Thursday, September 25, 2008

E-prescribing and two factor authentication

The last two weeks have given any sentient American plenty to think about. At the global level, we have seen some remarkable statements about international relations, global warming, and the impact of the near-collapse of our financial system. New Yorkers first - and soon all of America - will be experiencing first-hand more of the adverse consequences of mathematical aerial palaces constructed by financial wizards who seem to have failed to notice the history associated with irrational financial instruments (see: Long-term Capital Management; the Great Depression, etc. etc.).

At these times perhaps the best one can do is focus on the small things first. For this reason, John Moore's September 26, 2008 Government Health IT article entitled "Doctors and the DEA" provides a good summary of the inherent tension between the e-prescribing enthusiasts (call them the idealists) and the e-prescribing skeptics (call them the cynics). The enthusiasts believe that our current e-prescribing infrastructure - properly applied - will be no different in clinical outcome than the current paper system. Indeed, it should be more efficient, safe, and effective in the long run. The cynics - noting particularly the consequences of controlled substance prescribing - ask "how do you know the prescriber is who they say they are?" (I know, how do you know that on paper...but people don't seem to compare e-anything with reality but instead with Utopia).

Let's focus on two-factor authentication. 

Some say two-factor authentication is costly.

Hmmm..... if it's that costly, why does my PayPal secureID (apparently used by some PHR models) cost me only $5? And it seems pretty secure to me. I'm unlikely to give it to someone who then could more easily, say, buy a vintage 1955 Gibson Les Paul guitar and leave me with the bill.  And why is my two-factor ID from e-trade free? And how does Bank of America do such a great job with security that includes using my cell phone as a second factor, texting me with a PIN before I can log on?

Identity management - knowing Dr. X is who they say they are - is costly if done de novo, but hospitals, medical associations, and others have a longstanding interest in the identity and integrity of individual practitioners. David Miller, the very brilliant chief security officer at Covisint, says a one-time password "would cost a physician $100 to $500 a year to maintain." I suggest local medical associations and providers seek less costly alternatives from banks and PayPal. Furthermore, the cost of these systems should decrease dramatically as identity management - increasingly central to commerce and personal finance - is incorporated into health care in more consistent ways.

Some claim that two-factor authentication is onerous because systems are expected to "time out" with disuse after two minutes. These critics have a very real point. In particular, a time limit independent of context seems a little crazy. A two-minute time-out makes sense for NSA officials or bank clerks sitting in cubicles and typing all day. It makes sense for portable devices when one is doing refills from an airport and in settings where the device could quickly and easily fall into the wrong hands. But it is hard to conceive of such a requirement in secure practice settings. I would be worried if an anesthesiologist had to re-certify their identity every 2 minutes while keeping me alive through brain surgery. Call me naive, but I'm willing to bet that whoever put me under is the same person who will be there two minutes later. Similarly, practitioners in their offices, clinicians in hospital settings, and health care professionals carrying home health devices should be given a little more slack. And some of the systems they use are very secure because even trained professionals have difficulty using them effectively! Perhaps the only secure information system is one that is turned off!

What are people thinking? Do they imagine that a clinician working with her professional colleagues in a practice setting will turn away and, in a few brief moments, someone in a black mask will come in and deplete the country's supply of opiates with a few mouse clicks? Is the threat to the public so severe in fixed practice settings (in which much damage can be done through needles, scalpels, and drugs)? Isn't this why we have audits and remedies for irresponsible behavior and fraud?

Time-outs are important, but they have to be context sensitive, and knowing context is more straightforward in these days of IP addresses and Wi-Fi.

Let's take an analogy from an industry that worries me more - guns. I still think I can attribute more deaths to guns than I can to illicit prescriptions. But we have developed some practical policies. If you are really afraid of the power of e-prescribing, think of these technologies as handguns.

  1. You can keep your gun loaded when standing in a shooting range
  2. You can keep your guns loaded when hunting (hopefully with the safety on)
  3. You should not keep your gun loaded in the home - indeed, you should keep it locked up away from ammunition (I'm guessing here; I'm not a gun guy).
  4. No matter what you do, some people are going to mess up; the task is to minimize the consequences, not to imagine they aren't somewhat inevitable.

As a Nation and as an industry we can develop low-cost, reliable, two-factor authentication infrastructures. It's just going to take us time to couple the new technologies with our existing organizations that manage prescriber identity for other reasons. Similarly, with a little common sense, we can arrive at context-specific guidelines for time-outs. Portable devices would have one limit, land-based devices would have others depending on their location. We can work this out. And our systems generally know where they are.
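
An added example (not from the original post or from any e-prescribing product) of the context-specific time-outs described above: the idle limit depends on device class and on the network zone a request comes from, unrecognised contexts fall back to two minutes, and a device that changes zone must present its second factor again. The subnets, zone names and every limit other than the two-minute figure are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TWO_MINUTES = 120  # the context-free limit discussed in the post

# Constructed RFC 1918 subnets standing in for a practice's own networks.
ZONES = [(ip_network("10.20.0.0/24"), "operating_room"),
         (ip_network("10.20.8.0/21"), "practice_office")]

# Idle limits in seconds; every value except TWO_MINUTES is an assumption.
IDLE_LIMITS = {("fixed", "operating_room"): 4 * 3600,
               ("fixed", "practice_office"): 15 * 60,
               ("portable", "practice_office"): 5 * 60}


@dataclass
class Session:
    device_class: str     # "fixed" or "portable"
    zone: str             # zone in which the second factor was last presented
    last_activity: float  # seconds since epoch


def zone_for(source_ip: str) -> str:
    """Map a client address to a zone; unparseable or unknown is untrusted."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return "untrusted"
    return next((z for net, z in ZONES if addr in net), "untrusted")


def idle_limit(device_class: str, zone: str) -> int:
    """Unlisted contexts fall back to the strict two-minute limit."""
    return IDLE_LIMITS.get((device_class, zone), TWO_MINUTES)


def check(session: Session, source_ip: str, now: float) -> str:
    """Decide whether a request may proceed or needs the second factor again."""
    zone = zone_for(source_ip)
    if zone != session.zone:
        return "reauth: zone changed"   # device moved since it authenticated
    if now - session.last_activity >= idle_limit(session.device_class, zone):
        return "reauth: idle"
    session.last_activity = now         # activity resets the idle clock
    return "ok"
```

Every re-authentication decision returned by `check` is also the natural place to write an audit record, which is the control the post relies on for fixed practice settings.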

Where are the common-sense approaches? I hope people are thinking them through. I would imagine in particular that the e-prescribing and EHR vendors have plenty of reason to figure this out. At some point a successful software vendor has to place more emphasis on creating valuable systems than on simply closing deals.

Why are clinicians reluctant to adopt e-prescribing? Perhaps because they see polarity and conflict rather than middle-road common-sense, evolutionary approaches. Perhaps it is our penchant for creating conflict and win-lose that leads to impasse. Perhaps it's just our collective inability to get ahead of these problems and solve them. No matter what the behavioral cost, two-factor authentication devices should be commodities under a strong, federated identity management framework. Parties already certifying the identity and roles of health care professionals should find low-cost ways of embracing two-factor authentication. And common sense must prevail in all of this.

And I do not have the energy to elaborate on my confusion over the enormous discrepancies between practical audits and security checks and the alleged costs associated with SysTrust audits.

Where are the entrepreneurs here? If the whole world were run like some proposed eHealth constructs, my express mail package would cost $2,000 and my annual automotive emission test would cost $10,000. 

I am strongly in favor of solid authentication mechanisms, time-out requirements, security checks, and audits. We know what we have to do; we're just haggling about the real price.

We can do it well and inexpensively. We've only got to try.

