Remember party lines? Telephones, at one time, were connected to multiple parties. One could pick up the handset to find out that the neighbor down the street was already tying up the line. Believe it or not, party lines and the lessons one learned about keeping secrets from others “on the line” are instructive today. Only today, the shared access is often access to data. As data bases grow in detail and points of access, there is a growing need to identify — and control — who has access to what information based on their role and rights. This identification, to be effective, also calls for methods to authenticate and authorize users of the system. In short, who is “on the line” and should they be there.
While many businesses have been grappling with the need to identify and grant access to information, healthcare has largely ignored these issues until confronted with them through government or regulatory authority. As a result, healthcare — as an industry — has yet to fully engage in the new frontier of identity management.
But, the need for identity management in healthcare is real, since identification errors can have tragic consequences. A misfiled document or an error in names can lead to deadly consequences. Consider the following:
The LA Times reports that 150 people have access to at least part of a patient’s records during a hospitalization, opening the door for misfiled or lost data.
Insurance cards — either for private or government benefits programs — are easily passed from one person to another.
Hospital staff members have gained access to and revealed medical files of a celebrity.
“Nancy Smith” is given medication intended for another Nancy Smith.
Identity management’s goal is to uniquely identify an individual. It becomes most important when one is identifying an individual within a system as a means to control their access to resources or establishing their rights or limitations within their system.
As healthcare providers reach outside of their own networks, the need to identify and authenticate individuals and assign roles and responsibilities becomes even more important. As systems become interoperable, the need for secure and private access to data, coupled with certainty of identity of users and their roles will take center stage.
One of the more ubiquitous — and frustrating — examples of identity management is the password. While dealing with multiple passwords is frustrating for individuals, the cost of administering and resetting passwords to business, including healthcare, is huge. A Siemens study found that a typical password related call averages $25, costing an enterprise of 2,000 as much as $152,620 per year. Identity management tools that reduce or eliminate reliance on passwords include single-sign on applications, smart cards and systems using biometric identification and readers.
Insurance plans have long used knowledge-based information as a means to identify beneficiaries. Not only must someone present an insurance benefit card, they must also provide a social security number or some other “fact” to verify eligibility. This reliance on personal data can be thwarted by either voluntarily sharing this data with someone else who uses it to obtain services and benefit or by identity thieves who sell this information so someone else can fraudulently obtain services. By tying in positive and robust identification, especially biometric identification, for each person requesting and receiving benefits, sharing or theft of services is ended.
The growth of data bases — and the ability to easily access data from multiple sites or via the Internet — has made breaches of data a problem for healthcare providers. When information is breached, such as a celebrity’s medical records, the challenge is often identifying who leaked the data. By positively identifying each and every person with access to data, identifying the leak is more readily accomplished. Data must be linked to identity rather than passwords, since passwords are easily divined or readily available as a “sticky note” on the monitor or a password list in the desk drawer.
Positive identification of a person can also reduce medical errors by ensuring that each and every “Nancy Smith” is uniquely identified. This ends the medication errors or misfiling of information that can occur when a hospital file is “touched” by as many as 150 people.
The new frontier of identity management must be crossed to restore trust to the healthcare system. Through robust credentialing of individuals — and the ability to share the results of that credentialing and authentication of the person and their rights and responsibilities — the healthcare industry will make dramatic leaps in quality of care and increase efficiency.
©Secure Services Corp. 2009