Kantara hosted API to show what apps or developers meet the requirements
Supports due diligence
Jeff: Will there be testing of assertions? (not at the moment)
Rule only states app must be made by certified app developer, so the app needs a cert mark for the user to know if it used a certified developer
Self-assertion is US centric, outside third party assertion is normally required, can evolve to a third party process (precedents: CCHIT.org, DEA/NIST rules forbidding electronically prescribing controlled substances, Surescripts); Pete: CCHIT provided test suites
Healthcare record providers key grant beneficiary
ONC allows (in the commentary, not the rule) EHR to insist that the app used to access and transfer records is developed by a certified developer; Catherine will look at the rule
Sites are being sued for damages for releasing consumers' private information. Expect CIOs to enforce the certified developer requirement.
EHR creates “tethered patient portals” which are hard for patients or their proxies to access. Creates a conflict of interest.
Not identity, just aligning identifier string (like Covid contact tracing)
Looking at Nordic electronic identifier
Economy is using mobile device as identifier assertion with any app (banks, police, etc)
Strong relying parties, standards/same rules
Flexible pricing, features, functionality
Low fraud rate
Part of the smartphone device itself, not just app
Identity verification like FaceID/facial biometric, photo of physical ID, and others contribute to strong identity assurance when used with strong apps. Binds identity to the app.
Concern for App Developers
Fraud is a big issue: making sure the patient is insured and that the payment will come in
Tax supported payors like Medicaid may have some difficulty, while they also have a huge need for combating fraud
Two processes
Proofing: Assure this person is who they say they are, outcome IAL1 or IAL2
Mobile phone app authentication
Phone containers segregate the code: the code is digitally signed, and the virtual machine only allows the program to run in that container.
Ease of use, number of users that can apply this
Looks simple to use device as authenticator
Can be combined with second factor (facial or PIN)
Fast, simple UX, low friction
Branded app (insurance company, provider)
Confidence: trusted provider
Catherine is demoing Thursday at HIWJ, Jim will send invitation to this group
Action items
Jim Kragh to send info to group about Catherine’s presentation