Security and Privacy Requirements to Support the Exchange


Security and Privacy
Requirements to Support the
Exchange of Health Information
June 30, 2009
Copyright 2009. All Rights Reserved.
PANEL
Suzanne Lightman
Lead Policy Analyst, Office of Management
and Budget (OMB)
Jodi Daniel
Director, Office of Policy & Research,
Office of the National Coordinator (ONC)
Julie Boughn
Chief Information Officer and Director, Office
of Information Services, Centers for Medicare
& Medicaid Services (CMS)
Ashley Corbin
PhD, Co-chair, Federal Security
Strategy Work Group
Agenda
Topics Covered in this Session
• Importance of Security & Privacy
• Update on ONCHIT “Nationwide Privacy & Security Framework for
Electronic Exchange of Individually Identifiable Health Information”
• CIO Federal Partner Perspectives
(Requirements, Challenges, Opportunities)
• FHA Federal Security Strategy Initiative (FSS)
• CONNECT Certification & Accreditation
• Incorporation of Security & Privacy Guidelines and Standards in
Current and Future CONNECT Versions
• Open Q&A
OFFICE OF
MANAGEMENT
AND BUDGET
Suzanne Lightman
Lead Policy Analyst, OMB
OFFICE OF THE
NATIONAL
COORDINATOR
Jodi Daniel, JD, MPH
Director, Office of Policy & Research, ONC
Privacy, Security and Health IT
Value of Health IT
What’s new?
• Individuals may have greater roles in their care
• New entities
• New challenges and opportunities for protecting
individually identifiable health information
• New approaches to making information more accessible
• New questions/concerns
Privacy, Security and Health IT
Multiple Dimensions
Policy
• Nationwide Privacy and
Security Framework
Legal Obligations
• HIPAA Privacy and Security Rules
• Expanded by ARRA provisions
Specific Implementation
• NHIN
Nationwide Privacy & Security
Framework
Policy Guide
• Establishes principles
• Goal is to apply to all health care-related
persons and entities that hold and
exchange electronic individually identifiable
health information
• Foundation upon which current policies
and tools are built
- Toolkit that supports the Framework
- Implementation guidance
Toolkit
• Draft Model Personal Health
Record (PHR) Privacy Notice &
Facts-At-A-Glance
• Reassessing Your Security
Practices in a Health IT
Environment: A Guide for Small
Health Care Practices
• HIPAA Privacy Rule Guidance
Related to the Privacy and
Security Framework and
Health IT
American Recovery and
Reinvestment Act of 2009 (ARRA)
Legal Requirements
– Established two Federal Advisory Committees
– Requires the Secretary to promulgate regulations related to the
electronic exchange of health information
– Added Privacy Protections
ARRA Privacy Provisions
• HIPAA Modifications
– Some provisions and enforcement apply to business associates
– Breach notification requirement
– Changes regarding specific provisions (e.g., electronic access,
accounting, sale of PHI)
• PHR Breach Notification
• Enhanced Enforcement
– Includes ability for State Attorneys General to enforce
• Education Efforts
Privacy and Security in Operation
Specific Implementation
– NHIN – Exchange
• NHIN Specifications
• DURSA development
• Consumer preferences
• Privacy and Security
– Certification Criteria –
EHR Products
Julie Boughn
CIO and Director, Office of Information Services,
Centers for Medicare & Medicaid Services
Ashley Corbin, PhD, MBA
Federal Security Strategy Initiative Co-Chair, Director, DRAV, CMS
FHA Federal Security Strategy
Differences in information security
laws, requirements, and policies
in the federal and non-federal
sectors impact the expansion of
electronic exchange of health
information
FSS Work Group was chartered
to analyze and develop practical
guidance, recommendations and
a strategic roadmap to address
the situation
FHA Federal Security Strategy
Interim Guidance
The FSS Work Group has
drafted interim guidance
for the federal partners that
focuses on risk
management-based
adequate security
assurances under FISMA
FHA Federal Security Strategy
Information Security Service Model Approach
• Use standards-based security management and
assurance framework
• Establish public-private collaborative to drive
compliance criteria that are achievable and
maintainable
• Periodicity of evaluation, certification, and
compliance based on a minimum set of criteria,
but adaptable to the changing circumstances
(e.g., the local HIEs)
• Leverage each organization’s capabilities for
contributions in an overall governance framework
• Each participant is assessed their fair share
of cost
• Coordinate quantifiable expectations and metrics
and a process for continuous improvement
CONNECT Certification & Accreditation
• Using NIST Compliant Information Security C&A Processes
• A full set of C&A documentation would describe and test the CONNECT
Reference Architecture System as if it were an operational system with
“live” data and operating in a specific location
• An Authorization to Operate (ATO) as a reference implementation for the
NHIN under the HHS/ONC Certifying Authority and Designated
Approving Authority (DAA) will be obtained
• C&A documentation provided with the CONNECT Gateway to partner
agencies:
– Would be utilized and/or directly referenced in their individual assessments
– Would be modified by them to fit their operational environment and used in
their C&A process
CONNECT Certification & Accreditation
• Consistent application of the security controls across the
various federal partner organizations at large
• Savings can be realized in the security certification and
accreditation process
– The certification process draws upon any applicable results from the
most current assessment of the common security controls performed
at the HHS/ONC organization level.
