The Future of Digital Healthcare Services: Improving Convenience, Cost and Security

Max Borchard:
All righty. Well, we'll go ahead and get started then. Thank you very much. Everyone is able to join us today. My name is Max Borchard and I'll be talking us through this talk on the future of identity within the healthcare space. We're talking about improving convenience, cost, security, meeting, regulatory requirements, all those sorts of things. And I'm the guest here today with 1Kosmos who will be also talking through some of their specific use cases and how they're helping to solve some of these challenges. You want to move to the next one here? So as I mentioned, my name is Max Borchard. I'm with iC Consult. I'm our director in our advisory practice here. iC Consult is the world's largest identity and access management only focused professional services firm. So we're in 18 countries, about a thousand consultants globally, and our focus is purely on identity and access management. So within that space, we provide advisory services, implementation services, and services within the identity security space. Sheetal?

Sheetal:
Sure. Hi everyone, my name is Sheetal. I'm a product manager here at 1Kosmos. We are a company that is focused on identity-based authentication. I specifically focus on the workforce side of the product, how do you enable anyone who's in the workforce to pair with every authentication. I also focus on the credential service provider side of the product where if you're a business or you're a customer or a government who needs a verified digital identity, how do we enable somebody to get a verified digital identity? I've been with 1Kosmos for a little over two years now, and I've grown very passionate about the topic of identity authentication, privacy preservation. So I'm very excited to be here with Max and talk about healthcare and what we see is going to be the future in this particular space. So as we were putting these slides together, Max and me had a lot of opportunity to speak together, speak with each other, understand his background, what kind of implementations he's been in. So we're excited. I'm excited to be here.

Max Borchard:
Awesome. Very excited too. Let's get started.

Sheetal:
Okay. We actually wanted to start off by calling out a couple of events on both 1Kosmos and iC Consult. The first one is a very interesting webinar. Definitely encourage a lot of people who are here attending with us. This one is specifically focused on a large demographic today is considered unbanked, unfiled, right, who have a thin file. So for these customers, how do you make sure that they are who they say they are? How can we make sure that challenges for organizations who are meeting with hard to verify customers can sort of be mitigated? So definitely attend this session. It's in partnership between 1Kosmos and Enformion coming up in June.

Here's another one. So Max and me, both of us are going to be at Identiverse, so if you are going to be at Identiverse, definitely come visit us at the booth or even at the cocktail reception that we're hosting together on May 30th. We'd love to see and have conversations with any of you about the topics that we're going to talk about or anything else that's on the horizon. We have a specific session that's being hosted between 1Kosmos and AWS, talking about how can you bring passwordless to the masses. So that's a great topic and specifically around bringing identity and passwordless to a large group. Okay, another exciting one here. Max, you want to go for it?

Max Borchard:
Sure. So Sheetal mentioned I'll be at Identiverse as well, and while I'm there, I'll be doing a talk on ChatGPT, AI and Identity. Specifically, we'll be talking about some of the use cases that our consultants are facing, how they're using identity tools within the... Or sorry, how they're using AI tools within the identity security space. So if you're able to stop by, if you're at Identiverse and you come by our theater session, we'd love to share a little bit of hands on knowledge about how our consultants are using the tools, and hopefully you'll learn something useful.

Sheetal:
That sounds exciting, Max. I'm sure you're going to get a lot of people for this one.

Max Borchard:
I'm hoping so. Yeah, it's definitely an exciting space and there's a lot to talk about.

Sheetal:
Yep. Okay, so we are ready to get started. And I think the first thing that we're going to talk about is mostly around what are the increasing pressures that we see in the healthcare industry?

Max Borchard:
Yep, absolutely. So I think the first thing to talk about in the healthcare space is going to be the regulatory environment. As most folks are aware, the healthcare space has a lot of unique regulations that don't apply in other places and other verticals. And so navigating those controls, implementing those controls in a way that doesn't interfere with patient's ability to access healthcare services with doctor's abilities to do their job, those sorts of things is a key challenge in the space. And some of the things we'll talk about in this call are the NIST identity assurance level requirements, GDPR requirements, HIPAA requirements, and how some of the tools and processes that we're talking about here can help an organization to meet those requirements.

And we'll also talk a little bit about, coming back to the ease of access part, we'll start to begin talk about frictionless access for healthcare workers. So how is it that both workforce users, so consider traveling nurses, physicians, folks like that who have maybe a quick turnaround for onboarding and offboarding, can do their job, get the appropriate access to do their job, that you understand who the person is who's actually being onboarded to organization or a sub-organization. And we'll talk through some of the B2B and B2B2B use cases there where you may have a delegated group that can onboard and offboard folks, and how some of these processes and tools can really help make that a more frictionless process where healthcare workers, contractors, traveling nurses can focus on doing their job and not on fighting through IT Security controls.

