Health Information Security and Privacy Collaboration (HISPC) National Conference

Transcription

1 Health Information Security and Privacy Collaboration (HISPC) National Conference Privacy and Security Technology Standards: An Update from HITSP, CCHIT and NHIN March 5, 2009 Bethesda, MD Presenters Glen Marshall Co-Chair, HITSP Security, Privacy and Infrastructure (SPI) Technical Committee Rick Brady Co-Chair, CCHIT Security Don Bechtel Co-Chair, CCHIT Privacy and Compliance Erik Rolf Co-Chair, NHIN Privacy and Security Sub- Moderator Walter G. Suarez, MD Member, NCVHS; Co-Chair, HITSP SPI TC and HITSP Education Committee; Member, CCHIT Privacy and Compliance

2 Report from the Security, Privacy, and Infrastructure Domain Technical Committee Bethesda, MD March 5, 2009 Presented by: Glen F. Marshall, HITSP SPI TC Co Chair enabling healthcare interoperability 2

3 Report from the HITSP Security, Privacy, and Infrastructure Domain Technical Committee Pre-2008 constructs and maintenance in 2008 New constructs developed for 2008 use cases Other activities in 2008 Activities planned for 2009 HITSP enabling healthcare interoperability Slide 3

4 Overview Volunteer-driven, consensus-based organization that is funded through a contract from the Department of Health and Human Services The Panel brings together experts from across the healthcare community... from consumers to doctors, nurses, and hospitals; from those who develop healthcare IT products to those who use them; and from the government agencies who monitor the U.S. healthcare system to those organizations that are actually writing healthcare IT standards. HITSP enabling healthcare interoperability Slide 4

5 Roles and Responsibilities To harmonize and recommend the technical standards that are necessary to assure the interoperability of electronic health records Create HITSP-recommended Interoperability Specifications (IS) that specify how and what standards should be used for a particular Use Case Support deployment and implementation of these HITSP-recommended Interoperability Specifications Help Standards Development Organizations (SDOs) maintain, revise or develop new standards as required to support the HITSP-recommended Interoperability Specifications HITSP enabling healthcare interoperability Slide 5

6 Organizational Structure HITSP enabling healthcare interoperability Slide 6

7 HITSP Security, Privacy and Infrastructure (SPI) - Core Components of the HITSP Work HITPS SPI Goal: To identity, evaluate and recommend security, privacy and infrastructure constructs that address interoperability needs and requirements defined by the NeHC (AHIC) and ONC Uses Cases Process: Identify Security, Privacy and Infrastructure needs (requirements) from NeHC (AHIC) use-cases/value cases Identify Candidate Standards and evaluate/select standards for interoperability, based on HITSP Tier 2 Criteria Identify and document constructs which describe implementation of the selected standards and maximize the potential for re-use in future AHIC Use Cases Recommend the selected constructs for acceptance and recognition by the Secretary of Health and Human Services Incorporate the applicable constructs throughout all HITSP Interoperability Specifications (ISs) Maintain/update constructs periodically (and develop new ones, as needed) based on new use cases and value cases issued by NeHC (AHIC) and ONC HITSP enabling healthcare interoperability Slide 7

8 Existing Constructs T15 - Collect and Communicate Security Audit Trail T16 - Consistent Time T17 - Secured Communication Channel C19 - Entity Identity Assertion TP20 - Access Control C26 - Nonrepudiation of Origin TP30 - Manage Consent Directives TP13 - Manage Sharing of Documents T14 - Send Lab Result Message TP21 - Query for Existing Data TP22 - Patient ID Cross-Referencing T23 - Patient Demographics Query T24 Pseudonymize C25 - Anonymize T29 - Notification of Document Availability T31 - Document Reliable Interchange T33 - Transfer of Documents on Media C44 - Secure Web Connection TP50 - Retrieve Form for Data Capture TN900 S&P Technical Note HITSP enabling healthcare interoperability Slide 8

