Read an interesting article yesterday on the Supreme Court’s ruling in favour of the province’s right to enforce photos on driver’s licenses — see my post at the Canadiam blog.
I came across this interesting headline a while back: Healthcare Identity Management Is Necessary First Step to Electronic Health Record Interchange. The article has a link to a briefing from the Smart Card Alliance. While this is an American organization, the context is similar enough to the Canadian identity management issues in health service delivery. The briefing has a fascinating statistic:
More than 195,000 deaths occur in the United States because of medical error, with 10 out of 17 medical error deaths due to “wrong patient errors.”
The implication is that a large number of lives could be saved by improving identity management, and the brief’s answer to this is, predictably, to implement smart cards. The Smart Card Alliance feels that all citizens and health services professionals should be issued cards.
First of all, I think that smart card technology is very well suited to high-value transactions like those carried out in the health sector. The form factor is convenient, the technology is robust and there are some good solutions out there that make session switching on shared computers fast and easy.
But in health service delivery, particularly in Canada, the identity and access issues are not the real concerns for physicians — whether I am insured or not, whether my health information is online or not, the physician’s job is to diagnose and treat. This is particularly true in acute care situations such as emergency. My understanding is that doctors and nurses in those environments are reluctant to use systems if those systems get in the way of treating sick or injured people, even if those systems contain in-depth medical records. Implementations of smart cards — or any other technology — need to be slick and flexible to be adopted.
On the patient side, I agree that it makes sense for patients to access their own electronic health record over the Internet. Smart cards are touted by the Smart Card Alliance as being a secure solution for strong authentication over the web, and although I’m aware of some exploits, it is a proven technology. The issue then becomes how to provision all those millions of users. There are certainly some good processes out there for identifying individuals, but because most of them require in-person registration (or some other form of corroboration) there is the question of cost. I know in Alberta we have recently empowered our network of registry agents to perform eligibility services (i.e. identification) for the health system and presumably this could be used to issue a smart card or other second-factor credential.
How would a fractured American system handle this provisioning? Who would be responsible for issuance, changes, revocation, ruling on eligibility, etc.? And who will pay for the smart cards and readers?
And what privacy issues would emerge from such a solution? Keep in mind that a strong credential such as a health services smart card would have the potential to become a national credential for Americans. Identity fraudsters would seek out weak links in the on-boarding process to obtain this valuable credential. And future governments would have the ability to link medical and other records to a host of other databases…
Clearly, users would need to have clear rights and remedies, something that may be difficult in a country that does not have national privacy legislation.
It is a complicated topic, one that the Smart Card Alliance’s brief does not properly address in its zeal to promote their specific technology.
I’ll try to get a better post out later this week, but I thought I’d share some initial information from today’s briefing via Twitter.
E-Girl (aka my teenage daughter) is your typical 21st century teenager with a bevy of gadgets and skills to match. She has her own phone (of course), is a blossoming food blogger and has never owned music on physical media.
E-Girl is also the hockey pool organizer. A quick trip to officepools.com, a round of poolster recruitment and she has a tidy collection of teams and picks entered and ready to go for the opening night puck-drop.
E-Girl is learning to be net-savvy and she has privacy awareness that belies her youthfulness. (Yes, she’s endured a few privacy and Internet-safety lectures from me…) For example, with the exception of email, she doesn’t use her last name online.
So it was with some surprise that I noticed a wee pink sticky note attached to her PC this evening… yes, a sticky note with her hockey pool login credentials on it for all to see.
You can read the damning words for yourself:
It is shocking.
Most of my consulting work consists of advisory, planning and delivery services in identity management. So it is no surprise that one of my interests is in seeing how the Pan-Canadian Identity Management & Authentication Strategy can be applied to a variety of IdM projects. This strategy holds promise for the future development of a national identity framework, one that can cross government jurisdictions and programs.
The Task Force that developed the strategy established a clear vision:
The overarching vision of the Task Force has been a Pan-Canadian IdM&A Framework that supports access by citizens and businesses to a seamless, cross-jurisdictional, user-centric, multi-channel service delivery experience when interacting with government.
For those of us (all of us?) that have had dealings with federal, provincial and municipal governments, this is clearly an ambitious vision. It is fair to say that even working within a single government department today — let alone across jurisdictions — is not seamless and rarely is it multi-channel. When working between different government departments we encounter a patchwork of online, phone and in-person services that require us to present identification at each step and in inconsistent ways. Improvements in these areas are clearly in our best interest as citizens and taxpayers.
The Pan-Canadian vision promotes standards collaboration. There must be a basis for establishing ‘trusted, collaborative relationships across jurisdictions’, and only through agreed-to standards can we make this goal a reality. This is particularly true in the high-value online service delivery channel. Identities for use with applications that require high levels of identity assurance must be well supported by issuing organizations to be effective in a cross-jurisdictional use case.
The vision also recognizes the importance of leveraging existing IdM infrastructures — clearly many jurisdictions (and departments within) have IdM services in place that can be adapted and leveraged. The Pan-Canadian vision does not compel organizations to discard functioning systems, and this shows up in one of the service delivery design principles:
The ability to leverage existing infrastructure and the increased interoperability of systems.
So how does such a vision get realized? How does a country that is famous for regionalism and inter-jurisdictional disputes move towards a unified and collaborative model?
- First, governments can improve the chances of realizing this vision by making identity management a priority. In a country as prosperous as ours, the issue is rarely funding but rather one of priority. Establishing that e-government and e-business need IdM to fuel economic and social development in Canada is key to moving forward.
- Second, the momentum that we are now seeing in implementing the Pan-Canadian strategy needs to be maintained. In-flight projects need to be completed, new ones identified and communications between all parties increased. Flexibility in the establishment of standards — recognizing differences and allowing for variances — is necessary if all parties are going to participate fully.