Sheetal:
Absolutely right. Not fighting through IT security controls. So I was just reading the statistics somewhere, Max. So it says that in a single shift, a nurse may deal with at least 18 patient cases and she may shift between 14 software, different software applications and terminals in different locations. So that's what a nurse's day or a doctor's day looks like, right, on the ground. And they definitely want to be in a position where they're never losing time, are always able to give the best care. So frictionless access for healthcare workers has become a big deal at the industry. And as Max mentioned, right, doctors, nurses, they're no longer in one space. Their locations have changed. It's changed. The devices that they're accessing this information from has grown multifold. So that's what we are working with in terms of security as well as access. It's also important to realize that while we're providing frictionless access, we also need to make sure we are introducing friction in the right spots. Would you agree, Max?

Max Borchard:
Absolutely. Now there's a need to make sure that you actually understand who the person is to really have a solid idea, the identity proofing and process that's occurred there, not just in order to provide good security, but also to meet the regulatory requirements of NIST, HIPAA, things like that.

Sheetal:
And I think finally, we were going to talk about improving the patient experience. Every one of us here on this call today, we're all patients. And I think we're also caregivers too other people, either elderly or dependents who were dependent on us. So it's important to make sure that we as patients, we are able to have access to our health records, people's health records, so we need access to and efficiently transfer them to the right people so that they are able to give us the right kind of advice that we need at the right time. So this has become of at most importance in a healthcare environment.

Max Borchard:
Absolutely. Anyone who's had to go through the experience recently of maybe elder care, taking care of elderly relative who's maybe older, something like that. The challenge of getting access to their records, being able to maybe take actions on their part, getting their records transferred from one healthcare provider to another, from one healthcare facility to another is definitely going to be something I think everyone on this call at some point or another can relate to.

Sheetal:
Yep, absolutely. It's painful to say the least, right?

Max Borchard:
Absolutely. All right. So as we talk through a few of these use cases, the first thing we're going to talk through is that identity verification experience. So most organizations are going to have lots of different channels. You're going to have mobile portals or mobile applications, web portals, other sorts of systems, right, the folks need to have access to. And this goes to be patients, they could be healthcare providers. As I was just talking about with elderly care, you could have a patient delegate, power of attorney, someone who has the ability to take actions on behalf of someone. And all these organizations have a couple different steps they need to go through in order to meet those regulatory requirements as well as kind of provide a more frictionless experience. So in addition to those channels, typically behind those channels, you're going to have identity services that are actually performing the verifications that need to occur.

So we'll talk a little bit about what are the types of verification that are required, how some of these tools can facilitate better identity proofing, better authentication experiences, as well as how those things can help provide better interoperability. When we think about the healthcare space, if we think about, for instance, the NIST requirements, there's a very strong requirement for identity assurance as a need in order to meet those requirements. So there's a need to understand who the person is, who's attempting to get access to systems, attempting to be authenticated. There's a need to meet variable levels of assurance depending on the situation. And there's also a need to consider the highly variable populations here. So as you can see on the left there, there's a lot of different populations. They may have variable levels of technological competency, and so there's a need to make this a frictionless experience.

And so as we move into the next slide here and talk a little bit about identity assurance, typically the approach is going to be that there's going to be a need for strong identity proofing. So that's going to be that first step is, how do you know who the person is who's applying? They've supplied some documents, maybe they've supplied some images, things like that. So having a strong identity proofing scheme is the first step in a strong identity security setup for healthcare organization. NIST in particular, if you look at their requirements, has three levels of identity assurance. IAL1, IAL2, IAL3, and the IAL2, which is the most typical healthcare requirement that you'll see requires one superior or one strong piece of evidence.

So for instance, a passport or a driver's license, but that one piece is only going to be good enough if you've also checked it with the issuing body. So there's a need to understand who the person is, be sure the person and the device they're using are who they think they are, and then also check that with an issuing body. Once that's been done, then you can create the credentials that that person will need to access your systems and proceed through some of the next steps here. So using an authenticator to access websites, those sorts of steps.

And this is a use case that's not just relevant in the B2C space. So you think about patients, you think about providers, those sorts of folks, but it's also a use case that's relevant in the B2B space. So if you move to our next slide here. In the B2B space, a lot of organizations will have multiple hospitals as a result of mergers, acquisitions, things like that, and multiple sub-organization below them that might be responsible for onboarding traveling nurses, for instance, onboarding contractors. So having a strong identity proofing allows you to not only identity proof, the person who manages those systems does that onboarding, those things, but also have transferable records for those folks as they move from place to place to place. So they may be able to do their identity proofing once, confirm their device, confirm that you know who they are, and then they can share those records as they move from one hospital to the next and need access to different systems. So this is a model that's not just in the B2C space, but also in the B2B space. Very, very applicable.

Sheetal:
So what you're showing here, Max, is a scenario where a doctor can prove themselves once, carry the credential with themselves and really move across from one provider to the next provider to the next provider, right?

Max Borchard:
Exactly, exactly. So the physician has and controls their own identity in this scenario. They get their identity proofing done. A third party such as 1Kosmos or another organization is the store for that, is the third party that's verifying that. And they say, yes, we know who this doctor is, they provided this documentation, we've checked that documentation against, for instance, the issuer in the case of a passport or a driver's license looking at state issuers. And we trust both the device and the person accessing and here's the unique identifier for them. So it allows that person to pretty quickly just do the identity proofing once, but let's say they're a traveling nurse, they're at a different hospital each month, they're able to go from one hospital to the next to the next without having to go through that experience again.