9 Maintenance in 2008 Minor updates to reflect new underlying standards versions, improve readability and usability, and correct minor editorial and technical issues: TP13 - Manage Sharing of Documents T15 - Collect and Communicate Security Audit Trail T17 Secured Communication Channel T23 - Patient Demographics Query TP22 - Query for Existing Data C26 - Nonrepudiation of Origin T29 - Notification of Document Availability T31 Document Reliable Interchange T33 - HITSP Transfer of Documents on Media TP50 - Retrieve Form for Data Capture Transaction Package HITSP enabling healthcare interoperability Slide 9

10 Maintenance in 2008 More extensive updates TP20 Access Control o o Extensive updates for readability and usability Minor updates to reflect new underlying standards versions and correct minor editorial and technical issues TP21 - Query for Existing Data o Major update to reference the most recent version of the IHE QED Integration Profile supplement o Additional updates to reflect changes in the underlying standard with respect to the technical actors that are referenced, the transactions that are used by the technical actors, and a further refinement of the HL7 V3.0 standard HITSP enabling healthcare interoperability Slide 10

11 Other Activities in 2008 Renamed from Security and Privacy Technical Committee to Security, Privacy and Infrastructure (SPI) Domain Technical Committee Inherited and became responsible for 11 pre-existing Infrastructure constructs Also, during the year Identity Credentials Management Work Group (WG tasks now complete) Webinars and outreach activities NHIN clarification requests Foundations Committee Privacy and Security Matrices FHAs Security Strategy Subgroup National Governors Association (NGA) State Alliance for ehealth CCHIT, including Co-chair/Expert Panel participation HITSP enabling healthcare interoperability Slide 11

12 New Constructs C62- Unstructured Document T63 - Emergency Message Distribution Element T64 - Identify Communication Recipients T66 - Retrieve Value Set T67 - Clinical Referral Request T81 - Retrieval of Medical Knowledge T85 - Administrative Transport to Health Plan C87 - Anonymize for PHCR C88 - Anonymize for IRM HITSP enabling healthcare interoperability Slide 12

13 Activities Planned for 2009 TN900: Significant restructuring of the document is being undertaken to: Improve overall readability, Decrease emphasis on initial 3 use cases Include additional clarification resulting from user community feedback TP20: Access Control Provide greater clarity of previously specified OASIS standards and explain when standards should be used Specify profiles for SAML, WS-Trust, etc (Initial draft of XSPA due in May) TP20 will be a focus of a HITSP demo at HIMSS 2009 TP30: Manage Consent Directives Transaction package upgrade based in part on the resolution of identified gaps Work with SDO to update HL7 Confidentiality codes, and ontology of roles C19: Entity Identity Assertion Component Update to support Level of Assurance T24: Pseudonymize Transaction Update to support provider and organizational pseudonyms 2009 Use Case / Gaps / Extensions work HITSP enabling healthcare interoperability Slide 13

14 Conclusion The HITSP SPI TC continues to make progress on Privacy, Security, and Interoperability standards, working within the multiplicity of jurisdictional constrained policies. New Use-Cases were well satisfied through re-use of existing SPI constructs. Look forward to practical feedback from NHIN experience with SPI constructs. Need to continue to expand our membership and expand the base of active members. HITSP enabling healthcare interoperability Slide 14

15 Join HITSP in developing a safe and secure health information network for the United States. Visit or contact... Michelle Deane, ANSI mmaasdeane@ansi.org Re: HITSP, its Board and Coordinating Committees Jessica Kant, HIMSS jkant@himss.org Theresa Wisdom, HIMSS twisdom@himss.org Re: HITSP Technical Committees HITSP enabling healthcare interoperability Slide 15

16 Certification Commission for Healthcare Information Technology Privacy & Security Technology Standards: Update from HITSP, CCHIT, NHIN Don Bechtel Privacy Officer, HDX, Siemens Medical Solutions And Co-Chair, CCHIT Privacy & Compliance Work Group Rick Brady President & CTO, BSTI and Co-Chair, Security Work Group March 5, :00 5:00 pm Eastern Time HISPC National Conference Bethesda, MD

17 Today s Topics CCHIT Background CCHIT s Security Work Group and Privacy & Compliance Work Group Scope of work and accomplishments Future directions for 2009 and beyond Harmonization with HITSP& NHIN How to Participate Q & A

