Your Email Address Is a Lot of Things, but It’s Not Your Digital Identity

By: Gus Malezis, President and CEO of Imprivata

Whether we realize it or not, most of us use email as a form of identification, specifically digital identification. Whether you’re logging in to your system in the office, signing in to Facebook, LinkedIn, or your personal Gmail or Yahoo account, or making a purchase on Amazon or eBay, you’re typically using (one of) your email address(es) to sign in as a means of identifying who you are. But some companies (banks are a great example) will require that you use a username, or your ATM card number, as that login ID.

Because many vendors have historically utilized an email address as a login ID, instead of a username, a lot of people make a connection – a flawed connection – that your email is your identity.

But is your email really your identity?
It’s not. Your email is just an email, designed and built so that a message can get to you. It’s just a place where someone can send information to you. It hasn’t been validated by any sort of legal identifier (Social Security Number, driver’s license, etc.), there is no identity proofing, anyone can get an email address with minimal process or validation…and you get the drift…it’s not tangible. It can be lost or you can lose access to it if you change email vendors or change jobs. Worse yet, anyone can construct an email address that might spoof you; meaning someone, anyone, can get an address that might be similar enough to your name, but is not you. In this case, emails would be sent to the incorrect person. This happens all the time now with domain addresses, known as hoarding or cybersquatting. 

So now that we understand your email address is NOT your digital identity, we can ask the question of what is a digital identity?
That is another great question for consideration, and another article. For now, let’s consider that a digital identity is a username, or ID, created with identity proofing and validation. This would be analogous to what a financial institution, say a bank, provides to customers. A bank doesn’t depend on your email address. A bank depends on your username. And before they gave you a username, they vetted you. They used your SSN, driver’s license, your previous addresses, and they ran a credit check. Then, once they fully validated you, they created a digital identity for you which is usually that of your debit card. That is a true digital identity.

Regardless of the industry we’re in, all vendors should all take a lesson from banking. Stop relying on email for digital ID. Build a high-trust digital identity that relies on identity-proofing and validation, and use it appropriately.

What would digital identity look like in healthcare?
New technology solutions have emerged to help make digital identity a reality in healthcare. At the heart of digital identity is positive patient validation and identification. In this case, a person is validated, similarly to what a bank might do, and only then is a digital or digital/physical identity provided. To ensure further trust, biometrics would be used, biometrics such as a fingerprint, palm vein, iris, etc. This combination of validated identity integrated with biometric data provides a higher level of identity trust. Some countries, such as the UK, are doing this with Smart Cards; patient ID cards that store a patient’s entire medical identity. Other countries use a program similar to a driver’s license; in this case once identity validation is achieved, a nine-digit number (sometimes longer) is offered, which then becomes the digital ID

Many leading healthcare organizations in the U.S. see biometric identification as a crucial and prominent option and one that provides more security, reliability and trust.

The bottom line in healthcare is, in order to address patient identification effectively, technology solutions have to do more than simply identify patients accurately. An effective technology solution must provide a positive patient identification process that directly integrates with existing workflows and allows for secure identification at any point of care. It must also provide extremely high levels of interoperability across multiple clinical systems, patient acceptance and usability proven to work in healthcare environment.


More AEHIT News Volume 2, No. 3: