Addressing Health IT privacy and security concerns is complicated. Often the focus is to zero in on a specific technical solution and leave the often more important issues – policy, privacy, business rules – for others to solve. But as we’ve seen, too many times these other issues are left unaddressed – and progress is hindered.
Identity is critical to Health IT privacy and security issues, particularly when it comes to putting patients at the center of sharing health information online. Patients and health providers both face challenges with solving the “identity conundrum” – how to validate that information is going to the right person, and that it is being done in a way that protects security and privacy.
The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative that aims to solve the identity conundrum through a collaborative effort between the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of online transactions. NSTIC focuses not just on identity technology, but on a range of other barriers that have inhibited the adoption of stronger identity solutions in the marketplace, such as usability, liability, privacy and interoperability.
Since its launch in 2011, the NSTIC National Program Office (NPO) has worked closely with the Office of the National Coordinator (ONC) for Health Information Technology to ensure that the identity solutions developed and adopted by industry align with both the NSTIC, as well as Health IT requirements.
In health, the emergence of data sharing APIs such as FHIR – and industry’s support for it – provides an ideal opportunity to tackle the privacy and security concerns regarding access to information via APIs right from the start, while the market is still in the early stages of development and standardization.
We’re thrilled to be working with ONC and a host of industry partners to support a new effort to develop profiles of commonly used identity standards for health care and other “high trust” use cases: the Health Relationship Trust (HEART) Working Group. Launched in October, the HEART WG will take a patient-centered approach by defining a set of security profiles that focus on securing patient/consumer RESTful health-related data sharing APIs, such as FHIR. The charter for the group can be found here.
At the core of the effort is a suite of standards and profiles that will support the authentication, authorization, and consent layers:
- OpenID Connect (OIDC) – Used to provide end-user/patient authentication information to all types of systems, including web-based, mobile, and desktop clients.
- OAuth 2.0 – Allows the patient to grant access from one service or provider to another without needing to share personal identifying information between services or resources.
- User-Managed Access (UMA) 1.0 – Used to manage consent, person-to-person data sharing, and other authorizations.
It is important to note that these standards do not support Health IT requirements “out of the box” – what is needed is a set of profiles of these standards that meet Health IT and NSTIC requirements, so that developers have a robust toolkit to address the identity conundrum. Creating these profiles and toolkit is the focus of the HEART effort.
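To make the three layers concrete, here is an added illustration (not code from the HEART WG or any of its profiles, which had not yet been published) of how a FHIR-style resource server might combine them in one access decision: an OIDC ID token answers "who is asking", an OAuth 2.0 access token answers "what did the patient delegate to this client", and a UMA-style policy answers "did the patient consent to this other person seeing this resource". The token fields, the `ResourceType.action` scope naming, the issuer URL and all sample data are constructed assumptions for this example.

```python
# Constructed example: a layered access check for a FHIR-style REST API.
# Token shapes and the scope naming convention are assumptions for this
# illustration, not the HEART profiles.
from dataclasses import dataclass, field
import time

TRUSTED_ISSUERS = {"https://idp.example"}   # assumed OIDC provider


@dataclass
class IdToken:          # OIDC layer: the authenticated requesting party
    sub: str            # requesting party (patient or someone else)
    iss: str            # identity provider that authenticated them
    exp: float


@dataclass
class AccessToken:      # OAuth 2.0 layer: what the resource owner delegated
    owner: str          # patient whose data this token is scoped to
    client_id: str
    scopes: set = field(default_factory=set)   # e.g. "Observation.read"
    exp: float = 0.0


@dataclass
class UmaPolicy:        # UMA layer: patient-managed consent for other parties
    owner: str
    # requesting party -> set of (resource_type, action) they may perform
    grants: dict = field(default_factory=dict)


def authorize(id_tok, access_tok, policy, resource_type, action, now=None):
    """Return (allowed, layer) where layer names the check that decided."""
    now = time.time() if now is None else now
    # 1. Authentication (OIDC): trusted issuer and an unexpired ID token.
    if id_tok.iss not in TRUSTED_ISSUERS or id_tok.exp <= now:
        return (False, "authentication")
    # 2. Authorization (OAuth 2.0): live token, issued for this patient's
    #    record, carrying a scope that covers the requested resource/action.
    scope = f"{resource_type}.{action}"
    if (access_tok.exp <= now or access_tok.owner != policy.owner
            or scope not in access_tok.scopes):
        return (False, "authorization")
    # 3. Consent (UMA): the patient needs no grant for their own data; any
    #    other requesting party needs an explicit grant from the patient.
    if id_tok.sub != policy.owner:
        if (resource_type, action) not in policy.grants.get(id_tok.sub, set()):
            return (False, "consent")
    return (True, "ok")
```

A request by a caregiver is refused at the consent layer even when the app holds a perfectly valid OAuth token, which is the distinction the page draws between OAuth delegation and UMA person-to-person sharing.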
The HEART WG is a collaboration of the MIT Consortium for Kerberos and Internet Trust (MIT-KIT), ONC, and the OpenID Foundation; NIST is involved as well. The work will take place at the OpenID Foundation (OIDF), and the privacy and security profiles produced by this effort will become part of the OIDF’s formal specifications. MIT-KIT will implement the HEART profiles in their MITREid Connect reference implementation. This is the same reference implementation that supports the SMART on FHIR
From a national perspective, we are excited about the potential of the HEART efforts to not only address health use cases, but also other sectors focused on the same problems. We urge members of the developer community to get involved!
Follow us on Twitter: @NSTICNPO