Sheetal:
Okay, great. With respect to your previous slide, Max, can you talk about some specific uses where use cases where an identity assurance would be of extreme importance inside our healthcare enterprise?

Max Borchard:
Sure, absolutely. So I think one good example we saw in the real world recently was that when healthcare records for an Australian healthcare firm were accessed, and then eventually they were shared and folks were extorted. Blackmail was attempted based on those records. So these records are extremely valuable. They can have information around mental health, they can have information around diagnoses for disease, things like that. And then someone who's able to get, a bad actor is able to get those records, can then go ahead and use them in a blackmail scenario. So you find the healthcare records of someone, a celebrity, someone important, and then say, "Hey, I'm going to release these records unless you send me some Bitcoin or something like that." So it's definitely, it's one of the most valuable records among any industry record in the space, and it's very important to understand who is that device, who is that person? It's not that hard nowadays to go purchase fake driver's licenses on the web, fake passports, things like that, and then use those and attempt to onboard as pretending to be someone else essentially.

Sheetal:
One of the other areas where we've seen identity assurance being used is with physicians. Now, let's say you are a physician and you have to prescribe controlled substances. A definite use case where we've seen identity assurance being of utmost importance is when a physician has to prescribe controlled substances. We're going to talk about that a little bit more, but this is just a precursor to that.

Max Borchard:
Absolutely. And that's actually a DEA requirement there. So speaking of all of our regulations and things, we didn't even touch on DEA requirements, but that's another great example. Healthcare has some very specific requirements that other industries might not face.

Sheetal:
Okay. We were just talking about breaches, and I think we were going to do a quick poll from our audience here. Specifically, we wanted to ask you guys, do you probably have any guesses around what the average cost of a data breach is currently within the healthcare industry? Any guesses there?

Max Borchard:
I tell you, you have to consider things other than just the cost of, say we're covering those records or the cost of covering identity protection. It's not just the $10 a month to get your credit protection or something like that. There's also operational costs for healthcare organizations too. I mean, very quickly, these things can become huge operational problems that either through ransomware stop your organization from operating or distract your entire IT and security team as they were scrambling to recover, scrambling to figure out which records were taken, things like that. So I think when you add all those things up, the costs pretty quickly grow.

Sheetal:
Okay, great. I think we have a winner right there. So I'm not sure if the audience could see the answer, but the answer was 10 million. We actually picked up this statistic from the IBM security report. So if you look at this bar graph right here, you'll see that the average cost of a data breach within the healthcare industry today is about 10 million. And if you look right here, you'll see that it's about 50% higher than what it would be inside the financial services industry. And consistently over the last 12 years, this number has been on the rise. It's 12 years in a row, Max. So that's how big this number is.

Max Borchard:
Absolutely. I believe it. It's one of those things where the healthcare industry is, it's an industry that also has a lot of disparate IT systems. So there oftentimes are many legacy IT systems that are challenging to integrate with and challenging to work with. So it also makes things more challenging when you're thinking about recovery from a breach. So when a breach happens, the actual audit, digging up what happened, what records were accessed, all those sorts of things make these breaches even more expensive.

Sheetal:
Yeah, absolutely. But it's probably a good cost to say the need for a strong IM program within the enterprise, the need for a strong multifactor authentication program within an enterprise, making sure that everybody who has access has the right kind of access, always doing it with MFA. So many times you read a breach article and they're like, oh, it could have been prevented with just simple MFA in place. So that's definitely, and of course we've been harping about this a little bit in the last few slides, it's about introducing identity into the mix. Today you only know our devices authenticating or sort of user is authenticating. You never know who's behind the device, and that's where we can really make sure that this impact is not as high as it is today.

Max Borchard:
Yup. And you hit it on a key point there. MFA, right? You can say, oh, simple MFA is in place, but MFA has changed a lot in terms of what's considered safe and what's not. At one time, SMS, text messages were considered a great second verification method, and as we know now, that's not really the case. That's definitely not a secure method as a second factor and the environment's changing all the time. If we look at some of the advances in generative AI, there have been postings by folks who are talking about breaking through voice verification systems using AI generated voices. So it's really important to use a lot of factors here to understand who is the person who's accessing your systems, on what device are they accessing those systems. All of those components have to come together in a strong multifactor authentication theme.

Sheetal:
Yep. Great point. Thanks. Okay, we were just talking about identity assurance and I think one of the key aspects was with respect to electronic prescriptions, now in 2010, the drug enforcement agency instituted a policy to make sure that especially with the rising opioid crisis, that there's always a strong identity in place. So they were mandated to follow all of the NIST guidelines to make sure that any physician who's prescribing an electronic prescription for controlled substances has been identity approved. So there's been a lot of development in this particular area. Over the entire COVID and pandemic period, we've seen doctors also move just from a physical location to a lot of locations. So this entire process of making sure somebody is able to remotely prove themselves and then go through an EPCS transaction has been enabled. How do you go through that?

