Secure Patient Access to Health Records: The ChallengesDirectTrust CEO Scott Stuewe on Overcoming IAM Obstacles
As the healthcare sector works to provide patients with secure access to their health information via smartphones and other devices, it must address critical identity and trust issues, says DirectTrust president and CEO Scott Stuewe.
The Department of Health and Human Services is promoting the use of the Fast Healthcare Interoperability Resources and SMART interoperability standards to enable patients to access records via smartphone applications, as is required under provisions of the 21st Century Cures Act for which compliance is required in April.
But HHS regulations requiring secure patient access to records appear to be based upon "the simplified assumption … that I'm going to depend upon the healthcare provider having met the patient, established their identity, and issued them a credential to the healthcare portal of that health system," Stuewe says in an interview with Information Security Media Group.
The patient will then use that same credential when accessing their data using a smartphone app, he says. The challenge, however, is making this secure identity and access process "interoperable" among healthcare systems.
"What you would like to imagine is that the patient could get identity proofed and be issued a credential that could be good in more than one [healthcare] location," he says. "The challenge is establishing trust between those locations. You're going to need a mechanism for issuing identities that is considered highly reliable that can also solve the problem of ensuring that the records being released to this patient are - in fact - that patient's information."
In the interview (see audio link below photo), Stuewe discusses:
- Other obstacles involving interoperable, secure health information exchange and patient access to records;
- The status of DirectTrust's secure real-time texting initiative, Trusted Instant Messaging+, or TIM+;
- Recent DirectTrust milestones, and how the COVID-19 pandemic has affected the use of Direct secure messaging;
- Other projects underway at DirectTrust.
DirectTrust is best known for creating and maintaining the Direct protocol-based security and trust framework for secure email messaging in healthcare.
Stuewe is a 27-year veteran of the healthcare IT industry. Before becoming the president and CEO of DirectTrust in 2018, he was director of strategy and interoperability at DataFile Technologies, a provider of health information management software and services. Previously, Stuewe spent 24 years at Cerner Corp., most recently as director of national interoperability strategy.