18 Background

19 Mission and Goals Mission: Accelerate the adoption of robust, interoperable health IT by creating an efficient, credible certification process. Goals: Reduce the risks of investing in health IT Facilitate interoperability of health IT Unlock adoption incentives and regulatory relief Protect the privacy of health information A Federally Recognized Certification Body 2009 Slide 4

20 Role of Health IT Certification (*see American Recovery & Reinvestment Act of 2009) Office of the National Coordinator New Structures* Standards Harmonization HITSP NHIN Prototype & Implementation Projects Privacy & Security Policies, Laws, Regulations Harmonized Standards Network Architecture Privacy Policies Strategic Direction CCHIT: Certifying Standards Compliance of Health IT Certification of EHRs, PHRs and HIEs Governance and Consensus Process Engaging Public and Private Sector Stakeholders Accelerated adoption of robust, interoperable, privacy-enhancing health IT Certification is a voluntary mechanism to accelerate the adoption of standards and 2007 interoperability Slide 5 Oct 13, 2008

21 Volunteer Organization Develop Criteria for Optional Additional Certifications Child Health Developing 09 Criteria (Planned for launch in July 2009) Cardiovascular Medicine Developing 10 Criteria (Planned for launch in July 2010) Contribute Criteria for Specific Attributes Security Interoperability Privacy & Compliance Behavioral Health Long Term Care ( not yet formed) Develop Base Criteria for a Domain Ambulatory EHR Inpatient EHR Emergency Dept EHR HIE PHR Stand-alone eprescribing Over 200 volunteers currently serving 2009 Slide 6

22 09 Criteria Development Process and Timeline Inputs: (Developed Feb to June) * Scope Guidance from Commission * Roadmap (from previous year) * Future Directions (from previous year) * Environmental Scan: - Use Cases - Standards from HITSP, SDOs - Market research - More (e.g., NHIN coordination) Public Comment periods Develop Draft Criteria Refine Criteria and Develop Draft Test Scripts Proposed Final Criteria and Test Scripts Final Criteria and Test Scripts Launch Certification July Sept Dec March May Work Group Harmonization Pilot Test July 2009 Slide 7

23 Certification Commission for Healthcare Information Technology Security Work Group Co-chairs: Khalid Al-Maskari, CIO, COPE Community Services, Inc Rick Brady, President & CTO, BSTI Staff: Soloman Appavu,

24 Scope of Work Develop conformance criteria addressing security (confidentiality, integrity and availability) of health IT Design criteria so they are adaptable across many domains (care settings, populations specialties) Evaluate changes in the marketplace, technology capabilities and standards Provide a resource to work groups and security jurors Clarify criteria through public comment response Prepare stakeholders for future needs through the roadmap and future directions documents 2009 Slide 9

25 Categories of Criteria Access control Audit Authentication Reliability Security documentation Technical services Inter-domain Backup and recovery 2009 Slide 10

26 Accomplishments Set a baseline for the basic requirements for security Basic transport security Encryption of portable media deals with "headline news re: loss of PHI on backup tapes or stolen notebooks Two factor authentication (on roadmap) Created an inspection process accepted by stakeholders Enabling EHRs to meet future needs, regulatory or otherwise, to avoid a compliance crunch 2009 Slide 11

27 Future Directions Enhance the rigor of testing to secure public confidence Address the needs of diverse stakeholders Offer advanced labeled certification for products meeting an optional higher level of requirements Explore development of an open standards-based method to review health IT security, enabling the growing need for security audits 2009 Slide 12

28 09 Work Group Harmonization Develop Criteria for Optional Additional Certifications Child Health Cardiovascular Medicine Contribute Criteria for Specific Attributes Security Interoperability Privacy & Compliance Develop Base Criteria for a Domain Ambulatory EHR Inpatient EHR Emergency Dept EHR HIE PHR Stand-alone eprescribing 2009 Slide 13

29 Harmonization Perform research to add, incorporate or revise criteria Base criteria on US & international standards, and best practices Work closely with HITSP (overlapping WG members) Incorporate HITSP constructs into extant security criteria to clarify the intent and methods for meeting compliance Guide the HIE WG (coordinates with the NHIN initiative) 09 HIE requirements include physical security, time synchronization, audit control and log, internal and external scanning, virus protection, regular system audit, remote access control, business entity ID 2009 Slide 14