What are the key aspects of enabling this entire transaction? Making sure a physician is self-sufficient? We need to create an environment where a physician is able to easily enroll himself, easily able to identity prove himself. By that, in a real physical world, he would be presenting like a passport or a driver's license, that kind of documents. And at the same time, you also want them to have a strong multifactor authentication in place because there's a large scale impact to having any of these doctors' accounts being hacked. So the DEA mandates that you have a strong multifactor authentication in place. And of course, as with any IM system, you need to make sure that all of this activity can be audited and reported. So the DEA mandates all of these requirements to be in place before they can actually get to an EMR and then send out an e-prescription for that particular controlled substance. So that's how we've seen this entire... Again, this is very specific to the healthcare industry and DEA mandated.

Okay, so how can companies like 1Kosmos who specialize in identity-based authentication and identity and strong verification, how can we participate and make this less painful for healthcare and healthcare enterprise? They focus on providing the best services for their patients, but how can an entity like 1Kosmos sort of help in this scenario where everything needs to meet regulations? We've built out a system where a physician would be able to come in and he would be able to enroll himself. So he's going to receive an email from his IT or security. He would start the enrollment process. He can go ahead and opt to continue the entire process with an app or go without an app.

And the second step really is to make sure that this physician is getting himself to IAL2. In the real world, you'll be presenting a passport and you'll be presenting your live self, and that's how you get to IAL2 or IAL3. But with an automated system, how do we make this happen? We're scanning IDs, we're running checks behind the scenes, and then we're also able to run checks around the medical provider ID, which is again a DEA regulation and then elevate the user to an IAL2. The fun part of this is that we are able to combine both the identity verification as well as the authentication into the same mix. So while the doctor doesn't really realize that I have also enrolled my authenticator into the mix and I can just receive a push notification to log into my applications, he's all set up. So he just has to go through a few steps to make sure that he goes from onboarded to identity verification through being set up for multifactor authentication.

Max Borchard:
Sheetal, end to end, when you think about that, does that mean a doctor can go through all of these steps in a few minutes? Is that sort of what you're getting at here, is this a relatively quick process?

Sheetal:
Yup. This is a relatively quick process and this helps introduce identity into the mix really quickly. And this is really a recommended option not just for doctors, but for anyone even in a workforce where you need to have access to privileged systems, servers, anything. So we recommend this option for anyone who requires a high level of identity to be present in any interaction or transaction with an enterprise.

Max Borchard:
Okay, that makes sense. And you can see use cases there, like you said, beyond just physicians. Another great one we run into all the time is traveling nurses. So organizations that have groups of nurses that spend one month at one hospital, another month to the next because they report to an overarching contracting organization they're a part of. And this is going to allow them to very quickly go through this process once, do their selfie identification, provide their documentation, and then the next month when they need to go to the next hospital, their device is already registered. They've already created that IAL2, understanding of their identity that allows us then to quickly move to these steps.

Sheetal:
Yep, absolutely. Okay. So identity assurance level, when the DEA says they mandate NIST 800-63, what they're really asking enterprises to do is to make sure that their physicians or doctors are at IAL2, AAL2. They're authenticating at a high level of assurance as well as... Sorry, they're authenticating at a high level of assurance and their identity is of a high level of assurance. So this has put these guidelines out as to how you get a user to IAL2. We have algorithms in the background which sort of extract the data from a government document because you're doing all of this remotely and we're not in person, how do you check it? Sometimes it could even be better than a manual verification, right? Because we are able to do so much, we're able to leverage AI to collect document templates, collect, check if this is a photocopy or not, if the image is in the right placement, we are able to run those kind of checks.

The other check that we're able to run is, am I able to match the photo that I see on the ID to the selfie that is being presented in front of me, which immediately tells you if this is a live person, not a photo of somebody and you're able to do a quick match. So I can't be presenting someone else's ID and trying to enroll myself. So that kind of fraud is completely avoided in this kind of scenario and followed by third party checks. So the importance here is we're able to run this data against third party databases to triangulate data. So does this first name and last name match with the address to the DL number that's being presented?

We're also able to option optionally add in some other sources of information like from your SSN if that information is available and even your medical ID. DEA mandates that you need to have your medical ID and DEA license validated as part of this process. So getting to a high level of assurance in a completely remote environment is so much more possible with technologies like this, where hospitals can continue to focus on their caregiving and then you involve the right kind of providers to make sure that your doctors are compliant with the mandates that require them to be at IAL2, right.

Max Borchard:
An important aspect to think about here too is that this isn't just matching a single shot selfie to the ID. I remember five, eight years ago when folks were introducing these sorts of checks, someone would say, hackers would figure out that, oh, I can take a picture of my ID, which I faked, my fake ID, then I can take a fake selfie or I can take a picture I find of the person I'm impersonating on the internet and try and use that as my selfie for this sort of system.

But because this is a live check and actually requires the person to move to look around in different directions as it does that check against their identity photo, it's much harder to fake that sort of thing, if you're trying to impersonate identity. You're not going to have their whole body around to wave the phone around. So it's important to note, it's not just the ID checks. Does your driver's license exist? Is it valid? Those things, but also a selfie against that picture or other photo IDs that you provide that really steps up that level of identity assurance in a remote context, but in a way that's very similar to in person, the same sort of checks an in-person person would be doing when they see you and you hand them your identity.

