From 3M Health Information Systems
AI Talk: Passwords and interoperability
This week’s blog explores the future of passwords and interoperability in health care.
The end of passwords
We have all seen the dreaded message: “Your password will expire in ** days. To avoid any issues please change your password prior to this date.” I don’t know of anyone who loves changing passwords. I wonder if anyone has done a study of the productivity loss associated with spending a half hour changing passwords in half a dozen places.
We all get why we do it, but there ought to be better ways to enforce security. That’s why my interest was piqued by the latest issue of MIT Technology Review listing 10 breakthrough technologies, with one of them being “The end of passwords.” It does look like 2022 may prove to be a transition point for moving into a password-less future!
Passwords have been around forever. Well, since 1961. Over the years it has been shown that passwords are not really all that secure. To keep a breach of a password database from impacting a large swath of people, passwords are stored salted and encrypted. Salted? Well, that is the practice of adding a random string to the password and then encrypting (hashing) it.
To ensure the passwords cannot be easily guessed, organizations have mandated requirements that force passwords to be constructed using capital and lowercase letters, numerals and special characters, virtually ensuring that no one can remember their password. They end up writing it down somewhere, essentially defeating the basic purpose of ensuring security. There are a slew of password storing apps that aim to reduce breach of passwords from the user – you can check this recent tech blog on CNET.
Authentication is fundamentally driven by three facets: what you know, what you have or what you are. The first one is typically the password, but more and more applications resort to storing and using security questions. What you have that is reliably with you in most contexts is your smartphone. What you are is driven by biometrics such as fingerprint, iris scanning, face recognition and voiceprint. Take a peek at this blog on biometric authentication trends and this blog to get a feel for all the ways in which AI is being used here.
Google, Microsoft, Apple and companies like Duo are in the vanguard of eliminating passwords and relying on other methods to ensure proper security. I personally like Apple’s face recognition, as it has eliminated me remembering a slew of passwords, but occasionally, it forces me to enter the Apple password and I must reach out to my trusted store to retrieve the password. I wish they would quit doing that. I certainly hope we can eliminate passwords as a form of authentication. Let’s hope 2022 is the year for that transition to happen.
Interoperability and Office of National Coordinator (ONC) of Health Information Technology (HIT)
Dr. Tripathi, the current national coordinator of HIT for ONC, had an interesting article in Health Affairs last month: “Delivering On The Promise Of Health Information Technology In 2022.” He declares: “This year will be a transformative year.” What is the basis for his pronouncement? He refers to three specific statutes in regulation coming into play from the 21st Century Cures Act this year. Let’s look at each.
Information blocking rule. All health care providers and payers will need to provide electronic access to “all” health care information starting on Oct 6, 2022. The keyword here is “all” and not just some of the information.
Fast Healthcare Interoperability Resources (FHIR) Application Programming Interface (API) certification. The regulations surrounding the 21st Century Cures Act Final Rule also require that when information is shared between patients, providers and payers, the API must implement the FHIR protocol (see below) in 2022.
The Trusted Exchange Framework and Common Agreement (TEFCA). This provision of the 21st Century Cures Act, kick-started January 2022, is to establish a nationwide clinical interoperability network that addresses both a technical and governance framework for exchanging clinical information in a secure manner.
All the above provisions are engineered to enhance interoperability and allow the easy sharing of data across providers, payers and most importantly, patients.
FHIR. This is a data standard from Health Level 7 (HL7) that has garnered widespread industry support. The current draft version of this standard that is being tested, version 5, can be seen here. FHIR is supported by all major electronic health record (EHR) vendors. Apple, Google, Microsoft and Amazon health care APIs also support this standard. Already, one can download EHR data to one’s smartphone. Soon, one should be able to share user-collected data from devices to EHRs as well.
The app ecosystems are going to be turbocharged with all the patient data flowing through the system. The objective from the ONC standpoint has always been to enable applications to communicate freely and securely in order to deliver better care and enable better outcomes to one and all. All of the above 21st Century Cures Act provisions are aiming to do precisely that.
I am always looking for feedback and if you would like me to cover a story, please let me know! Leave me a comment below or ask a question on my blogger profile page.
V. “Juggy” Jagannathan, PhD, is Director of Research for 3M M*Modal and is an AI Evangelist with four decades of experience in AI and Computer Science research.