The authentication of identity has become a complex and sometimes unreliable process. The ability to obtain first hand information on an individual’s background is becoming expensive and available information is increasingly more unreliable. In order to maintain a high quality authentication program, multiple types of verification should consider in the identification process. The authentication verification process requires the establishment of standard criteria for the collection and confirmation of the data chosen to establish identification. These standards should be specific and written, outlining the hiring and retention of employees and their access privileges into security sensitive areas.
Authenticating an IdentityTraditionally, corporate entities utilize six potential avenues to authenticate an identity: job application, employment reference check, personal reference check, criminal background check, education check and check of permits, licenses and other governmental records. The key to the successful utilization of these identity checks is personal verification, the personal review of data with the candidate to ensure the completion of all required information and most importantly its accuracy. Specifically, the personal review of name, Social Security number, address, date of birth and all other employment demographics necessary to meet the employment criteria.
Additionally, collected background information should be corroborated through primary source and multiple source verification. Primary Source Verification is the utilization of original source documents to gather background information. For example, when conducting a primary source criminal background check, a court document check would be preferable over the use of a third party clearinghouse. Multiple Source Verification is the comparison of original source documents with the goal of obtaining consistent demographic information: name, Social Security number, current home address, date of birth, educational degree, etc.
The same holds true when conducting a personal or employment reference check. Primary and multiple source verification should be utilized. Reliance on third party contact should be avoided. Employment reference checks should be directed to the person within the organization that is responsible for providing those checks and all employers listed on the application should be contacted and asked to provide data. When it comes to personal references, the person listed as the reference should be contacted – not a roommate, parent or spouse. And again, all of the listed personal references should be contacted. When a reference is contacted, verification should be made on the name spelling and the current address of the applicant. Once all of the reference data is gathered, multiple verification should be completed comparing all of the reference data.
Using primary and multiple source verification will make the authentication process more reliable. Primary source documentation ensures that the data requested is trustworthy. Using multiple source verification authenticates the identity of an individual. Both practices together provide for a more dependable foundation in which to build an identification and access control program.
Establish ID StandardsIn addition to data verification, standards should be established that allow for continuous updates of the original data gathered. A reliable identification program should have the ability to detect and collect changes to the original background and reference data. It is necessary to be advised of changes to criminal convictions, loss or suspension of licenses, major change in credit rating, change of address or name changes.
Processes should be developed that establish regular updates to data and provide alerts when changes occur to an employee. Continuous monitoring of an individual’s activities is essential in the evaluation of access rights, especially when these rights are based on financial and other confidential criteria. Along with employment data, this data should be primary source verified to ensure it is correct. Updated data (like baseline data) requires personal confirmation with the employee and the agency that is reporting the change.
Working in a major metropolitan hospital, I sometimes encounter medical analogies which reinforce good security practice. In the case of authentication, the healthcare industry offers a good model to consider in the establishment of an identification program. Authentication relies on the collection of substantiated information. Hospitals today exemplify the practice of authentication through compliance with what are called the “National Patient Safety Goals.” These goals were developed to increase the safety of patients by instituting practices to reduce the possibilities of errors when providing care. Three Patient Safety Goals, in particular, demonstrate practices which should be considered in the implementation of identity programs: Accuracy of Patient Identification, Universal Protocol or Time Out, and Effective Communication.
According to the Accuracy of Patient Identification goal, all interaction with the patient from registration through discharge requires the use of at least two patient identifiers. The goals specifically states that every interaction, even if the same healthcare provider interacts with a patient several times during the course of treatment. In each and every encounter at least two methods must be used to verify identity. That means the provider must ask the patient his or her name and date of birth, look at the patient’s bracelet or their identification like driver’s license or credit card to confirm they are treating the correct patient. Multiple confirmations and the use of two or more verifiers is an excellent standard to consider when collecting data for any identification program.
The Effectiveness of Communication goal requires the reading back of verbal or telephone orders in the exchange of critical test values to ensure the information stated is correct. In addition, this standard requires a “hand-off” communication protocol. This protocol requires the development of a standard way to exchange necessary information from one care giver to another. This goal sets the standard for conducting personal or work references; continuous verification of data along with constant communication with the applicant sets the standard for reliable data collection.
The third goal is called Universal Protocol. This is used during surgical procedures to verify the correct person, the correct procedural site and the correct procedure. The key to this goal is the process called Time Out. A Time Out is conducted prior to starting a surgical procedure. During a time-out all activities are suspended so that all relevant members of the team are focused on the active confirmation of the correct patient, procedure, site and other critical elements. When reviewing data related to the verification and assignment of access rights a time-out will help to ensure the data is being reviewed and that it is correct.
Creating and implementing a successful identification program requires standards that need to be followed each and every time an identification needs to be verified. In assessing the implementation of an identification program, consideration should be given to authenticating baseline data and providing continuous data updates, which will ensure a smooth system.