Document 7145491
Download
Report
Transcript Document 7145491
Tugboat Captains &
Clinicians
Both are in Harms Way
Presented to:
Internet2 Conference
Atlanta, GA - October 31, 2000
W. Holt Anderson, Executive Director
NC Healthcare Information & Communications Alliance, Inc. (NCHICA)
Structure of Presentation
•
•
•
•
•
•
Implementing a Vision
HIPAA
HealthKey
NC Projects
Federal PKI Bridge
The Tugboat Captain
2
Implementing a Vision
• “Paperless, person-centered health records by
2010.”
• Adopted by the following organizations in NC:
–
–
–
–
–
–
–
–
–
Medical Society
Nurses Association
Hospital Assn.
Health Information Management Assn.
Assn.of Local Health Directors
Assn. of Pharmacists
Health Care Facilities Assn.
Assn. For Health Care Quality
Assn. For Hospice & End of Life Care
3
4
Definition - Health Record
• A virtual digital record of an individual’s
health information and all episodes of care
• This record is maintained by multiple
providers and shared when necessary for
care of that individual
(as allowed by patient consent and/or law)
• NOT a central “master file”of information
5
Enhancing the Quality of Care
• Preventing medical mishaps related to
drug interactions, handwriting, allergies,
transmissible diseases, etc.
(Automated delivery of information)
• Enhancing quality control through access
to information
6
Death by Handwriting
• Texas cardiologist
– Prescribed 20mg Isordil 4X / day
• Pharmacist
– Filled 20mg Plendil 4X / hday = 80mg / day
– Normally Plendil taken max 10mg / day
• 42-year old patient died of heart attack
• Jury found MD and Pharmacist
responsible and awarded $450K to
widow and three small children
USA Today 10-21-99
7
Controlling and Reducing Costs
Cost of paper records is said to be at
least 25% of total health care costs.
• Minimize space requirements
• Reduce resources for filing, storage and
retrieval of information
• Improve access time
• Less duplication
8
HIPAA
Health Insurance Portability & Accountability Act of
1996 [PL 104-191]
• Administrative Simplification
–
–
–
–
Electronic Transactions & Codes
National Identifiers
Security & Electronic Signatures
Privacy
• Generally expected to be implemented by end of
2002
• Civil Monetary & Criminal Penalties
9
Federal Mandate under HIPAA
(in effect since 8/21/96)
• Section 1173(d)(2) of the Act stipulates that healthcare
organizations (that maintain or transmit electronic patient
information) shall maintain reasonable and appropriate
administrative, technical, and physical safeguards to:
– Ensure the integrity and confidentiality of patient
information
– Protect against any reasonably anticipated threats or
hazards to the security or integrity of the information
– Protect against unauthorized uses or disclosures of the
information
– And, ensure the compliance of the officers and
employees of the organization with this provision.
10
Proposed Privacy Regulation
• Covers electronic information (and products of and
contributors to electronic information)
• Providers, Health Plans & Clearinghouses
• Requires contracts with trading partners to assure
continuity of privacy (also in Security regs)
• Permits sharing for care, claims, & certain
operations (QA, utilization review, credentialing)
without patient consent
• Limited sharing for “national priority” activities
• Requires written “fair information practices”
11
Penalties for Non-Compliance
• Violation of transaction or security standards
– Not more than $100 per violation, maximum of
$25,000/year
– No aggregate maximum
• Wrongful disclosures (privacy)
– Not more than $50,000 per violation
– Imprisonment for not more than one year
12
Penalties for Non-Compliance
(cont)
• False Pretenses (privacy)
– Not more than $100,000 per violation
– Imprisonment not more than five years
• Intent to sell, transfer, or use (privacy)
– Not more than $250,000 per violation
– Imprisonment for not more than ten years
13
Scope of Compliance
• More than just technology
– Policies
– Operational Procedures
– Physical Security
– Business Partner Agreements
– Personnel
– Management & Supervision
– Training
14
Security Standard
• Defined:
– Set of requirements with implementation
features that providers, health plans, and
clearinghouses must include in their operations
to assure that individual health information
remains secure.
• Scalable: applies to all size organizations; larger
organizations may be held to a higher standard.
15
Security Requirements by Category
Administrative
Certification
Chain of Trust
Agreements
Contingency Plan
Formal Mechanisms:
Records
Info Access Control
Internal Audit
Personnel Security
Security Configuration
Security Incident
Procedures
Security Mgmt.
Process
Termination
Procedures
Training
Physical
Safeguards
Assigned Security
Responsibility
Media Controls
Physical Access Controls
Policy - Workstation Use
Secure Workstation
Location
Security Awareness
Training
Electronic
Signature
Digital Signature
Technical Security
Mechanisms
Communications/Network
Controls
Integrity Controls
Message Authentication
Technical Security
Services
Access Controls
Audit Controls
Authorization Controls
Data Authentication
(corruption)
Entity Authentication
Implementation Features Under Each Requirement
16
Technical Security Mechanisms
Objective:
Ensure processes are in place to guard
against unauthorized access to data that is
transmitted over a communications network
(intercept and interpret), and to protect
systems from external access.
