AT&T Healthcare Community Online - Enabling Greater Access with Stronger Security

Transcription

1 AT&T Healthcare Community Online: Enabling Greater Access with Stronger Security Overview/Executive Summary With a nationwide move to electronic health record (EHR) systems, healthcare organizations and providers are being called to share patient health information to improve care quality, efficiency and effectiveness. And while federal legislation offers incentives for implementing EHRs, providers face stiff penalties if they do not deploy systems or vigilantly protect patient information. AT&T Healthcare Community Online can help solve the access/security conundrum by enabling healthcare organizations to meet the vigorous security regulations while providing access to appropriate stakeholders across the healthcare community.

2 AT&T Healthcare Community Online 2 The Access/Security Conundrum The Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA), has a focus on encouraging electronic access to personal health information across the continuum of care to improve patient outcomes. As the meaningful use requirements of the legislation continue to mature, more of this data will be shared across entire ecosystems, rather than via point-to-point exchanges. Indeed, data is apt to be shared across organizations and among diverse care teams as health information exchanges (HIEs), accountable care organizations (ACOs) and patient-centered medical homes (PCMHs) become more prevalent in the industry. At the same time, the legislation calls for increased security and privacy. In addition to instituting new breach notification rules and extending the rules to healthcare business associates, HITECH implements a new tiered system that increases civil monetary penalties for noncompliance and allows states to file civil actions for Health Insurance Portability and Accountability Act (HIPAA) violations. 1 It s a double-edged challenge. Healthcare organizations need to simultaneously find ways to increasingly share information yet, at the same time, more vigilantly protect information. On the one hand, physicians, nurses, other clinicians and administrators need ready access to the robust data that can be used to measure and improve outcomes for individual patients as well as entire patient populations. On the other hand, organizations need to safeguard this data, which is now being shared among multiple entities and care teams, instead of merely traveling from person to person. Dissecting the Security Challenges An examination of the directives emanating from HIPAA and HITECH illuminate the emerging security challenges facing healthcare providers. Security Concerns Arising from HIPAA and HITECH Among other things, HIPAA and HITECH establish the security framework with which healthcare organizations must comply as the industry moves toward more comprehensive adoption of EHRs. Security challenges are likely to become more pronounced as care is delivered under models that demand more robust data sharing and technologies that enable this data sharing. For instance, organizations need to maintain trusting and supportive relationships with the peers they provide data to, and retrieve data from, as part of HIEs. ACOs need to find a way to protect information as individual medical records are shared among hospitals, long-term care facilities, and doctor s offices in an effort to improve patient care. Data security will also need to be addressed as primary care physicians act as the catalyst of PCMHs and share data with specialists and other service providers. Finally, as the federal government requires providers to share information electronically with patients, organizations will need to find ways to meticulously protect this data. The HIPAA Security Rule establishes the foundation for security expectations. Specifically, the rules require implementation of administrative, physical and technical safeguards. With these safeguards acting as a baseline, HIPAA calls for a controlled environment where organizations can manage their relationships with internal and external users throughout their lifecycle with the HIEs various constituencies (provider, payer, patients, etc.), from initial creation of the user s identity to final access termination. Since most of the information is managed electronically, how this digital information and the related identities are managed becomes a key component of overall HIPAA compliance. Certification standards associated with the HITECH legislation provide even greater specificity as related to EHR security. For example, the companion rule 2, which creates standards for EHR software certified for the incentive program, requires that the applications include encryption, authentication and other security functions. To be certified as qualifying for the federal incentive program, the software must comply with the following, among other things: Encrypt and decrypt electronic health information (EHI) within an organization and also when it is exchanged with others. Verify that a person or entity seeking access to EHI is the one claimed and is authorized to access such information. 3 Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information. Terminate an electronic session after a predetermined time of inactivity. Enable a user to generate an audit log. Verify that information has not been altered in transit and when records are exchanged. Security Concerns Identified by Tiger In addition to HIPAA and HITECH requirements, the Privacy and Security Tiger Team, a federal advisory workgroup organized under the auspices of the Office of the National Coordinator for Health Information Technology (ONC), is engaged in crafting more detailed guidance to HIEs. This group is in the early stages of developing a privacy and security framework for more comprehensive data exchange. In late April of 2011, the Tiger Team published a summary document 4 detailing principles and initial recommendations for a privacy and security framework for health information exchange. The principles cover individual access to electronic health information, procedures for correcting erroneous information, transparency, individual choice to exchange data, safeguards, data quality and integrity, and limitations on collection, use, and disclosure of information. The Tiger Team recommends that: HIEs exchange information securely. The requesting provider in an exchange should, at a minimum, provide attestation of his or her treatment relationship with the individual who is subject of the health information exchange. Providers should have a plan for how they will utilize certified EHR technology security functionality. HIEs require a high level of assurance that the organization is who it says it is; all entities involved in health data exchange should be required to have digital certificates; requirements for digital certificates should include organization verification, validation that transactions meet meaningful use (MU), reliance on existing criteria and processes when applicable; protected health information (PHI) transactions should require authenticated digital certificates (a tool used to authenticate clients and servers on the web and ensure that browser communications are secure). Processes for issuing digital certificates and processes for re-evaluation, e.g., annual renewal are in place.