Sheetal:
Yup. And one of the important things is, and I think we've been in conversation with many hospitals, is that what happens when an ID expires, right? We want to put the doctors through a re-verification because in a real world scenario, you can never present an expired ID anywhere, not an airport, not anywhere. So the same kind of use case can be facilitated completely in a remote world. If you are expired ID, then you go through verification all over again.

Max Borchard:
Yup.

Sheetal:
Okay. So we're going to quickly wrap up and summarize what we've been through. This is a specific case study that we saw at an EPCS subscriber whose happens to be one of our customers. Their strong need was that they had a legacy approach in place where all of their prescriptions were just going through written prescriptions and they wanted to shift to a completely electronic and automated kind of workflow. So the entire IAL2 verification flow was new to them. They were still understanding the standards and things like that. So they had to make sure that first of all, that they met all of the compliance requirements. They had to make sure that, and NIST IAL2 was decoded and presented to them. So these were some of the challenges that they had to face with them, that they had to overcome internally.

Some of the key results that we were able to drive in once we put in our EPCS solution in place was to make sure that this can become done completely remotely. Prior to this, their doctors did have to present notarized documents and they had no place to keep these notarized documents. Of course, it's not recommended to keep physical documents laying around. So that was sort of eliminated. And of course with doctors, the user experience becomes very important. It's hard to train them. They focused on their craft. So we want to make sure that adoption and usability is very easy. It's quick. So we were able to do a lot of improving usability with our doctor population. And finally the enterprise itself was able to implement an MFA program. So anytime a doctor was onboarded, they went through IT verification and they were always set up with MFA. They would receive push notifications just to log into any of their required systems and go to that particular floor. So some real good outcomes here, great learning experiences for us is a company with respect to the EPCS space.

Max Borchard:
Absolutely. What I really like about that too, when you think about that space, you hit on adoption there, that's really one of the biggest challenges in the healthcare space. And if you've had the experience of visiting a doctor, you can barely get the doctor to spend five or 10 minutes with you as a patient because they're so busy going patient to patient to patient. You can imagine if they have to spend five minutes logging in or authenticating for every patient, that could easily double the time that they spend every time they go to a new workstation or they need to access a new system with a new patient. So adoption, usability are two of the things that make this such a great solution. And also I think the fact that the push notifications are very, very familiar to folks. If you have a modern phone, you've been getting push notifications for other things. So it's a process that's very familiar to people and doesn't require a ton of retraining or retooling.

Sheetal:
Yep, absolutely. Absolutely. Okay, we were going to do a another poll, and I think our question was what is the cost of a healthcare record on the dark web. Especially on the dark web, a lot of things floating around, we just wanted to know.

Max Borchard:
And there are many cyber criminal markets out on the dark web where you can purchase records, whether they're healthcare records, credit card records, social security numbers, passports, things like that. And the price varies a lot. So some credit card numbers may only be one or $2 a piece. You don't know how good the credit card is, if the credit card's expired, what's its credit limit is, so if you're a cyber criminal, the value of the record is really in how much context it has and how much money you can eventually extort from that record. And I think healthcare is a particularly interesting space because you end up with lots of records that have a lot of context on people.

Sheetal:
Yup. A lot of privacy being this. So we have some results here and I think most people guess $60, which is obviously the right answer. We made that easy for you guys. Of course, it is $60 a record and probably upwards, right, Max?

Max Borchard:
Yeah, absolutely. There definitely are reports from Experian and others that talk about healthcare records being as expensive as a thousand dollars a record on the dark web. And a good reason for that, right, is if we think about some of the healthcare breaches that have involved actual full healthcare records, so records of treatment, records of prescriptions, immunology, things like that. There was that large Australian healthcare organization that was breached last year and full records were released. The attackers were able to exfiltrate full records for people, which doctors they'd seen, what they'd been diagnosed with, what they'd been prescribed with.

And what they started to see over the coming months is as those records entered the dark web and bad actors began to purchase them, they then began to perform extortion. So they would message folks whose private records were taken and say, "Hey, we know you have this disease, or we know that you have this mental health issue, whatever it might be, and if you don't send us money, we're going to release those records to to your employer or we're going to release those records to your family." Things like that. So you can see how for someone in the dark web, these records are extremely valuable from that perspective.

Sheetal:
And really has far-reaching consequences from a GDPR and a HIPAA perspective and how it can affect you personally. And clearly you can tell the difference between the price of an SSN versus a credit card. And this sort of ties back to what the value of a healthcare data breach is. When a healthcare record is this valuable, obviously the cost for healthcare data breach is going to be five times higher than what it is for another normal financial services form.

Max Borchard:
Yup. Absolutely.

Sheetal:
So this sort of brings us to the core part of our conversation, about digital identity and the future of having digital identity within the healthcare space. We really wanted to start off and talk about what is digital identity. Digital identity is you being able to say that I am who I say I am, being able to carry proofs with you that assert to a high level of assurance that this is my driver's license, this is my passport, and only revealing as much information as you need to and making it very easy for somebody else to verify who you are. And of course, with this comes trying to make sure that your digital identity is easily portable, you can walk around with it and of course, it's interoperable that you're able to move it around to different devices, different ecosystems as you need to.

