HITSP Security & Privacy Technical Committee. Update for HITSP Panel December 13, 2007. Current Activities. Workgroups Gap Closing Planning for 2008 Planning for 2009 and beyond. Workgroups. Identity Management Formed, co-chair volunteers accepted, now meeting weekly.
HITSP Security & Privacy Technical Committee Update for HITSP Panel December 13, 2007
Current Activities
• Workgroups
• Gap Closing
• Planning for 2008
• Planning for 2009 and beyond
Workgroups
• Identity Management
• Formed, co-chair volunteers accepted, now meeting weekly.
• TP20 – Access Control
• TP30 – Manage Consent Directives
TP20 – Access Control
• Reconvening the TP20 Workgroup
• Discussions on actor/transaction re-design
• Possibility of upgrading with more details
• Leveraging OASIS work
• Development work to follow standards maturity
• Timeline: March, 2008
TP30 – Manage Consent Directives
• Reconvening the TP30 Workgroup
• Discuss possibility of disaggregating transaction package into more granular transactions and component standards
• Upgrading documents with more details
• Leveraging work of HL7 privacy and security groups
• Timeline: March, 2008
Status of Gaps
• Collect and Communicate Security Audit Trail
• A more robust alternative to BSD syslog (RFC 3164).
• Still awaiting publication by IETF
• SHA-1 vs. SHA-256
• SHA-1 will be phased out by 2010. Federal Government is already phasing it out. We are qualifying “future” to be ASAP for moving to SHA-256.
• Secured Communications Channel
• Asynchronous point-to-point communication
• Considered by the TC as driven by requirements of the ‘07 Use Cases. We will identify and specify the new requirement.
Status of Gaps
• Entity Identity Assertion
• Requires IHE XDS.b
• Revised TP13 is out for public comment
• Manage Consent Directives
• Changing a deployed consent directive, and Multiple/conflicting consents (automation)
• Both of these to be resolved in TP30 task force
• Locating records for revocation of consent
• To be considered by SPTC
Status of Gaps
• Manage Consent Directives (cont.)
• Vocabulary for jurisdictional and organizational privacy policies
• To be considered by the TP30 Task Force. This is considered part of the ontology/cross-cutting consent content.
• Will rely upon HL7 Security TC which has taken on this task
• HL7 Permission Catalogue
• HL7 Security TC has accepted permission catalogue vocabulary update as a work item.
• Pre-coordinated policies
• To be considered by the SPTC and TP30 task force for submitting recommendations to the TC Leadership group.
2008 Use Cases
• Use Cases with Security Implications
• Remote Consultation
• Remote Monitoring
• Immunizations & Response Management
• Personalized Healthcare
• Public Health Case Reporting
• Consultation and Transfers of Care
• Have provided comments on ONC’s prototypes.
• Will review and provide comments on draft use case documents and then on detailed use case documents (in coordination with other TCs)
2009 and Beyond
• ONC’s futures on Privacy and Security
• CC 18.0 Patient identification for authorization and authentication
• AHIC 2.0 Secure messaging/online consultation
• AHIC 7.0 Identification/authentication
• AHIC 14.0 Confidentiality, privacy, & security of patient data
• AHIC 15.0 Data access/data control
• AHIC 17.1 Security, network, repositories
• AHIC 30.0 Provider list
• HITSP 5.0 Cross use case work on security (standards)
• HITSP 5.3 Authentication models to support chain of trust data exchanges
• AHIC 46.0 Legal liability & regulatory barriers
• AHIC 47.0 Consumer consent