{"type":"data","nodes":[{"type":"data","data":[{"mainNavPagesCollection":1,"subnavPagesCollection":26},{"currentSlug":2,"topLevelSlug":-1,"total":3,"items":4},"achieving-identity-resiliency",6,[5,8,11,14,17,20,23],{"title":6,"slug":7},"Home","",{"title":9,"slug":10},"About GPII","about-gpii",{"title":12,"slug":13},"Why the Need?","why-the-need",{"title":15,"slug":16},"Our Services ","our-services",{"title":18,"slug":19},"Privacy Protection","privacy-protection",{"title":21,"slug":22},"Contact Us","contact-us",{"title":24,"slug":25},"Articles","articles",{"currentSlug":2,"total":27,"items":28},0,[]],"uses":{"params":["slug"]}},{"type":"data","data":[{"title":1,"sanitizedBodyMarkup":2,"published":3,"author":4,"category":7,"tagsCollection":10,"pdf":13,"link":15},"Achieving Identity Resiliency","\u003Cp>A white paper for the healthcare identity ecosystem steering group\u003C/p>\u003Ch2>Executive summary\u003C/h2>\u003Cp>The recent massive Equifax breach has exposed a fundamental flaw in the methodology used to\nidentify individuals including all healthcare providers and consumers. Once an individual’s\nidentity has been compromised there is no mechanism in place to restore that person’s identity\nto wholeness. This document discusses why that strategic deficiency is no longer acceptable. It\ndescribes what is necessary to rectify this omission and provides an example of how this can be\naccomplished.\u003C/p>\u003Ch2>Introduction\u003C/h2>\u003Cp>For at least the past 15 years the healthcare industry in the United States has been debating\nhow to solve the patient identification problem. It is universally acknowledged that being 100%\ncertain about the identity of a patient and the information linked to that identity is a\nprerequisite to providing appropriate care for that individual and avoid potentially very serious\nerror and harm. It is also universally acknowledged that, despite years of effort, healthcare has\nbeen unable to achieve that critical goal. 
Patient identification, especially across disparate\nhealthcare sites, continues to encounter error rates from 10% to as much as 40% or more.\nThese errors lead to an incredible burden in the healthcare system. As many as 300 avoidable\ndeaths each day, unnecessary complications, delayed recovery, excessive costs, unnecessary\nmalpractice litigation, patient and physician dissatisfaction, . . . the list goes on and on.\u003C/p>\u003Cp>On September 7 of this year a new twist was added to this sad story when Equifax publicly\nannounced that its database had been hacked and that the Personally Identifiable Information\n(PII) of 143 million Americans (representing roughly 40% of the adult population) had been\nstolen. The size of this incident is breathtaking but equally breathtaking is its scope. As one of\nthe three primary US credit bureaus, the data stored by Equifax covers an incredible spectrum\nof information from personal data to financial transactions to history of residence all the way\ndown to personal ‘secrets’ like the name of your first girlfriend.\n\u003C/p>\u003Cp>There are two crucially important observations about this Equifax data breach.\u003C/p>\u003Col>\u003Cli>\u003Cp>It is inexcusable that apparently none of this information was encrypted. That means\nthat this episode represents a virtually irretrievable breach of identifying information for\nroughly 40% of the US population.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Despite years of struggling with the United States identification challenge there is no\neffective mechanism in place to enable a compromised identity to be restored to\nwholeness. In other words, it is not clear whether the affected individuals will ever be\nable to resume ‘normal’ activities with respect to identification.\u003C/p>\u003C/li>\u003C/ol>\u003Ch2>Resiliency proposal\u003C/h2>\u003Cp>This is not acceptable. 
One of the IDESG’s four founding principles is that identity solutions\nmust be “secure and resilient.” We propose that healthcare must begin immediately to take steps\ntowards establishing an error-resilient method for patient identification. It is the purpose of this\nwhite paper to propose strategies and options that might be used to mitigate and eventually\neliminate the inability of healthcare to restore compromised identities to wholeness.\u003C/p>\u003Ch2>Definition: identity resiliency\u003C/h2>\u003Cp>Within healthcare, ‘identity resiliency’ means that the overall system which manages\nidentification functions can restore the integrity of an individual’s identity even though that\nperson’s information has experienced events that ‘break the rules’. Identity theft, data\nbreaches, ransomware, insider malfeasance, and hacking all represent examples of such\nincidents. Note that there already are a wide variety of procedures, technologies, regulations,\netc. aimed at making sure that identity-compromising incidents do not occur. Those efforts are\nlaudable and must continue. However, despite that work, violations of identity integrity\ncontinue to be experienced. It is the goal of this document to discuss how to upgrade the\nhealthcare identification system so that it can readily recover, even when one of these\nunfortunate events occurs.\u003C/p>\u003Ch2>The current healthcare identification paradigm\u003C/h2>\u003Cp>The bedrock of healthcare’s current identification strategy is demographic matching. Multiple\npieces of Personally Identifiable Information (PII) concerning an individual are assembled into a\nquery that is submitted to an Enterprise Master Person Index (EMPI). Searching through the\nrecords in its database the EMPI finds the record with the data elements that provide the best\nmatch to the query parameters by using its internal matching algorithm. 
