Lack of standards: While standards exist for many aspects of healthcare, they are almost nonexistent for vetting the issuance, usage and acceptance of identity, especially when identities move between separate organizations. Without such standards, organizations that use current technology to solve near-term challenges could be in jeopardy of being out of compliance in the future, creating a much higher cost.
A big part of the success will hinge on the evolution of standards that will enable reusing previously issued identities rather than creating them all over again. There is important work going on here, but it needs more time and evolution.
Mobile technologies: Unfortunately, standards relating to the distribution and usage of identity credentials within mobile technologies are not yet mature. A new standard should include a mobile roadmap that covers over-the-air transmission of credentials to mobile devices as an efficient and secure alternative to issuing cards.
Recommendations & Best Practices
For those healthcare organizations intent on moving forward with a federated identity plan in lieu of full standards development, here are some recommendations:
• Sponsorship is critical: Ensure high-level support from your executive stakeholders.
• Form a cross-functional stakeholder team that includes domain expertise from outside of IT (claims, etc.).
• Build requirements by first understanding what problem is being solved.
• Determine the LOA (Level of Assurance) required for users, relying parties and stakeholders.
• Consider how workflows will be enabled or impacted — user adoption or mutiny depends on it.
• Other countries: Consider what they have done but realize the U.S. has a different model.
• Interact with vendors: Don’t just issue RFPs — vendors can help you innovate and provide insight.
• Filter out vendors that pitch generic products rather than a healthcare solution.
• Develop a risk matrix for long-term viability and the risks associated with each option. Estimate the full impact.
The healthcare industry, in both the private and public sectors, needs to come together and bring identity and security to the forefront at the boardroom level. When both sides of the table share the same vision and work together to achieve it, security and identity will transform from being viewed as a cost center to a significant business enablement platform in an industry that needs it most.
Terry Gold is Founder of IDanalyst, a vendor-neutral research and advisory firm focused on security, identity and privacy. He is an expert in advanced authentication, digital identity and services over connected devices and has developed core methodologies that help corporate clients and investors simplify complex technology initiatives and investments. To read a longer white-paper version of this article, please visit www.idanalyst.com/healthcareid.