1 / 14

Privacy and Security Tiger Team Meeting

Privacy and Security Tiger Team Meeting. Discussion Materials Today’s Topic Trusted Identities of Providers in Cyberspace July 16, 2012. Today’s Discussion.

tekli
Télécharger la présentation

Privacy and Security Tiger Team Meeting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Trusted Identities of Providers in Cyberspace July 16, 2012

  2. Today’s Discussion • In view of the results of last week’s hearing, determine to what extent the Tiger Team needs to revise or clarify its previous recommendations on provider authentication. • Finalize recommendations for HIT Policy Committee meeting on WednesdayAugust 1. We Are Here

  3. Focus of Discussion • Identity Proofing: The process by which information about a person is collected and verified for the purpose of issuing credentials to that person. • Authentication: The process of establishing confidence in the identity of users or information systems. • Authorization: Mechanism by which a system determines what level of access a particular authenticated individual should have to secured resources controlled by the system.

  4. Previous Recommendations • Digital certificates with “high” degree of assurance issued at an entity level, with each entity credentialing its individual users • Assuring a trusted “machine to machine” transfer of protected health information • Individual-level credentials for accessing information across a network (such as NwHIN) should be issued at a level higher than just user name and password • Details on previous recommendations in back-up • Focused on exchange among providers to meet meaningful use • Should this continue to be our focus?

  5. Key Questions Distinguish policy by use case? • For “directed exchange” between two organizations, relying on entity-level assurance (with each entity required to credential individual users), current plans/policy sufficient (at least in the short-term) • For access to information across the network by a provider, individual level credentials needed • Individual level credentials could be an option even for directed exchange? • NSTIC, FICAM, NIST 800-63-1 all focused on individual-level credentials

  6. Key Questions (2) • Require (or move to requiring) credentials for providers/clinicians at baseline NIST Level of Assurance (LOA) 3? • Revision to NIST 800-63-1 clarifies what is required to identity proof and authenticate (expanded options) • Requires gov’t issued ID and multi-factor authentication for remote access • Require (or move to requiring) use of FICAM-certified identity providers? • Four non-federal organizations have been approved to be Trust Framework Providers • CMS will use FICAM-certified credential providers • Require/allow organizations to credential individual users to baseline level 3?

  7. Key Questions (3)? • Leverage NSTIC to develop identity ecosystem for providers? • Urge Administration to focus some effort on developing health care provider solution? • Endorse NSTIC principles? • Privacy enhancing & voluntary • Secure and resilient • Interoperable • Cost-effective and easy-to-use

  8. Key Questions (4) • Should the Tiger Team say something about addressing liability concerns? For example: • Urge HHS to explore mechanisms (such as safe harbors) that more fully address liability concerns?   • More specifically, if there is a process for establishing trusted identity - for example, being credentialed by a FICAM-certified identity provider - and providers follow that, could they be absolved of liability for a breach that occurs due to mistaken identity?

  9. Backup slides Backup Slides

  10. Previous Tiger Team/HITPC Recommendations • Organizations that are seeking to exchange information as part of the Nationwide Health Information Network (NwHIN) should be required to adopt baseline user authentication policies that require more than just user name and password for remote access. At least two factors should be required. Remote access is defined as access over a public network like the Internet. Source: Recommendations were in the context of authentication of individual users (providers) of certified EHR systems. See HITPC Transmittal Letter, dated April 18, 2011; available at: Privacy & Security Tiger Team Recommendations Transmittal Letter [PDF - 537 KB]

  11. Recommendations (con’t) Rationale for recommendation #1: • The Tiger Team was not comfortable with requiring the application of the NIST or DEA requirements for EHR user authentication because of the stringency of the second factor requirement. • The Tiger Team was particularly concerned about remote access (vs. access within an entity’s private network), but had a difficult time initially setting parameters for what constitutes “remote” access. • The Standards Committee also should provide recommendations on appropriate factors for two-factor authentication

  12. Recommendations (con’t) • These recommendations are intended to set a baseline for user authentication; organizations and entities can adopt more stringent requirements. • For more sensitive, higher risk transactions, an additional authentication of greater strength subsequent to an initial authentication may be required, as has already been recognized with the DEA policy covering prescribing controlled substances. Additional work may be needed by the Policy Committee and ONC to identify the potential use cases that might require authentication above the baseline requirement.

  13. Recommendations (con’t) • NwHINPolicies should be re-assessed for consistency with other national identity efforts, technology developments, such as National Strategy for Trusted Identity in Cyberspace. Such policies should be re-assessed to address innovations in technology both within and outside of the healthcare sector.

  14. Recommendations (con’t) • ONC should also work to develop and disseminate evidence about the effectiveness of various methods for authentication and reassess NwHIN policies accordingly. • For writing e-prescriptions for controlled substances, Certified EHRs should have capability for two-factor authentication, at a minimum consistent with DEA rule.

More Related