In preparation for the March issue of Health Management Technology, I interviewed Paul Calatayud, Chief Information Security Officer of Surescripts.
While we began with a general analysis of IT security, Mr. Calatayud unveiled a host of deeper issues that, if left unresolved, could prove to be far more impactful to the healthcare industry than any possible data breach.
Below is a partial transcript of our conversation.
Jason Free: From your perspective, what facet of IT security is trending upward in terms of its importance in healthcare?
Paul Calatayud: The most relevant to me, or topical, is the changing landscape of identity management and how credentials are being issued within the EHR space. I think credentialing is very common in provision and it has been very common in, we’ll call it, traditional EHR environments where you have employees that were hired and they were somewhat vetted. They were trusted as an employee would be trusted and you were really transitioning and provisioning that user to a trusted application. I think what’s challenging is that as IT ecosystems move from digital into mobile, and into a little bit more of a service provider and cloud, and just more of an extensible ecosystem, certain relationships change and create new challenges that need to be considered. Through these questions, it will be determined whether a company has certain credentialing policies that may need to change or whether there is technology at the company that needs to be supplemented for those processes to still be considered credible and meaningful processes.
JF: Who would, on a daily basis, need to make these considerations?
PC: There are many different constituents that need to take interest in credentialing. The natural ones are the parties that are responsible for issuing credentials on their ecosystems. This is usually the hospital’s IT department that is accountable for having a suitable process in place to assure that the credentials that they are issuing are legitimate. While these departments need to be mindful of this process, there is a big opportunity for technology vendors and HIT vendors that support the ecosystem to also be mindful of ways to create opportunities within their platforms and their services to support these credentialing services. If this occurs, the burden does not always have to be on the end-point, in this case, a hospital. Finally, the facility’s management as a whole should be very interested in the development and implementation of their credentialing systems. They need to be mindful what the risks are and how to ensure that, as they do business with other parties, the credentialing responsibilities are being properly transferred because in healthcare these are very complex ecosystems. There is not usually a single vendor that is supplying the identities, as well as the services. So you have service providers and vendors providing platforms and consumer clinics that are the institutions that are essentially consuming the data on the information. You could have a very complex set of relationships that are responsible for agreeing and enforcing those relationships that should be mindful of how their ecosystem needs to operate with these concerns and these standards being present.
JF: How does the consumerization of IT affect the credentialing process?
PC: Consumerization definitely has an impact on identity provisioning management. In the past, employees were accustomed to having a key fob or some token on hand to access a corporate environment. But the paradigm has changed due to consumerization to where those types of technologies may not be interoperability-friendly or just user-friendly. Consumerization creates a challenge when it comes to authentication because you now have dynamics to deal with in regards to platform connectivity and support as peripherals. For example, the military and defense sector very commonly had secure credentialing via CAC readers. As you overlay consumerization, some of those technologies were not designed to interoperate with iPads or with tablets. They do not have the device peripheral support like a laptop or a desktop. This is a challenge when thinking about how the ecosystem is changing and how mobility is more involved in the ecosystem, but also how devices are interacting with those ecosystems. That is where you get yet another dynamic and challenge in how you continuously trust these different devices. How do you create interactions that contribute and support those devices and the various types of devices you may have supporting it? Doctors may have different types of devices that access the same ecosystem because the ecosystem is now more Web-enabled, which then allows for different devices to access those portals. Identity becomes critical when it comes to continually trusting that robust environment, but also when you extend that trust in a way that is not impactful to those consumer expectations around user experience. That is a challenge because consumers become too accustomed to how they interact with these devices, and even if you embrace the device itself, if you do not overlay how those devices interact with your authentication mechanisms, you can cause some friction. Expecting to use a physical card on an iPad that doesn’t read the card is an obvious miss.
JF: What other “ecosystem” impacts do you see when thinking of the credentialing process?
PC: In traditional environments, in the past, the reason you were issued a credential could be because you were an employee of a large hospital or some sort of primary care facility, and so to gain access to the physically deployed systems was just a matter of issuing passwords to the system. What is changing, and really becomes a new concern, is when you open that architecture up to a more Web-facing infrastructure. You now have to create a level of trust and establish their identity. Who is that person that’s asking for those credentials? They may not be a full-time employee, and if the HR system is poll-driven and Web-based driven, the challenge becomes kind of two-fold. It’s trying to understand, are they who they say they are? Are they a licensed practitioner, and do they have all the credentials to be able to consume the information or input the information into the system? So, a hospital or some physical institution may validate the driver’s license with the person in front of them, which is very common, but if a service has to extend into the Web, in this case the doctor or the physician, and the only way you have to establish trust is that same document, in this case a driver’s license, and you expect your processes to just extend like, let’s say faxing your driver’s license. I think that is a big challenge. Those documents were never designed to withhold those types of transmissions. You know, a driver’s license, from a physical perspective, has a lot of fraud prevention and spoofing detection built in, but the minute you fax that image, you are now susceptible to manipulation, and that is the second challenge: the risk of having the consumers operating on your ecosystem and they are not really who they say they are, but still being able to take advantage of the information or the services that are being exposed.
Another impact to consider comes from the standards and regulatory bodies. So, the National Institute of Standards and Technology (NIST) published a strong document for levels of assurance and defining those levels of assurance. Surescripts is well aware of those levels because we offer Electronic Prescribing of Controlled Substances according to Level of Assurance 3, which is being influenced by the NIST standards. So I would say that the standards being developed by NIST and relied upon and enforced by the Office of the National Coordinator for Health Information Technology (ONC) and other institutions will continue to impact ecosystems, but as a natural response to the changes occurring.
JF: What will happen, in your estimation, if these issues are not considered and dealt with in an appropriate fashion?
PC: In short, the healthcare industry may lose control of setting the standards for its credentialing processes.
There are going to be constant credentialing concerns that are going to be identified by the stakeholders involved that have the most to lose, or have the most potential liability, and they are always in the position to set predominant expectations. For example, if you are the CIO of a large pharmacy, and you are trying to comply with standards as they are or risks as you see them, you may be pushing influence and you may become more vocal in respect to who you do business with. I call that the “more consumer-driven approach,” and this is the ideal setting for credentialing expectations. But there are other areas where you will see tremendous influence and change within the standards themselves. For example, if a change in the standards occurs around how credentials are issued electronically or how they are trusted, the industry will have to react to it. I would like to see the industry driving their own set of standards, much like the Payment Card Industry Data Security Standard (PCI DSS) that is an industry-led joint effort by the credit card companies to develop their own standards. Because of PCI DSS, there are now laws being created, at a state level, that back the credit card industry’s standards. At the end of the day, the most traction any standard can gain, whether it involves credentialing or any other vital process, is when the industry comes together to adopt and share its thought leadership. When this occurs, the results help drive the adoption of the agreed-upon standards and it makes the industry more proactive than reactive. When the standards and practices originate outside the industry, there is a tendency to have more instances of misinterpretations and noncompliance. If the healthcare industry were the one influencing its standards, I think they would just need to be mindful of their consumers’ needs, what technology is best suited to meet those needs and how to enable it.
If the healthcare industry takes this leadership position, it will experience fewer pain points and friction. I am a firm believer that the healthcare industry needs to seize control of the issues surrounding credentialing before outside agencies and lawmakers step up and fill that void.