1. HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair Certificate Authority- Provider Authentication Recommendations June 8, 2011 1

2. Tiger Team Members 2 Deven McGraw, Chair, Center for Democracy & Technology Paul Egerman, Co-Chair Dixie Baker, SAIC Christine Bechtel, National Partnership for Women & Families Rachel Block, NYS Department of Health Neil Calman, Institute for Family Health Carol Diamond, Markle Foundation Judy Faulkner, EPIC Systems Corp. Leslie Francis, University of Utah; NCVHS Gayle Harrell, Consumer Representative/Florida John Houston, University of Pittsburgh Medical Center David Lansky, Pacific Business Group on Health David McCallie, Cerner Corp. Wes Rishel, Gartner Latanya Sweeney, Carnegie Mellon University Micky Tripathi, Massachusetts eHealth Collaborative Deborah Lafky, ONC Joy Pritts, ONC Judy Sparrow, ONC

3. Definitions On the Internet, the identity of an entity is authenticated using a digital certificate –Contains information about the entity –Contains public (freely published) encryption key that, when used in combination with its paired private key (retained by the entity), can be used to authenticate the identity of the certificate holder The organization that assigns certificates is called a Certificate Authority, (“CA”). 3

4. Authentication Environment 4

5. Previous Recommendation—Nov. 19, 2010 Recommended Certificates an entity-level only, not an individual level Recommended High Level of Assurance Recommended ONC Accreditation of Certificate Authorities—We were asked to review this aspect 5

6. Alternatives Considered CAs must operate under the supervision of some accreditation body recognized by the Office of the National Coordinator (ONC) CAs must conform to the CA best practices of WebTrust and/or European Telecommunications Standards Institute (ETSI) CAs must be cross-certified with the Federal Bridge Certificate Authority (“FBCA”) (either directly or chained up to the FBCA) 6

7. Exchange Functionality Considerations Almost every healthcare organization will at some point need to exchange health information with a federal health agency (e.g., VA, MHS, CMS, IHS) Under FISMA and CIO Council of federal agencies, a federal agency is highly unlikely to accept a certificate that was not issued by a CA cross-certified with the FBCA None of the agencies questioned said they would accept a certificate issued by a CA that is not cross-certified with the FBCA –For example, VA requires that certificates used in Direct pilots be cross- certified Federal Public Key Infrastructure Policy has established a Citizen and Commerce Class Common Certificate Authority (C4CA) that is cross-certified with the FBCA for the purpose of federal-private exchanges 7

8. Security Considerations High Level of Assurance is needed Validation of the entity’s identity is necessary prior to issue the certificate to the entity Tiger Team rejected second alternative (WebTrust or ETSI) because it does not include entity validation 8

9. Implementation Considerations Costs Competitive Environment Technical requirements on entities without an IT department (e.g., small group practices, rural and small hospitals) 9

10. Recommendations 1. Certificates required for exchange under the NwHIN brand should be issued consistent with the following principles: A high level of assurance with respect to organization/entity identity needs to be obtained. The certificate should be acceptable to federal agencies, given the frequent need for providers to exchange health information with the federal health architecture. Multiple competitive sources for digital certificates should be available, in order to ensure that small or less resourced provider entities are able to obtain and use digital certificates. 2. All certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a Certificate Authority (or one of its authorized resellers) that is a member of the Federal PKI framework. 10

11. Some Direct Stakeholder Concerns Concerns that there might exist important operational issues that have not yet been discovered. Recommendation may adversely affect the deployment of The Direct Project. 11

12. Recommendation adjusted in response The HIT Policy Committee will revisit (or ask the HIT Standards Committee to revisit) this recommendation if the S&I Framework process to further investigate the costs and implementation burdens of requiring cross- certification to the Federal Bridge reveals new facts that call into question the conclusion that it is financially and operationally feasible for small or less resourced provider entities to obtain certificates pursuant to this recommendation. 12