Automated captions for self-owned Identity in healthcare overview

I wanted to spend a few minutes and introduce some vocabulary around a few core challenges in managing identity in healthcare and beyond. I want to argue that today, things are pretty broken, even when they seem to be working kind of OK, and then point forward to a set of emerging specifications that are the first thing I've seen in a long time that really look like they could actually make a dent in the problem.

I'll think a little bit about a road map towards getting there. So to start, I want to introduce a few pieces of vocabulary, all around the issue of identity. Maybe the way I would state this to begin with is that today, every time we have a new relationship, it starts with a blank slate online. This could be a relationship between a patient and a healthcare provider, or a patient who is a beneficiary of an insurance program, or it could even be an organizational relationship between a healthcare provider and the health system where they work. There are all kinds of these individual relationships, and every time we start one, it's a blank slate where people have to convey information about who they are, and how they can sign in, and make decisions about what kind of data they want to share. So I want to introduce these three points of vocabulary to start.

First off is identity. These are really questions about who you are and what qualifications you have. Are you a licensed physician? Are you a licensed driver? Are you a citizen or resident of a given territory? And how do you present this information? What kind of documentation is required to get that across? Those are all issues about identity. Another related issue is authentication. This is really about how you sign in to a website. What kind of account do you use? How do you make sure that other people can't sign into that website and get access to your account if you don't want them to? What kinds of protections: second factors, passwords, additional devices? All those kinds of things have to do with the problem of authentication. And then there's a set of issues about sharing and privacy. If you're giving me access to some of your data, what am I allowed to do with those data? Can I share them? With whom can I share them? Where are those data allowed to go? Do you want to be notified when those data do flow? Basically, what should I be doing to protect your privacy, and how do we set up those expectations? These three issues together, identity and authentication and sharing, represent a set of core infrastructure that today really doesn't work that well on the web. I want to dig into each of these quickly, starting with identity.

Today, I would argue things are kind of a mess when it comes to answering this question of who you are. In the healthcare space, we basically have two ways that we do this. The first one is in-person identity proofing: I'm going to come into the healthcare office and show my driver's license to front office staff, to the clerk behind the desk. The good thing about this is there's sort of a high-trust environment there; you can build on top of these existing relationships. But the bad thing is that it's very slow and expensive to do this in person, and you have to do it again every time you have a new relationship with a different hospital or clinic or health system. You've got to drive across town and show them the right kind of documentation before you can get on board in that process, and especially if you've moved and you're no longer able to drive across town, that can become very difficult.

The other major approach that we take to identity in healthcare is knowledge-based identity proofing. These are often the kinds of online workflows where you're redirected to an identity proofing service, like the ones that are run by Experian, for example. You answer a bunch of detailed questions like: what color is your Volkswagen, and what county did you use to live in 17 years ago, and all these kinds of things. The nice thing about these workflows is that they're fast and they're automatic, so you don't have to drive across town, but there are a couple of real downsides. One is that they're actually quite expensive for the relying parties. Every time you go through a flow like that, it costs dollars, somewhere in the order of $1 to $5 to go through that flow. But the more insidious challenge here is really that this kind of identity proofing system relies on quote-unquote proofs that are really just guessable, and these are data that are subject to breach. More and more reliance on these kinds of identity proofing systems based on knowledge means that there's an incentive for organizations that run these systems to pile up as much data about individual consumers, about individual people, as they can, because the bigger and the more differentiated that pile becomes, the more valuable the identity proofing service becomes. So it offers this sort of incentivization for hoarding data, and we've seen over and over again that when these piles of data get created, they tend to leak over time. So that's a little bit about the mess that we're in with respect to identity.

I want to say a couple of things about authentication as well. When you want to securely sign into a website today, still the most common way this happens is through pairwise accounts. For every new website that I'm going to have a relationship with, each organization I'm going to talk to, I'm going to create a new username and a new password and do my best to navigate through everybody's different password requirements. Some people require a certain amount of punctuation; some people prohibit certain punctuation marks, and you have to sort of figure out something that's going to meet everybody's requirements. Often what this means is people reuse passwords from site to site, or they use password resets very heavily: they just assume they're going to forget their password each time and have a link emailed to them when they want to log in again, and then password security really falls back to email. Or people move over to password management tools, tools like LastPass, that let you keep a collection of passwords for all the different sites that you want to sign into, and then as long as you keep that secure, you're in a little better shape. And then on top of just usernames and passwords, we see more and more prevalent support for second-factor or two-step authentication, and this actually provides a meaningful and important layer of additional security. But it also brings quite varied workflows to the table, so for every provider that's going to let you sign in with two factors, it's the provider who decides what kinds of factors they're going to support. There are lots of different individual applications here, some that have custom apps that run on your phone, some that go by secure text message, SMS rather, or email. As a consumer you basically have to deal with all of these different apps and approaches if you want to opt into a higher level of security, because you have to meet each service provider wherever they live.

And then of course we have prevalent support for single sign-on across the web, so if I want to sign into a website using a third-party account, like using my Facebook account or my Twitter or my Google account, this can be very convenient because it's effectively one-click sign-in to a website using my existing account, and the security is actually quite good too, because those organizations are good at managing account security. The real challenge here is that your identity, when you sign in with Google or when you sign in with Facebook, really doesn't belong to you. It's sort of rented to you, or leased to you, by Facebook or by Google. At any point, if you lose access to your Facebook account or Google account, you also lose access to any of those downstream websites that you sign into through those accounts. So it's not really up to you whether you keep that account over time; it's up to some third party. And also, at the same time, the companies that lease your identity to you are charging a price, even if it's not dollars. They're charging a price in privacy and tracking, because every time you use that Facebook account to sign into a third-party website, Facebook learns one more thing about where you're signing in, what kind of services you're using, how often you are using them. They're part of that loop each time you sign in using your Facebook account, so there's a real loss of privacy in that context with single sign-on. So that's a little bit about where we are today in security. And then finally, specifically for healthcare.

I wanted to share a couple of thoughts about how data sharing and privacy and transparency work. The first thing to say here is that there are many kinds of data sharing that are allowed under HIPAA, including a very broad permission for a covered entity to share data for purposes of treatment or payment or healthcare operations, and this leads to a kind of on-by-default sort of sharing in those contexts. It's perfectly legal under HIPAA, but this is a kind of data sharing that is totally opaque to consumers, and what we've found more and more recently is that it's surprising to consumers, and it can be distasteful to consumers, if their data are shared with organizations that they don't trust or organizations they feel like they have a reason to mistrust. So more and more, we're bringing to light these kinds of data sharing pathways that work under HIPAA but don't necessarily work as society evolves; it doesn't really meet our societal expectations. At the same time, under HIPAA there is the expectation that when an individual's data is shared outside of the covered entity, there's what's called an accounting of disclosures, so that individual is supposed to have a right to learn about the fact that their data has been disclosed. That's a right that's provided under HIPAA, but it's really a right in theory only. Nobody's figured out how to do this properly in the real world, and the Office for Civil Rights really doesn't penalize healthcare organizations for failing to meet this benchmark, simply because it's not practical. But at the same time, data can be de-identified, and then there's no accounting for disclosures required, because the data have met a certain set of safe harbor de-identification requirements. At that point they can be sold or shared pretty broadly, and of course this is a bit of a fiction, because just meeting those HIPAA safe harbor requirements doesn't mean that the data are really de-identified. They're not really anonymous. They can be re-identified downstream. So again, perfectly legal under HIPAA, but it doesn't provide the kind of privacy protection that we expect.

And then, even though there are many ways in which data are allowed to flow, and do flow, under HIPAA, still healthcare data are not usually available when they're needed, when they're needed the most. So this is a problem that the Office of the National Coordinator for Health IT has been trying to tackle for a long time, relying on a notion of national query networks, so that a healthcare provider can sort of broadcast a query to neighboring providers, or even providers all around the country, to say: I'm seeing a patient named Josh with such-and-such birth date, do you have any records about this person? We've been working through sort of the same set of protocols over and over again. We've seen the ONC make several attempts, most recently just in 2019 and 2020 through the Trusted Exchange Framework and Common Agreement, many attempts to have these kinds of query networks come up to speed and provide clinicians with a way to run these queries. But under the hood, it's all based on guesswork when it comes to identity matching. It's a set of probabilistic algorithms that have false positives and false negatives, so in the best case, a clinician might get back a set of hits that are mostly about the patient they have in front of them, and they need to be really skeptical. They need to read each record carefully and think to themselves, is this really about my patient, or is this just about someone with a similar name? They need to view every record with that kind of discerning eye. But doing any better is pretty untenable in this system. Validating each individual identity link manually requires buy-in from across the ecosystem and it's pretty expensive. If you ask an individual patient to review those kinds of links, it introduces a lot of workflow challenges: at what point should they be doing that, and how do those results get shared? So even though we've got kind of widespread support for sharing these data, the shaky identity bedrock means that the sharing doesn't work so well clinic to clinic.

So what I wanted to do then is describe a set of emerging standards that are the first thing I've seen in a long time that really look like they could move the needle on this set of problems about identity and authentication, and really transparency around sharing decisions, that's the privacy aspect. These are the decentralized identity specifications that are emerging today in the World Wide Web Consortium and in the Decentralized Identity Foundation. It's a core set of standards that allow an individual to obtain what's called a verifiable credential. It works a lot like a physical card that you might have in your wallet today. In the physical world, when you get a driver's license, you might have to show up in person to a state DMV and fill out some forms, and then you get a physical card that you can carry with you for the next five years, and anytime you want to demonstrate who you are, you can take that card out of your wallet and hand it over the counter and show it to someone and prove who you are. The nice thing about this is it's totally explicit: as a consumer, you know exactly when you're using that driver's license. You can decide when you're willing to show it and when you're not. And when you have that interaction and you hand it across the counter to a clerk, the state is not involved at that step. The state doesn't learn everywhere you go and everywhere you present that driver's license. They just know that they've issued a credential that's going to be valid for five years. So this set of open standards for verifiable credentials gives you very similar properties in the electronic world. It gives individuals a kind of electronic card that they can keep in a digital wallet, and they can present those credentials when and how they choose, following a set of open standards. The nice thing here is the credentials can be mixed and matched, so you might want to show proof that you have healthcare insurance as well as proof that you have a driver's license, and you can pick those two digital cards out of your virtual wallet and present them side by side. You can decide what information you want to share and when you do it; that is a conversation between you and the healthcare organization that you're talking to. It doesn't require other actors from the outside world. The state doesn't need to be involved in those conversations, and your insurance company doesn't need to be involved in that conversation unless you want them to be. So that's a really powerful privacy-preserving set of specifications that gives consumers much more control over what aspects of their identity they want to share. The nice thing here is that even if the individual's initial identity proofing step happens in person and requires deep scrutiny, even if that's a pretty expensive step, those costs can be amortized over the next several years when you have that credential, when you present it at all the different places that need to learn about you. So the idea is, let's do those expensive steps once and then reuse those identity cards, reuse those virtual credentials, as often as they are needed.

So it's a rich set of specifications for verifiable credentials, and then this same technology allows individuals to do authentication, or sign-in, using a set of specs from the OpenID Foundation and again from the Decentralized Identity Foundation, so that just like you could pull out a digital card from your wallet, you can digitally sign into a website using a credential that's created just for signing into that one website. Those can be stored securely on a mobile device that can be protected using biometrics, so something like a fingerprint or Face ID, or just a PIN. And the nice thing about this is there's no built-in tracking by the identity providers. You can sign into any website that you want to, and that's just a conversation between you and the website that you're signing into; there's no third party involved at the time that you're dealing with sign-in. So this is a really powerful set of foundational standards that help individuals demonstrate aspects of their identity, and also just sign in, or authenticate, to a variety of different kinds of websites or applications across this ecosystem.

It's a very powerful set of technologies, and then at a slightly earlier stage in the standards process are some really interesting aspects. So we talked about accounting for disclosures, and we said this is really impractical to do in today's paper world, but using a set of these decentralized identity standards, we have an emerging concept called consent receipts. The idea here is that if I give a website permission to use my data for some purpose, the website gives back to me a consent receipt, and this is a digitally signed document that says: you've shared with us the following information, here's what you've allowed us to do with it, here are the purposes of use that are permitted. All those kinds of details are written down on that receipt and it gets handed back to me, and then I can keep a folder full of those digital receipts, and at any point I can look through them and answer the question: where are my data going today, and who was allowed to use them? And if I see something I don't like, I can follow up on it; I can go back to the site or the service and revoke access in the future. So consent receipts are one really important emerging idea, and the other one is this notion of a personal data hub. So anytime I have a relationship with an outside business and they need to send me a bit of information, maybe a consent receipt for example, maybe that happens over an email system, but maybe it happens through more secure digital transmission into a hub, and I say: anytime you've got something to let me know, here's a key that you can use to securely send it into my personal data hub. So consent receipts and data hubs are a couple of examples of specifications in this space of decentralized identity that are early but very promising. Together, this set of technologies starts to get at a few of those core challenges.
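The card flow from the verifiable credential passage above, and the signed consent receipt that follows it, worked as an added Go example (not code from the talk, nor from the W3C, DIF or OpenID specifications it names): a hypothetical DMV and insurer each sign a card once, the holder presents both to a clinic that checks them only against issuer keys it already holds, and any edited card fails. A consent receipt is the same signed-document shape with the clinic as the issuer and the individual as the verifier. Issuer names, claim keys and the JSON layout are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Credential is the "digital card": issuer, subject, claims and expiry.
// The layout is this example's own, not the W3C Verifiable Credentials model.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Expires int64             `json:"expires"` // unix seconds
	Sig     []byte            `json:"sig,omitempty"`
}

// payload is what gets signed: the card without its signature. Struct fields and
// map keys marshal in a fixed order, so issuer and verifier sign/check the same bytes.
func payload(c Credential) []byte {
	c.Sig = nil
	b, _ := json.Marshal(c)
	return b
}

// Issuer holds a signing key: the state DMV or the insurer in the talk.
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer(name string) Issuer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Issuer{Name: name, Pub: pub, priv: priv}
}

// Issue runs once, after whatever in-person proofing the issuer requires; the
// holder then carries the signed card for its whole validity period.
func (i Issuer) Issue(subject string, claims map[string]string, ttl time.Duration) Credential {
	c := Credential{Issuer: i.Name, Subject: subject, Claims: claims, Expires: time.Now().Add(ttl).Unix()}
	c.Sig = ed25519.Sign(i.priv, payload(c))
	return c
}

// Verifier is the clinic: it trusts issuer public keys obtained out of band and
// checks a presentation with nothing else, so no issuer learns where a card was shown.
type Verifier struct{ Trusted map[string]ed25519.PublicKey }

// Verify accepts a presentation only if every card comes from a trusted issuer,
// still matches the bytes that issuer signed, and has not expired.
func (v Verifier) Verify(presented []Credential, now time.Time) error {
	for _, c := range presented {
		pub, ok := v.Trusted[c.Issuer]
		switch {
		case !ok:
			return fmt.Errorf("%s: untrusted issuer", c.Issuer)
		case !ed25519.Verify(pub, payload(c), c.Sig):
			return fmt.Errorf("%s: signature does not match contents", c.Issuer)
		case now.Unix() > c.Expires:
			return fmt.Errorf("%s: expired", c.Issuer)
		}
	}
	return nil
}
```

To present two cards side by side, put both in a slice and pass it to a Verifier whose Trusted map holds the DMV and insurer keys; changing one Claims value afterwards makes the same call report a signature mismatch. For the consent receipt, the clinic acts as an Issuer signing a document listing what was shared and for which purposes, and the individual later checks it with a Verifier that trusts only the clinic's key.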

So I wanted to share a view on how we can make some progress in a practical way towards these challenges, in a few different horizons. Horizon one is really just deploying sort of off-the-shelf tools in healthcare that are available from service providers today, things like Azure Active Directory, FHIR servers and API gateways that just implement the best practices such as they exist here in 2020. But thinking ahead, especially in the healthcare standards accelerator world, we've got a number of projects that simply leave identity out of scope. They truly rely on identity under the hood but aren't trying to tackle identity, and so there's a really nice opportunity to develop these specifications in tandem. I'll give you a couple of quick examples. One is an appointment scheduling guide. This is part of one of the Argonaut projects, to say if a consumer wants to schedule an appointment with a new healthcare provider, maybe search across healthcare providers for available appointment slots, and that consumer finds a slot but doesn't have any relationship with this healthcare provider. Well, it's a blank slate. We have to start by signing into that provider's website, creating a new account, uploading insurance documents, all of that. This sort of distributed or decentralized identity technology gives consumers now a way to present an ID that they've already got, maybe from a healthcare institution across the street, or maybe from their insurance company, and present that information in a standardized digital workflow, so we're not starting from a blank slate each time we want to create this relationship.

Or similarly, for these data query networks under TEFCA, so through specifications and groups like CommonWell and Carequality, consumers are supposed to have access there. By law, by regulation, the expectation is that consumers can query for their own data inside of these networks, and today the networks basically don't solve this problem. They hope that it can be outsourced to a third party, some kind of trusted third party who would be able to identity-proof individuals. But even in that world, what you get are these probabilistic links that healthcare organizations are going to be very hesitant to rely on, so they'll say, effectively: oh, I see that you signed in as Josh, and I'm only 85% sure this record belongs to you. My threshold is 99.9%, and so instead of giving you a list of your records, I'm going to give you a list of zero records and say we just couldn't be sure enough. That's effectively the kind of consumer access that we're heading towards today in that space, and there's an opportunity to really flip this on its head by putting consumers in control of maintaining these identities across the healthcare ecosystem. And once you've got your identity with a variety of different healthcare organizations, now you've got a way to construct a 360-degree view of who you are.

Thinking beyond some of these near-term standards acceleration projects, there's an opportunity to build out specifications that deal with information flows that we're really just starting to recognize the need for today in healthcare, but permissions that go deeper than, and can sit behind or serve as a backstop to, HIPAA is one really important aspect. So how does an individual consumer generate privacy expectations, get something like a consent receipt and something like an accounting for disclosures when those data are shared, that gives a transparent view about what information is being shared, and then gives consumers a way to come back and change those knobs and dials, change the permissions that were granted, after the fact? So that's a really quick view of how I see some of these specifications, both well developed and emerging, laying out over time, and I think this is an area where the right kind of investment across the healthcare ecosystem can lay an important foundation for making a difference in the way that consumers, as well as healthcare providers, interact with this ecosystem.
