We’re pleased to announce that our advisory board member Tom Karson’s white paper introducing the Repository for Universal Biometric Identification (RUBI) framework is now available exclusively at Securlinx.com.
Request a free pdf copy using our contact form here.
The Problem—Who Are You Really?
Personal Identity has become a major problem in the complex digital world in which we live.
Every organization is wrestling with the fundamental question of how to reliably determine with whom they are dealing, whether that individual is already known to that organization, and that person’s relationship and role within that organization.
Tom Karson MD
Dr. Karson is a physician and healthcare IT executive who has served as Corporate Chief Medical Information Officer at Continuum Health Partners, Deputy CIO for Yeshiva University and Medical Director Information Systems at Mount Sinai Medical Center in New York City. He is a cardiologist, intensivist and Harvard-MIT trained informaticist who has been on the faculty at some of our nation’s most prestigious institutions including the Cleveland Clinic and the Brigham and Women’s Hospital.
“On February 11, 2019, the Office of the National Coordinator for Health Information Technology (ONC) released its Notice of Proposed Rulemaking for implementing data interoperability provisions of the 21st Century Cures Act. Under the proposed rule, all health information technology (HIT) vendors that sell ‘certified electronic health record technology’ (CEHRT) to health care providers will be required to meet new security, data governance and API standards, once final rules take effect. The proposed rule also describes steps to end business practices that emerged during the years when electronic health records were being adopted, which Congress viewed as anti-competitive.
In a related announcement, the Centers for Medicare and Medicaid Services (CMS) released a Proposed Rule to promote data interoperability by health plans that participate in the Medicare, Medicaid or the CHIP program, or that issue qualified health plans in the individual health insurance marketplace.”
“Aaron Wallace was sleeping when he was attacked in his bed.
The patient at the Arizona State Hospital was stabbed by Reuben Murray, a fellow patient with a murderous past, who was wandering the halls unsupervised in the middle of the night with a sharpened pencil, according to a recent lawsuit filed against the state.”
The hospital security environment is extremely complex. Making hospitals safer requires great technology properly integrated with efficient security staff.
“We discovered exposed medical systems — including those that store medical-related images, healthcare software interfaces, and even misconfigured hospital networks — which should not be viewable publicly. While a device or system being exposed does not necessarily mean that it is vulnerable, exposed devices and systems can potentially be used by cybercriminals and other threat actors to penetrate into organizations, steal data, run botnets, install ransomware, and so on. Furthermore, it shows that a massive amount of sensitive information is publicly available when they shouldn’t be.”
The article linked above and the companion Trend Micro blog post, along with the entire 61-page PDF report (available here), do a really good job of covering the range of threats confronting healthcare networks today.
The internet of things (IoT) offers so much of benefit — remote monitoring, diagnosis, collaboration, home healthcare, devices, etc. — to healthcare providers and patients that it is inconceivable that it will be abandoned. There are, however, significant privacy and health outcome risks associated with putting practically every software application, sensor, device and record within reach of the internet.
How large healthcare providers harness the IoT for better care delivery while minimizing the associated risks will go a long way toward sorting out the winners and losers in the business of healthcare.
Cyber security, identity assurance, and training are of critical importance if the promise of the healthcare IoT is to be kept for healthcare providers and patients alike.
“Using National Cancer Institute survey data, the study found that 52 percent of US citizens were offered access to an online medical record by a healthcare provider or insurer in 2017, up from 42 percent in 2014. Of those who were offered access, 53 percent viewed their records at least once in the past year.
However, of the individuals offered access to online medical record, one-quarter did not access that information because of privacy/security concerns.”
So, is it fair to imply that up to 25% more patients would access their online health record if they were more confident in the security of their access to it?
We are attending the HiMSS annual meeting this week and wanted to share a few observations. It’s a terrific event, and a reminder of how important personal contacts are in an age when we’re on our screens constantly.
Nearly every conversation here includes the issue of how to get data out of isolated, proprietary systems so it can be used more effectively. If data can be collected from many sources, then AI and machine learning tools can be applied to it, looking at both text and images to create a predictive system for clinicians. That offers a real opportunity to improve patient care.
This also seems to be driving talk of partnerships, another hot topic at the conference. People recognize there are lots of technologies trying to solve healthcare’s problems but they approach it in an isolated way. So they are trying to figure out how to make data actionable and link it to what others have. The idea of partnerships is a departure for big industry players who’ve mostly taken a go-it-alone approach in the past.
Interoperability is also getting a lot of buzz at HiMSS. Most people focus on its technological aspect but that’s only half the challenge. The other is culture.
From a technology perspective, there are lots of vendors battling for market share and holding on to data as part of their competitive strategy. But that’s running up against consumer behavior. People today get their health care from a variety of places – hospitals, outpatient centers, specialized clinics, even their home – and they are increasingly shopping around. Inevitably, they wind up in separate health systems, and none of them speak to each other. So the challenge is to get the data up a level so that it’s accessible to their doctor no matter where they go.
There are technologies that can do that, and more. But change is slow, and that’s where culture comes in. Many healthcare organizations are reluctant to change. Some still use fax machines and paper records. They want to be more efficient but are slow to embrace the technology that can help them get there. Of course, adoption has been the challenge for every technology innovation, from PCs to cell phones. Healthcare tech is no different.
