Presentation is loading. Please wait.

Presentation is loading. Please wait.

Consumer Authentication for Networked Personal Health Information Redwood Health Information Collaborative March 18, 2008 Josh Lemieux Director, Personal.

Published byLeona O’Neal’ Modified over 8 years ago

Similar presentations

Presentation on theme: "Consumer Authentication for Networked Personal Health Information Redwood Health Information Collaborative March 18, 2008 Josh Lemieux Director, Personal."— Presentation transcript:

1 Consumer Authentication for Networked Personal Health Information Redwood Health Information Collaborative March 18, 2008 Josh Lemieux Director, Personal Health Technology Initiative, Markle Health Program

2 Common Framework for Networked Personal Health Information

3 Objectives The overall purpose: –To help open up private and secure data flows between health data sources and consumer-accessible applications (networked PHRs). –We call these “Consumer Data Streams” — the chain of handoffs of copies of personal health information destined for the consumer’s application. The focus is on policies: –Authentication: Trust across entities for ID proofing, online tokens, ongoing monitoring, and auditing. –Access: Broader focus on privacy, consent, data collection and use, transparency, enforcement, etc., across entities participating in Consumer Data Streams.

4 Many Simultaneous Activities Access policy efforts: Employers AHIC HITSP HISPC National Governors Ass’n Congress, etc. Authentication efforts: EAP/EAF AHIC HITSP Liberty Alliance VeriSign Private vendors AHIP/BCBS Dossia Intuit Revolution WebMD Google Microsoft VA/CMS Large IDNs Many smaller players Public and private PHR efforts

5 Consumer Authentication Overview Working Group set out to find a set of authentication methods and policies that would bring networked PHRs closer to reality. Two big barriers : 1.Proofing: We could not find Metric “X” for proofing accuracy. 2.Business issues: (i.e., competition, lack of business value, and fear of liability) may discourage data holders from accepting even well-executed proofing and authentication from remote parties.

6 Consumer Authentication Recommendations 1A: In-person proofing is a reasonable — although imperfect and poorly measured — default when there is no prior relationship with the consumer. But it’s not always feasible. 1B: Consider ‘bootstrapping’ in-person encounters with other sectors (financial institutions, post offices, retail pharmacies, notary publics, etc.). Part 1: Proofing

7 Consumer Authentication Recommendations 1C: Consider Remote Proofing: a.Rely on combinations of at least two alternative methods or sources for validating identity that use separate data (i.e., don't use two different sources relying on Social Security Number or the same account number). b.Are optimized to minimize the rate of false positives (i.e., when the wrong person is granted access based on an identity not his own). c.Provide an alternative identity-proofing protocol to mitigate false negatives (i.e., when the right person using his correct identity is denied access nonetheless). d.Take precautions to minimize risk to the consumer. Part 1: Proofing

8 Consumer Authentication Recommendations 1D: Begin Federal research on identity proofing quality. Federal studies to create proofing accuracy benchmarks. 1E: Do not use clinical information as validation data in an authentication process. Part 1: Proofing (continued)

9 Consumer Authentication Recommendations Part 2 & 3: Tokens and Monitoring 2A-2E: Follow Industry Practice in Binding, Use, and Re- use of Tokens 3A: Ongoing monitoring: Proofing is a process, not an event. Every authentication offers a chance at re-verification. 3B: Enable consumers to view audit trail: Consumers can help detect fraud when they have access to transaction history.

10 Consumer Authentication Recommendations Part 4: Auditing and Enforcement 4A: Ensure that third parties are “observable” in how and how well they are performing identity proofing, token- issuing and ongoing monitoring or any related services to authenticate consumers. 4B: Ensure a mechanism for enforcement and redress for bad actions. 4C: Consider federation and/or other contractual means to address Recommendations 4A and 4B.

11 Conclusion: A Path Forward Our next area of work is to establish policy rules and techniques that establish trust among participants, including consumers, over a “network of networks.” New trends — new threats, new business relationships, emerging technologies, and consumer awareness and behavior — all warrant close monitoring and all reinforce the idea that that the path forward on consumer authentication requires careful thinking, new research, and innovative approaches.

12 Closing Remarks Thank You!

Download ppt "Consumer Authentication for Networked Personal Health Information Redwood Health Information Collaborative March 18, 2008 Josh Lemieux Director, Personal."

Similar presentations

Mobile Payments and the FTC Manas Mohapatra Director of Mobile Policy Mobile Technology Unit Federal Trade Commission The views expressed are not necessarily.

Mobile Payments and the FTC Manas Mohapatra Director of Mobile Policy Mobile Technology Unit Federal Trade Commission The views expressed are not necessarily.
Identity Federation Rules and Process Linda Elliott President, PingID Network Electronic Authentication Partnership Washington, DC February 12, 2004.

Identity Federation Rules and Process Linda Elliott President, PingID Network Electronic Authentication Partnership Washington, DC February 12, 2004.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Information Security Policies and Standards

Information Security Policies and Standards
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
Security of Computerized Medical Information: Threats from Authorized Users James G. Anderson, Ph.D. Purdue University.

Security of Computerized Medical Information: Threats from Authorized Users James G. Anderson, Ph.D. Purdue University.
RADM Ali S. Khan, MD, MPH Director, Office of Public Health Preparedness and Response Bridging the Gaps: Public Health and Radiation Emergency Preparedness.

RADM Ali S. Khan, MD, MPH Director, Office of Public Health Preparedness and Response Bridging the Gaps: Public Health and Radiation Emergency Preparedness.
Privacy and Security in the Direct Context Session 6 April 12, 2010.

Privacy and Security in the Direct Context Session 6 April 12, 2010.
FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.

FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.
Informed Consent and HIPAA Tim Noe Coordinating Center.

Informed Consent and HIPAA Tim Noe Coordinating Center.
A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality 2014-06-10.

A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality
Tackling the Policy Challenges of Health Information Exchange Carol Diamond, MD, MPH Managing Director, Markle Foundation.

Tackling the Policy Challenges of Health Information Exchange Carol Diamond, MD, MPH Managing Director, Markle Foundation.
To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.

To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.
Understanding the Value of Identity in Government Social Networking A Framework of Identity Trust in Government Social Networking September 4, 2015.

Understanding the Value of Identity in Government Social Networking A Framework of Identity Trust in Government Social Networking September 4, 2015.
Compliance and Regulation for Mobile Solutions Amanda J. Smith Messick & Lauer, P.C. May 16, 2013.

Compliance and Regulation for Mobile Solutions Amanda J. Smith Messick & Lauer, P.C. May 16, 2013.
Audits & Assessments: What are the Differences and How Do We Learn from the Results? Brown Bag March 12, 2009 Sal Rubano – Director, Office of the Vice.

Audits & Assessments: What are the Differences and How Do We Learn from the Results? Brown Bag March 12, 2009 Sal Rubano – Director, Office of the Vice.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
1 Brett Roberts Director of Innovation | Microsoft NZ | 28 Aug 07 Technology and Privacy.

1 Brett Roberts Director of Innovation | Microsoft NZ | 28 Aug 07 Technology and Privacy.
Credit unions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback.

Credit unions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback.

Similar presentations

Ads by Google