HITPC Stage 3 Request for Comments Smart Card Alliance Comments January, 14, 2013

Transcription

1 HITPC Stage 3 Request for Comments Smart Card Alliance Comments January, 14, 2013 The Smart Card Alliance hereby submits the following comments regarding the Health Information Technology Policy Committee (HITPC) Request for Comments (Request) regarding the Stage 3 definition of meaningful use of electronic health records (EHRs). We have limited our comments to Section III. Privacy and Security: PSTT 01 In September 2012, the HITPC recommended that EHRs should be able to accept two factor (or higher) authentication for provider users to remotely access protected health information (PHI) in stage 3. 1 This included recommending that organizations/entities, as part of their HIPAA security risk analysis, should identify any other access environments that may require multiple factors to authenticate an asserted identity, and that organizations/entities should continue to identity proof provider users in compliance with Health Insurance Portability and Accountability Act (HIPAA). The HITPC would like input on the following questions related to multi-factor provider authentication: How can the HITPC s recommendation be reconciled with the National Strategy for Trusted Identities in Cyberspace (NSTIC) approach to identification which strongly encourages the re-use of third party credentials? HHS should not put all of its eggs in the NSTIC basket. Once created, the Identity Ecosystem will offer a marketplace of digital credentials. However, going from a strategy to a ecosystem may take several years beyond the implementation requirements for Stage 3. Two-factor authentication comes in a variety of flavors with methods offering varying levels of assurance in the asserted identity and security. Members of the FACAs and ONC should not assume that all two-factor solutions are equal. In the meantime, we recommend HHS consider leveraging existing standards defined in NIST s Special Publication Electronic Authentication Guideline. Moreover, it is the benefit to providers to utilize a single credential that can be used for multiplepurposes for both online and offline uses. Today healthcare organizations spend a lot of money managing identities. For example, a hospital may issue a flash pass to all employees, a proximity card for physical access into certain areas, and a one-time-password token for remote access or DEA compliance for electronic prescribing controlled substances, to name a few. As you are aware, physicians often are affiliated with more than one hospital, meaning that they may have several credentials per hospital; these all cost money and are an ordeal for some physicians to manage.

2 In May 2009, the Federal CIO Council published Personal Identity Verification Interoperability for Non- Federal Issuers. This guidance was developed because non-federal organizations wanted to issue identity cards that are (a) technically interoperable with Federal government PIV systems, and (b) issued in a manner that allows Federal government relying parties to trust the cards -- the PIV Interoperable smart card (PIV-I). PIV-I has been recommended by FEMA in the National Incident Management System (NIMS) Guideline for the Credentialing of Personnel (July 2011) and is the credential being deployed as the First Responder Authentication Credential (FRAC) by several state and local governments, because it is standards-based, non-proprietary, trusted by the federal government, and can be used for multiple purposes. The first responder population encompasses approximately 20 million people in the U.S.; healthcare professionals represent a significant percentage of this population including the nation s one million physicians, three million nurses and EMTs. By putting a FRAC in the hands of the medical community, local authorities will be able to rapidly grant access only to qualified individuals during emergency situations like Hurricane Katrina & Hurricane Sandy. If followed, the PIV-I guidance provides a supporting framework for technical interoperability with the nearly 10 million federally-credentialed uniformed and civilian employees and contractors. It supports enhanced integration and reduced costs in day-to-day operations as well as during response and incident management. PIV-I would enable providers to carry a single credential that can be programmed for use in multiple facilities. As a multi-application credential, the PIV-I credential can be used for physical access and also two-factor or three-factor authentication into networks. The PIV-I credential exceeds every authentication requirement being discussed or already mandated for providers. Additionally, at the Trusted Identity of Physicians in Cyberspace Public Hearing held by the Privacy & Security Tiger Team on July 11, 2012, Tony Trenkle, CIO of the Centers for Medicare and Medicaid Services, stated, We have a number of others outside what we call our inner circle (at CMS) who have direct access to our systems. Some may be providers. In that case we may decide to issue a PIV-I card (for authentication) or some type of credential. This will have to be worked in with the FICAM infrastructure. As stated in NIST s Special Publication Electronic Authentication Guideline, These technical guidelines supplement OMB guidance, E-Authentication Guidance for Federal Agencies [OMB M-04-04] and supersede NIST SP OMB M defines four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of credentials. Level 1 is the lowest assurance level, and Level 4 is the highest. The OMB guidance defines the required level of authentication assurance in terms of the likely consequences of an authentication error. As the consequences of an authentication error become more serious, the required level of assurance increases. Ideally, Level of Assurance (LoA) 3 for authentication will be sufficient to protect patients privacy and security in most instances. However, if the Meaningful Use Stage 3 requirements reference only LoA 3, there is no doubt that the majority of healthcare organizations will seek only LoA 3 solutions without considering LoA 4 solutions. In our opinion, this is a mistake and we urge your office to encourage health organizations to issue LoA 4 credentials which provide the highest level of assurance. Meaningful Use Stage 3 requirements should clearly state that LoA 3 or LoA 4 shall be required for remote access and clearly explain the differences and the additional security and multiple purposes that an LoA 4 solution can offer to reduce fraud, protect patient privacy and secure access to the EHRs.

