
Health Care Identity Management has a Prescription for Improvement

The federal government is working to increase patient access to digital health information.

The Internet of Things is impacting most industries, including the medical field. Portable, wireless devices are helping to monitor and diagnose patient health conditions. Hospitals and other facilities provide remote monitoring, improved data analytics and automated systems. At the same time, while electronic health records have moved patient health information to the digital realm, patients continue to lack access to that health care information.

To provide a framework for change, the U.S. Department of Health and Human Services (HHS) is working to improve medical-related information technology, said Steve Posnack, executive director, Office of the National Coordinator for Health Information Technology, HHS, at a recent AFCEA International event.

Posnack shared his observations at AFCEA’s Federal Identity (FedID) Understanding of Identity Meetup at the National Cybersecurity Center of Excellence (NCCoE) in Rockville, Maryland, on June 20. Moderated by AFCEA’s FedID Planning Committee Co-Chair Duane Blackburn, S&T policy analyst at MITRE Corp., the event brought together government officials, military leaders and private sector professionals for a candid discussion of issues relating to the federal implementation of identity assurance in the digital world. In addition to hosting the Federal Identity Forum and Exposition in Tampa, Florida, September 25-27, the planning committee will be hosting more meetup events over the next year to help advance the dialogue of federal identification management issues across stakeholders, Blackburn noted. 

Speaking to the related activities in federal health care, Posnack offered that identity management improvements could impact more than 300 million patients across the United States. One important aspect of that is providing patients with electronic access to information about their health. “When you need a second opinion, you need to get that data from your health care providers,” Posnack shared. “You have the legal right to ask for a copy of that data. But how you get it, though, is still challenging. Most of the time it is printed and you have to pay for it. We are working to promote policies that will incentivize electronic access to your health information.”

In addition, Posnack’s office was tapped to facilitate the development of a so-called trusted exchange, through certain requirements of the 21st Century Cures Act. Signed into law in December 2016, the act directed the U.S. Food and Drug Administration (FDA) to accelerate innovation and develop advanced medical products as part of improving the quality of care of patients. To address health information technology needs, the law called for an interoperable network exchange for the purpose of “ensuring full network-to-network exchange of health information, convene public-private and public-public partnerships to build consensus and develop or support a trusted exchange framework, including a common agreement among health information networks nationally,” according to the law.

The exchange would aid patients as they go between different health care providers, Posnack said. “For example, if you go skiing in Lake Tahoe, and you hurt yourself and you are from New York, you would think that today your doctor would be able to use the Internet and look up your records from your health care provider in New York,” Posnack explained. “But it is not quite that simple. Often it is a lot of phone calls and a lot of faxing, as faxing is the default. So our charge under the 21st Century Cures Act is to help some of the burgeoning networks that exist today to connect on a national scale.” Currently, the office is working to authenticate the identity of health care providers wanting to access protected health information, he said.

Another major area of focus for HHS is “the burgeoning ecosystem” of available health-related applications, Posnack said. He shared that Apple Inc. has been making some advances that are affecting patient identity management and access to health care data. “With iOS 11.3, the company has released a new health records application that can connect to certain hospitals [currently about 500], which will allow you to sign into your patient portal to get your health information and download that onto your iPhone,” he said.

Posnack noted that Apple has taken this a step further by giving third-party applications access to that downloaded health information, encrypted and stored on an iPhone through a Health Records API (application programming interface) called HealthKit. The company unveiled the platform to developers on June 4. According to the company, when consumers choose to share the data with the “trusted applications, the data flows directly from HealthKit to the third-party application and is not sent to Apple’s servers.” Developers can create digital tools to help manage medications, nutrition and disease, “helping patients improve their overall health,” Apple officials asserted.

To Posnack, this is an instance of evolving health care and identity management. “So you start to see an ecosystem where it is understanding who the patient is and their identity, and understanding who the providers are,” he noted. The tools have to provide identity verification so that patients and providers “are not being spoofed in their identities.”

He also explained that activities of the Drug Enforcement Agency (DEA) intersect in this space regarding the prescription of controlled substances. “For a long time it was illegal to prescribe this electronically,” Posnack stressed. However, the DEA has issued rules to allow for electronic prescriptions of controlled substances. The process is part of the electronic health records software system, which requires providers to use two-factor authentication. “It really is a digital pen, just like when you would get a written paper prescription that could be checked for forgery before. For issuing an electronic prescription of controlled substances, you need to get credentialed,” Posnack stated.

Additionally, like any business sector, the health care industry is facing cybersecurity-related attacks, Posnack said. Although the United States hasn’t seen widespread ransomware and malware attacks like those faced by England’s National Health Service (NHS), U.S. electronic health record developers have had their software maliciously targeted, Posnack warned. There have been instances of data from health care providers that have been locked and encrypted for ransom, “so there are issues along those lines that affect us,” he said.