Now, that's what digital identity is. Now how can this be of value in the entire healthcare ecosystem? We believe that digital identity is going to be the next big transformation step for the healthcare space. And this is because when you have a strong identity in the mix, it's going to help improve your patient doctor interactions and improve efficiency. The first aspect is, it's going to promote interoperability. One of the big missing pieces today in our healthcare systems, even in the United States is that our EHR systems are siloed systems. Each one of them do not talk to each other. They haven't talked to each other. They've never talked to each other. So me as a patient, I have a single record in every EHR, which means my healthcare profile is split across so many of these systems, but it's really one person. Why is it so hard to know all of this information? So the first aspect that we wanted to talk about is how can we promote or enable this ecosystem where it is easy for me as a patient to transfer my healthcare records?

Max Borchard:
And I think that's something that's become more apparent problem as we've seen the first phase of digital transformation with healthcare organizations. So as many healthcare organizations made electronic their healthcare records from previous paper systems, they did so, but only within the silo of their own organization. So if you've ever had the experience of moving, having to switch to a new healthcare provider, you can probably relate to the challenge of having to go call various healthcare systems, get records sent to you from various systems all to your email or however they send them, perhaps even paper still, and then gathering those all together and providing them all to your new healthcare provider. So the goal here is to really provide or begin to create a standard for how healthcare records are going to be shared, transmitted, those sorts of things. Whether it's for a patient, a patient's delegate, maybe if someone is unconscious or a coma, something like that. But the challenge is built or was created by the fact that all of these healthcare systems weren't electronic originally. And so they very much operate in their own silos.

Sheetal:
So I think some of 1Kosmos has had the privilege of working with CARIN Alliance. The CARIN Alliance is a nonpartisan entity that brings together different players in the healthcare space. So there are hospitals, there are identity providers, there are brokers like the HHS and applications hospitals who are in the mix who are trying to work on the standard for making sure that it's easy for a person to prove themselves and be able to aggregate their healthcare data across different portals. As part of our proof of concept in the CARIN Alliance and in partnership with many of these companies here, we did demonstrate that an individual can voluntarily identity proof themselves and use that same credential, that IAL2 credential that we've been talking about to go ahead and access multiple data holders for their own data. So this is huge because me being able to aggregate my healthcare records into one particular place offers me the opportunity to make better informed decisions with my doctors. So that's the large scale version in working with somebody like the CARIN Alliance. And that's the large scale transformation that digital identity can bring into this particular space.

So with respect, again, from a regulation's perspective, we've seen in the last few years a lot of standards being developed with respect to TAFCA and FHIR APIs and things like that which promote standards around how data travels from one particular provider to the next provider. And every user, and there's large scale legislation that makes sure that users have the right to access their own healthcare data. They just have to verify themselves with that IAL2 credential. Why? Because it just makes it secure. You don't want your health record going and landing on somebody else's plate. So having an IAL2 credential helps you ensure that you are accessing only your data. So in terms of being a patient, what is it that you're doing right? You're going through the same identity verification flow, you're presenting an ID, and once you do it, you hold onto that credential somewhere and you're presenting it with the right kind of healthcare provider to find yourself there.

So this is a good workflow right here. So now, you, Max, let's say you want to see an aggregated health record. What you're doing with a credentialed service provider like 1Kosmos is going through identity verification services with us. So we as a credentialed service provider are the ones who are saying that Max is who he says he is. Because he has been through identity verification with us. And what makes us really unique over anybody else is the fact that we hold all of this data in a wallet, a secure wallet that can only be accessed by you and with permission from you. It's never on a database, it's always on a wallet that can be accessed by you. So you go through identity verification and then you are receiving a credential that says IAL2. And then you go ahead and say, okay, let me share some of my information with the healthcare provider because each one of these healthcare providers that you see here have individual identifier for Max.

So how do you say that this ID connects to this ID connects to this one, digital identity forms that core competent that's going to connect this. So I'm going to pass on the first name, last name, address, whatever the healthcare provider needs so that they can go fetch that unique record that you're being matched to and then come back and say, "Okay, fine, this is how we are able to aggregate a single user's record across multiple healthcare providers." So that's the kind of interaction or ecosystem that we believe we would be moving into to promote interoperability. It begins with digital identity in the mix.

Max Borchard:
And this will facilitate not just gathering your healthcare records, going to these providers and saying, "Hey, I need my healthcare records for immunology, for the shots I got last year because I need to prove them," but also distributing them. You can then go to your next healthcare provider and say, "I'd like to share my first name, last name, whatever, so that I can get set up and they recognize who I am." Then you can say, "I'd like to share my immunology records," or "I'd like to share the record of this surgery I had," or something like that. So your next healthcare provider, you choose what you're providing to them, but you're also able to quickly in this little friction, provide them the context they need to provide you good healthcare services. So really, it facilitates multi-directional information sharing, which is huge for patients.