3 Perhaps the most critical liability that could very well be a reality in healthcare by mandating LoA 3 and not LoA 4 are man-in-the-middle attacks. Below are healthcare examples based on the examples described in SP An attacker breaks into a router that forwards messages between the EMR application or HIE and a provider. When forwarding messages, the attacker substitutes his or her own public key for that of the EMR or HIE. The provider is tricked into encrypting his or her password so that the attacker can decrypt it. An attacker sets up a fraudulent website impersonating the EMR/HIE. When an unwary provider tries to log in using his or her one-time password device, the attacker s website simultaneously uses the provider s one-time password to log in to the real EMR/HIE. LoA 4 provides end-to-end encryption without relying on the web browser. In addition, users are authenticated cryptographically to web sites with digital certificates. This prevents spoofed websites and man in the middle attacks. At this level, in-person identity proofing is required. LoA 4 is similar to LoA 3 except that only hard cryptographic tokens are allowed. The use of a LoA 4 credential would significantly reduce the risk of a fraudulent transaction, since the device has the ability to electronically authenticate both the rightful credential owner and the relying parties services. For patients It is critical that any healthcare identity solution support many different medical environments and is in a form factor that is easily adopted by U.S. citizens. Currently, most insurance companies issue some form of identity card to their members to identify them as policy holders and to provide some level of information required by medical staff for billing. The smart card is WEDI-compliant and provides a secure card-based form factor that not only can be widely accepted throughout the infrastructure, but by consumers as well. Many organizations agree that there is a strong need for a Unique Patient Identifier (UPI) to link medical records across multiple institutions and within multiple departments in large institutions. The smart card can be used to securely hold the UPI, along with other identity information, and to provide two-factor or three-factor authentication. Smart cards can be effective in supporting healthcare applications with or without a unique patient identifier. Smart cards can serve as a secure way to aggregate multiple identifiers across many different systems or organizations, linking them all on the smart card. Smart Cards: Preventing Medical Identity Theft and Medical Fraud In a report prepared for HHS by Booz Allen Hamilton, the need for strong patient authentication to combat medical identity theft and fraud was made clear. Many stakeholders in medical identity theft have noted that patient authentication can be one of the simplest yet most effective methods in preventing medical identity theft. Patient authentication consists of ensuring that patients receiving services are the individuals they claim to be. Currently, few providers require any strong evidence of patient identity at the point of service. Patients are often asked to provide only verbal assertions of identity and coverage. However, technology solutions such as biometrics, smart cards, or electronic patient records may be able to assist providers in verifying patients identities based on past histories, demographics, or facial photographs. Office of the National Coordinator for Health Information Technology Medical Identity Theft Final Report, pg. 16. January 15, 2009.

4 Smart card technology is the only mature solution supporting capabilities that can help address medical identity theft and fraud. Patient identification information can be securely stored on the smart card chip which has built-in tamper-resistance features that make it extremely difficult to duplicate, hack or forge. Smart cards support advanced cryptographic methods to secure data on the card. PSTT 02 How would ONC test the HITPC s recommendation in certification criteria? Since the Health IT Policy & Standards Committees were formed, we have heard that existing standards should be utilized rather than reinventing the wheel. Our federal government has spent a lot of time and money to engage NIST in developing identity and authentication standards. In addition to SP , NIST has published scores of guidance documents including FIPS-201, which is the technical guidance to support Homeland Security Presidential Directive 12 (HSPD-12) signed by President G.W. Bush calling for a policy for a common identification standard for Federal employees and contractors. FIPS-201 contains the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of HSPD-12, including identity proofing, registration, and issuance. Defined in FIPS-201 is the Personal Identity Verification (PIV) credential, an interoperable electronic identity credential using standards-based smart card technology. PSTT 03 Should ONC permit certification of an EHR as stand-alone and/or an EHR along with a third party authentication service provider? HHS may want to consider contracting with external labs experienced in testing identity and authentication technologies under the FIPS-201 Evaluation Program. This is a core competency for these labs and they are not involved with EHR certification. PSTT 04 What, if any, security risk issues (or Health Insurance Portability and Accountability Act (HIPAA) Security Rule provisions) should be subject to Meaningful Use attestation in Stage 3? It is imperative that identity proofing of providers and patients be performed in a manner that will not put the individual to identity theft, including medical identity theft. When digital credentials are issued, it is recommended that the production, personalization and issuance of these credentials be performed in a central location for security purposes and to remove the insider threat to the fraudulent issuance of digital credentials. Currently state motor vehicle departments are migrating to central issuance of driver licenses due to insider fraud and HHS should follow this model to tighten security and reduce fraud. About the Smart Card Alliance The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit

5 About the Smart Card Alliance Healthcare Council The Smart Card Alliance Healthcare Council brings together payers, providers, and technologists to promote the adoption of smart cards in U.S. healthcare organizations. The Healthcare Council provides a forum where all stakeholders can collaborate to educate the market on how smart cards can be used and to work on issues inhibiting the industry. Healthcare Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.