Many hospitals and other healthcare organizations that have internal networks, web portals, and particularly electronic patient records that need to be made more accessible remotely are looking at additional “security” options such as Key Fobs (where a number linked to the user changes every 3 minutes) or Biometrics (fingerprints, voice), and I believe that a few key questions need to be addressed before the “IT Security arm of an organization” pushes an operational strain that drives resources, dollars, support issues, and user satisfaction issues onto the backs of others.
The assumption behind these efforts should be made clear and, I believe, needs to be proven first. It is that a user name and password, even one the user must change regularly, is insufficient to establish that another individual, who presumably has different “rights or privileges”, is not “falsely misrepresenting themselves” to the “system”. Given that these same “users” also interact with banking, legal, insurance, and other “medical” entities without being required to use a physical authentication device, and that the information in those “systems” is just as important to protect appropriately, the logic of all this rings very hollow.
While there have been many people smarter than me expounding about the pros, cons, methods and limitations of different approaches to physical authentication for information access, I would propose it is much simpler to look at the whole issue from the perspective of the “consumer” and the “supplier of support” for when things don’t go as expected. The “consumer” in this discussion is a physician, nurse, other healthcare provider, case manager, patient, family—anyone who needs to access information in order to carry out their job in a timely fashion and who presumably has been asked by some other entity to do that job (beyond the scope of any one IT organization to question whether that job is appropriate for that person). I would argue that the user has just as strong an incentive for authentication to work properly as the “system” does—as in the example of my personal bank or credit card account, which most people are far more worried about than their health information.
An important principle in dealing with an issue that intersects the presumed interests of “access vs security” and “organization vs client” is not to assume that everything will work as planned “most of the time”, but to assume that the “worst case scenario”, the one that challenges all the assumptions of normality, is the “expected event” (i.e., I am in outer space and need immediate access to something that might be located in the Earth’s molten core right now).
So let’s look at the whole issue from the standpoint of protecting the interests of the “consumer”, or perhaps better the “user”, though neither term is ideal. Who is the user and what do they want to accomplish?
When a request is made for me to take action about a particular “patient/client”, to respond to another professional’s or clinician’s request for advice, or to carry out a task that was requested of me by a “system of care” (e.g. signing an order request from another professional, nurse, etc.; these are the main reasons one would need to bother “logging in”), here is what needs to happen…
The amount of time this takes needs to be defined as a Minimum (to keep me from making an unintended error in authenticating myself for my own personal interests) and a Maximum (to keep me from wasting time, resources or efficacy as a professional). I should be determining that time limit, since it is MY authentication we are discussing, not YOURS. But when I then try to interact with YOU, I would want to make sure the same standard applies and I know who you are.
The requirement that I be able to complete whatever task is on the other end of this “authentication” process is likely driven by the requestor just as much as by myself (for example: “Dr, we need you to look at this X-ray online and give us an opinion before we take the person to surgery for an urgent procedure”, or “This is a form we need signed within a week”).
If the task has any sense of urgency, which we should assume is always the potential scenario, then we have to assume I have NOT been able to plan where I am, what time it is, what I was doing 2 minutes before the request, or whether I have any specific piece of equipment with me other than my brain and my body.
The task should take me the same time to complete regardless of time or location, with the understanding that acceptable barriers are those I would anticipate with any communication task: financial, legal, personal, medical, professional…
· Do I have a mobile phone and/or am I within “range” of a mobile network
· Do I have access to a reasonably functioning computer
· Do I have reliable high speed access to data through any open communications network
· Am I presently inside or outside the walls of the “organization” that “created the task request”
· Do I have access to some other device which can easily enhance the ability to “authenticate” myself without introducing new barriers to access
· How many different devices by how many different “organizations” are an acceptable limit without causing me neck pain or needing to carry a “device suitcase” around!
In the year 2008 I would suggest that there are only three (really just two) “devices” that we can assume are HIGHLY likely to be easily accessible to any professional at any time when they have any reasonable likelihood of needing to get to information:
· Their finger print (presumably on their own fingers at present!)
· Their mobile phone or a mobile computing/communicating device of some sort (one could not be “available” for clinical communication of care without one in reality)
· A communications network (wireless, land line, etc)
And then there are the attributes of the task that should be determined by the “user”, not by the “system”
· How urgent do I feel this task is, and how comfortable am I not being able to complete it if I have any issues getting to the information
· How do I feel about the “organization’s” attitude toward my needs for access and urgency
· Do I know my current user name/password
· Do I need to access something that is so private that, if the information were about ME, that I would want someone else to be forced to “physically” authenticate themselves in order to see it or carry out the task
· Am I going to be interacting with other people, and how do I wish to know THEY have been identified or authenticated in order for me to carry out my task? (For example, the industry pushes HIPAA-compliant secure web messaging, but every consumer will sign a waiver form so that they can get their lab results sent to the email they use all day long for other things, in which they are perfectly comfortable having only an “email address” as a way of identifying the other party.)
Once the user has made these determinations I would suggest the following is the most pragmatic methodology of “enhancing” authentication where appropriate, because it addresses the most common denominators:
Eliminate the use of any physical device requirement other than that which has a high probability of being present and universally usable at that moment in time
· Voice/Finger print (Iris not quite, until camera on every phone)
· Mobile Phone/Text message
So now back to the focus of Key Fobs…
Such systems make an assumption that there is a reliable backend database that links a User and their Password with the Physical ID of a Key Fob, and that the system knows the “current rotating randomly assigned number” displayed on that device. Since anyone who “finds or takes” someone else’s key fob is fairly likely to have found it on a key chain or alongside some other identifiers, pairing a fraudulently obtained user name with the key fob is not as foolproof as proposed, and the protection is not worth the inefficiency or expense.
· Have each “user” register with the organization or a central shared authority with a profile that contains (signed online, just as with a bank):
· Full name, address, etc
· Professional License identifier/Organizational identifier, etc
· Email address that is NOT going to be changed within the next 12 months and that the user reliably checks every day and in which they have assured that an organization’s outbound email will not be spam-blocked
· Mobile phone number that is NOT going to be changed within the next 12 months, for which the user checks a box confirming they promise to notify the organization if either the mobile number or the email address changes
· Option to accept text message notification of authentication codes
If a user is willing to register their mobile and confirm they receive text messages, and since other services already use one’s mobile number at registration as a primary method to deliver initial passwords anyway, then let their personal mobile device serve as their authenticator.
If the user logs into a website, portal, EMR system, or even a specific task within a specific “domain” within that “system”, a trigger might pop up asking for further confirmation of “who they are”. They are presented with the following options:
· IF you have a registered key fob and it is with you, enter the number now and you get right in
· IF you have a registered physical device but it is NOT with you at present, but you HAVE registered your mobile device, click to have that key fob number text messaged to your mobile phone immediately
· IF you are a more intermittent “user”, or just do not have a registered physical device but have registered your mobile with us, click to have a special one-time access code text messaged to your phone (you will need to re-enter your user name/password after you get this number)
· IF you have none of these options available but urgently need to get into the “system” that houses the “task” you have to perform, click here to “break the glass”, enter your user name and password, and check the reason why you just don’t have access to any other mode of authentication at present; we will EMAIL you a special access code
· IF for some reason you have full Web Access but no Email Access (this is highly unusual and very unlikely, so don’t expect too much here!!!) but it is truly an emergency to get in, call this number; we will ask you a few questions from your profile and grant you temporary access
· Down the road, as the finger print, iris scan or voice print “readers” are just as easily accessed as one’s mobile phone, then they would represent “user preferences” at some point as well
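As an added example (my own illustration, not the author’s code or any vendor’s product), the option ladder above written as a small Python policy: it offers only the step-up options a user has actually registered, issues a single-use code that is stored only as a hash and expires, and refuses the “break the glass” path unless a reason is recorded for audit. The profile fields, the six-digit code format, and the five-minute validity window are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # assumed validity window for a delivered one-time code
AUDIT_LOG = []          # constructed stand-in for a real break-the-glass audit log

@dataclass
class Profile:
    username: str
    has_fob: bool     # a physical key fob is registered to this user
    mobile: str = ""  # registered mobile number ("" = none registered)
    email: str = ""   # registered e-mail address ("" = none registered)

@dataclass
class PendingCode:
    digest: str       # SHA-256 of "user:code"; the clear-text code is never stored
    expires_at: float
    used: bool = False
def _digest(username, code):
    return hashlib.sha256(f"{username}:{code}".encode()).hexdigest()

def available_options(p, fob_in_hand):
    """Step-up options in the post's order, filtered by what the user registered; "text me the
    fob number" and "text me a code" are both modelled as a server-issued one-time code."""
    opts = ["enter_fob_number"] if (p.has_fob and fob_in_hand) else []
    if p.mobile:
        opts.append("sms_one_time_code")
    if p.email:
        opts.append("break_glass_email_code")
    return opts + ["phone_verification"]  # last resort, always offered

def issue_code(p, channel, now, reason=None):
    """Make a 6-digit single-use code to send over `channel`; `now` is the caller's clock (time.time())."""
    if channel not in available_options(p, False)[:-1]:  # only code-delivering channels
        raise ValueError(f"{channel} not available for {p.username}")
    if channel == "break_glass_email_code":  # emergency path: reason is mandatory and audited
        if not reason:
            raise ValueError("break-the-glass requires a stated reason")
        AUDIT_LOG.append({"user": p.username, "reason": reason, "at": now})
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never random.randint
    return PendingCode(_digest(p.username, code), now + CODE_TTL_SECONDS), code

def verify_code(p, pending, submitted, now):  # single use, within TTL, constant-time compare
    if pending.used or now > pending.expires_at:
        return False
    ok = hmac.compare_digest(pending.digest, _digest(p.username, submitted))
    pending.used = ok  # burn the code on success; a wrong guess stays retryable until TTL
    return ok
```

A real deployment would also rate-limit code attempts per user, which is left out here.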
In summary, I don’t believe the question is what the “system’s” needs are; those should be strictly limited to the physical security of the network, etc.
The issue is what the highly accountable professional who is the “end-user” needs in order to satisfy their time/task requirements. If EMR systems and user interfaces were built from the ground up in this manner, we could stop using the term “user-friendly” anyway, because by definition they would be “user-centric”, but that is a different blog discussion. The authentication process should tie into the communication processes and methods that are already part of people’s daily lives, and for which they already take appropriate levels of precaution around certain types of information and communications.
I am not an IT systems security expert, but if you were to add up the costs of the backend “database system” PLUS the costs of the physical devices PLUS the support costs of all those situations where the synchronization does not work as planned, and instead moved to a model where ONLY the “database system” is required, because the rest of the physical and communications infrastructure is already being used and paid for by the consumer, this approach would also represent a true savings all around. Add to that the interest of telecom providers in participating at a sponsorship level, and this, from a neurologist’s perspective, is a true No-Brainer.
AJB