280 likes | 411 Views
HealthKey Roadmap : Toward a Community-Wide, Privacy and Security Infrastructure. Briefing For Public Health Data Standards Consortium Presented by: Holt Anderson Arlington, VA March 19, 2001.
E N D
HealthKey Roadmap: Toward a Community-Wide, Privacy and Security Infrastructure Briefing For Public Health Data Standards Consortium Presented by: Holt Anderson Arlington, VA March 19, 2001 Version 8.0
This briefing provides HealthKey’s perspective on a HIPAA compliant privacy and security infrastructure. • What is it and why is it important? • Should organizations and communities invest in it? • How might it get implemented? • What are the barriers to implementation? • How do we overcome those barriers? Version 8.0
Highlights of what will be covered . . . • HEALTHCARE INFORMATION IS FLOWINGELECTRONICALLY. There appears to be pent-up demand!! • We need to focus on PROTECTING this flow of electronic information. • To protect this information flow, healthcare organizations and communities must COLLABORATEto create a privacy and security infrastructure. • We believe that progress toward a privacy and security infrastructure will be made across FIVE SECTORS OF ACTIVITY. Version 8.0
Care Givers Patients & Families Increasingly, patients and families are using the Internet as a resource for getting healthcare information. Most healthcare organizations are on their way to exchanging information electronically. Pharmacies & PBMs Reference Laboratories Hospitals Health Plans Employers Version 8.0
Privacy and Security Infrastructure Care Givers An infrastructure is needed to PROTECT the flow of that information as it moves between organizations AND individuals. Pharmacies & PBMs Reference Laboratories Hospitals Health Plans Patients & Families Employers This infrastructure serves the entire healthcare community. Version 8.0
Protecting the flow of information will enable broader acceptance of electronic exchange and corresponding benefits including: • Presentation of a complete health record assembled from sources spread across multiple and changing providers and payer sources. • Allowing prompt access to complete and accurate information to improve the quality of care through the communication of patient wishes and prevention of mishaps related to drug interactions, handwriting, allergies, transmissible diseases, etc. • Providing more timely access to health information to improve the detection, assessment and early response of public health incidents, such as epidemics, emerging infectious diseases and bioterrorism. • Providing a standard means of controlling and monitoring access to sensitive information, thereby protecting the privacy of individuals. Version 8.0
The privacy and security infrastructure must protect against . . . • System Downtime -- Individuals bringing down machines or causing denials of service • Unauthorized Access -- Individuals getting access to more information than they are authorized to • Identity Theft -- Individuals posing as someone else to access applications/databases, receive transmitted information, or generate/transmit mis-information • Information Theft -- Individuals intercepting email and other transmissions • Misuse of Information/Breach of Privacy -- Individuals using/distributing information inappropriately Version 8.0
The risks to organizations of NOT protecting electronic exchange include . . . • Curtailed business operations from system downtime • Legal actions from patients • Civil and criminal fines from non-compliance • Lost revenue from trading partners or patients • Increased costs • “Unethical” behavior Version 8.0
The risks to individuals of NOT protecting electronic exchange include . . . • Identify theft • Exposure of clinical information • Threat of blackmail • Possible embarrassment Version 8.0
Privacy Policy What information the organization intends to protect and from whom What organizations actually do to implement protections Assurance Make sure that Practices work and comply with Policy We see a privacy and security infrastructure for healthcare as having cascading layers of protection . . . Legal & regulatory definition of protections for healthcare information Law Organization-Specific Layers Security Practices Technologies & Operations Procedures Version 8.0
Privacy Policy is essential for effective Security Practices. • Privacy Policy is a clear statement of what information should be protected and from whom. This statement guides the scope and design of technology solutions and operations procedures. • Privacy Policy establishes an organization’s intent to enforce security practices, and outlines actions that will be taken if the practices are not followed. • Privacy Policy can act as a tool to educate about why protection is important. Version 8.0
