Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topics Recommendations on Trusted Identities for Providers in Cyberspace July 24, 2012
Overview
• Today: Finalize recommendations
• Approach: Policy recommendations are aimed at achieving trust for exchange of health information by providers in order to meet Meaningful Use
• Timeline: Health Information Technology Policy Committee (HITPC) meeting Wednesday, August 1
Note: Tiger Team meeting scheduled for 7/2 is cancelled.
Problem Statement
• The problem the Tiger Team is trying to solve is "trusted identity" – identity proofing and authentication – and not trusted access or authorization
• The sole question on the table: "Are you who you claim to be?"
Current State
• Today, organizations are responsible for credentialing individual users of their EHR systems
• Although the HIPAA Security Rule does not require credentialing to be done at a particular level (such as NIST LOA 3), there is no evidence to suggest that, in general, organizations are not taking this responsibility seriously and/or that there are widespread problems with this "delegated" approach to trust in identity – at least in the short term.
Future State
• In the future, ONC should support individual-level provider credentials that at least meet NIST LOA 3
• Rationale:
  • National trusted ID efforts (like NSTIC) focus on individual-level credentials;
  • DEA requires individual-level credentials for prescribing controlled substances;
  • Credentials meeting either FICAM or Federal Bridge (for exchange with the federal government) are exclusively or customarily issued at the individual level;
  • Revisions to NIST publication 800-63 (which sets assurance levels for individual-level credentials used for sharing information with the government) provide more options for meeting higher levels of assurance than the HITPC;
  • Testimony from the July 11th hearing refers to higher-level, individual credentials as getting easier (and cheaper) to obtain; and
  • Ideally, individual-level credentialing could allow providers to be credentialed once. Thereafter, providers could go to multiple locations for multiple purposes, as long as those credentials are interoperable, trusted, and easy to obtain (easy process and inexpensive).
Straw Recommendations for Discussion (1/5)
• HIPAA Security Rule requirements – at least single-factor authentication with existing, ad-hoc, organization-driven identity proofing – should continue to be federal policy for the short term
• HHS should take steps to move to baseline LOA 3 individual credentials, ideally by MU Stage 3. We recommend the following initial three stages or tiers:
  • Tier A: Baseline single-factor authentication, with existing organization-driven proofing (current state);
  • Tier B: Baseline two-factor authentication (per NIST 800-63-1), with existing organization-driven proofing (intermediate step); and
  • Tier C: Full baseline LOA 3 (identity proofing and two-factor authentication per NIST 800-63-1)
Straw Recommendations for Discussion (3/5)
• Timeframes could vary based on privacy risks posed by different exchange models or health care use cases. For example:
  * Within an organization, integrated delivery system or OCHA.
Straw Recommendations for Discussion (3/5)
• ONC should leverage the NwHIN CTEs to achieve interoperability and continue to engage in discussions with GSA about achieving FICAM- and/or Federal Bridge-level credentials for health care organizations.
• Rationale: In the short term, it is critical that credentials issued at an organizational or machine/system level be interoperable – and ideally accepted by the federal government
Straw Recommendations for Discussion (4/5)
• To achieve Tier C (full baseline LOA 3 for health care providers), the federal government should leverage the current NSTIC process, or ensure a focused, multi-stakeholder initiative consistent with NSTIC principles:
  • Credentials must be interoperable (standards are in place that entities are willing to accept);
  • Credentials must be easy to obtain (there are multiple, trusted credentialing providers, the process is not burdensome, and the costs are low); and
  • Privacy protections for credentialing data should be in place.
Straw Recommendations for Discussion (5/5)
• ONC should consult with NIST about future iterations of NIST 800-63-1 to accommodate the unique needs of the health care system
• ONC should consider information attributes that might be helpful to include in later stages of developing an NSTIC-type ecosystem for providers, to enable a Tier D of identity and authentication in the health care system (baseline LOA 3 plus passing additional key attributes that help enable health data access)
• To ease liability concerns, which could pose an obstacle to reliance on credentials, the HHS Office for Civil Rights should explore creating HIPAA safe harbors.
Next Steps
• Finalize recommendations via email for the upcoming August 1st HITPC meeting