“To (2)” Factor Authentication – or Not!

My heart goes out to those tiny electrons! Those tiny chaps have a tough living in the digital age, with all the racing around through cyberspace . . . and we are trying to make their lives tougher! On the SHIN-NY, billions will be traveling from one end of the state to another carrying patient data with them. So, in spite of our love for the electrons, the one thing we are trying to make sure is that the data that they carry on their shoulders travels within the boundaries of trust. An ecosystem that spreads as wide as the SHIN-NY needs a trust framework that allows the millions of patients and providers to feel comfortable that their information is secure.

So, what are we doing about it? Well, NYeC is putting together the foundations for an identity and access management solution that will be able to provide a high degree of confidence that the person accessing patient data from its systems is who they claim they are. The geeks already know this as “Two-Factor Authentication,” which, in plain English, means that a simple password is no longer appropriate to open the gates. The user has to present a second “factor,” which could be something you “know,” “have,” or “are.” For example, something you “know” is a password, something you “have” could be a one-time token that was sent to your mobile device, and something you “are” could be, well, your finger, with your unique imprint on its tip!

The debate that naturally begins when you consider such solutions is around the impact on existing workflow, and the resulting impact on adoption of health IT. Busy doctors, nurses, front desk staff, etc., having to jump through one more hoop to access data is seen as a non-starter. The doubters point to the health IT adoption curve and say that everybody will go back to the old ways of doing things. And that is a HUGE issue that NYeC (or, for that matter, any healthcare organization) cannot take lightly.

We need to think of the problem statement slightly differently, though. People who handle patient data are well aware of the sensitivity surrounding it, and are willing to do anything they can to protect it: There is an underlying realization that we are all patients at some point or another, and would like to have our information treated with all the safeguards that can be made available. And, stating the workflow challenge a different way: If a person were to go to a doctor’s office, either as a patient or a provider, and ask for paper medical records, somebody would surely ask for proof that they are who they say they are. So why should the guard go down if one seeks that information electronically?

This is the reason that the solution should focus on making access easier while keeping it secure, and that there should be sufficient education on the value that SHIN-NY, the HIEs, the EHRs and the like offer in providing better-quality care to patients. And there should be honest discussion on the loss of credibility, and the big T – “trust.”

Any skepticism surrounding this should be viewed against the recent reports of unauthorized and inappropriate access, and this does not spare the big ones. It’s happened to LinkedIn, Google, and Twitter, to name some of the known names. And, surprise, surprise, they moved towards a two-factor-authentication-based identity management solution. We need to take a more proactive stance and embrace the approach that has been taken by Facebook and Google, and that is now being considered by Twitter. Last we checked, their adoption rates weren’t falling through the roof!

Now, any reasonable organization that builds such barriers realizes that it does so with humility. The intent or prowess of folks seeking to penetrate these walls should never be underestimated. At the same time, not doing anything can’t be an option. The cat and mouse game of erecting higher, stronger, more secure walls continues, and we look to the marketplace to evolve to provide increasingly better options to organizations such as ours. So, while it is true that the biggest of locks and deepest of moats can’t keep all nefarious elements away, it does help organizations (and castles!) focus on the bigger issues to know that they are in fact major deterrents.

Stay tuned!