Select policies & practices must be aligned across organizations to ensure electronic inter-operability with seamless protection. This type of infrastructure requires community-wide collaboration. Version 8.0
We believe that community-wide privacy and security infrastructure will only emerge if it: • Enhances, rather than restricts, an organization’s ability to differentiate themselves in the markeplace • Solves common problems in a standard way allowing organizations to focus on their individual interests in unique ways • Lets each organization implement at their own pace (in “incremental steps” if necessary) • Addresses a business need that organizations perceive as “real” • Enables electronic exchange, rather than “getting in the way” • Can be built using solutions that are available and practical • Is affordable and justified Version 8.0
Cost to Maintain “Ease of Use” of electronic exchange The fundamental trade-off is mitigating the financial risk of doing electronic exchange while minimizing the impact on “ease of use”. Financial Risk of electronic exchange $ Impact “Too much” complexity Sophistication of Privacy and Security Infrastructure Version 8.0
Will organizations collaborate to build and share a common privacy and security infrastructure? • There seems to be good reasons for a common infrastructure. • Same trading partners • All want to mitigate the risk • Organization-specific protection methods are sub-optimal. • But organizations have real world limitations. • Cannot wait for a common solution to unfold • Limited resources to build a ‘near term’ and a ‘long term’ solution • Vision and Leadership is needed. Version 8.0
Healthkey’s findings suggest that progress toward a privacy and security infrastructure will be made across five sectors of activity: 1: Enterprise Awareness -- recognizing there is risk/vulnerability and a need to do something 2: Enterprise Preparedness -- preparing the enterprise for external communication with trading partners 3: Enterprise Co-Existence -- enabling protected communication among enterprises 4: Enterprise Affiliation -- implementing standards between enterprises 5: Community-Wide Participation -- getting enterprises, small organizations, and individuals to use a common electronic identity for “users” Version 8.0
Enterprise Preparedness Enterprise Co-Existence Enterprise Affiliation Community -Wide Participation Hacked! • Action Plan • Resource Commitment First, enterprises must become aware that they are vulnerable and that they can do something about it. HealthKey’s Roadmap -- to a Community Privacy and Security Infrastructure Enterprise Awareness HIPAA What could happen! What I should do! • Call to Action • There’s risk! • I’m vulnerable! • I need to be doing something! Version 8.0
From there, enterprises will take the necessary steps to protect themselves and the communities that they are serving. HealthKey’s Roadmap - to a Community Privacy and Security Infrastructure • Each sector of activity contains a number of action steps. There is NO single route through the sectors or action steps. • Sectors are NOT linear. Progress can be made concurrently within multiple sectors of activity. • Sectors do represent increasing collaboration and community-wide acceptance. • Each action step represents a different capability of the infrastructure. • Capabilities may be implemented at various levels of sophistication. Version 8.0
Enterprise Co-Existence Enterprise Affiliation Community-Wide Participation Enabling protected communication among enterprises Implementing standards between enterprises Getting broad base adoption and use of a common electronic identity for “users” Control WHAT is accessed! Standardize Trading Partner Arrangements Upgrade Applications Exchange E-mail Protect Electronic Perimeter Set Privacy Policies Secure Connections Standardize Privacy Policies Find an Electronic identity Empower Administrative Entity Set Access Control Policy Standardize Identity Management Standardize Identity Validation Enable Single Log-On Validate Servers Administer User Accounts Authenticate & Validate User Control WHO has access!! HealthKey’s Roadmap - to a Community Privacy and Security Infrastructure Enterprise Preparedness Sector Preparing the enterprise for external communication with trading partners Capabilities Version 8.0
Enterprise Preparedness Enterprise Co-Existence Community ‘A’ Community ‘B’ Enterprise Affiliation Community-Wide Participation HealthKey’s Roadmap - to a Community Privacy and Security Infrastructure Progress will be made at different rates in each sector, depending upon the community. Community Snapshot 75% 50% 25% Version 8.0
