Identity and access management (IAM) is a topic of increasing attention and importance across almost every industry. But perhaps nowhere is it more linked with life-changing innovation than in mHealth.
As a security discipline, IAM is intended to ensure that the correct people are able to access the correct resources at the times and for the reasons specified by policies. It's one of the critical foundational elements in the vision of standards-based mHealth that is coalescing globally.
With the rollout of portals and applications supporting the on-the-go monitoring of chronic diseases and other disorders (asthma, diabetes, congestive heart failure, pulmonary diseases, high blood pressure, stroke, atrial fibrillation, etc.), mHealth stands to revolutionize remote wellness monitoring and, in turn, help more people lead more active, more independent and longer lives. For example, authorized family and friends could be enabled to check and help ensure that an elderly patient continues to take medicines as prescribed by caregivers.
But in a scenario in which so much sensitive personal data is being shared across so many points, privacy and security issues are clearly at the fore. The ability to exchange information securely across wired and wireless connections among patients, caregivers and devices is an obvious requirement. This is why mHealth must leverage a reliable, robust and standards-based IAM solution, ensuring that the right information is being delivered to the right person at the right time.
Identity and Access Management 101
It's a quickly evolving field, but IAM’s core concepts underlying the relationships among devices and people are common to almost any identity and access control system. In considering IAM strategies, the practitioners, systems architects and device manufacturers in the burgeoning mHealth space must take into account each of these principles to bring about applications and services that exchange so much sensitive patient data:
- Authentication - the various tools and technologies, sometimes combined, for verifying the identity of a user (i.e., is the person who he or she claims to be?);
- Authorization - access control for data from a user or institutional perspective, spanning enforcement of the policies and privileges that define what operations a given identity can perform at a given time within a given application;
- Reporting and monitoring - logging and reporting capabilities for verifying what’s been happening and overseeing user activities end-to-end across an mHealth application;
- Provisioning - the processes around establishing identities, policies and privileges;
- Remediation - the techniques and strategies for handling issues among the different actors across an mHealth system in the event that something questionable does happen.
Many things are changing in IAM. With the development of more sophisticated, efficient and secure authentication capabilities, for example, passwords might someday no longer be necessary. Also, context is becoming more entwined in IAM techniques: If a person does not typically travel, but suddenly that person’s identity is recognized as attempting to log in from another country, leading-edge IAM capabilities might be able to detect and thwart potential fraud.
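The sketch below is an added example, not code from the authors or from any standard. It ties together provisioning, authorization, reporting and remediation from the list above with the context check just described, using the family-member medication scenario. All names, operations, country codes and the "step_up" decision are constructed assumptions, and authentication is assumed to have happened upstream.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Grant:  # provisioning record: who may do what, for which patient, until when
    subject: str
    patient: str
    operation: str
    not_after: datetime
    revoked: bool = False

@dataclass
class AccessController:
    grants: list = field(default_factory=list)
    usual_countries: dict = field(default_factory=dict)  # subject -> set of country codes
    audit_log: list = field(default_factory=list)

    def provision(self, grant, countries):
        self.grants.append(grant)
        self.usual_countries.setdefault(grant.subject, set()).update(countries)

    def revoke(self, subject, patient):  # remediation: withdraw access
        for g in self.grants:
            if (g.subject, g.patient) == (subject, patient):
                g.revoked = True

    def authorize(self, subject, patient, operation, country, now):
        # subject is assumed to be already authenticated upstream
        ok = any((g.subject, g.patient, g.operation) == (subject, patient, operation)
                 and not g.revoked and now <= g.not_after for g in self.grants)
        if not ok:
            decision = "deny"
        elif country not in self.usual_countries.get(subject, set()):
            decision = "step_up"  # unusual context: require re-authentication (assumed policy)
        else:
            decision = "allow"
        # reporting: every decision is recorded, including denials
        self.audit_log.append((now.isoformat(), subject, patient, operation, country, decision))
        return decision

def demo():  # constructed identities and values
    ac = AccessController()
    op, t = "read_medication_adherence", datetime(2029, 6, 1, tzinfo=timezone.utc)
    ac.provision(Grant("daughter", "patient-17", op, datetime(2030, 1, 1, tzinfo=timezone.utc)), {"US"})
    out = [ac.authorize("daughter", "patient-17", op, "US", t),
           ac.authorize("daughter", "patient-17", "read_lab_results", "US", t),
           ac.authorize("daughter", "patient-17", op, "BR", t)]
    ac.revoke("daughter", "patient-17")
    out.append(ac.authorize("daughter", "patient-17", op, "US", t))
    return out, ac.audit_log
```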
But the concepts behind IAM’s core functionality figure to remain the same. Each of the five core concepts explained above must be underpinned by privacy and security to establish verified trust in the use of digital identities for e-health services.
The IEEE Standards Association (IEEE-SA) and Kantara Initiative are part of a global framework of organizations that are helping encourage the rollout of trustworthy and verifiable IAM services and other capabilities for mHealth applications such as remote wellness monitoring. Both are committed to open standards development and governance via principles of openness, consensus, due process, right to appeal and balance.
Open standards developed via processes that, for example, invite equitable participation from any interested stakeholder globally, that prevent any single person or entity from wielding undue power and that are transparent and easily navigated have a proven history of spurring life-changing innovation. The foundational standards that have enabled global proliferation of the Internet comprise one very strong example of open, market-driven standardization’s benefits. These underlying technical standards, including cyber-security protocols, are no less than the lifeblood of the Internet and the dramatic changes that it has brought about in the way that humanity lives, works and plays around the world.
Maintaining momentum in innovation in IAM and mHealth will demand a similar, globally open environment of standards development.
Bill Ash is strategic technology program director with the IEEE Standards Association (IEEE-SA), a globally recognized developer of consensus standards through an open process that engages industry and brings together a broad stakeholder community. For more information, please visit http://standards.ieee.org/.
Joni Brennan is executive director of Kantara Initiative, a non-profit organization enabling trust in identity services through compliance programs, requirements development and information sharing. For more information, please visit https://kantarainitiative.org/.
The IEEE-SA is a member of the Kantara Initiative board of trustees. Both the IEEE-SA and Kantara Initiative embrace the “OpenStand” principles and the universally open, fully transparent and broadly consensual standards development environment that they support.


