User Authentication Recommendations
Transport & Security Standards Workgroup
December 10, 2014
Background - HITPC Recommendations
Health IT Policy Committee (HITPC) Privacy and Security Tiger Team Recommendations re Authentication (2012, 2013):
- Move toward multifactor authentication (National Institute of Standards and Technology (NIST) level of assurance (LOA) 3) for provider remote access of protected health information (PHI)
- Continue to identity proof providers in compliance with the Health Insurance Portability and Accountability Act (HIPAA)
- Continue to be informed by the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative
- Engage with the NSTIC initiative to help align direction in consumer identity-proofing, authentication, and the use of third-party credentials with the needs of the healthcare industry
Office of the National Coordinator for Health Information Technology

Recap of Relevant TSSWG Presentations
- Trustmarks
- OpenID Connect (authentication)
- OAuth 2.0 (authorization)
  – Related profiles: BB+ and User Managed Access
- NIST new directions in identity management

2014 Edition Authentication Criterion
§ Edition electronic health record certification criteria.
(d) Privacy and security.
(1) Authentication, access control, and authorization.
(i) Verify against a unique identifier(s) (e.g., username or number) that a person seeking access to electronic health information is the one claimed;

Recommendations (1 of 3)
To strengthen the authentication currently certified in EHR technology, the TSSWG recommends adding the following criteria:
(ii) Continuously protect the integrity and confidentiality of information used to authenticate users, using the standard specified in § (a)(1) of the 2014 Edition EHR Standards, Implementation Specifications, and Certification Criteria.
(iii) If passwords are used for user authentication, accept only passwords that meet the guessing entropy guidelines set forth in Appendix A of NIST
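As an added illustration of criterion (iii), not part of the workgroup's slides, the following implements the guessing-entropy model for user-chosen passwords and uses it as an acceptance check; it assumes the guideline referenced is NIST SP 800-63 Appendix A and applies that appendix's stated per-position rules and policy bonuses, while the dictionary and the 30-bit threshold are constructed for the demo.

```python
"""Guessing-entropy check for user-chosen passwords following the per-position
rules of NIST SP 800-63 Appendix A (the guideline the criterion cites, assumed
here). Added illustration, not the workgroup's or NIST's code; the dictionary
and the threshold used in the demo are constructed."""

# Constructed stand-in for the "extensive dictionary" the appendix assumes.
DEMO_DICTIONARY = {"password", "letmein", "welcome", "monkey", "qwerty"}


def base_entropy_bits(password: str) -> float:
    """Per-position estimate: 4 bits for the 1st character, 2 bits each for
    characters 2-8, 1.5 bits each for 9-20 and 1 bit each beyond 20."""
    n = len(password)
    bits = 4.0 if n else 0.0
    bits += 2.0 * max(0, min(n, 8) - 1)
    bits += 1.5 * max(0, min(n, 20) - 8)
    bits += 1.0 * max(0, n - 20)
    return bits


def policy_entropy_bits(password: str, composition_rule: bool, dictionary_rule: bool) -> float:
    """Base estimate plus the appendix's policy bonuses. They credit the policy
    (rules enforced on every user), not the individual string: 6 bits for
    requiring upper-case and non-alphabetic characters, and up to 6 bits for an
    extensive dictionary check, tapering to zero at 20 characters because long
    passwords tend to be phrases built from dictionary words."""
    bits = base_entropy_bits(password)
    if composition_rule:
        bits += 6.0
    if dictionary_rule:
        bits += max(0.0, min(6.0, (20 - len(password)) / 2))
    return bits


def accept_password(password: str, required_bits: float,
                    composition_rule: bool = True, dictionary_rule: bool = True) -> tuple[bool, str]:
    """Enforce the rules the policy takes credit for, then apply the threshold."""
    if composition_rule and not (any(c.isupper() for c in password)
                                 and any(not c.isalpha() for c in password)):
        return False, "composition rule: needs an upper-case and a non-alphabetic character"
    if dictionary_rule and password.lower() in DEMO_DICTIONARY:
        return False, "dictionary rule: common password"
    bits = policy_entropy_bits(password, composition_rule, dictionary_rule)
    if bits < required_bits:
        return False, f"estimated {bits:g} bits, {required_bits:g} required"
    return True, f"estimated {bits:g} bits"


if __name__ == "__main__":
    for pw in ("password", "Passw0rd", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(pw), accept_password(pw, required_bits=30))
```

NIST retired this entropy model in the 2017 revision of the guideline (SP 800-63B) in favour of length minimums and checks against lists of compromised or common passwords, so read the estimator as a record of what the 2014 criterion asked for rather than as current guidance.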

Recommendations (2 of 3)
To enable EHR technology to be certified for having implemented multi-factor authentication, the TSSWG recommends adding the following certification criterion:
– Restrict access to the system, or to one or more individual functions within the system (e.g., prescribing controlled substances), to only those individuals who have presented at least two of the following three forms of authentication:
  – knowledge of a secret (e.g., password)
  – possession of a physical object (e.g., hard token or smartcard)
  – a biometric (e.g., fingerprint)
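The criterion counts distinct categories of factor, not the number of credentials, so a password plus a security question does not qualify. The following added example (not the workgroup's code) evaluates a per-function policy on that basis; the function names, the policy table and the Credential structure are constructed for the demo.

```python
"""Evaluate the proposed multi-factor criterion: a function is allowed only if
the session has presented at least two *distinct* factor categories
(knowledge, possession, inherence). Added illustration, not the workgroup's
code; function names and the policy table are constructed for the demo."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"     # e.g., password
    POSSESSION = "something you have"    # e.g., hard token, smartcard
    INHERENCE = "something you are"      # e.g., fingerprint


@dataclass(frozen=True)
class Credential:
    kind: str        # audit label, e.g. "password", "smartcard"
    factor: Factor
    verified: bool   # outcome of the actual credential check, done elsewhere


# Constructed policy: minimum number of distinct factor categories per function.
FUNCTION_POLICY = {
    "view_record": 1,
    "prescribe_controlled_substance": 2,   # the slide's example
    "remote_phi_access": 2,                # HITPC's LOA 3 direction
}


def distinct_factors(creds) -> set:
    """Only verified credentials count, and two credentials of the same
    category (password + security question) collapse to one factor."""
    return {c.factor for c in creds if c.verified}


def authorize(function: str, creds) -> tuple[bool, str]:
    """Fail closed: unknown functions and short factor counts are denied."""
    required = FUNCTION_POLICY.get(function)
    if required is None:
        return False, f"no policy for {function!r}: denied by default"
    have = distinct_factors(creds)
    if len(have) < required:
        return False, f"{function}: {len(have)} factor category(ies) presented, {required} required"
    return True, f"{function}: satisfied with {sorted(f.name for f in have)}"


if __name__ == "__main__":
    pw = Credential("password", Factor.KNOWLEDGE, True)
    question = Credential("security_question", Factor.KNOWLEDGE, True)
    card = Credential("smartcard", Factor.POSSESSION, True)
    print(authorize("prescribe_controlled_substance", [pw, question]))  # denied
    print(authorize("prescribe_controlled_substance", [pw, card]))      # allowed
```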

Recommendations (3 of 3)
The TSSWG further recommends that the ONC:
- Support the NIST effort to revamp NIST Special Publication (Electronic Authentication Guideline)
  – Closely follow the move from LOA to componentized trust
  – Recommend appropriate identity-proofing for query-based access
- Consider Data Segmentation for Privacy (DS4P) for authorizing access to behavioral data (TSSWG will address this later in the work plan)
- Track development and piloting of the User Managed Access (UMA) profile of OAuth 2.0 as a potential standard for consumer consent