1 / 15

HIT Standards Committee

HIT Standards Committee. Privacy and Security Workgroup: Update Dixie Baker , SAIC Steve Findlay , Consumers Union December 18, 2009. Privacy and Security Workgroup Members. Dixie Baker, SAIC Steve Findlay, Consumers Union Anne Castro, BlueCross BlueShield of South Carolina

zed
Télécharger la présentation

HIT Standards Committee

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIT Standards Committee Privacy and Security Workgroup: Update Dixie Baker, SAIC Steve Findlay, Consumers Union December 18, 2009

  2. Privacy and Security Workgroup Members Dixie Baker, SAIC Steve Findlay, Consumers Union Anne Castro, BlueCross BlueShield of South Carolina Aneesh Chopra, Federal Chief Technology Officer Ed Larsen, HITSP David McCallie, Cerner Corporation John Moehrke, HITSP Gina Perez, Delaware Health Information Network Wes Rishel, Gartner Walter Suarez, Kaiser Permanente Sharon Terry, Genetic Alliance

  3. Topics to Be Covered • Demystifying Standards (I hope) and Update • Observations from Security Hearing, November 19

  4. Demystifying Standards Recommendations • Standards, certification criteria, and implementation guidance are intended for use in certifying EHR products • How these capabilities are used within a healthcare environment is based on an individual organization’s size, complexity, and capabilities, technical infrastructure, risks and vulnerabilities, and available resources • Standards and certification criteria help assure that a “certified EHR product” has the technical capabilities an organization will need to: • Comply with HIPAA and ARRA privacy and security provisions • Be ready and eligible for “meaningful use”

  5. Demystifying 2011 Recommendations

  6. Demystifying 2011 Recommendations

  7. Demystifying 2011 Recommendations

  8. 2011 Recommendations - Update • Working Group discovered potential problem with recommended standard for protecting the integrity of data – recommendation excluded an early version of the Secure Hash Algorithm (SHA-1) that is widely used to protect the integrity in web transactions • Hash algorithms don’t keep information secret – they just help detect when it has been modified • NIST guidance states that Federal agencies may not use SHA-1 after 2010 for digital signatures and certain other applications, but allowed its use for protecting data integrity • Latest update of FIPS PUB still includes SHA-1

  9. Resolution Coordinated Through Standards Committee Leadership • Changed recommendation to latest version of FIPS PUB hashing standard (which includes SHA-1) • Changed the certification criteria to: • Explicitly allow SHA-1 for web integrity protection only, and encourage the use of one of the other 4 hash algorithms included in the standard • Require one of the other algorithms for protecting the integrity of data at rest • Changes highlighted in hand-out

  10. Security Hearing Panels – Nov 19, 2009 • System Stability and Reliability • Challenges related to maintaining the stability and reliability of electronic health records (EHRs) in the face of natural and technological threats • Cybersecurity • Challenges related to maintaining the trustworthiness of EHRs and Health Information Exchanges (HIEs) in the face of cyber threats such as denial of service attacks, malicious software, and failures of internet infrastructure • Data Theft, Loss, and Misuse • Challenges involving accidental loss of data, data theft, extortion and sabotage, including criminal activities and other related areas • Building Trust • Issues and challenges related to building and maintaining trust in the health information technology ecosystem, and the impacts that real and perceived security weaknesses and failures exert on health organizations, individual providers, and consumers

  11. Key Messages • Keep it simple! • Abstract out complexity – create standards-based components that hide complexity • Bake security into products • Need for security “toolkit” especially for small practices • Implement defense in depth – layered security • Days of tightly controlled perimeters are long gone – need to address distributed, mobile, wireless, and virtual resources, as well as computers embedded in biomedical devices • Need to measure security “outcomes”

  12. System Stability & Reliability • Many existing clinical products lack the functionality needed to support security best practices • Systems embedded in FDA-regulated biomedical devices are a “huge problem” – present vulnerabilities not easily addressed by “enterprise” security practices • Often managed by vendors • Cannot be modified – no OS updates, anti-viral software • Cell phones are rapidly entering this category • “Least critical” systems often are those that are compromised and set up as a backdoor for hackers to access more important systems

  13. Cybersecurity • Security awareness among healthcare organizations is low, and many organizations are not complying with HIPAA! HIMSS 2009 Survey found: • Fewer than half (47%) conduct annual risk assessments • 58% have no security personnel • 50% reported information security spending ≤3% • Need to continually monitor and measure effectiveness of security policies and mechanisms • Use “evidence-based” security policies and practices • Today’s security is plagued with dogma – password rules are antiquated, PC security may not matter, file encryption ineffective

  14. Data Theft, Loss, and Misuse • Portable devices and wireless access present major vulnerabilities • Web 2.0 social technologies and cloud computing present new avenues for data loss • Audit logs from vendor systems may be insufficient to detect misuse of information • Role-based security is important – but roles vary across institutions, so creating common policy and standards would be challenging

  15. Building Trust • Security and privacy are foundational to EHR adoption • Health care data are increasingly a target • Security plays major role in protecting patient safety • Data integrity protection to help ensure accuracy of patient records • Protection of safety-critical information (e.g., clinical guidelines) • Need baseline policies and standards for: • Authorization • Authentication – identity proofing and authentication are foundational since all other security protection depends upon • Access Control • Audit trail – use statistical profiling

More Related