- Finally, the standards that emerge from the project work need to be quickly codified and become mandatory for inter-jurisdictional transactions. I realize that ‘quickly’ is a relative term, but we can’t be talking about standards development five years from now — we need the basic standards and protocols established in the next 12 months if we are going to catch up to what the rest of the world is doing.
A vision of a seamless, cross-jurisdictional, user-centric, multi-channel service delivery experience is very much in the ‘go big or go home’ category — and now that governments are starting to become engaged in the execution of the Pan-Canadian strategy, it will be interesting to see how the resulting solutions match up to this ambitious vision.
What is Identity & Access Management?
- The Free Dictionary provides this definition: “The management of a user’s identity. Within the enterprise, an identity management system comprises a system of directories and access control based on policies. It includes the maintenance of the system (adds, changes, deletes) and generally offers single sign-on so that the user only has to log in once to gain access to multiple resources.”
- The Internet 2 Middleware Initiative offers that “IAM ensures that the right people access the right services.”
- Wikipedia doesn’t have an IAM definition; their closest is for Identity Management: “a broad administrative area that deals with identifying individuals in a system (such as a country, a network or an organization) and controlling the access to the resources in that system by placing restrictions on the established identities.”
Identity & Access Management (IAM) allows an organization to do more online with their users and stakeholders. It provides assurance (to the degree required) that the online user is who they claim to be.
Bottom line: IAM enables meaningful e-commerce and e-government by providing much-needed identification and accountability.
I haven’t applied for a credit card in a while and so I wasn’t expecting this new identity proofing process from BMO MasterCard…
I called the customer service number to activate the card. In the past, you simply had to enter the 16-digit number and, assuming you are calling from a home phone number, the combination of the card number and phone number was sufficient to validate your identity.
Today, however, the system collected my card number and explained that I would need to participate in an identity proofing process based on my credit history.
After a few minutes on hold, the agent came online. Here is the transcript, somewhat paraphrased:
Agent: Hello, Mike, we need to confirm your identity using information from your credit history. We will ask you some questions and you can pick from three multiple-choice answers. Do you agree to this process?
Me: Uh, Sure.
Agent: Okay, from the following list of credit unions, who have you banked with in the past five years? <she then listed three credit unions.>
Me: <name of credit union.>
Agent: That is correct. Next, from the following apartment numbers, pick the one that corresponds to a previous residence.
Me: Uh, well I can’t recall the last time I’ve lived in an apartment…
Agent: Well… Let me list the numbers and see if you recognize any: 1101, 6A or 904.
Me: I’m not sure — is this my only option? The last time I lived in an apartment was 1987!
Agent: Well, we need an answer to this question.
Me: I can’t remember an apartment from 20 years ago… can you?
Agent: Uh, no, I see your point… but the credit bureau has this information…
Me: (sigh) I’m sure they do… and I’m sure it is accurate, but this isn’t much use to us if I can’t remember.
Agent: Well, if we can’t finish this process you can go to your bank in person with two pieces of identification to activate your card.
Me: I see. Well, can I guess? How about ‘1101’ ?
Agent: Yes! That worked; your card is now activated…
I’ve written about shared secrets and identity proofing before, and I knew that credit bureau information was a rich source of shared secrets. In fact, these types of questions are likely what is driving the Equifax Over 18 I-Card implementation (used to prove age of user among other things).
So what is new and worth commenting about all this?
- The questions are locked – the agent only had two questions and I had to get them correct on the first try to proceed. She was surprised when I asked for an alternate question.
- There were only three options to each question. I actually guessed at the apartment number and was successful. With only 2 questions and three options, my calculation is that a fraudster would have a 16.7% chance of guessing the right answer to both questions.
- Because my call had to be from my home phone, the threat they are attempting to thwart is (presumably) ‘an intercepted card by someone in the same household (or someone with caller ID spoofing capability)’. This is seemingly a low-probability occurrence, but it is obviously worth the bank’s efforts to implement this additional process.
My best guess is that they are having trouble with intercepted mail and caller ID spoofing. I wonder if the additional shared secrets presented in a multiple choice format are sufficient to overcome a determined (or lucky guesser!) fraud artist given that they’ve already stolen my mail and know my phone number…
I’ve just signed up for the Social Media Marketing Bootcamp that is taking place in downtown Edmonton on September 9th.
The idea is to see how my own business marketing stacks up against the best practices that are emerging. I’m already using the web, which of course includes many things now tagged as ‘social media’, and traditional media for marketing, but perhaps there is a set of practices and techniques that can help my business.
Maybe there is an identity angle to be discovered…
Update: no real identity angles, but a very worthwhile session — I learnt a lot about how to design and implement a social media program. They are running this again in October but already are nearing capacity, so sign up today if you are interested!
Unless you’ve been living in a cave over the past six months, you are probably aware that Cloud Computing is the Next Big Thing. Of course, it isn’t new or unique — it is a form of centralized computing and application delivery that has existed since the first time-sharing systems emerged in the 60s.
But the big vendors need a story to push their products and services, and Cloud Computing is it for 2009. It isn’t surprising that the information security and privacy protection aspects of cloud computing are starting to get a lot of attention as well.
What are the risks? How secure is my data in the Cloud? What privacy protections can I rely on? Do you really trust your service provider?
I like Ranum’s emphasis on limited data access and lack of portability. Locking clients into a hosted application and database is going to be a problem when the client wants to use another provider. Just how do you move five years of email from Gmail to your own mail server? Can you quickly extract and replatform your critical sales data from Salesforce.com if Salesforce gets bought out by one of your competitors?