Adrian Gropper co-authored this post.
After a short period of excitement and rosy prospects in the movement we’ve come to call the Internet of Things (IoT), designers are coming to realize that it will survive or implode around the twin issues of security and user control: a few electrical failures could scare people away for decades, while a nagging sense that someone is exploiting our data without our consent could sour our enthusiasm. Early indicators already point to a heightened level of scrutiny — Senator Ed Markey’s office, for example, recently put the automobile industry under the microscope for computer and network security.
In this context, what can the IoT draw from well-established technologies in federated trust? Federated trust in technologies as diverse as Kerberos and SAML has allowed large groups of users to collaborate securely, never having to share passwords with people they don’t trust. OpenID was probably the first truly mass-market application of federated trust.
OpenID and OAuth, which have proven their value on the Web, have an equally vital role in the exchange of data in health care. This task — often cast as the interoperability of electronic health records — can reasonably be described as the primary challenge facing the health care industry today, at least in the IT space. Reformers across the health care industry (and even Congress) have pressured the federal government to make data exchange the top priority, and the Office of the National Coordinator for Health Information Technology has declared it the centerpiece of upcoming regulations.
Furthermore, other industries can learn from health care. The Internet of Things deals not only with distributed data, but with distributed responsibility for maintaining the quality of that data and authorizing the sharing of data. The use case we’ll discuss in this article, where an individual allows her medical device data to be shared with a provider, can show a way forward for many other industries. For instance, it can steer a path toward better security and user control for the auto industry.
Health care, like other vertical industries, does best by exploiting general technologies that cross industries. When it depends on localized solutions designed for a single industry, the results usually cost a lot more, lock the users into proprietary vendors, and suffer from lower quality. In pursuit of a standard solution, a working group of the OpenID Foundation called Health Relationship Trust (HEART) is putting together a set of technologies that would:
- Keep patient control over data and allow her to determine precisely which providers have access.
- Cut out middlemen, such as expensive health information exchanges that have trouble identifying patients and keeping information up to date.
- Avoid the need for a patient and provider to share secrets. Each maintains their credentials with their own trusted service, and they connect with each other without having to reveal passwords.
- Allow data transfers directly (or through a patient-controlled proxy app) from fitness or medical devices to the provider’s electronic record, as specified by the patient.
Standard technologies used by HEART include the OAuth and OpenID Connect standards, and the Kantara Initiative’s User-Managed Access (UMA) open standard.
A sophisticated use case developed by the HEART team describes two health care providers that are geographically remote from each other and do not know each other. The patient gets her routine care from one but needs treatment from the other during a trip. OAuth and OpenID Connect work here the way they do on countless popular websites: they extend the trust that a user invested in one site to cover another site with which the user wants to do business. The user has a password or credential with just a single trusted site; dedicated tokens (sometimes temporary) grant limited access to other sites.
Devices can also support OAuth and related technologies. The HEART use case suggests two hypothetical devices, one a consumer product and the other a more expensive, dedicated medical device. These become key links between the patient and her physicians. The patient can authorize the device to send her vital signs independently to the physician of her choice.
OpenID Connect can relieve the patient of the need to enter a password every time she wants access to her records. For instance, the patient might want to use her cell phone to verify her identity. This is sometimes called multisig technology and is designed to avoid a catastrophic loss of control over data and avoid a single point of failure.
UMA extends the possibilities for secure data sharing. It can allow a single authorization server to control access to data on many resource servers. UMA can also enforce any policy set up by the authorization server on behalf of the patient. If the patient wants to release surgical records without releasing mental health records, or wants records released only during business hours as a security measure, UMA enables the authorization server to enforce arbitrarily defined rules to support such practices. One could think of identity federation via OpenID Connect as promoting cybersecurity by replacing many weak passwords with one strong credential. On top of that, UMA promotes privacy by replacing many consent portals with one patient-selected authorization agent.
For instance, the patient can tell her devices to release data in the future without requiring another request to the patient, and can specify what data is available to each provider, and even when it’s available — if the patient is traveling, for example, and needs to see a doctor, she can tell the authorization server to shut off access to her data by that doctor on the day after she takes her flight back home. The patient could also require that anyone viewing her data submit credentials that demonstrate they have a certain medical degree.
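As an added example (not code from the post’s authors or from the HEART working group), here is a toy policy engine in Python that plays the role of the patient-chosen authorization server in the scenarios above: per-provider record categories, business-hours-only access, a grant that lapses the day after the flight home, and a required medical-degree claim. The provider names, scopes, dates and claim names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

@dataclass
class Policy:
    provider: str                        # client the patient granted access
    scopes: frozenset                    # record categories it may read
    expires: Optional[datetime] = None   # e.g. the day after the flight home
    business_hours_only: bool = False
    required_claims: dict = field(default_factory=dict)  # e.g. {"degree": "MD"}

@dataclass
class Request:
    provider: str
    scope: str
    at: datetime
    claims: dict = field(default_factory=dict)  # claims the requester has proved

def evaluate(policies, req):
    """Return (permit, reason); deny by default, as a UMA authorization server does."""
    pol = next((p for p in policies if p.provider == req.provider), None)
    if pol is None:
        return False, "no policy for this provider"
    if req.scope not in pol.scopes:
        return False, f"scope '{req.scope}' not granted"
    if pol.expires is not None and req.at >= pol.expires:
        return False, "grant expired"
    if pol.business_hours_only and not (
            req.at.weekday() < 5 and time(9) <= req.at.time() < time(17)):
        return False, "outside business hours"
    for claim, value in pol.required_claims.items():
        if req.claims.get(claim) != value:
            return False, f"requester lacks claim {claim}={value}"
    return True, "permit"

# Constructed policies: the home clinic reads surgical and vitals records (never
# mental-health ones) in business hours; the clinic visited on the trip reads
# vitals only until the day after the flight home, and only with an MD credential.
POLICIES = [
    Policy("home-clinic", frozenset({"surgical", "vitals"}), business_hours_only=True),
    Policy("travel-clinic", frozenset({"vitals"}), expires=datetime(2015, 6, 16),
           required_claims={"degree": "MD"}),
]

def decide(provider, scope, when, claims=None):
    """Convenience entry point; `when` is an ISO-8601 timestamp string."""
    req = Request(provider, scope, datetime.fromisoformat(when), claims or {})
    return evaluate(POLICIES, req)
```

A real UMA deployment would express these rules at the authorization server and hand the requesting party a token only after the same kind of evaluation; the point here is that the patient, not each provider's consent portal, owns the rules.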
Thus, low-cost services already in widespread use can cut the Gordian knot of information siloing in health care. There’s no duplication of data, either — the patient maintains it in her records, and the provider has access to the data released to them by the patient. Gropper, who initiated work on the HEART use case cited earlier, calls this “an HIE of One.” Federated authentication and authorization, with provision for direct user control over data sharing, provide the best security we currently know without the need to compromise private keys or share secrets, such as passwords.