Sheetal:
Yup. Okay, we want to do a quick demo. We actually have a couple of videos here, but really from a patient perspective, what does this really look like, right. At the end of the day, many conversations are around how easy is this for a patient to do? So we'll see a quick video of what that identity proofing looks like with a CSP. This is a healthcare portal that the patient is trying to log into. They're trying to remotely onboard themselves. What they're trying to do is create an account and they're just providing their email address. They're going through an email verification. Pretty common. Because it's the healthcare space, you want to make sure that they working with a verified email, a verified phone number, and you'll see why you need a verified phone number in the mix because they're going to scan their IDs from a phone.

So you make sure you have a verified phone number in the mix. And after that the account has been created. So the phone number is verified and you'll see their account is being created. In this step, we're also setting them up for MFA, which is MFA with just a password and an email OTP. So you'll see in this instance that this user's profile has been created. My account at Acme Health has sort of been provision, but as we said previously, for a patient to be able to access certain parts of their record, they need to be at IAL2. So you are able to involve a credentials service provider at that time and say, "You know what? I want to put this person through an identity verification just to make sure that they are verified before they access certain sensitive parts of their record."

So you'll see them go through entire exercise to scan it, scan all of their information, and in this particular section you'll see that they are starting off with a driver's license. And with IAL2, sort of like a computation, we want to minimize the amount of private data that we have about a user. So you only ask them for as much data as they need to have to get to IAL2. If they don't need an SSN, don't put it in there. If you're not able to verify them, go for a second document. So that kind of intelligence in getting a user to IAL2 is what credential service providers can sort of offer. Keeping those records secure, making sure that there is no fraudulent documents, expired documents being presented. There's always a live biometric of the user that is available, that kind of workflows.

So you see that the user's been through a selfie at this point. So we've collected some good amount of detail of information about this user. We have their driver's license, their biometric. Optionally, if we've not been able to verify them well enough, we do ask for an SSN. NIST does mandate certain guidelines where you need to verify them against certain third party sources. And then here again, you'll see that they're being returned to Acme Health. Now what is Acme Health going to do with all of this information?

So what they're going to do is either be able to reach into an HIE to go ahead and say, okay, fine, what past records of this user are available and other systems. So they're able to pull information based on that. Of course, with consent. So those are the kind of workflows that we can enable when we have digital identity in the mix. And you can see that's a quick and easy process. Now this user has been proved once and they can carry this identity everywhere. So Max, when I have to go and enroll myself at an other healthcare organization, I don't have to go through verification. I'm just going to say, log in with a CSP and I present the same credential to them and they should be able to create an account. So it enables a completely remote experience, makes scheduling much easy, data sharing a lot more easier

Max Borchard:
And you hit on an important point there, I think. As part of being the CSP and verifying that person's identity, there are specific requirements like for NIST. So you may be able to provide one strong piece of evidence or two, but then you also have to verify that or you need to provide two strong identifiers or you may be able to provide one strong one and what are considered to bear pieces of evidence, right? So that's the CSP, right? All of that sort of thing is checked. So if the person maybe doesn't provide a strong form of verification at first, it'll go ahead and ask them that they need to include a stronger identity.

Sheetal:
Yup. Absolutely. So you don't have to worry about the verification piece. You're just towing it over the fence to a credential service provider who takes care of that entire computing of the IAL, right?

Max Borchard:
Absolutely.

Sheetal:
Another aspect that we wanted to talk about was, healthcare providers today are very siloed. Today, every time I go into, walk into a new healthcare provider or a pharmacy, I'm being asked to create a separate account. There is a need for every customer, for us to have a single unified ID that a patient is able to control, that focuses on me as a patient having access to all the places where I have an account. So that can be enabled through a probably unified digital medical ID. If there was one digital medical ID, there was a unique identifier and even possibly a W3C or decentralized identifier that every hospital or many healthcare providers can adopt. That way a user is able to have a unique ID that is tied back, that they can hold in a wallet on their device that is secure and that is going to act as the key that can unlock their access into multiple healthcare providers.

That will really eliminate the problem that we are having today, which is how do I make sure that the Max that I see in healthcare provider one is the same Max that I'm seeing in healthcare provider two, if I always presented you with the same medical ID and if this entire framework was powered by the federal government or even by a combination of private entities, it would make the entire healthcare space so much easier for patients, for caregivers and doctors to make sure that they have access to the right records at the right time to provide the best care.

We also have the opportunity to make sure that there is minimized fraud in this environment because you are always accessing, you are in control of your data. So anytime you need to access your records, you are making sure that it's with you. It's in possession with you, you are able to track your consent and you're always authenticating with that strong device or strong factor that you have. So in that format, having a universal medical ID we see will also change the entire healthcare ecosystem to be a more accessible environment. Everybody has the same kind of access when you put universal identifiers in place and promote interoperability.

Max Borchard:
You could really see some advantages there too. If you've ever had the struggle of waiting while you're trying to receive healthcare, as they process insurance information, as they gather that, those sorts of things, a lot of that other information you could imagine this future would be something you could share along with your unique ID. You could share your insurance information, who your insurance provider is, those things. So lots of advantages that come about from having this unique centralized ID.

