Public and Private Collaboration Tackles Identity Management Challenges

Sarah Squire is a Senior Identity Solution Architect with Engage Identity, a Seattle-based consultancy focused on people-centered solutions for identity and access management. Her work includes advising the HEAlth Relationship Trust (HEART) Initiative at the OpenID Foundation and the User Managed Access (UMA) working group at the Kantara Initiative.

UnboundID: Describe the unique identity management challenges in healthcare and the current efforts to resolve them?

Squire: One of the projects I work on at the OpenID Foundation is the HEART working group. We are a consortium of public and private entities. One of the use cases that we are working on right now is what we call the clipboard problem. A patient being treated for an illness might be seeing dozens of different providers and each time they go in for an office visit they have to fill out new intake forms. It’s tedious, and it’s a problem that is easy to solve with technology. Doing so can make the whole system more efficient and safer. There are many people such as the elderly, those with low literacy levels, and those for whom English is a second language who have difficulty completing these forms. Those individuals in particular could hugely benefit from being able to just click a button to release information from one provider to another.The second use case is for caregivers. Someone caring for an elderly person needs to have enough information to schedule appointments or discuss medications with the doctor. But the patient may not want to release all of their information to that person. There could be an application that allows a patient to release parts of the record securely to those caregivers.

Finally, the third case is a research scenario. The famous case of Henrietta Lacks shows what can go wrong in medical research when consent is not properly obtained, communicated, and tracked. Samples of Ms. Lacks’ cells were taken without her consent for medical research. We would like to enable a tool which allows patients to release parts of their record to researchers. That tool might also allow them to revoke access or charge for access, and that permission structure would be passed along to their heirs.

UnboundID: How do we get all this into place?

Squire: The clipboard problem has already been solved in other industries like banking. You can sign up for a bank account in a few minutes. However, given the sensitive nature of healthcare information, this process needs to be very secure. There’s hesitance on the part of both providers and payers to make any IT change which they do not understand from end to end. By making it simple and interoperable and replicating successful secure architectures from other industries, we can show that it’s possible to mitigate the risks.

The National Institute for Standards and Technology (NIST) is sponsoring grants to do pilot programs for companies that want to innovate on this problem and solve it at a small scale. In a few years, hopefully we will see broader adoption.

UnboundID: How would you describe the latest developments in identity systems, and how has the technology evolved to address mobile users, dispersed data sets, social media and more?

Squire: I just got back from Berlin where I attended the Internet Engineering Task Force meeting. Something people talked about there is the Proof Key for Code Exchange (PKCE). This method is being used to secure transactions using OAuth, the open standard for authorizing users on the Internet. PKCE makes the code simpler and more secure and is designed for mobile apps primarily, to prevent malicious mobile clients from being able to impersonate valid clients, which is a vulnerability that is increasingly common on mobile devices.

There’s also work right now on Token Binding, which reduces the security risks associated with bearer tokens. Token binding helps by linking the token to the user’s TLS session so that if a hacker steals the token, they cannot use it to improperly access the user’s information.

We also discussed the software statement concept defined in the OAuth Dynamic Registration specification, which will enable a software provider to gain a signed attestation of their metadata from a trusted entity in order to prove their validity and facilitate dynamic registration. A financial software firm could for instance show a bank that they are a trusted app by presenting a software statement signed by the FTC. It will allow a trust framework within a limited ecosystem of organizations that would allow faster, more trusted registration between clients and authorization servers.

UnboundID: What are some examples of effective collaboration between private industry and public sector in the area of user privacy and security?

Squire: I think the biggest success has been OAuth standard, which has been widely adopted across the Internet. It is important to note that government is intentionally taking a hands-off approach to these types of collaborations. The National Strategy for Trusted Identities in Cyberspace outlines how the private sector should be the driving force for innovation but they should work with the government on open standards. Government’s role is to ensure that companies are following privacy guidelines, but government is not outlining or mandating any particular identity solution.

UnboundID: You have been working in the identity management space for several years. How has the job changed for architects like yourself?

Squire: The biggest change is the scale of the work. We are now talking about more than one billion users of Single Sign-On every day. So we are really good at SSO now. The next challenge is enabling person-to-person delegation at scale. Without some sort of custom application, it’s not possible to do this across platforms such as from Google to Facebook. Today, I can share my photos on Flickr but not to a specific person on another app. It’s important to solve that challenge because the system we have currently incentivizes users to share their information with everyone, instead of just one person. With easier tools, we can facilitate private sharing much more effectively.

EXECUTIVE BRIEF: Top 3 CMO Challenges Only IAM Pros Can Solve

Discover three critical challenges CMOs face and how Identity and Access Management (IAM) teams can resolve them.