As a major step forward in digitalization of the US health sector, patients are now entilted access to their electronic health records, following new rules.
While this is great news for patients, it amplifies a major identity and data access challenge in a sector handling highly sensitive information with relatively under-resourced IT infrastructure, along with fragmented systems and data silos.
Enabling secure and appropriate access is not a new challenge for the health sector, but one that continues to grow in size and complexity.
We see this not as a data sharing issue but as an identity management issue.
Digital identities are the interface in which data can be accessed and shared with the right people based on user consent and the designated authorization policies.
Once the identity workflow is established, there can also be great opportunity to extend into more value creation for both providers and patients.
Developing an identity workflow for 
e-health data
Know your patient
The first part of enabling access is ensuring the user is who they claim to be through identity verification and proofing. This challenge was highlighted through the rapid rise of telehealth (virtual appointments) during the pandemic. This could be solved through an identity proofing solution that employs face matching technology from your webcam or smart phone camera to a government issued identity document (such as drivers license or passport).
Access policies for data access
Once the user is verified, and has gone through the appropriate authentication steps to ensure secure access is established (SSO, multi factor authentication, biometric logins or a combination of these), the level and type of access they are granted in a system is determined by the underlying access policies. These policies would link the user and the data that relates to the verified digital identity.
Using IndyKite’s Knowledge Based Access Control (KBAC), we can establish access policies that consider contextual data as well as standard identity data. This can include relationships the patient has in the real world, either with people (i.e. family members), services and healthcare providers or with smart devices such as wearable medical devices.
This data builds valuable knowledge for driving policy decisions and can even facilitate third party authorization (particularly relevant in the context of prescription medication) and power of attorney.
Data sharing and consent
Another strength of a knowledge driven IAM approach is the flexible data sharing and consent options for the user. The user may wish to share some information and certain records with a new healthcare provider, but they may not wish to disclose their entire medical record. The identity knowledge graph can manage the varying levels of consent and can differentiate between reference or token data and the actual record (so the user can confirm certain aspects without providing the specific details e.g. confirm they are over a certain age without providing a birthdate).
For many patients (particularly in the US), each trip to the doctor or another healthcare provider begins with a form that you may be filling out for the umpteenth time.
A decentralized identity management system, as described above, invites a future where users can hold their entire medical history in their digital identity wallet and provide specific information required at the push of a button.
This choice is powerful. If they have access to their full medical history and wish to share it with a medical professional, they are likely to receive a better level of care by a more informed healthcare provider.
For many healthcare providers meeting this new regulatory requirement goes beyond their current infrastructure and systems. Using legacy IAM to achieve the above would require a complex and time consuming customization project that may not get them all of the way across the goal line.
IndyKite’s identity fabric, can integrate with existing infrastructure and other IAM systems as an orchestration layer to connect and enrich data while providing a consistent and secure user experience.
Want to learn more or have a discovery chat to see if this could work for you? Get in touch.