Sheetal:
Yep. Yep. Okay. So that sort of brings us to the end of our session today. Max, did you want to take a stab at summarizing all the... I know we talked about a lot of things. So do you want to quickly summarize and open up for questions?

Max Borchard:
Yeah, yeah, absolutely. So I think we started off talking about some of the challenges we see in the healthcare space. Challenges that have existed for a long time in the healthcare space, whether those are regulatory challenges, challenges with the populations that are accessing systems, whether those are nurses, physicians, patients, and delegates. We talked through the requirements that some of those regulations and just good security practices in general, bring up. So whether it's identity proofing, whether it's authentication, whether it's authorization, all those things are challenges in the healthcare space as well as in other spaces. And then we walk through a couple examples here that I thought were really, really great around how 1Kosmos is working to improve interoperability within the healthcare space. Implement a system of meeting some of these regulatory requirements that isn't burdensome for the staff, for physicians, traveling nurses or for patients.

And how some of those solutions are applicable in multiple areas, whether it's workforce side, customers, those things. And I think most interestingly that the care and alliance was one of the things that you brought up here I thought was great. It is with the sort of thing that does require buy-in, it does require adoption. That's one of the challenges with healthcare in general, right? Is getting folks to adopt some new technologies, new approaches to things. So I think that's a great sort of approach that lots of different organizations are working together in order to build a standard for the future. And hopefully, it's going to be a future that's makes it a little bit easier next time you're trying to get some healthcare.

Sheetal:
Yep, absolutely, right. Just make it much better for the patient, right? That's the most important thing. At the end of the day, patient needs to get the right kind of care and make sure we are preserving their privacy. Just wanted to check in. I know we're at the last five minutes. Any questions that we can help answer? Rob? Maureen, did we have any questions from the audience? I know we're almost out of time.

Maureen:
I don't think we have any, no, just think we're good.

Sheetal:
Okay. Okay, so that's a wrap then, Max. I think this was a very interesting. It was a very exciting topic to really go through, right? Because with respect, as you said, with the CARIN Alliance, everybody stepped in to collaborate to really solve the problem. How can we make this space much better? So everybody stepped in with that intent. It was very nice to collaborate with a whole bunch of people and I hope we really push the boundaries on this one and we get patients the access that they need.

Speaker 4:
I actually have two questions. Sorry I couldn't get the mute button in time. Of course, now my phone's ringing as it should be. There we go. So in terms of government ID checks and getting a credential, so it sounds like you basically, I'm just summarizing because it's kind of a long question, it sounds like a doctor can go through an online verification, which includes government ID checks, get their credentials, and then get access into a system within five minutes. Is that what you guys are claiming?

Sheetal:
Yes. Yes. It's going to be pretty quick because we've been through this where a user receives an email, they're downloading an app or they're going through the web, they're scanning an ID, which is usually your front back and your selfie. Everything happens mostly in the background. So if you've been checked out for all of these and your fraud checks check out pretty normal, then you are pretty much set up. You have an IAL2 credential, you onboard yourself into a authenticator, so you make sure that you're set up for MFA as well as the receiving push notifications. So five minutes and under is what we're targeting in terms of user experience and getting the doctor set up.

Speaker 4:
Cool. And then the next question had to do with patients. So I'm a patient and I move to a different healthcare provider. What does that look like?

Sheetal:
So if there's a CSP that is starting this interaction, so then the CSP, you can go back to healthcare provider two and say I want to log in with a CSP, like 1Kosmos, right? 1Kosmos would already have your credential. We would know that you are already identity approved. We would be able to send over some information about you to healthcare provider two and let them know that you are verified. So your onboarding into healthcare provider is going to be really easy. Additionally, if both healthcare providers are connected through, are interoperable, we are able to make sure that both healthcare providers have the same identifier to pull up the records. We are able to facilitate that through API exchanges.

Speaker 4:
Max, from your perspective, just curiously, what's that look like from a consulting standpoint with iC Consult, what do you see?

Max Borchard:
Sure. So I mean think from a consulting perspective, we see a lot of clients who have this challenge of basically facilitating patient record access. And it's not just a matter of being able to provide records on their way out, but also being able to get accurate records to do better, to have better healthcare results. So I think this sort of solution is going to be able to, one, provide patients with a more modern approach that's more familiar to them. Like they are used to with more modern technologies, whether they're using their Gmail ID to log into other things or they're using their Facebook login to log into other things.

So I think it's going to provide for patients a much more familiar experience, but also provide better healthcare outcomes as well, which is really what the healthcare organizations want to hear. They're able to get records more easily, more accurately to understand and verify the validity of those records and then as a result, deliver better healthcare. So I think it's one of those things that is really helpful for the workforce side of things, but also really helpful for the patient side of things and it'll be very interesting going forward.

Speaker 4:
Cool. And you guys are right at the top of the hour, so that was all the questions we had as well.

Sheetal:
Okay. Okay. Thank you, Max. Thank you. Reen, Alexis, Robs, Andrea, everybody was here. Thank you to the audience as well.

Max Borchard:
Thanks very much folks. Take care. Have a good day. Bye-bye.

Speaker 5:
Thank you.