One of the great challenges in providing connected portals for patients is proving that the person using the portal is the person he/she claims to be. It’s a problem known as identity proofing and getting it right or wrong greatly impacts the success of your portal.
The American Health Information Community (AHIC) looked into this challenge in 2007 through its Confidentiality, Privacy and Security (CPS) workgroup. We’re starting to see how some of these approaches are applied in real-world solutions.
The gold-standard for identity proofing is to have the patient appear, in person, with one or more government-issued photo identifications. This is nearly foolproof, but it’s also impractical and a significant barrier to adoption. And even when incorporated into a visit to the hospital or physician office, consumers are often not interested in the portal solution at that time or they’ll forget they have an account, login, and password.
Google Health approaches this with a solution that is a virtual parallel to the presentation of identification. To link a Google Health account to your hospital, lab or pharmacy, Google trusts the other facility’s judgment in connecting the accounts. Most of us have seen this approach applied with Facebook or Twitter. When you sign up for a related application, they often authenticate by passing you to Facebook, having you sign into your Facebook account, and then granting you rights or authorizing a link for the initiating application.
This is a good approach, but it still leaves the problem of authentication to the hospital, lab or pharmacy. If that’s you, where does that leave you?
One approach is to send information that will allow the patient to connect accounts together to a known address. Vanguard Investments takes this approach. It’s more convenient than appearing in person, but it takes a great deal of time and is still inconvenient.
A more practical approach involves a challenge-response system requiring the patient to provide answers to several questions that presumably only they would know. To be valid, this is needs to be a deeper interrogation than simply providing a mother’s maiden name or the name of your first pet.
You may have experienced this type of authentication procedure if you’ve requested your credit report online. This is the approach that Kaiser-Permanente has taken with its KP.org patient portal. Patients answer five questions in order to authenticate themselves.
As we see more applications taking on this challenge, this is currently the most practical approach to keeping clinical information secure while still engaging patients in their care.