3 AT&T Healthcare Community Online 3 ONC should oversee an accreditation program for reviewing and authorizing certificate issuers, and select or specify standards for digital certificates. With respect to individual users, provider entities and organizations must develop and implement policies to positively identify and authenticate their individual users. AT&T Healthcare Community Online: Addressing the Access and Security Challenge AT&T Healthcare Community Online helps solve the access/security conundrum by enabling healthcare organizations to meet the vigorous security regulations while providing access to appropriate stakeholders across the healthcare community. Healthcare Community Online enables highly secure exchange and sharing of patient health data across a healthcare ecosystem. It is a cloud-based health information exchange and a comprehensive care coordination platform that integrates patient records/data from multiple sources into a single patient view, providing clinicians with virtually real-time access to patient information and ehealth applications such as e-prescribing, acute and ambulatory EHRs, electronic lab orders/results, and data analytics. Healthcare Community Online meets the growing connectivity needs of healthcare organizations, while at the same time helps satisfy security concerns outlined in HIPAA, HITECH and by the Tiger Team. AT&T Healthcare Community Online offers: Core services to support healthcare organizations business and connectivity needs. A highly secure architecture that protects data as it traverses throughout the healthcare continuum. Easy-to-use cloud-based applications and storage solutions for your individual needs. A workable adoption framework to help you meet your specific security needs. The Platform as a Service Model with Healthcare Community Online AT&T Healthcare Community Online is constructed and designed to be a full, state-of-the-art service-oriented architecture (SOA). The Healthcare Community Online framework uses SOA as the foundation of its interoperability approach and allows AT&T to meet complex and dynamic system integration requirements. SOA standards and the use of web services technology support the ability of Healthcare Community Online to readily adapt and meet current and future HIE capabilities. AT&T Healthcare Community Online is the best model to address an extremely diverse range of technical capabilities and systems operating in an HIE infrastructure. A key aspect of the security framework of Healthcare Community Online is its hub-based identity management model. Enabled by a platform as a service (PaaS) approach, the hub architecture dramatically reduces complexity, especially in an HIE environment where participants need the ability to query multiple data sources in near real-time. As a result, the complexity of installation and configuration is dramatically reduced for healthcare leaders. Due to the PaaS model, the user experience remains simple and seamless as all of the complex security functionality plays out behind the scenes. As a result, information technology leaders and staff members may assume that all communications and interactions in the network are inherently highly secure, instead of establishing and managing security protocols and technologies on a one-to-one basis. Healthcare Community Online also offers specific advanced, highly secure features such as: Single sign-on (SSO), which makes it easier for users to participate in data exchange. Clinical message exchange, which enables individuals and organizations to confidently share information. Encryption, which supports encryption of data in transit and also provides an option to encrypt stored data. Authentication and authorization, which ensures the identities of individuals accessing data. Access controls and audit logging, which helps organizations deal with compliance regulations. Data backup and disaster recovery, which promotes confidence when relying on electronic data. With these functions and features in place, data is protected as it is shared among organizations and users. At the same time, though, users access information without being unduly encumbered by complicated security procedures and IT administrators can manage access in a streamlined fashion. Healthcare Community Online and the Trusted Identify Framework The Trusted Identity Framework in AT&T Healthcare Community Online addresses regulatory security concerns such as user authorization, authentication, non-repudiation, encryption, administration, and audit/ logging requirements. The Trusted Identity Framework supports a unified and leveraged approach to managing digital identities and information security across a wide variety of technologies and across a wide variety of business process requirements. This integrated approach results in reduced complexity with increased consistency of policy enforcement across multiple organizations. The end result: simplicity. Users have a single digital identity to access information across organizations and security administration is streamlined, resulting in significant cost reductions. The Trusted Identity Framework is comprised of four primary components: 1. Trusted Identity Broker: establishes a single hub connection point to federate a user s identity across multiple security enclaves. 2. Trusted Authentication Broker: controls who has access to the HIE by managing and issuing multiple types of credentials, such as ID/ password, hardware tokens, and public key infrastructure (PKI). 3. Trusted Authorization Manager: provides provisioning services that make managing permissions for external identities simple, fast and repeatable. 4. Trusted Compliance Manager: aggregates and analyzes securityrelated data, making it possible to quickly and easily meet compliance with audit and reporting requirements.