17
Communications--Open Network
• Where the network is open (e.g., shared
data line, Internet, switched WAN), then
the following must be in place:
– Alarm (sense abnormal conditions)
– Audit Trail
– Entity Authentication
– Event Reporting
– Encryption is stated as “should be employed”
18
If You Use Electronic Signatures
• Must have:
– message integrity
– non-repudiation
– user authentication
• May have:
– ability to add attributes
– continuity of signature capability
– countersignature capability
– independent verifiability
– interoperability
– multiple signatures
– transportability
19
HealthKey
Secure E-Health Solutions
A Program funded by
The Robert Wood Johnson Foundation
HealthKey Origins
Funded by $2.5 million Robert Wood Johnson
Foundation grant - Fall 1999
Collaboration to advance the development of
health information infrastructure
Market-driven, community-based approach
Coordinated pilot efforts in 5 states
21
HealthKey Participants
Massachusetts Health Data Consortium
(MHDC)
Minnesota Health Data Institute (MHDI)
North Carolina Healthcare Information
and Communications Alliance (NCHICA)
Utah Health Information Network (UHIN)
Community Health Information
Technology Alliance (CHITA) -- WA
22
HealthKey Strategy
Identify
interoperable, standards-based
solutions to real business problems
Showcase pilot participants as leaders in
testing evolving health information
infrastructure
Identify approaches to achieve HIPAA
compliance
23
$64,000 Question
Is PKI a valid
infrastructure for the
health industry?
If so, what is the likely
architectural model?
24
MN & NC to pilot Bridge CA
Developed
by Mitretek for the Federal
Dept of Treasury/GSA
Allows
validation of digital certificates
from multiple CAs
Aggressive
timeframe - demo by
Spring 2000
Additional
states/projects can tie in
after pilot phase
25
NCHICA PKI Projects
– Rekmote access to immunization registry
– Shared access to clinical info for Medicaid
high-maintenance patients
– Remote primary care provider access to
neonatal/perinatal patient info
– Remote primary care provider access to
patient info for children with special needs
– Access to emergency dept. database
– Possible pharmacy application
26
MHDI PKI Projects
– Access to Immunization data
– Transmit newborn screening results
from MN Dept of Health
– Provide secure access to Central Query
Service for eligibility inquiries
Other States
– Additional projects underway
27
Provider Access to
Immunization Registry
Securely
PAiRS
What is PAiRS?
• Combines immunization records from both
public and private sources in a common
database
• Widely accessible, inexpensive and secure
inquiry only access to immunization records
via the Internet
• Reliably identifies relevant records for an
individual in the absence of a unique identifier
29
Current Project Status
• Approximately 1.5 million children (0-18)
and an associated 12 million vaccine
doses
• 28 pilot sites, 172 users
• Over $1 million in in-kind contributions
30
Challenges to Successful
Implementation of PAiRS:
•
•
•
•
•
Initiation of use
Recognition of PAiRS value
Accessibility of computers
Computer skills of nurses and physicians
Busy practices with established service
delivery methods
• Security & Interoperability
32
Where do we go from here?
• PAiRS participation expansion
• PKI for user authentication and security
• Regional PAiRS project - demonstration
project to facilitate inter-state exchange of
immunization information
33
NCEDD Project Description
• 3 goals (putting down a
railroad track)
– select a standard data format
(DEEDS)
– demonstrate secure data
exchange
– statewide ED database for
injury surveillance, EMS
outcomes, best practice
(NCEDD)
35
Use of NCEDD Data
• Public Health Surveillance
– Disasters, bioterrorism, reportable conditions
• Research using hospital discharge dataset
– Injury surveillance, Trends/impact of new facilities,
HMO penetration, substance abuse indicators
• Linkages- outcomes, episode of care
– EMS
– Trauma Registry
– Hospital Database
• Aggregate format
– Oversight Committee of participating hospitals
36
NCEDD Security
Security/Access Concerns
• Confidential data over Internet
– Patient
– Facility
– Provider
• Authentication of users - multiple organizations
– Public health staff - SCHS, Epidemiology
– STEER staff - Chapel Hill, Wilmington
– Participant hospitals ?
38
Federal PKI Approach
(with thanks to Richard A. Guida, Chair, Federal PKI Steering Committee)
• Establish Federal PKI Policy Authority
• Develop/deploy Bridge CA using COTS
– Four levels of assurance (emulate Canada)
– Prototype early 2000, production mid 2000
• Deal with directory issues in parallel
– Border directory concept; “White Pages”
• Use ACES (Access Certs for Electronic
Services) for public transactions
39
FBCA Overview
• Non-hierarchical hub for interagency
interoperability
• Ability to map levels of assurance in
disparate certificate policies
• Ultimate “bridge” to CAs external to
Federal government
• Directory contains only FBCA-issued
certificates
40
FBCA PKI Architecture
US Federal
41
Potential Architectures
• Multiple CAs within membrane, with
single signing key
• Single CA
• Multiple CAs within membrane, crosscertified among themselves
42
Multiple CAs, Cross-certified
• In essence, the “quark” model
• Certificate path length may be +1
• Adding CAs within membrane should be
straightforward albeit not necessarily
easy
• Requires solving inter-product
interoperability issues within membrane
rather than outside - which is good
43
Current Status
• Decision: cross-certified CAs within
membrane
• Multiple vendor products: Initially
Entrust and GTE for “prototype” FBCA
• Migration from prototype to production
FBCA will entail adding other CAs
inside the membrane
• GSA/FTS has responsibility to execute
44
PKI Use and Implementation
Issues
• Misunderstanding what it can and can’t do
• Requiring legacy fixes to implement
• Waiting for standards to stabilize
• High cost - a yellow herring
• Interoperability woes - a red herring
• Legal trepidation - the brightest red herring
45
The Tugboat Captain
TJ Hooper v. Northern Barge
Company 60 F.2d 737 (2d Cir. 1932)
• Long Island Sound - storm comes up and
tug loses barge
• Plaintiff was barge owner
• Plaintiff found negligent because Captain
had no weather radio
Rationale: to avoid negligence, keep up with
technological innovations - they set the
standard of care in the industry
46
The price of good navigation is
eternal vigilance
W. Holt Anderson, Executive Director
NC Healthcare Information & Communications Alliance, Inc.
www.nchica.org
Thank you !
www.nchica.org