
1 HIT Standards Committee Privacy and Security Workgroup: Update
Dixie Baker, SAIC
Steve Findlay, Consumers Union
December 18, 2009

2 Privacy and Security Workgroup Members
Dixie Baker, SAIC
Steve Findlay, Consumers Union
Anne Castro, BlueCross BlueShield of South Carolina
Aneesh Chopra, Federal Chief Technology Officer
Ed Larsen, HITSP
David McCallie, Cerner Corporation
John Moehrke, HITSP
Gina Perez, Delaware Health Information Network
Wes Rishel, Gartner
Walter Suarez, Kaiser Permanente
Sharon Terry, Genetic Alliance

3 Topics to Be Covered
Demystifying Standards (I hope) and Update
Observations from Security Hearing, November 19

4 Demystifying Standards Recommendations
Standards, certification criteria, and implementation guidance are intended for use in certifying EHR products
  – How these capabilities are used within a healthcare environment is based on an individual organization’s size, complexity, and capabilities, technical infrastructure, risks and vulnerabilities, and available resources
Standards and certification criteria help assure that a “certified EHR product” has the technical capabilities an organization will need to:
  – Comply with HIPAA and ARRA privacy and security provisions
  – Be ready and eligible for “meaningful use”

5 Demystifying 2011 Recommendations
HIPAA/ARRA Standards (numbered) and Supporting Standards (indented beneath each):
1. Obtain proof that users and systems are whom they claim to be (i.e., authenticate identity) before enabling them to use the system
   Use the same standard commonly used for web transactions (Transport Layer Security - TLS) to do this for all web-based communications
2. Control access to information and capabilities
   HIPAA Security Rule implementation specifications
3. Provide the capability to encrypt and decrypt information
   Use the NIST-recommended Advanced Encryption Standard (AES) algorithm
4. Create an audit trail of system activities
   Use the IHE Consistent Time (CT) Integration Profile, with Internet standard Network Time Protocols (NTP & SNTP) to synchronize time
   Use the IHE Audit Trail and Node Authentication (ATNA) Integration Profile to exchange audit information

6 Demystifying 2011 Recommendations
HIPAA/ARRA (numbered) and Supporting Standards (indented beneath each):
5. Detect unauthorized changes in content
   Use one of the NIST-recommended Secure Hash Algorithms (SHA) to generate a number that uniquely represents the data – so that if the data are accidentally or intentionally changed, the number will also change
   Use ASTM standard as guidance in implementing electronic signatures
6. Protect the confidentiality and integrity of information transmitted over networks (e.g., web)
   Implement encryption and integrity protection using the NIST standards (AES and SHA)
   Use HITSP Service Collaboration 112 as guidance in sharing documents with entities outside the system
   Use Internet standard Domain Name Service (DNS) and Lightweight Data Access Protocol (LDAP) to locate resources on the Internet

7 Demystifying 2011 Recommendations
HIPAA/ARRA (numbered) and Supporting Standards (indented beneath each):
7. Electronically record individual consumers' consents and authorizations
   HIPAA Privacy Rule implementation specifications
8. Provide the capability to create an electronic copy of an individual's electronic health record, record it on removable media, and transmit it to a designated entity
   Use HITSP Capability 120 as guidance in implementing the capability to record unstructured information on removable media (e.g., CD, thumbdrive) or to send to a Personal Health Record (PHR)
9. Provide the capability to de-identify information
   HIPAA Privacy Rule implementation specifications
10. Provide the capability to tag de-identified information with a secured link that can be used later to re-identify if necessary
   Use ISO pseudonymization standard as guidance

8 2011 Recommendations - Update
Working Group discovered potential problem with recommended standard for protecting the integrity of data – recommendation excluded an early version of the Secure Hash Algorithm (SHA-1) that is widely used to protect the integrity in web transactions
  – Hash algorithms don’t keep information secret – they just help detect when it has been modified
NIST guidance states that Federal agencies may not use SHA-1 after 2010 for digital signatures and certain other applications, but allowed its use for protecting data integrity
Latest update of FIPS PUB still includes SHA-1

9 Resolution Coordinated Through Standards Committee Leadership
Changed recommendation to latest version of FIPS PUB hashing standard (which includes SHA-1)
Changed the certification criteria to:
  – Explicitly allow SHA-1 for web integrity protection only, and encourage the use of one of the other 4 hash algorithms included in the standard
  – Require one of the other algorithms for protecting the integrity of data at rest
Changes highlighted in hand-out
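
The revised criteria above, expressed as a check that can be run (an added example, not part of the presentation or of any certification tooling). The context names and function names are hypothetical, and the "other 4" algorithms are assumed to be SHA-224, SHA-256, SHA-384 and SHA-512.

```python
import hashlib
import hmac

# Assumption: the "other 4" algorithms are the SHA-2 members published
# alongside SHA-1 in the FIPS hashing standard of that period.
SHA2 = {"sha224", "sha256", "sha384", "sha512"}

# Hypothetical context names for the two cases the criteria distinguish.
ALLOWED = {
    "web_transit": SHA2 | {"sha1"},  # SHA-1 allowed, the others encouraged
    "data_at_rest": SHA2,            # SHA-1 not allowed
}


def _norm(algorithm):
    """Map spellings such as 'SHA-256' to hashlib's 'sha256'."""
    return algorithm.lower().replace("-", "")


def check_algorithm(context, algorithm):
    """Return 'ok', 'discouraged' or 'rejected' for an algorithm in a context."""
    if context not in ALLOWED:
        raise ValueError(f"unknown context: {context}")
    name = _norm(algorithm)
    if name not in ALLOWED[context]:
        return "rejected"
    return "discouraged" if name == "sha1" else "ok"


def seal(record, context, algorithm="sha256"):
    """Compute the digest kept with a record, refusing disallowed algorithms."""
    if check_algorithm(context, algorithm) == "rejected":
        raise ValueError(f"{algorithm} not permitted for {context}")
    name = _norm(algorithm)
    return name, hashlib.new(name, record).hexdigest()


def verify(record, context, algorithm, expected_hex):
    """True only if the algorithm is permitted and the digest still matches."""
    if check_algorithm(context, algorithm) == "rejected":
        return False
    actual = hashlib.new(_norm(algorithm), record).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    record = b"constructed sample record: allergy=penicillin"
    alg, digest = seal(record, "data_at_rest")
    print(alg, verify(record, "data_at_rest", alg, digest))          # unchanged
    print(verify(record + b"!", "data_at_rest", alg, digest))        # modified
    print(check_algorithm("web_transit", "SHA-1"))                   # discouraged
```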

10 Security Hearing Panels – Nov 19, 2009
1. System Stability and Reliability
   Challenges related to maintaining the stability and reliability of electronic health records (EHRs) in the face of natural and technological threats
2. Cybersecurity
   Challenges related to maintaining the trustworthiness of EHRs and Health Information Exchanges (HIEs) in the face of cyber threats such as denial of service attacks, malicious software, and failures of internet infrastructure
3. Data Theft, Loss, and Misuse
   Challenges involving accidental loss of data, data theft, extortion and sabotage, including criminal activities and other related areas
4. Building Trust
   Issues and challenges related to building and maintaining trust in the health information technology ecosystem, and the impacts that real and perceived security weaknesses and failures exert on health organizations, individual providers, and consumers

11 Key Messages
Keep it simple!
  – Abstract out complexity – create standards-based components that hide complexity
  – Bake security into products
  – Need for security “toolkit” especially for small practices
Implement defense in depth – layered security
Days of tightly controlled perimeters are long gone – need to address distributed, mobile, wireless, and virtual resources, as well as computers embedded in biomedical devices
Need to measure security “outcomes”

12 System Stability & Reliability
Many existing clinical products lack the functionality needed to support security best practices
Systems embedded in FDA-regulated biomedical devices are a “huge problem” – present vulnerabilities not easily addressed by “enterprise” security practices
  – Often managed by vendors
  – Cannot be modified – no OS updates, anti-viral software
  – Cell phones are rapidly entering this category
“Least critical” systems often are those that are compromised and set up as a backdoor for hackers to access more important systems

13 Cybersecurity
Security awareness among healthcare organizations is low, and many organizations are not complying with HIPAA!
HIMSS 2009 Survey found:
  – Fewer than half (47%) conduct annual risk assessments
  – 58% have no security personnel
  – 50% reported information security spending ≤3%
Need to continually monitor and measure effectiveness of security policies and mechanisms
  – Use “evidence-based” security policies and practices
  – Today’s security is plagued with dogma – password rules are antiquated, PC security may not matter, file encryption ineffective

14 Data Theft, Loss, and Misuse
Portable devices and wireless access present major vulnerabilities
Web 2.0 social technologies and cloud computing present new avenues for data loss
Audit logs from vendor systems may be insufficient to detect misuse of information
Role-based security is important – but roles vary across institutions, so creating common policy and standards would be challenging

15 Building Trust
Security and privacy are foundational to EHR adoption
Health care data are increasingly a target
Security plays major role in protecting patient safety
  – Data integrity protection to help ensure accuracy of patient records
  – Protection of safety-critical information (e.g., clinical guidelines)
Need baseline policies and standards for:
  – Authorization
  – Authentication – identity proofing and authentication are foundational since all other security protection depends upon
  – Access Control
  – Audit trail – use statistical profiling