4 AT&T Healthcare Community Online 4 By brokering trust and providing protocol translation, identity providers and service providers can select the technology or standard best suited to their back-end environment while simultaneously improving their ability to interoperate with a variety of existing or new federation endpoints. The Trusted Identity Broker makes it significantly easier for organizations to participate in HIEs. The approach calls for minimal end-point integration compared to the conventional approach, which consists of buying a software solution, performing custom development and weeks of integration work at each end-point. Specific features of the Trusted Identity Broker include: Multi-protocol support Establish a single connection hub Federate user identities Control HIE access Manage multiple credentials Provide provisioning services Manage permissions for external identities Aggregate and analyze security data Meet compliance, audit and reporting requirements Trusted Identity Framework 1. Trusted Identity Broker allows healthcare organizations to connect to multiple end-points, such as a physician s practice, a lab, a pharmacy, etc. Trusted Identity Broker utilizes a hub architecture, which dramatically reduces the complexity in situations where organizations are connecting multiple end-points, such as in HIEs where participants need the ability to query multiple data sources in near real-time. With Trusted Identity Broker, each organization only has to worry about a single connection to the HIE instead of juggling multiple point-topoint connections. Perhaps most importantly, the Trusted Identity Broker eliminates the need to juggle multiple standards. In essence, providers no longer have to fret about using multiple competing standards such as SAML 1.1, SAML 2.2, Microsoft standards and various proprietary connectivity standards. Instead, under this standards neutral paradigm, providers connect once to the central hub and, through this interface, connect to any authenticated third-party. With Trusted Identity Broker, the end-user HIE experience is simplified. The Trusted Identity Broker manages the federation of user identities across security enclaves. It allows a user to log in at his local security domain, federate his identity to the central hub, and then select from a variety of external services that are all accessible without requiring a secondary login (i.e. single sign on). The Trusted Identity Broker also supports the direct authentication of users to Healthcare Community Online, which is preferred for smaller organizations that do not have the technical means to federate users from their local domain. As such, the technology accommodates compliance with the person and entity authentication requirements outlined in HIPAA security regulations by making it possible to positively identify organizations and individuals through the hub instead of through one-to-one exchanges. Because end-users only have to authenticate their identity once instead of authenticating their identity each time they communicate with a member of the HIE, technical barriers are diminished and organizations begin realizing the benefits of federation in a few short weeks. Trusted Identity Broker provides out-of-the-box multi-protocol support and translation for all federation standards, as well as support for integration with proprietary federation implementations. Federation logging and auditing Reporting on federation activities between end-points User identification mapping Federation attribute translation and metadata translation services Federation network administrator dashboard Federation relationship management tools between end-points Self-service administrator support for end-point configuration How to connect user guides Test environment for testing federation configurations With the Trusted Identity Broker, users can easily and confidently participate in data exchange, as security procedures are simplified due to the utilization of a hub rather than a one-to-one model. 2. Trusted Authentication Broker manages user authentication and the supporting processes. In essence, the Trusted Authentication Broker controls who has access to the HIE. Trusted Authentication Broker includes the management and issue of multiple types of credentials, such as ID/password, hardware tokens, and public key infrastructure (PKI). The functionality enables health providers to deal with identity verification, authorization and tracking requirements emanating from the regulatory requirements. Trusted Authentication Broker also provides the process and interfaces for self-service password reset, risk based authentication, classifying and grading authentication levels and help-desk support series. Features of Trusted Authentication Broker include: Direct logon to the hub, from anywhere using a simple Internet connection. The ability to up- or down-grade local or federated authentications. Rules enforcement via authentication strength criteria. Requires no changes to application architecture. Audit and reporting tools. With Trusted Authentication Broker, organizations can confidently proceed, knowing that users are who they say they are and that the proper access is being granted to each individual.