30 HITSP in 08 Criteria 2009 Slide 15

31 Certification Commission for Healthcare Information Technology Privacy & Compliance Work Group Co-chairs: Donald Bechtel, Privacy Officer, HDX Siemens Medical Solutions Cassi Birnbaum, RHIA, CPHQ, Director of Health Information/Privacy Officer, Rady Children's Hospital, San Diego Staff: Bonnie Cassidy:

32 A Developing Focus 2007: An expert panel guided work groups on privacy and compliance issues but did not develop 08 criteria 2008: A work group established for 09 certification Develop criteria that cut across all domains Re-evaluate existing 08 privacy criteria in the domains Harmonize future development to move cross-cutting privacy requirements to the Privacy and Compliance Work Group New criterion should appear on the road map 18 months prior to being required in the current year s criteria 2009 Slide 17

33 Scope of Work The Privacy and Compliance Work Group is tasked with developing criteria needed in all health IT systems for the protection of privacy and ensuring compliance with applicable laws. The Commission has provided guidance to the work group regarding the importance of avoiding requirements that have an adverse impact on the cost and/or usability of systems, and that might threaten the mission of accelerating health IT adoption Slide 18

34 Accomplishments Developed criteria addressing confidentiality, integrity and availability for 09 ambulatory EHR test scripts Added pending Records Management and Evidentiary Support (RM-ES) requirements to the road map Prepared stakeholders for future needs through the roadmap and future directions documents Prepared preliminary glossary of privacy terms 2008 Slide 19

35 09 Criteria Categories Privacy and data integrity in the management of clinical documentation, the extent to which data is complete, consistent and accurate Amendments alteration of health information by modification, correction, addition, or deletion Authentication and Authorship validation of correctness for both the information itself and the person who is the author or user of the information (JCAHO), or the provision of assurance of the claimed identity of an entity, receiver or subject (ASTM) 2009 Slide 20

36 Future Directions 10 Criteria Road Map Amendments add to ED and inpatient Consent Management EHR Trace-ability document event auditing Metadata Display of Clinical Notes Record Preservation Break the Glass 11 Criteria Road Map User Defined Alerts related to patient consents and authorizations Legal Business Record ability to view the complete order and medication history (HITSP) prevent a user s ability to deny the origination, receipt, or authorization of a data exchange (HITSP, HL7) 2008 Slide 21

37 09 Work Group Harmonization Develop Criteria for Optional Additional Certifications Child Health Cardiovascular Medicine Contribute Criteria for Specific Attributes Security Interoperability Privacy & Compliance Develop Base Criteria for a Domain Ambulatory EHR Inpatient EHR Emergency Dept EHR HIE PHR Stand-alone eprescribing 2009 Slide 22

38 Future Challenges Understanding and incorporating the privacy provisions of the HITECH Act in the ARRA of 2009 Existing regulations or best practices do not clearly differentiate paper vs. electronic EHRs What is practical for electronic records? Recognizing efficiencies and eliminating unnecessary processes Understanding the variations in federal and state requirements 2009 Slide 23

39 Certification Commission for Healthcare Information Technology Participating in the Process

40 Opportunities to Participate Work group applications open Mar 23 Apr 20 Commission nominations open every July Public comment periods (30 days) open in September, December, and March Town Call teleconferences on specific topics Town Halls at major meetings Apr 5-6, HIMSS09 (includes technical sessions) Watch for announcements of events Sign up for CCHIT enews at the website 2009 Slide 25

41 Nationwide Health Information Network Security and Privacy in the NHIN Erik Rolf, CISA, CISSP Co-Chair, NHIN Security and Privacy Sub- Security Architect, CareSpark HIE March 5, 2009

42 Agenda Project Scope and Goals Privacy and Security in the NHIN Parallel Work Threat Analysis Future Work 2

43 NHIN Network of Networks Health Bank or PHR Support Organization Community Health Centers Community #1 CDC IHS Common Dial Tone & Chain of Trust among NHIEs Enabled by Governance Structure & VA Integrated Delivery System DoD NCI CMS SSA Community #2 The Internet Standards, Specifications and Agreements for Secure Connections 3

