Verizon Outlines Authentication Plans

Offering Digital Credentials to 2.3 Million Clinicians
As it expands its presence in healthcare, Verizon has set the ambitious goal of issuing free digital credentials to authenticate the identities of 2.3 million clinicians, says Steven Archer, who heads the innovation incubator group at Verizon Business.

Verizon will offer digital credentials for authentication of physicians, physicians' assistants and nurse practitioners who want to use various networks -- including the company's new medical network -- to access electronic health records and other information.

In an interview (transcript below), Archer:

  • Describes the company's game plan for issuing millions of digital credentials starting next year;
  • Provides the technical details behind the network-based roaming credentials, which meet NIST Level 3 standards and comply with FIPS 140-2;
  • Outlines how the credentials can be used to access any health information exchange or hospital network as well as Verizon's new medical network;
  • Explains Verizon's Medical Data Exchange, a national network that the company envisions as enabling the transfer of information among various HIEs as well as physicians and hospitals;
  • Offers details on Verizon's physician portal, which enables doctors to link, via the exchange, to others to share information.

As head of Verizon's Innovation Incubator Group, Archer supports thought leadership in enterprise marketing's verticals, security services, network intelligence, network forensics and horizontal service organizations. He has more than 18 years of global technology, telecommunications, security and business experience. He holds, or has pending, more than 25 patents in a wide range of technology areas.

HOWARD ANDERSON: Verizon recently announced that it will issue free medical identity credentials to 2.3 million US physicians, physician assistants, and nurse practitioners. Why did you decide to make that move?

STEVEN ARCHER: One thing that people may not realize is that Verizon is actually a global leader in offering personal identity credentials and systems. We already service the governments of more than 26 countries in dealing with their citizens and organizations. We support the federal government with management solutions for many different departments and organizations, and we've got hundreds of private global enterprises for which we manage systems.

By issuing the 2.3 million credentials ... we want to bring the entire system up to where it can start to use and leverage these credentials. Doctors work in many different hospitals. Within one hospital, in one area they may have one log-in credential and they can go to a different ward or a different floor or department and have to have something else. So the average is about 17 different identities that they manage. ... If you've got 17 identities and all of a sudden you have to make them stronger and have multi-factor authentications and all these other requirements, it becomes a much more daunting exercise.

What we hope to accomplish with issuing this single identity ... is to really make their lives simpler, but at the same time offer the ecosystem something that is stronger and better and offers the additional security and benefits.

2.3 Million Credentials

ANDERSON: So the main question I have is, how are you going to go about getting credentials into the hands of that many millions of clinicians?

ARCHER: Well we're going to start in January, and we've actually got a multi-pronged approach to how we are going to do it. First off, Verizon has what we're calling our medical data exchange. And that is already supporting a pretty big number of healthcare ecosystems. We started out with the medical transcription companies, and what we're going to do is service the members of the medical data exchange and their end-users first. ... Ninety-five percent of doctors use dictation and transcription as their means of entering data into healthcare systems. So by servicing that part of the healthcare ecosystem, we've already got a vast number of users that we're going to be interfacing with. So we will start with our members of the data exchange and their users, and then also those that they communicate with.

If they are reaching out and communicating with somebody that is not part of the network, we'll credential them as the next step. In addition, the data exchange has what we're calling our physicians' portal, which is a way for each individual doctor to access the exchange and start to share information electronically. If they do not have the existing credentials when they first come to the data exchange, at the end of their vetting process and creating their account, they'll actually be issued a credential.

Then finally, beginning in January, we are going to have multiple campaigns that are going to be reaching out to the healthcare community and the doctors, raising awareness, talking about the benefits and offering them instructions on how to approach Verizon for accessing their credentials.

NIST Credentials

ANDERSON: Could you briefly describe the technical nature of these credentials and how clinicians will use them?

ARCHER: They are NIST Level 3 credentials that support multi-factor authentication, and they are compliant with the guidelines that are set forth in FIPS 140-2, the Federal Information Processing Standard. That is the publication for cryptography modules that includes both hardware and software components ... the guidelines and the standards for how to do strong credentials in the digital space. These credentials are network-based. They're called roaming credentials that can be leveraged in the authentication process, and Verizon is going to have many different ways or form factors for doing that authentication...

ANDERSON: So can the credentials be used by physicians and others when they want to access any health information exchange, or to use a hospital's own network to access electronic health records?

ARCHER: Absolutely the answer is yes. By looking to support the entire ecosystem, we've created a system that already has the links and the capabilities to support the common interfaces or protocols that are used in the authentication process. ... The business entities should be able to leverage the existing business and technical workflow that they have in place today, but redirect the authentication verification request to our servers. ...

ANDERSON: So how would this credential help enable someone to move to two-factor authentication? Could they layer biometrics or a hardware token system on top of this?

ARCHER: Exactly. When I said that Verizon was going to have many different form factors or ways of doing the authentication, those are perfect examples. We intend to have 14 or 15 to begin with that the doctors or the practitioners would be able to leverage. It can be whatever is the simplest or easiest for them. ...

HIE and Portal

ANDERSON: You mentioned earlier Verizon's medical data exchange and its healthcare provider portal. Do physicians access each of those directly on their own, or are those technologies that a health information exchange or a provider organization might use?

ARCHER: It's really all of the above. The data exchange is "push" technology. So it's really looking at moving information from one application or end-user to another specific user. That's different than an HIE that uses "pull" technology and has a store of healthcare information you're trying to retrieve from. ... We've actually got many different types of interfaces that we can do. We can connect a hospital's applications to the exchange. ... We'll go through and check the security and methodology of what they're doing within their walls and the application itself so that we're not jeopardizing the security of other members of the exchange. Then we'll create a digital certificate and issue that to that business. They would then use that certificate in order to interface and connect to the exchange. Then once they're connected, it's secured and encrypted and passing secure information and then they can reach out to the other members of the exchange to interface and send documents.

With the creation of the physicians' portal, what we're actually doing is saying you don't have to go from application to application to send and share information; you can actually go straight to the end-users. So individual doctors are now going to be able to log in at the physicians' portal, sign in to the exchange and either send or receive information via that exchange. ...

ANDERSON: And so might existing health information exchanges link to either one of these services?

ARCHER: Absolutely. Each of the 50 states is doing their own HIE. Even within the states we're ending up with different regional pockets that have their own HIE. And as those individual islands or individual areas of data are trying to reach out and share that information beyond their current footprint ... they can build one interface to our exchange and they don't have to ... try and build multiple interfaces.

ANDERSON: So it sounds like the offering of free identity credentials could help jump-start interest in your medical data exchange and portal technologies. Is that part of the mission?

ARCHER: We believe that it absolutely will be leveraged with our medical data exchange, but we also think that it is going to be leveraged across the entire healthcare ecosystem. ...



