I came across this interesting headline a while back: Healthcare Identity Management Is Necessary First Step to Electronic Health Record Interchange. The article has a link to a briefing from the Smart Card Alliance. While this is an American organization, the context is similar enough to the Canadian identity management issues in health service delivery. The briefing has a fascinating statistic:
More than 195,000 deaths occur in the United States because of medical error, with 10 out of 17 medical error deaths due to “wrong patient errors.”
The implication is that a large number of lives could be saved by improving identity management, and the brief’s answer to this is, predictiably, to implement smart cards. The Smart Card Alliance feels that all citizens and health services professionals should be issued cards.
First of all, I think that smart card technology is very well suited to high-value transactions like those carried out in the health sector. The form factor is convenient, the technology is robust and there are some good solutions out there that make session switching on shared computers fast and easy.
But in health service delivery, particularly in Canada, the identity and access issues are not the real concerns for physicians — whether I am insured or not, whether my health information is online or not, the physician’s job is to diagnose and treat. This is particularly true in acute care situations such as emergency. My understanding is that doctors and nurses in those environments are reluctant to use systems if those systems get in the way of treating sick or injured people, even if those systems contain in-depth medical records. Implementations of smart cards — or any other technology — need to be slick and flexible to be adopted.
On the patient side, I agree that it makes sense for patients to access their own electronic health record over the Internet. Smart cards are touted by the Smart Card Alliance as being a secure solution for strong authentication over the web, and although I’m aware of some exploits, it is a proven technology. The issue then becomes how to provision all those millions of users. There are certainly some good processes out there for identifying individuals, but because most of them require in-person registration (or some other form of corroboration) there is the question of cost. I know in Alberta we have recently empowered our network of registry agents to perform eligibibility services (i.e. identification) for the health system and presumably this could be used to issue a smart card or other second-factor credential.
How would a fractured American system handle this provisioning? Who would be responsible for issuance, changes, revokation, ruling on eligibility, etc.? And who will pay for the smart cards and readers?
And what privacy issues would emerge from such a solution? Keep in mind that a strong credential such as a health services smart card would have the potential to become a national credential for Americans. Identity fraudsters would seek out weak links in the on-boarding process to obtain this valuable credential. And future governments would have the ability to link medical and other records to a host of other databases…
Clearly, users would need to have clear rights and remedies, something that may be difficult in a country that does not have national privacy legislation.
It is a complicated topic, one that the Smart Card Alliance’s brief does not properly address in its zeal to promote their specific technology.