Inside a single\nhealthcare organization, experience indicates that this process is accurate approximately 95%\nof the time. When the matching occurs across independent organizations the accuracy drops\nsubstantially. Neither of these accuracy rates is sufficient for healthcare where an accuracy of\n100% is required to achieve patient safety and efficient operation.\u003C/p>\u003Cp>In addition to the fact that demographic matching cannot achieve the required accuracy, there\nis a deficiency from an identity resilience perspective which is equally troubling. It is usually not\npossible for a patient to change their demographic information. Items such as name, birthdate,\ncurrent address, etc. are reasonably static. Therefore, if the patient’s identity is based on this\nset of data, it cannot be replaced should an episode such as identity theft occur. And yet that is\nexactly what is required if healthcare is going to achieve identity resilience. It must be possible\nto give the patient a new identifier that corresponds to the true person if the old identifier(s)\nhave been compromised.\u003C/p>\u003Ch2>Identity resiliency\u003C/h2>\u003Cp>We use the term \u003Cb>identity resiliency\u003C/b> to describe this critical improvement in the country’s\napproach to identification. The essence of identity resiliency is that \u003Cb>if an individual experiences some event that compromises the integrity of their identity, there is a mechanism available\nthat allows them to restore their identity to wholeness\u003C/b>. This is the core property of an\nidentity resilient system. 
In this document, we focus on how to accomplish this within the\nhealthcare domain but believe that these remedies are applicable to the entire US\nidentification domain.\u003C/p>\u003Cp>A truly resilient identification system will also exhibit many other properties and capabilities.\nSome of them are listed here.\u003C/p>\u003Cul>\u003Cli>\u003Cp>Simplicity – it must be simple and straightforward to restore the integrity of an identity.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Patient empowerment – each individual patient (or their surrogate) must be able to\nrestore their identity integrity at any point in time.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Complete – the identity integrity restoration process must result in the patient’s identity\nbeing restored to the same integrity and functionality it had prior to the compromising\nincident.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Rapid – correction of identity integrity errors should occur at “electronic” speeds to\nenable real-time remediation once an error has been detected.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Network-based – due to the dispersed nature of modern healthcare, a patient’s identity\nwill typically be distributed across a wide array of geographically distinct locations. Any\nmechanism to restore identity integrity must operate across all those disparate\nlocations.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Secure – all the components and processes involved in identity integrity restoration\nmust be protected from electronic malfeasance. 
To the extent possible the system must\nresist attempts at counterfeiting, ransomware, hacking, and well-intentioned but\nerroneous patient and provider actions.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Synergistic – the system responsible for maintaining identity integrity must be able to\nwork synergistically with existing and planned identity capabilities such as EMPIs,\nbiometrics, interoperability capabilities and other emerging technologies.\n\u003C/p>\u003C/li>\u003C/ul>\u003Cp>It is also important to note features and capabilities that are not part of a resilient identity\nsystem.\u003C/p>\u003Cul>\u003Cli>\u003Cp>Retroactive repair – even a resilient system cannot retroactively correct the effect of a\ncompromising incident. It is not possible to go back in time and “undo” the damage\ncaused by the incident. Those repairs will depend on manual efforts outside the scope\nof the identification system.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Compromising incident detection – the identification system cannot itself determine\nthat an identity-compromising event has occurred. This will remain the domain of fraud\nand error detection capabilities external to the identification system including informed\npatients, alert providers and staff, and highly trained identity professionals.\u003C/p>\u003C/li>\u003C/ul>\u003Ch2>A new paradigm\u003C/h2>\u003Cp>In the words of the Chinese proverb “If we don’t change direction, we might end up where we\nare headed.” Healthcare needs to migrate to a new identification paradigm that does not use\ndemographic information as the primary attributes. At the same time, in light of the enormous\nsize and substantial complexity of the existing healthcare computing environment, we must\ntake extreme care to ensure that any changes needed to implement the new system are as\nminimal as possible while still ensuring effective resilience. 
