HIT Policy Committee Privacy and Security Tiger Team, Deven McGraw, Chair; Paul Egerman, Co-Chair. Certificate Authority - Provider Authentication Recommendations.

HIT Policy Committee Privacy and Security Tiger Team
Deven McGraw, Chair
Paul Egerman, Co-Chair
Certificate Authority - Provider Authentication Recommendations
June 8,

Tiger Team Members
- Deven McGraw, Chair, Center for Democracy & Technology
- Paul Egerman, Co-Chair
- Dixie Baker, SAIC
- Christine Bechtel, National Partnership for Women & Families
- Rachel Block, NYS Department of Health
- Neil Calman, Institute for Family Health
- Carol Diamond, Markle Foundation
- Judy Faulkner, EPIC Systems Corp.
- Leslie Francis, University of Utah; NCVHS
- Gayle Harrell, Consumer Representative/Florida
- John Houston, University of Pittsburgh Medical Center
- David Lansky, Pacific Business Group on Health
- David McCallie, Cerner Corp.
- Wes Rishel, Gartner
- Latanya Sweeney, Carnegie Mellon University
- Micky Tripathi, Massachusetts eHealth Collaborative
- Deborah Lafky, ONC
- Joy Pritts, ONC
- Judy Sparrow, ONC

Definitions
- On the Internet, the identity of an entity is authenticated using a digital certificate:
  – It contains information about the entity.
  – It contains a public (freely published) encryption key that, used in combination with its paired private key (retained by the entity), can authenticate the identity of the certificate holder.
- The organization that issues certificates is called a Certificate Authority ("CA").

Authentication Environment

Previous Recommendation (Nov. 19, 2010)
- Recommended certificates at the entity level only, not at the individual level
- Recommended a high level of assurance
- Recommended ONC accreditation of Certificate Authorities (we were asked to review this aspect)

Alternatives Considered
- CAs must operate under the supervision of an accreditation body recognized by the Office of the National Coordinator (ONC)
- CAs must conform to the CA best practices of WebTrust and/or the European Telecommunications Standards Institute (ETSI)
- CAs must be cross-certified with the Federal Bridge Certificate Authority ("FBCA"), either directly or through a chain that leads up to the FBCA

Exchange Functionality Considerations
- Almost every healthcare organization will at some point need to exchange health information with a federal health agency (e.g., VA, MHS, CMS, IHS)
- Under FISMA and the CIO Council of federal agencies, a federal agency is highly unlikely to accept a certificate that was not issued by a CA cross-certified with the FBCA
- None of the agencies questioned said they would accept a certificate issued by a CA that is not cross-certified with the FBCA
  – For example, the VA requires that certificates used in Direct pilots be cross-certified
- Federal Public Key Infrastructure policy has established a Citizen and Commerce Class Common Certificate Authority (C4CA) that is cross-certified with the FBCA for the purpose of federal-private exchanges

Security Considerations
- A high level of assurance is needed
- Validation of the entity's identity is necessary before the certificate is issued to the entity
- The Tiger Team rejected the second alternative (WebTrust or ETSI) because it does not include entity validation

Implementation Considerations
- Costs
- Competitive environment
- Technical requirements on entities without an IT department (e.g., small group practices, rural and small hospitals)

Recommendations
1. Certificates required for exchange under the NwHIN brand should be issued consistent with the following principles:
  – A high level of assurance with respect to organization/entity identity needs to be obtained.
  – The certificate should be acceptable to federal agencies, given the frequent need for providers to exchange health information with the federal health architecture.
  – Multiple competitive sources for digital certificates should be available, in order to ensure that small or less resourced provider entities are able to obtain and use digital certificates.
2. All certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a Certificate Authority (or one of its authorized resellers) that is a member of the Federal PKI framework.
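The path-validation rule behind the third alternative and recommendation 2 (a CA cross-certified with the Federal Bridge, directly or through a chain), shown as an added example that is not part of the Tiger Team's slides: a relying party that trusts only the bridge anchor accepts an entity certificate from a cross-certified CA and rejects one from a CA that holds no cross-certificate. Every certificate, name and key below is a constructed toy; the bridge is a stand-in, not the real FBCA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// issue signs a toy certificate naming cn and carrying subjectKey's public key with parentKey,
// or self-signs it as a trust anchor when parent is nil. Nothing here is a real FBCA artifact.
func issue(cn string, isCA bool, subjectKey *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, subjectKey // self-signed anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so Verify sees the encoded extensions
	return cert
}

// ChainsToBridge is the relying party's check: does the entity certificate build a valid path
// to the bridge anchor through the supplied intermediates (the CAs' cross-certificates)?
func ChainsToBridge(bridge *x509.Certificate, intermediates []*x509.Certificate, entity *x509.Certificate) bool {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(bridge)
	for _, c := range intermediates {
		ints.AddCert(c)
	}
	_, err := entity.Verify(x509.VerifyOptions{Roots: roots, Intermediates: ints, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Demo builds both cases: the bridge cross-certifies "Provider CA" (same name and key, signed by the
// bridge), so its entity certificate validates; "Unbridged CA" has no cross-certificate, so its does not.
func Demo() (crossCertifiedOK, unbridgedOK bool) {
	bridgeKey, caKey, otherKey := newKey(), newKey(), newKey()
	bridge := issue("Toy Federal Bridge CA", true, bridgeKey, nil, nil)
	caRoot := issue("Provider CA", true, caKey, nil, nil)
	crossCert := issue("Provider CA", true, caKey, bridge, bridgeKey)
	hospital := issue("Example Hospital", false, newKey(), caRoot, caKey)
	otherCA := issue("Unbridged CA", true, otherKey, nil, nil)
	clinic := issue("Example Clinic", false, newKey(), otherCA, otherKey)
	ints := []*x509.Certificate{crossCert, otherCA}
	return ChainsToBridge(bridge, ints, hospital), ChainsToBridge(bridge, ints, clinic)
}

func main() { fmt.Println(Demo()) }
```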

Some Direct Stakeholder Concerns
- Concern that there may be important operational issues that have not yet been discovered
- The recommendation may adversely affect the deployment of the Direct Project

Recommendation Adjusted in Response
The HIT Policy Committee will revisit (or ask the HIT Standards Committee to revisit) this recommendation if the S&I Framework process to further investigate the costs and implementation burdens of requiring cross-certification to the Federal Bridge reveals new facts that call into question the conclusion that it is financially and operationally feasible for small or less resourced provider entities to obtain certificates pursuant to this recommendation.