I’ve been attending HiMSS for more than 15 years (do I get an award for that?), and every year I see a few things that surprise me. That’s what keeps it interesting.
One surprise is the number of vendors who claim to have a patient identity solution when what they actually do is patient identity for one specific application, like labs or payments. They don’t provide that identity outside of their system. There’s almost no one addressing the need for a universal identity repository – a database that would handle identity authentication for multiple applications. (That’s what Securlinx offers, and that’s why we are excited about the opportunities we are seeing to help healthcare organizations.)
The other surprise is the absence of the insurance industry. The major insurers are a huge part of healthcare, involved in everything from procedures and protocols to reimbursements and record-keeping. And they see how much money is lost every year from errors and fraud. Yet they don’t have a presence here and don’t seem to collaborate with other organizations much right now. That will change, though. Collaborating to reduce costs and improve care would be a natural focus for them, not to mention a great marketing message. Insurers are a key component in all this.
Securlinx has a presence at the Healthcare Information and Management Systems Society (HiMSS) Conference currently underway in Las Vegas.
Our own Craig Workinger (LinkedIn, Twitter) and Securlinx Healthcare Advisory Board member Tom Karson, MD (LinkedIn) have found time to report some of their observations and insights from the conference. I will share what they have to say here as their reports come in.
“The company hasn’t said why residents of the two states can’t use it. One thing both have in common is laws allowing lawsuits for not protecting biometric information. A key difference, however, is any Illinoisan can file a lawsuit, whereas Texas’ attorney general would have to initiate one there. Washington state has a law similar to Texas but users there reportedly are able to access the function.”
“Conducted by AYTM Market Research, the study polled a thousand Canadian adults toward the end of last autumn. Fifty-seven percent of respondents said they were most familiar with fingerprint recognition, and a quarter said they use it regularly. Sixty-nine percent expressed interest in fingerprint-based authentication, and 61 percent reported being interested in using the technology for payments.”
“The crux of the matter, as reported by Tribune newspaper and corroborated by BuzzFeed News, is that there exists a portal on the Aadhaar website which gives anyone who has the login credentials access to the Aadhaar database. UIDAI says the portal is intended for government officials for addressing grievances such as rectifying spelling mistakes in a person’s name.
But somewhere in the chain, according to media reports, rogue agents have started to sell access to this portal to just anyone.”
It looks like a government employee was selling username/password(s) to access the government database at a fairly low level. It should be pretty easy to figure out who abused their position.
Amazon has filed a patent application for technology that will allow users to authenticate a payment using a photo or video in a seamless way that doesn’t necessarily require passwords.
“The user is identified using image information which is processed utilising facial recognition. The device verifies that the image information corresponds to a living human using one or more human-verification processes,” the patent reads.
The industry can be segmented based on application as commercial, consumer electronics, military & defense, government, healthcare, banking & finance, and others. Government and commercial are anticipated to be key application segments over the forecast period.
Commercial fingerprint access control systems market is expected to be dominant over the next seven years, and accounted for over 30% of the overall revenue in 2014. Government application segment is expected to grow at a CAGR of over 6.5% from 2015 to 2022.
Consumers are feeling less secure about the reliability of usernames and passwords to protect their personal data and are increasingly frustrated with the often tedious and inconvenient process of having to manage and remember multiple passwords and usernames. To address this challenge, innovative biometric authentication methods for connecting to the internet, such as use of human finger and palm prints, irises and voice recognition, are being developed rapidly.
The landing page for Accenture’s Digital Trust in the IoT Era report is here.
…also known as anthropometry or Bertillonage, the Bertillon system was established in 1882 by Alphonse Bertillon.
Bertillonage relied upon recording various measurements of the human body that were assumed to remain constant over an adult’s lifetime. The example above from Jersey City, New Jersey shows ten measurements.
If one accepts “body measurement” as a rough translation of “biometrics,” it’s hard to argue that Bertillon wasn’t the very first proponent of biometrics for identity management.
Unfortunately for the Bertillon system, twin brothers with the same name, same measurements and at the same prison precipitated its abandonment for the new science of fingerprints, aka dactyloscopy.
All of which brings us to this news from Australia…
University of Adelaide forensic anatomy researchers are making advances in the use of “body recognition” for criminal and missing persons cases, to help with identification when a face is not clearly shown.
PhD student Teghan Lucas is studying a range of human anatomical features and body measurements that can help to identify a person, such as from closed circuit television (CCTV) security videos, no matter what clothing the person may be wearing.
As we have said before, any biometric modality can be useful, especially when it is the only piece of information available, and this one is obviously conceived of as being helpful in forensic investigations rather than in wide-scale identity management applications. Nevertheless, it’s good to see the work of one of the early giants of criminal investigation being carried forward into the 21st century.
Where one deploys a particular security feature can be an interesting call. For computers, most biometrics are deployed somewhere in the software at either the OS (operating system) or application layer. That makes a lot of sense in terms of updates and troubleshooting, but there are more secure approaches.
Is Intel/McAfee looking closer to the chip for the sweet spot to apply biometric ID for access to the computer? This would make a lot of sense, too. It’s very secure but it does foreclose some user support options. If the security is in the hardware, it really has to be completely reliable.
A useful metaphor might be a Microsoft update versus a product recall.