1 / 12

Privacy and Security Tiger Team Meeting

Privacy and Security Tiger Team Meeting. Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 6, 2012. Overview. Today : Discuss results of HITPC meeting and request for additional refinement of draft recommendations

noma
Download Presentation

Privacy and Security Tiger Team Meeting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 6, 2012

  2. Overview • Today: Discuss results of HITPC meeting and request for additional refinement of draft recommendations • Timeline: Health Information Technology Policy Committee (HITPC) meeting Wednesday Sept. 6 We Are Here

  3. Results of HITPC Meeting • General agreement on the approach that the Tiger Team is proposing to address provider authentication • Questions regarding cloud computing • Concern about time burdens on physicians • Requested additional work to identify the “riskier” transactions referenced in our recommendations • Proposed Approach: • Determine which types of exchange transactions are "risky" and should require LoA3 • Develop criteria describing the attributes of these riskier transactions

  4. Exchange Scenarios *Recommended baseline LOA based on Tiger Team deliberations

  5. Backup Slides

  6. Recommendations to the HIT Policy Committee (1/3) • The Tiger Team believes that ONC should move toward individual-user level credentials to meet NIST Level of Assurance (LOA) 3 for riskier exchange transactions, ideally by Meaningful Use Stage 3. Rationale: • Low risk activity, such as on-site, intra-organizational access to systems/data should not necessitate additional authentication requirements. • Riskier exchange transactions, such as remote access to systems/data across a network, should require the increased assurance provided by LOA 3.

  7. Recommendations to the HIT Policy Committee (2/3) • As an interim step, the ONC could require baseline two-factor authentication (per NIST 800-63-1) with existing organization-driven identity proofing (LOA “2.5”) • Two-factor authentication provides additional assurance • Entities not yet required to implement more robust identity proofing per NIST 800-63-1 • Should extend to all clinical users accessing/exchanging data in the riskier exchange transactions.

  8. Recommendations (3 of 3) • ONC’s work to implement this recommendation should be informed by NSTIC and aim to establish trust within the health care system, taking into account provider workflow needs and the impact of approaches to trusted identity on health care on health care quality and safety. • For example, NSTIC also will focus on the capability to pass along key attributes that can be attached to identity. The capability to pass key attributes – e.g., valid professional license – may be critical to facilitating access to data. • ONC should consult with NIST about future iterations of NIST 800-63-1 to identify any unique needs in the healthcare environment that must be specifically addressed.

  9. 800-63 Authentication Requirements

  10. LOA2/LOA3 Identity ProofingRequired Information

  11. LOA2/LOA3 Identity ProofingRegistration Authority (RA) In Person Process Person

  12. LOA2/LOA3 Identity Proofing Registration Authority (RA) Remote Process

More Related