We believe that this set of\nconstraints leads to the conclusion that any attempt to achieve identity resiliency must focus on\nadditive approaches rather than trying to repair existing techniques.\u003C/p>\u003Cp>It is easier to add something new than ‘fix’ something already in place. A simple example shows\nwhy. Up until the present time the Social Security number (SSN) has been the closest thing to a\nunique healthcare identifier. As a data element, it is incorporated into literally tens of\nthousands of healthcare applications using dozens and dozens of different software languages.\nIf healthcare attempted to achieve resilience by making a modification to the SSN – for example\nby adding some additional check digits – that change would need to be propagated across the\nentire installed base of applications that currently process SSNs. This would represent a\ngigantic software development project accompanied by phenomenal expense. Instead, we\npropose an additive approach to achieving resiliency. This strategy is much simpler, offers\noperational consistency across different environments, can be implemented relatively rapidly,\nand is orders of magnitude less expensive.\u003C/p>\u003Ch2>Identity proposal\u003C/h2>\u003Cp>The simplest, and perhaps only, way to achieve effective identity resilience in today’s\nenvironment is to assign each participating patient an identifier and then use that identifier as\nthe mechanism to link to all that person’s clinical information. In addition, it must be possible\nfor the patient or their surrogate to request that the identifier be deactivated and replaced with\na new, independent identifier in case an identity compromising event occurs.\u003C/p>\u003Ch2>Identity paradigm properties\u003C/h2>\u003Cp>Any proposed healthcare identifier must be supported by an infrastructure that makes the\nsystem operational and effective. Here’s a look at some of the properties that are required for\nsuch a system to succeed. 
These properties are shown in alphabetical order rather than any\nattempt to assign relative importance.\u003C/p>\u003Col>\u003Cli>\u003Cp>\u003Cb>Abstract\u003C/b>\nThe new approach must be abstract with respect to PII. The identification mechanism\nmust not incorporate any information – name, birthdate, sex, address… – that\nrepresents patient data.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Accurate\u003C/b>\nThe identification paradigm must enable 100% accurate patient identification across all\nhealthcare encounters for every individual.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Anonymizable\u003C/b>\nIn light of the numerous situations where healthcare demands privacy (e.g. treating a\nVIP), the resilient identification paradigm must provide full support for data sets that are\nanonymous as well as those that are fully identifiable.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Application- (and vendor-) independent\u003C/b>\nIt must be feasible to incorporate the new identification paradigm into all known\nhealthcare applications.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Atomic\u003C/b>\nIt should not be necessary to assemble a set of identification data elements to achieve\naccurate identification. 
Doing so would add complexity and ensure that the system\ncould not achieve 100% identity accuracy due to errors in set membership.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Automatable\u003C/b>\nThe mechanisms to assign, query, terminate, replace and merge identities must be\naccessible to fully automated as well as manually initiated processes.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Compact\u003C/b>\nThe strategies and technologies used for resilient identification must be compact to\npermit ready incorporation into both manual and automated healthcare artifacts.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Compatible with existing IT systems\u003C/b>\nIt must be as simple as possible to incorporate resilient identification into virtually every\nexisting healthcare information technology application.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Consistent\u003C/b>\nThe characteristics of the identification strategy (syntax, semantics, format) must be\nconsistent across all healthcare environments to ensure reliable performance.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Counterfeit resistant\u003C/b>\nThe identification mechanism must include features that make it difficult or impossible\nfor a hacker to create counterfeit identities that the system sees as valid.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Durable\u003C/b>\nAn identifier assigned to a patient should be valid for the lifetime of that individual\nunless they experience an identity compromising event.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Fungible\u003C/b>\nIt must be straightforward to replace an individual’s identifier if that is needed to\nrestore the integrity of their identity.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Future-proof\u003C/b>\nThe identification mechanism must incorporate the ability to adapt to currently\nunforeseen future requirements to avoid obsolescence.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Globally unique\u003C/b>\nTo provide 100% accuracy, the identification 
