2023-03-07 Meeting notes

 Date

Mar 7, 2023

 Participants

Voting Participants

Name                  Present
Noreen Whysel
Bev Corwin            Y
Sal D'Agostino
Thomas Sullivan
Catherine Schulten    N
Jim StClair
James Kragh

Non-Voting Participants

Name                  Present
Simone Alcorn         Y
Thomas Jones
Maria Vachino         N

Guests/non-Members

Name                  Present
Jeff Brennan          Y

 Goals

  • How Organizations Serve the Underserved Populations

  • Review of March 2 NIST Digital Risk Management meeting

 Discussion topics

Item: Organizations serving underserved populations
Presenter: Jim Kragh
Notes:

From Jim’s email to WG-RIUP list:

  • In our last work group session each agreed to make an effort to reach out into our respective community in an attempt to gather some insight on how an organization, serving an underserved population was succeeding. Who is their target audience, how have they gained their trust, is there a network with other non-profit entities or faith-based entities, and what are their needs and challenges?

Discussion:

  • Jim K reporting on FL churches
    Nurse practitioners
    Assessing identity needs? No, already knew them
    Once on service, not using phones for it
    Facial ID = a person recognizing another person

  • Boston: Dr Tom
    Many homeless on disability, Medicare, have phones and ID/SSN

  • Red Cross (Bev) takes IC voucher from Fire department, teacher, nurse who knows them.

  • Dr Tom: Kaiser Denver person knowledgeable about children’s ID issues (19 years ago)

  • Jeff: nothing new in our list that isn’t published in 800-63-4

  • Dr Tom: Knight Medical center provides food and supplies, no question asked.

  • Noreen: mutual aid and formal/informal services like CUNY food pantry: no ID, no questions asked; you just need to get into the building, so you could be a guest.

  • Dr Tom: Healthcare is more disciplined due to potential harm to the person.

  • Simone: Going on foreign travel. Interested to see how 3rd world countries handle ID for various purposes.

  • Dr Tom: would like to see a Kantara statement on 800-63-4, especially federated identity. Wasn’t in v1 or 2.

  • TomJ: talking to United Way in a strong. Concerned about deduplication to avoid fraud. Deduplication is contracted out to another entity. 2 methods: avoid killing patients, avoid fraud. Carmen at ONC working on patient matching.

  • Dr Tom: Gov mandate to share medical records. Lots of duplication of records that aren’t exactly in sync.

  • TomJ: Stochastic, probabilistic problem. Isn’t always precise. Doesn’t need to be precise.

Item: NIST Digital Risk Management
Notes:

Last week NIST held the 1st of 3 webinars on Digital Risk Management as it relates to the SP 800-63-4 draft. Thanks to the CARIN Alliance/Leavitt Partners, who summarized the 90 minute session (below), which we will review today. It provides our WG a foundation to build on as you read through the document. Also important to note: one of the panelists, Maria Vachino, is on the Kantara Initiative Board, which reinforces our mission.



Notes from NIST Webinar on Digital Identity Risk Management



Below are some takeaways from yesterday’s (March 2) NIST Webinar on Digital Identity Risk Management. The top portion captures the brief discussion of the base volume key changes. The rest is a recap from the panel discussion, which discussed broader topics generally.

NIST Webinar Summary - Digital Identity Risk Management

NIST SP 800-63-4: Base Volume Overview

  • David Temoshok and Connie LaSalle from NIST provided an overview of the webinar series and the key changes below.

  • The digital identity guidelines base volume has three primary functions:

    • It introduces and describes a set of foundational concepts and roles and responsibilities (referenced throughout the remaining volumes)

    • It enumerates the definitions and abbreviations relevant to the special publication

    • It provides a risk assessment methodology and a risk-based process of selecting assurance levels for identity proofing, authentication, and remuneration.

  • Base Volume Key Changes:

    • Revamps the risk management approach to be more process-oriented, emphasizing the importance of considering potential impacts to individuals and communities

    • Updates the digital identity model to support more deployment options (and how this can work in a federated environment)

    • Focuses on continuous evaluation and improvement of identity systems

    • Amends the assurance level selection process and introduces tailoring

    • Introduces new terms and concepts throughout the other three volumes, including equity

    • Emphasizes a multi-disciplinary approach to assessing and managing risk (with an expectation that technology developers, system integrators, ICAN programs, etc. will interact with organizations in the privacy sphere)

    • Details equity considerations and elevates the evaluation of risks to individuals and communities within impact assessment and risk management processes.

Panel Discussion Members:

  • Kimberly Adams (Senior Advisor, Digital Cash & Voucher Technology, Technology for Development of Mercy Corps)

  • Safi Mojidi (Head of Information Security at FOLX Health; #STMIC Fellow at New America)

  • Maria Vachino (CEO of Cyntegra; VP of Assurance at the Kantara Initiative)

  • What are challenges to access for various communities?

    • There are vulnerable populations who do not have all the typical identifiers, such as a permanent address or a non-shared phone number, which are needed for identification.

    • There are some low-tech communities, and these cannot afford to be victims of fraud. It would be helpful to have a standardized identifier that is accepted widely regardless of the system used (since not all have cell phones, laptop/PC, or even internet access). Industry needs to

    • There are some situations where persons have gone through gender affirming care and do not look like the person in their identification photo. It would be helpful to take these communities into account when developing systems.

    • Drivers’ licenses are typically the default identification but there is variation among states for how verification happens. Also, there is not a good way to use passports.

  • What are some risks that need to be considered?

    • There are risks for fraudulent representation. Industry should try to balance how to provide services to both businesses and citizens that accounts for this issue.

    • Industry should be intentional about the tactics used to prevent improper health data sharing and be thoughtful about the mechanisms used on the back-end to verify identity.

  • How can we better balance equity and privacy?

    • More data is needed to help balance challenges between equity access and security/privacy. This will help to tailor controls to strike a better balance and measure impact.

    • There is a need for qualified technical individuals in this space.

    • There is a need to track additional information (the point was made that you cannot improve what you don’t measure, and you cannot measure things that are not tracked.) Decisions must be made on exactly which aspects of equity to track, what kind of questions to ask, what the opt in process is, and how to collect and process this information in a way that is policy preserving.

    • Efforts to educate the public that these decisions have been made “with you” rather than “for you” will help the public buy into and use the technology and help build trust within marginalized populations that may distrust the technology.

  • NIST is currently considering what to put in this revision of the special publication on digital identity regarding an approach/proposed common language that addresses security, privacy, equity, and usability. What should this language include/address?

    • The language should recognize industry specific needs.

    • It may make sense to combine equity and privacy as a singular category, but to also consider equity more explicitly when identifying the key issues that will have equity impacts for certain applications.

    • Risk assessments should not be done at the end of product completion – these should be integrated into the designs of the products. Security should be integrated into all aspects of the application, while considering how this impacts accessibility.

    • We may need profiles of the different identity assurance levels to give agencies the ability to tailor and move toward using the federated credentials (but still providing the flexibility that is needed).

  • How should we address false digital identities and deep fake technology?

    • Take a multi-faceted approach that looks comprehensively end to end, including reviewing patterns of behavior and recognizing there is an acceptable error rate.


 Action items

 Decisions