5 AT&T Healthcare Community Online 5 3. Trusted Authorization Manager provides provisioning services that manage registration and workflow processes. Additionally, Trusted Authorization Manager makes managing permissions for external identities simple, fast and repeatable. A highly configurable solution, it is particularly well suited for complex authorization processes, such as those involving multiple approvers or those involving multiple rules, which are based on data residing in disparate databases. For example, Trusted Authorization Manager makes compliance with HIPAA s permitted use stipulations easier. Under the permitted uses clause, healthcare organizations can disclose PHI to the patient and to other authorized organizations for the purposes of treatment, payment, and operations. Trusted Authorization Manager offers a series of centralized applications for self-service registration, applications request-andapproval workflow, delegated administration, password management login, audit reporting, and other functions related to identity management. For example, healthcare organizations can verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information. The Trusted Authorization Manager is built on a delegated administration model meaning that the rights of each individual identity are managed by an onsite administrator who has access to the individual s requesting privileges. In short, the administrator making the decision about access rights is familiar with the roles and responsibilities of who they are providing access to. In a provider organization, the administrator will know what type of access rights to grant to individuals, based on their specific role in the healthcare organization (i.e. executive, physician, nurse, and support staff). The security administrator can also oversee the access rights of each identity over time. For example, the security administrator can remove access rights if a physician leaves the organization or add access rights to certain features for certain individuals as needed. In addition, once an administrator controls what type of access each user has, users self-enroll and establish their own ID and password. As such, IDs and passwords do not need to be ed and, therefore, are not subject to the vulnerability associated with . As such, the password is never exposed. Trusted Authorization Manager features include: Self-service registration Cross-organizational delegated administration functionality N-tier delegation (i.e. different levels of security and access required and allowed for various situations) for intra-organizational user management Configurable workflow for custom access management processes Rules-based workflow and decision engine Self-service password reset Audit tools Reporting tools Trusted Authorization Manager brings simplicity to complex permissions and authorization processes. 4. Trusted Compliance Manager makes it easy for healthcare providers to aggregate and analyze security-related data, facilitating quick and easy compliance with audit and reporting requirements. Trusted Compliance Manager makes it possible for organizations to validate that users continue to access the HIE as intended and within the established rules. In addition, other or extra protections can be built into the Compliance Manager. For example, if a user has not accessed a certain function in a certain amount of time, then the permissions for that identity can be re-evaluated by the security administrator. In addition, Trusted Compliance Manager audits every event each time a user is created, a user s privileges are suspended or an application access is granted. All of those actions are logged in the Trusted Compliance Manager. The information is compiled in an easy-to-decipher report. Such functionality allows organizations to address HIPAA s administrative safeguards calling for reviews of system activities and audit logs. Features of Trusted Compliance Manager include: Administration interface configures polices and rules according to an organization s HIPAA plan. Automatically determines exceptions based on usage patterns. Collects and aggregates information across the Trusted Identity Framework. Facilitates comprehensive analysis of compliance status. Is based on IHE ATNA and RFC-3881 standards for healthcare security audit records. Records most major events such as: PHI access Document retrieval Patient search RLS registry lookup Patient feed processing Saves all records to a database with tightly controlled access policies. Uses asynchronous queuing model to avoid impacting application performance. Encrypts data at rest and in-flight for every stage of audit event handling. Trusted Compliance Manager ensures that users access systems and data as intended, and makes it easy to comply with audit requirements. Simplifying HIPAA Compliance Healthcare Community Online is designed to facilitate compliance with HIPAA and protect a patient s right to privacy. Through Healthcare Community Online systems, processes, and best practices, access to patient data is managed and protected from unauthorized access. Because Healthcare Community Online uses a centralized hub model, the number of federations to be managed is reduced, resulting in a simpler, more secure approach. By allowing AT&T Healthcare Community Online to act as the independent third-party to manage identities, customers meet separation of duties requirements and allow stakeholders to only have to trust one entity, not an entire community.

6 AT&T Healthcare Community Online 6 Conclusion With AT&T Healthcare Community Online, healthcare organizations can easily share information, making it possible to comply with the government s meaningful use requirements and ultimately to improve the service and care delivered to patients. AT&T Healthcare Community Online makes it possible for organizations to protect personal health information and offers the following benefits: Reduced cost and complexity associated with managing identities and access privileges across constituents. Seamless integrations with systems and applications; simplified endpoint connectivity and collaboration. Virtually anytime, anywhere access to applications for users across the extended enterprise. Improved end-user experience via single sign-on to multiple systems and application. Faster deployment versus in-house or on-premise. Simpler compliance with regulations and enterprise policies for users inside and outside a firewall. Unparalleled security, service; access to global help desk. With advanced safeguards in place, healthcare providers can move their healthcare information technology initiatives forward, knowing that personal health information is protected, addressing the evolving security requirements of HIPAA, HITECH, and the ONC s Tiger Team. References 1. Federal Register. Modifications to the HIPAA Privacy, Security and Enforcement Rules Under the Health Information Technology for Economic and Clinical Care Act, July 14, Accessed at: nprmhitech.pdf 2. Department of Health and Human Services, 45 CFR Part 170 Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, Final Rule, July 28, Accessed at: access.gpo.gov/2010/pdf/ pdf. 3. Centers for Medicare and Medicaid Services. Are You a Covered Entity? Accessed at: AreYouaCoveredEntity.asp 4. Tiger Team. Policy and Technology Framework for Health Information Exchange. Accessed at: wp-content/uploads/2011/04/framework pdf For more information contact an AT&T Representative or visit 07/28/11 AB Compuware Corporation and AT&T Intellectual Property. Covisint, the Covisint logo and all Covisint products and services listed within are trademarks or registered trademarks of Compuware Corporation. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.