Karen Guenther
CONFIDENTIALITY

New techniques of verifying identity will allow sensitive information to be made available safely, conveniently, and expeditiously over the Internet.

Many people remember the great New Yorker cartoon from a few years ago in which a dog is seated in front of a computer, typing, as he thinks, "On the Internet, no one knows you're a dog." Too true, as recent events have shown. For example, no one knew that the eBay high roller making the winning bid on millions of dollars' worth of luxury goods was in fact a 13-year-old boy who thought he was playing a game.

What's needed is a way to bring to online health care transactions the same interrelated ways in which humans verify identity. Fortunately, new advances in technology are starting to make this possible.

What's identity?

Think of the ways in which you identify someone. To some extent, we're born with the ability to do this. Research has shown that very young infants can recognize and remember faces. As we grow we add more and more cues to our identification checklist. We remember faces and voices, scent, physical size, gait, hand gestures, handwriting, sense of humor, type of personality, and other characteristics. In addition, we associate people with certain settings or times in our lives, giving us another way to consult our personal database to make an identification. Remember the time you met a med school classmate, years later, at a health care conference? Memory failed because you were in a different place, doing different things.

Degrees of openness

Now think for a moment about how we act once we've determined identity. Your internal dialogue varies greatly depending on the situation and who you're interacting with. Some examples include:

"That's the director of medicine — act as if everything's under control."

"That's my cynical coworker — gripe about the director of medicine."

"That's my research partner — be excited about renovations to our lab facilities."

"That's a new resident — be blandly pleasant but don't reveal anything personal."

Based on identity, we define and sometimes limit the information we're willing to expose, and the ways in which we present the information that we do expose.

Easy to hack

In the physical world, there are many interlocking and reinforcing cues that let you know who's who. But, as in the case of that now-famous dog on the Internet, if all you see on your workstation screen is standard ASCII text, how can you know who's on the other end? Today, most of the Internet is not really secure, and it's relatively easy for unscrupulous people to assume an electronic disguise successfully. Because of this, most security on the Internet has been built on a purely defensive assumption: People will break into online health care information, so we must restrict the information we make available.

Health care organizations put lots of effort into security for closed, online environments. These can include intranets (networks within the organization), E-mail, and other activities that go on behind a firewall. These technologies are well known, quite well developed, and widely implemented.

The more recent arrival of extranets — online activities that happen outside the institution's physical firewall — presents more serious challenges to the health care industry for ensuring security and correctly verifying identity. Health care organizations, banks, and online retailers are all examples of businesses that have moved to an extranet-based way of conducting business, and their security needs are different and more demanding, because they allow outside access to highly sensitive information. Defensively restricting the types of information you make available on an extranet is fundamentally at odds with the reasons you want to build an extranet in the first place: to provide more efficient service through increased information access.

If you assume that you will be "hacked," and therefore you restrict information, you give up the advantage of putting your health care business online. Unfortunately, it is this very information — internal, proprietary, meaningful information — that could provide the greatest competitive advantage if you could share it with providers, insurers, patients and research colleagues. This is what happens today because of inadequate security, which in turn is caused by insufficient components of online identity.

Call it 'E-dentity'

What's a better solution than the PINs and passwords that we're all familiar with? We need a form of identity for the online health care world that is almost as complex and unique as the ways in which humans identify each other.

A fairly new technology called PKI, for public key infrastructure, comes closer to the type of multi-layered interlocking cues described earlier. Through PKI a "trusted source," which could be a hospital, an HMO, a bank, a government or some other organization, issues a "digital certificate" to a user. This organization is called the "certificate authority." The certificate itself is really a long, complex, random series of numbers and characters. Most often, it is placed on a "smart card" or some other form of electronic storage. Most are more than 200 characters long, not the six or seven characters typical of most PINs. This unique certificate is virtually unduplicable, in the same way that the combination of your face, voice, and personality together cannot be matched.

The certificate authority — the organization that issued the certificate to you — has another copy of the certificate in a database. Your identity is confirmed only when your copy and the authority's copy are engaged simultaneously, along with a password or some other form of identification. The combination of these variables creates a multilayered, interdependent form of security that is nearly as complex as those that make up the process of human identification. I call this "E-dentity."

Just as people can translate their recognition of identity unconsciously and instantly into a specific set of behavior guidelines based on that identity, online interactions based on E-dentity offer far more open and productive interactions than are typical in today's online environment.

Imagine that a worldwide supplier of health care products wants to share key corporate information with a specific set of provider organizations. If those providers have an E-dentity with the worldwide supplier, they could be privy to much more useful information, perhaps reducing costs or shipping products more efficiently. Or imagine a health care organization that today must keep patient information under such tight wraps that often patients can't see information about their own cases. With E-dentity-level security, patients could see much more relevant information, make better-informed decisions and at the same time know that their personal information is secure.

With E-dentity-level online security, the much-sought-after days of "frictionless commerce" on the Internet could come much closer to reality, providing people with better customer service, access to more relevant information, and better, less-expensive products. By ensuring that transactions occur between the correct people, E-dentity security could revolutionize the way companies do business. Good news, unless you're a hacker dog.

Karen Guenther is global director of health industries at CyberTrust Solutions, Needham, Mass., a GTE company that deals with data security. She was recently reappointed to the board of the College of Health Information Management Executives.
