Identity Proofing is the process by which a credential service provider (CSP) collects, validates, and verifies information about a person.
- Identity Evidence – Information or documentation provided by the applicant to support the claimed identity. Identity evidence may be physical (e.g., a driver license) or digital (e.g., an assertion generated and issued by a CSP based on the applicant successfully authenticating to the CSP).
- Identity Assurance Level (IAL) is the degree of confidence that one’s claimed identity is their real identity.
To have any degree of confidence, identity proofing must be performed. This involves the collection, validation, and verification of information about a person. What types of identity evidence did the person show to assert who they are? Did the person produce a passport or a driver license or Medicare card? Or a combination of all the above? Is the driver license valid or expired, and it is really an official license? Is it really them in the photo, or could it be their sister?
NIST has defined three identity assurance levels:
- Level 1 – (IAL1) has no requirement to link the person to a specific real-life identity. The person self-asserts their identity attributes, which are not verified. This is ideal for low-risk applications where anonymity is acceptable, like a “how to” chatroom.
- Level 2 – (IAL2) requires identity proofing of the individual which can be conducted remotely or in-person by a credential service provider. IAL2 also requires evidence to support the real-world existence of who the person claims to be and verifies that the person is appropriately associated with this real-world identity. Simply stated, the person needs to provide documentation to prove their identity and it needs to be verified.
- Level 3 – (IAL3) requires in-person identity proofing and the person’s identifying attributes must be verified by an authorized and trained representative of a credential service provider. If you have a driver’s license, passport, or Global Entry card, you have gone through IAL3 identity proofing.
TEFCA requires IAL2
In June, TEFCA’s Recognized Coordinating Entity, The Sequoia Project released draft Individual Access Services (IAS) Exchange Purpose Implementation SOP. It outlines the requirements for IAS Providers to follow for individual identity verification at IAL2.
IAS Providers must have an agreement with a credential service provider (CSP) who has been approved by an RCE-selected CSP approval organization. An example is the international non-for-profit, Kantara Initiative. The CSP approval organization must maintain a published list of CSPs who conduct identity proofing to IAL2. While the approval organization issues a trustmark for the CSP to display as conforming with IAL2 requirements, they rarely perform the audits themselves. Instead, they accredit independent third-party assessors, professional auditors like Kuma, to conduct the extensive audit for conformance at IAL2.
Authentication and Lifecycle Management
Per NIST, “Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity. Authentication establishes that a subject attempting to access a digital service is in control of the technologies used to authenticate.” Simply stated, authentication is the key to opening the door to access a website, mobile app, or system.
Authentication Assurance Level (AAL) is defined by NIST as the “strength of an authentication transaction characterized by an ordinal measurement. Stronger authentication (a higher AAL) requires malicious actors to have better capabilities and expend greater resources to successfully subvert the authentication process. Higher AALs can effectively reduce the risk of attacks.”
A decade ago, high assurance level authenticators were limited to smart cards. Although very secure, they require a reader either contactless or contact, requiring you to insert it such as a payment terminal. Not everyone has a reader, nor should they be required to. That said, banks don’t require customers to log in to their account with their bank card. Today, there are many mobile-friendly and secure options, including those certified by the FIDO Alliance leveraging biometrics and other means.
Level 1 – (AAL1) provides some assurance that the person controls an authenticator bound to their account. An example is a static password. Although not secure, passwords do provide some assurance. account. AAL1 requires either single-factor or multifactor authentication using a wide range of available authentication technologies. Authentication requires that the claimant prove possession and control of the authenticator through a secure authentication protocol. Using the same chatroom example as above, username and password – although not secure – is ideally suited for AAL1.
Level 2 – (AAL2) provides high confidence that the person accessing an account controls authenticator(s) bound to their account. Proof of possession and control of two different authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.
Level 3 – (AAL3) provides very high confidence that the person controls authenticator(s) bound to their account. Per NIST, “Authentication is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication requires a hardware-based authenticator and an authenticator that provides verifier impersonation resistance; the same device may fulfill both these requirements.”
Of note, while MFA is certainly better than single factor authentication, not all MFA approaches offer the same level of security. Although convenient, receiving a one-time code via a SMS text message on your phone – something you know (code) and something you have (phone) – is MFA, but cybercriminals can, and have, intercepted the code due to the insecurities of SMS. With phishing attacks on the rise and not waning anytime soon, healthcare organizations should seek phish-resistant authenticators such as those certified by the FIDO Alliance.
Since 800-63-3 was published, Level 2 has become the “sweet spot” for identity proofing and authentication outside of federal agencies, including healthcare, financial services, and automotive industries.
If you made it this far, thank you for reading. I realize there is a lot to digest (pun intended)! The world of digital identity can be confusing, so I hope you found this of value. If you are attending the Civitas 2023 Annual Conference, please stop by booth #813 and say hello. Have questions but not going to the conference? I’m just a quick message away and would love to support your journey.