Many organizations start here Standardize Trading Partner Arrangements Upgrade Applications Exchange E-mail Protect Electronic Perimeter Set Privacy Policies Secure Connections Standardize Privacy Policies Can start anywhere! Set Access Control Policy Enable Single Log-On Administer User Accounts Authenticate & Validate User HealthKey’s Roadmap -- Multiple routes to any destination Enterprise Preparedness Enterprise Co-Existence Enterprise Affiliation Community-Wide Participation Find an Electronic identity Empower Administrative Entity Standardize Identity Management Standardize Identity Validation Validate Servers Version 8.0
User Registration Procedures Assurance & Tiger Team Cross Validation Procedures Intrusion Detection Encrypted by person VPN Info Sharing Agreements Encrypted Gateway DMZ SSL/H Support Procedures Internet Border Private Circuit Transaction Security Not Encrypted Many CAs no Bridge Deploy Identity Procedures User Registration Procedures Many CAs with Bridge Identification Policy Single CA CA Issued Keys Certificates Self Defined Keys Biometrics Smart ID’s Passwords - PKI capabilities - HealthKey Projects HealthKey’s Roadmap - Implementation Options Enterprise Preparedness Enterprise Co-Existence Enterprise Affiliation Community-Wide Participation Protect Electronic Perimeter Upgrade Applications Set Privacy Policies Exchange E-mail Standardize Trading Partner Arrangements Standardize Privacy Policies Secure Connections Set Access Control Policy Standardize Identity Management Empower Administrative Entity Standardize Identity Validation Find an Electronic Identity Validate Servers Administer User Accounts Enable Single Log-On Authenticate & Validate User Version 8.0
User Registration Procedures Cross Validation Procedures Info Sharing Agreements Transaction Security Many CAs no Bridge Many CAs with Bridge Single CA CA Issued Keys Self Defined Keys HealthKey’s Roadmap - Doing Many Things At Once Enterprise Preparedness Enterprise Co-Existence Enterprise Affiliation Community-Wide Participation Assurance & Tiger Team Intrusion Detection Encrypted by person VPN Encrypted Gateway DMZ SSL/H Support Procedures Internet Border Private Circuit Not Encrypted Deploy Identity Procedures User Registration Procedures Protect Electronic Perimeter Upgrade Applications Set Privacy Policies Exchange E-mail Standardize Trading Partner Arrangements Standardize Privacy Policies Secure Connections Identification Policy Certificates Biometrics Set Access Control Policy Standardize Identity Management Empower Administrative Entity Standardize Identity Validation Find an Individual’s Electronic Identity Smart ID’s Validate Servers Passwords Administer User Accounts Enable Single Log-On Authenticate & Validate User Things most organizations are already doing! Version 8.0
We want to know if the “Roadmap” framework make sense to you? • Can you see your organization on the map? • Are there things that you would add or change? • Is it a useful tool for community education and planning? • Do you envision a common electronic identity for users? If so, how will you make it happen? • Will your organization collaborate towards a common privacy and security infrastructure? If not, is there something else that makes better sense? Version 8.0
There are a number of Roadblocks between us and this critical infrastructure . . . • There is confusion! -- “What problem?” • The complexity is daunting -- infrastructure, technology, social implications, legislation, operations, cost, capital, etc. • We act competitively, not collaboratively -- and collaboration is difficult • We are looking for silver bullets -- there are many vendors pushing solutions, not solving problems • Who’s driving? -- There is a leadership void, organizations are reacting to regulations and vendor offerings Version 8.0
Recommendations to organizations and communities for making progress towards a common infrastructure. • Agree on the unique ‘Road Map’ for your community • Convene key stakeholders • Agree upon a big picture of enterprise-specific and shared capabilities • Define approach for building shared capabilities (e.g. Business Associate Agreements, Privacy Policies, Strategies for User Authentication/Validation) • Demonstrate leadership of the ‘Critical Few’ • Handful of influential organizations necessary to make things happen • Commit to shared capabilities • Work together and with vendors to guide implementation • Establish and empower a ‘Catalyst for Collaboration’ • Trusted individuals and process for sustaining collaboration • Raise awareness/Educate about what is being done and why • Recommend ways to deploy innovation to small organizations and individuals Version 8.0
Where do we go from here? • Do you agree with these roadblocks and recommendations? Are they practical? • Do you see a role for a HealthKey-like program in your community? If so, what would it be? • Would you contribute to funding the HealthKey-like program? Version 8.0
Thank you ! For further information: www.healthkey.org Version 8.0