– An organization-wide (federal partner community) approach to reuse
and sharing of assessment results can greatly enhance the efficiency
of the security certifications and accreditations being conducted by
organizations and significantly reduce security program costs.
Certification & Accreditation
Operational Security Impact – Security Program
• A one-time, narrowly enforced C&A effort misses overlap opportunities with
security program management and risk management requirements
• Opening up C&A by including continuous monitoring blends the complementary
security goals of compliance and ongoing operational security
• Doing so will also leverage the spending and resource time spent on compliance
into effective and efficient ongoing security practices
C&A Process – System Information Revealed
• Information Types Contained
• Relative Importance of the System to the Organization
• Security Controls that Protect the System
• System Risks
• System Boundaries
Certification & Accreditation
Operational Security Impact - Security Program
[Diagram labels]
C&A – Continuous Monitoring Strategy
• System baseline categorization
• Select controls & monitoring approach
• Impact of system or environment change
Continuous Monitoring Methods
• Automated Processes
• IT Management Systems
• C&A Re-assessment
• Periodic Audits
Operational Security Impact:
• Configuration baselines
• Implementation guidelines
• “Defensive” mechanisms (IDS, firewall rule sets, etc.)
Operational Security Impact:
• Control effectiveness
• Vulnerability discovery and mitigation
• Continual update of SSP and ST&E documents
More efficient risk analysis and resource planning
Security and Privacy Guidelines and
Standards woven into CONNECT
• Messaging platform
– Supports data confidentiality
and integrity
• Audit log query interface
– Supports accounting of
disclosures
• Authorization framework
interface
– Supports authorization for
access, purpose
– Requests and verification of user
• Consumer preferences
interface
– Supports restrictions on access
– Enable consumers to specify
• Authorized case follow-up
– Supports requests for de-identified
data and case follow-up
“Defining the NHIN Dial Tone in 2009”

| Interface Specification | References Standard | Description |
|---|---|---|
| Messaging, Security and Privacy Foundation | | |
| Messaging Platform | SOAP/WSDL/WSAddressing/WSSecurity | Provide secure messaging services for all communications between NHIN-enabled health organizations |
| Authorization Framework | SAML | Articulate the justification for requesting patient medical information |
| NHIN Services | | |
| Subject Discovery | PIXv3 | Services for locating patients based on demographic information |
| Query for Documents | XCA | Locate health documents associated with a specific patient that conform to a set of query criteria |
| Retrieve Documents | XCA | Retrieve specific requested documents associated with a patient |
| Query Audit Log | IHE ATNA | Log requests for patient health information and make this log available to patients |
| Authorized Case Followup | PIXv3 | Provide an ability to re-identify pseudonymized patient records when legally permitted for public health case investigations |
| Health Information Event Messaging | WSBaseNotification | Provide a publish/subscribe capability for ongoing feeds of data between NHIN-enabled health organizations |
| NHIE Service Registry | UDDI | Registry servers that enable NHIN-enabled health organizations to discover the existence and connection information for other NHIN-enabled health organizations |
| NHIN Profiles | | |
| Consumer Preferences Profile | XACML | Enable consumers to specify with whom they wish to share their electronic health information |
NHIN Services Architecture
NHIN Profiles
• Consumer Preferences Profile: Store and exchange consumer preferences
for sharing of personal health information
Other Profiles in Development
• GIPSE (Biosurveillance)
Profiles describe how to implement services for a specific domain like
consumer preferences for information sharing or biosurveillance
NHIN Services
Discovery Services
• Subject Discovery
• Authorized Case Follow-up
• Query for Documents
• NHIE Service Registry
Information Exchange Services
• Retrieve Documents
• Query Audit Log
• Health Information Event Messaging
Services describe specific interfaces (web services) used between HIEs to
discover and exchange health-related information
Messaging, Security and Privacy Foundation
Messaging
• Message Transport
• Services Definition
Security
• Public Key Infrastructure
• Encryption
• Digital Signature
Authorization Framework
• Requestor Authentication
• Requestor Authorization
Messaging, Security and Privacy Foundation describes the underlying protocols
and capabilities necessary to send and secure messages between NHIEs
CONNECT Seminar
Presentations are Available
for Download Online at
http://www.connectopensource.org