Connecting Consumers: Common Framework for Networked Personal Health Information

CT2: Authentication of Consumers

Common Framework for Networked Personal Health Information

This practice area addresses the following Connecting for Health Core Principles for a Networked Environment*:
6. Data Quality and Integrity
7. Security Safeguards and Controls
* "The Architecture for Privacy in a Networked Health Information Environment," Connecting for Health, June 2006. Available at: http://www.connectingforhealth.org/commonframework/docs/P1_CFH_Architecture.pdf.

Appendix B: Scope and Charge of the Work Group

The Work Group on Consumer Authentication and Health Information Exchange was charged with defining a framework to authenticate the identity of individual consumers consistent with Connecting for Health principles. This includes identifying a baseline of policies and technologies to assert, within acceptable thresholds of accuracy, the identity of an individual consumer requesting copies of her personal data in an electronically networked health information environment. The recommendations are intended to encourage a fresh approach to foster trust of all network participants, and specifically to protect the consumer, the health data holders, and the Consumer Access Services from the following threats:

  • Defense against illegitimate access to health records: This is defined in this paper as externally targeted or automated attacks to gain access to an individual's health information. The attacker in this scenario could be someone known to the consumer (as with a relative or colleague looking at material inappropriately), someone not known to the patient mounting a targeted attack (as with a private detective trying to access records), or someone mounting an indiscriminate attack (looking for anyone's health records, possibly as a precursor to medical fraud).
  • Defense against identity theft: The threat here is not to the clinical data per se, but to the consumer's identifiers and demographics – address, date of birth, Social Security Number, health benefit eligibility number, etc. Protecting against identity theft is an obvious goal. The key complication here is that it is very difficult to protect against family members posing as one another, and it is not possible to design a system that covers all state regulations of parental access to their children's data. Our Work Group did not focus on proxy access beyond the key principle that the identity of all proxies accessing the system be recorded, as well as the identities of people for whom they are proxies, so that, should a proxy later lose access, their authentication tokens can be revoked separately from the main account.

The following issues fell outside of the scope of this Work Group, but we list them here to acknowledge their importance in creating a trusted health information sharing environment for consumers:

  • Consumer Issues:
    • Consumer Behavior: We are not addressing what consumers do with their copies of personal health data. We live in an age in which individuals are increasingly self-publishing on the Internet intimate details of their personal lives. It was outside the scope of this Work Group to attempt to address the complexities of individual behavior and choice. Nevertheless, these are relevant concepts. Consumers' own experiences and individual preferences will no doubt shape this emerging area.
    • Phishing: There is a parallel problem to consumer authentication, related to the assurances provided by the entity hosting the consumer's data. Mechanisms need to be in place to defend the consumer against "phishing" attacks, where a consumer is directed to log into a seemingly legitimate web site or service, but which is really a copy of an existing site, with a similar URL. The risk of such phishing in medical contexts is high; however, the defenses against the phishing problem require a different set of strategies than those outlined in this document.
  • Data Storage Issues:
    • Data Security: Methods to encrypt and secure health data repositories are beyond the scope of this paper. We focus on defense against unauthorized users defeating authentication systems, not attacks on larger data stores. For purposes of this paper, we accept as a precondition that all actors have good physical security practices. The digital signing of records is also outside the scope of this paper.
    • Data Policies: Also out of scope of this paper are policies for data custodianship and data sharing other than those related to identity proofing and authentication. The parallel Connecting for Health Work Group on Consumer Access Policies for Networked Personal Health Information is working on recommendations for privacy policy, disclosure and consent, secondary use, etc. For purposes of this paper, we accept as a precondition that the consumer has voluntarily initiated a PHR account and authorized all uses and exchanges of personal health data consistent with Connecting for Health principles for privacy, available online at: http://www.connectingforhealth.org/commonframework/docs/P1_CFH_Architecture.pdf.
  • Business Issues:
    • Business relationships: This paper does not address the necessary business relationships that would provide motivations for health data sources and PHR services to share data on the consumer's behalf, or for intermediaries to emerge between them.

In summary, this paper focuses on a framework for the authentication process when the individual wants to access or contribute personal health information electronically among health professionals or other health-related entities (HIPAA-covered or not).