mechanism must be able to ensure that no\ntwo individuals participating in the system will ever be confused.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Inexpensive\u003C/b>\nConsidering the wide distribution of healthcare identification, the chosen\nimplementation strategy must be as cost-effective as possible.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Interoperable\u003C/b>\nA resilient patient identification strategy represents the core capability needed to make\nimplementation of a truly interoperable healthcare system feasible.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Longevity\u003C/b>\nThe identification system must be designed to function indefinitely. There must not be\nbuilt-in limits or restrictions that might cause the system to cease being valid.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Multilingual\u003C/b>\nThe implementation strategy for a resilient healthcare identification system should\nsupport a wide variety of languages.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Privacy enhancing\u003C/b>\nImplementation of a resilient patient identification mechanism should provably\nenhance, rather than diminish, the privacy of its associated medical information.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Scalable\u003C/b>\nThere should be no effective limits on the number of patients that can be supported by\na resilient patient identification system.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Secure\u003C/b>\nUsers must have assurance that the system is well protected and does not represent a\nthreat of identifier compromise.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Simple\u003C/b>\nTo maximize the accuracy and efficiency of the patient identification system, it must be\ndesigned to function as simply as is feasible.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Standardized\u003C/b>\nA resilient patient identification strategy that is standardized maximizes the ability for a\nwide variety of vendors and care delivery organizations to benefit from its 
capabilities.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Tokenizeable/Authenticator friendly\u003C/b>\nWhatever mechanism is chosen to implement a resilient identification system, it must\nbe feasible to provide individual patients with tokens/authenticators that enable them\nto use the system, including tokens implemented on smart phones.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Trust\u003C/b>\nIt must be feasible for the majority of the population to trust the integrity and proper\noperation of the identity system. This will ensure that it is used and effective.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Unambiguous\u003C/b>\nThere should be no opportunity to misinterpret a resilient identifier, for example by\nconfusing the letter ‘o’ with the number zero.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Universal (no exclusions)\u003C/b>\nNo individual should ever be excluded from participation in the identification system\ndue to any personal characteristic.\u003C/p>\u003C/li>\u003Cli>\u003Cp>\u003Cb>Verifiable\u003C/b> \nIt must be feasible to verify the authenticity of an identifier electronically.\u003C/p>\u003C/li>\u003C/ol>\u003Ch2>Identity system workflow\u003C/h2>\u003Cp>Patient participation in the resilient identification system would begin when the patient enrolls.\nThe IDESG recommends (requires?) that enrollment include identity proofing to a minimum of\nIAL and AAL level 2. Once this has been achieved at a client organization the client can\nincorporate this patient into its local identification system and issue the client an appropriate\nidentity token.\u003C/p>\u003Cp>Once enrolled, a patient uses their identity token/authenticator to register for each medical\nencounter. They present the token which is read automatically. The system confirms the\npatient’s identity using some form of authentication – a biometric, a comparison of PII or some\nother form of Knowledge Based Authentication (KBA). 
This entire process should require less\nthan one minute and involve no typing on the part of the registration staff.\u003C/p>\u003Cp>If an event occurs which compromises a patient’s identity the patient can request a\nreplacement of their existing identifier. The patient’s token is read automatically and the patient\nauthenticates themselves in the standard manner. The clerk then requests to have the\nidentifier replaced. The identifier system generates a new identifier and delivers it to the\nregistration clerk who creates a replacement token and hands it to the patient. At the same\ntime, the identification system notifies all locations where the old identifier has been used that\nit is no longer valid and that all information should be transferred to the new identifier. Once\nthis process has been completed the patient’s identity integrity has been restored and they can\nuse their new identity token in exactly the same way as their previous one.\u003C/p>\u003Ch2>Patient empowerment\u003C/h2>\u003Cp>Any attempt to achieve identification resiliency must be based on patient empowerment. The\npatient must be able to control the various functions and activities that are used to maintain\nthe integrity of their identity. This control forms the essential foundation needed to build\npatient trust, and trust will be essential if a resilient patient identification system is going to be\neffective. Physicians, healthcare administrators, and other ancillary personnel will play\nimportant roles in accomplishing this but the core driving force to maintain accurate patient\nidentification must come from the individual patient.\u003C/p>\u003Ch2>Summary\u003C/h2>\u003Cp>In today’s healthcare patient identification environment, the occurrence of a data breach such\nas the recent Equifax incident represents a potentially crippling event. The number of\nindividuals involved – 143 million – is staggering. The breadth of information compromised is\nequally intimidating. 
The coup de grace is that there is no systematic capability to restore the\nintegrity of the identities that have been compromised. We must move to a healthcare\nidentification system that offers true identity resiliency. It is not at all pleasant to contemplate\nthe task of trying to restore 143 million identities. But in a resilient environment that would at\nleast be feasible, and would hold out the prospect of effectively restoring wholeness to the\naffected individuals’ identities once the process was completed. None of that is feasible in\ntoday’s environment and as a result the healthcare identification system has been dealt a major\nblow from which it may not recover for decades. The time to take action is now to ensure that\nsuch a mistake is never repeated.\u003C/p>\u003Cp>For more information on achieving identity resiliency see www.gpii.info.\u003C/p>\u003Cp>\u003C/p>","2017-09-27T00:00:00.000Z",{"firstName":5,"lastName":6},"Rob","Macmillan",{"slug":8,"title":9},"industry-news","Industry News",{"total":11,"items":12},0,[],{"title":14,"url":14},"",{"title":14,"url":14}],"uses":{"params":["slug"]}}]}