44 Background and Scope NHIN Trial Implementation work began in October of Privacy and Security were tasked as key focus areas. Privacy context was defined based on NHIN guiding principles. Threat and vulnerability analysis was conducted on the Core Services specifications. 4

45 Parallel and Complimentary Work NHIN Cooperative Technical and Security Core Services Work Group Federal Security Strategy for Health Information Exchange AHIC Confidentiality, Security and Privacy Work Group Certification Commission for Health IT (CCHIT) Health Information Technology Standards Panel (HITSP) Health Information Security and Privacy Collaboration (HISPC) National Institute of Standards and Technology (NIST) Standards Development Organizations Defines functional and technical specifications for key services to be used in implementing health information exchanges. Develops guidance that enables the adoption of secure, scalable health information exchanges among Federal and private sector healthcare organizations. Makes recommendations on the protection of personal health information in order to secure trust, and support appropriate interoperable electronic health information exchange. Private-sector collaboration launched by AHIMA, HIMSS, and the National Alliance to certify health IT products. Public-private partnership chartered to identify, recommend, and harmonize data and technical standards for healthcare. Federal and state partnership working to harmonize laws and policies related to security and privacy. Develops federal security standards, guidelines, and procedures under authority from FISMA. Broad range of consortia, associations, and other bodies that create and maintain individual technical and data standards. 5

46 Privacy Context The NHIN is comprised of: Covered Entities (HIPAA) Business Associates of Covered Entities (HIPAA) Governmental agencies subject to varying privacy laws HIPAA non-covered Entities subject to other privacy laws The NHIN is an organizing concept, and therefore is not subject to privacy laws Privacy compliance is mandated by the Participants through a governing body and the Data Use and Reciprocal Support Agreement (DURSA) 6

47 Current Privacy Landscape of the NHIN Participating NHIEs play an important role in protecting privacy by: Obtaining authorization to share data across the NHIN Authenticating participant users Enforcing participant access for permitted purposes The NHIN Trial Implementations focused on developing and implementing technology that supports core privacy principles 7

48 Status of the NHIN Security & Privacy Protections Messaging Platform Supports data Confidentiality and Integrity Audit Log Query Interface Supports accounting of disclosures Authorization Framework Interface Supports authorization for access, purpose requests and verification of user 8

49 Status of the NHIN Security & Privacy Protections Consumer Preferences Interface Supports restrictions on access Authorized Case Follow-Up Supports requests for de-identified data and case follow-up DURSA Important component of the trust fabric: Supports access, accounting, restrictions, de-identification, verification of requestor, safeguards, incident reporting & mitigation 9

50 Web Services Threat Matrix The threats expected in the interoperability environment closely model those of web services and web service constructs. NHIN is closely correlated with web service mitigation strategies and mechanisms to address existing and emergent threats. 10

51 NHIN Privacy & Security Next Steps Development of governing body NHIE certification criteria (application, evaluation & testing) Centralized service registry Policy development regarding: Requirements for initial authorization & ongoing maintenance Resolution of outstanding interface issues Data elements Internal NHIE processing & auditing Criteria for queries outside treatment Support for varying authorization requirements Further interface development Policy choices in existing interfaces New interfaces as necessary to support future use cases 11

52 NHIN Privacy & Security Next Steps Define a baseline for consistent security standards among participants based on: Harmonization of security standards Industry best practices Common security policies and technology among HIEs 12

53 Future Work Further enhancement of controls in the areas of data integrity and nonrepudiation. Refine requirements for implementation of enhanced NHIE audit trails. Development of distributed access management capabilities for both data providers and consumers. Enhance service registration and discovery to facilitate data availability. Further strengthen of message initiator and receiver authentication 13

54 Future Work Analyze security dependencies and processes of NHIN participants Collaborate with HITSP on interoperability standards Collaborate with parallel workgroups regarding privacy and security implementation guidance Continue security control development to defend against continually evolving threat landscape 14

55 Final thoughts Expanding the discovery capabilities of the NHIN beyond NHIEs to address specific entities within an NHIE such as providers, labs, pharmacies, etc. As the NHIN moves into production in 2009, additional technical issues associated with maintaining a large scale dynamic network need to be addressed Certificate authorities and service registries must be accountable to the governance of the NHIN 15

56 Q&A Questions Answers 16