HIT Standards Committee Privacy and Security Workgroup: Update. Dixie Baker, SAIC; Steve Findlay, Consumers Union. December 18,

Presentation transcript:

Slide 1: HIT Standards Committee Privacy and Security Workgroup: Update. Dixie Baker, SAIC; Steve Findlay, Consumers Union. December 18,

Slide 2: Privacy and Security Workgroup Members
- Dixie Baker, SAIC
- Steve Findlay, Consumers Union
- Anne Castro, BlueCross BlueShield of South Carolina
- Aneesh Chopra, Federal Chief Technology Officer
- Ed Larsen, HITSP
- David McCallie, Cerner Corporation
- John Moehrke, HITSP
- Gina Perez, Delaware Health Information Network
- Wes Rishel, Gartner
- Walter Suarez, Kaiser Permanente
- Sharon Terry, Genetic Alliance

Slide 3: Topics to Be Covered
- Demystifying Standards (I hope) and Update
- Observations from Security Hearing, November 19

Slide 4: Demystifying Standards Recommendations
- Standards, certification criteria, and implementation guidance are intended for use in certifying EHR products
  – How these capabilities are used within a healthcare environment is based on an individual organization's size, complexity, and capabilities, technical infrastructure, risks and vulnerabilities, and available resources
- Standards and certification criteria help assure that a "certified EHR product" has the technical capabilities an organization will need to:
  – Comply with HIPAA and ARRA privacy and security provisions
  – Be ready and eligible for "meaningful use"

Slide 5: Demystifying 2011 Recommendations (HIPAA/ARRA Standards and their Supporting Standards)
1. HIPAA/ARRA: Obtain proof that users and systems are whom they claim to be (i.e., authenticate identity) before enabling them to use the system
   Supporting standard: Use the same standard commonly used for web transactions (Transport Layer Security, TLS) to do this for all web-based communications
2. HIPAA/ARRA: Control access to information and capabilities
   Supporting standard: HIPAA Security Rule implementation specifications
3. HIPAA/ARRA: Provide the capability to encrypt and decrypt information
   Supporting standard: Use the NIST-recommended Advanced Encryption Standard (AES) algorithm
4. HIPAA/ARRA: Create an audit trail of system activities
   Supporting standards: Use the IHE Consistent Time (CT) Integration Profile, with the Internet standard Network Time Protocols (NTP and SNTP), to synchronize time; use the IHE Audit Trail and Node Authentication (ATNA) Integration Profile to exchange audit information

Slide 6: Demystifying 2011 Recommendations (HIPAA/ARRA Standards and their Supporting Standards, continued)
5. HIPAA/ARRA: Detect unauthorized changes in content
   Supporting standards: Use one of the NIST-recommended Secure Hash Algorithms (SHA) to generate a number that uniquely represents the data, so that if the data are accidentally or intentionally changed, the number will also change; use the ASTM standard as guidance in implementing electronic signatures
6. HIPAA/ARRA: Protect the confidentiality and integrity of information transmitted over networks (e.g., web)
   Supporting standards: Implement encryption and integrity protection using the NIST standards (AES and SHA); use HITSP Service Collaboration 112 as guidance in sharing documents with entities outside the system; use the Internet standard Domain Name Service (DNS) and Lightweight Data Access Protocol (LDAP) to locate resources on the Internet

Slide 7: Demystifying 2011 Recommendations (HIPAA/ARRA Standards and their Supporting Standards, continued)
7. HIPAA/ARRA: Electronically record individual consumers' consents and authorizations
   Supporting standard: HIPAA Privacy Rule implementation specifications
8. HIPAA/ARRA: Provide the capability to create an electronic copy of an individual's electronic health record, record it on removable media, and transmit it to a designated entity
   Supporting standard: Use HITSP Capability 120 as guidance in implementing the capability to record unstructured information on removable media (e.g., CD, thumb drive) or to send it to a Personal Health Record (PHR)
9. HIPAA/ARRA: Provide the capability to de-identify information
   Supporting standard: HIPAA Privacy Rule implementation specifications
10. HIPAA/ARRA: Provide the capability to tag de-identified information with a secured link that can be used later to re-identify if necessary
   Supporting standard: Use the ISO pseudonymization standard as guidance

Slide 8: Recommendations - Update
- The Working Group discovered a potential problem with the recommended standard for protecting the integrity of data: the recommendation excluded an early version of the Secure Hash Algorithm (SHA-1) that is widely used to protect integrity in web transactions
  – Hash algorithms don't keep information secret; they just help detect when it has been modified
- NIST guidance states that Federal agencies may not use SHA-1 after 2010 for digital signatures and certain other applications, but allows its use for protecting data integrity
- The latest update of the FIPS PUB still includes SHA-1

Slide 9: Resolution Coordinated Through Standards Committee Leadership
- Changed the recommendation to the latest version of the FIPS PUB hashing standard (which includes SHA-1)
- Changed the certification criteria to:
  – Explicitly allow SHA-1 for web integrity protection only, and encourage the use of one of the other 4 hash algorithms included in the standard
  – Require one of the other algorithms for protecting the integrity of data at rest
- Changes highlighted in hand-out
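As an added illustration of the points on slides 8 and 9 (this is example code written for this page, not part of the workgroup's deck or any certified product), the following Python sketch computes and verifies integrity digests from the FIPS hash family while enforcing the adopted criteria: SHA-1 is accepted for web integrity protection only, and one of the other algorithms is required for data at rest. The policy context names and the sample record are constructed for the example.

```python
import hashlib
import hmac

# Members of the FIPS PUB 180 hash family exposed by hashlib. SHA-1 is the
# legacy member; the other four are the algorithms the updated certification
# criteria encourage, and require for data at rest.
SHA1 = "sha1"
OTHER_FIPS_HASHES = frozenset({"sha224", "sha256", "sha384", "sha512"})

# Policy contexts are assumptions of this example, not names from the slides.
POLICY = {
    "web_transit": OTHER_FIPS_HASHES | {SHA1},   # SHA-1 explicitly allowed
    "data_at_rest": OTHER_FIPS_HASHES,           # SHA-1 not acceptable
}

def integrity_tag(data: bytes, algorithm: str, context: str) -> str:
    """Hex digest of data, computed only if the algorithm is permitted
    for the given context; raises ValueError otherwise."""
    allowed = POLICY.get(context)
    if allowed is None:
        raise ValueError(f"unknown context {context!r}")
    if algorithm not in allowed:
        raise ValueError(f"{algorithm} is not permitted for {context}")
    return hashlib.new(algorithm, data).hexdigest()

def verify_integrity(data: bytes, tag: str, algorithm: str, context: str) -> bool:
    """Recompute the digest and compare it to the stored tag. Any change
    to the data, accidental or deliberate, yields a different digest."""
    return hmac.compare_digest(integrity_tag(data, algorithm, context), tag)

def demo() -> dict:
    """Walk through the slide's two cases on a constructed sample record."""
    record = b"patient=EXAMPLE-0001;allergy=penicillin"   # constructed sample
    tag = integrity_tag(record, "sha256", "data_at_rest")
    tampered = record.replace(b"penicillin", b"none")
    try:
        integrity_tag(record, SHA1, "data_at_rest")
        sha1_rejected_at_rest = False
    except ValueError:
        sha1_rejected_at_rest = True
    return {
        "intact_verifies": verify_integrity(record, tag, "sha256", "data_at_rest"),
        "tampered_verifies": verify_integrity(tampered, tag, "sha256", "data_at_rest"),
        "sha1_rejected_at_rest": sha1_rejected_at_rest,
        "sha1_allowed_in_transit": len(integrity_tag(record, SHA1, "web_transit")) == 40,
        # The digest protects integrity only: the record itself is still plaintext.
        "record_still_readable": b"penicillin" in record,
    }
```

The last key in `demo()` makes the slide's point concrete: the hash detects modification but does nothing to keep the record confidential, which is why encryption (AES) is recommended separately.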

Slide 10: Security Hearing Panels, Nov 19,
1. System Stability and Reliability: Challenges related to maintaining the stability and reliability of electronic health records (EHRs) in the face of natural and technological threats
2. Cybersecurity: Challenges related to maintaining the trustworthiness of EHRs and Health Information Exchanges (HIEs) in the face of cyber threats such as denial of service attacks, malicious software, and failures of internet infrastructure
3. Data Theft, Loss, and Misuse: Challenges involving accidental loss of data, data theft, extortion and sabotage, including criminal activities and other related areas
4. Building Trust: Issues and challenges related to building and maintaining trust in the health information technology ecosystem, and the impacts that real and perceived security weaknesses and failures exert on health organizations, individual providers, and consumers

Slide 11: Key Messages
- Keep it simple!
  – Abstract out complexity: create standards-based components that hide complexity
  – Bake security into products
  – Need for a security "toolkit," especially for small practices
- Implement defense in depth (layered security)
- Days of tightly controlled perimeters are long gone; need to address distributed, mobile, wireless, and virtual resources, as well as computers embedded in biomedical devices
- Need to measure security "outcomes"

Slide 12: System Stability & Reliability
- Many existing clinical products lack the functionality needed to support security best practices
- Systems embedded in FDA-regulated biomedical devices are a "huge problem"; they present vulnerabilities not easily addressed by "enterprise" security practices
  – Often managed by vendors
  – Cannot be modified: no OS updates, no anti-viral software
  – Cell phones are rapidly entering this category
- "Least critical" systems often are those that are compromised and set up as a backdoor for hackers to access more important systems

Slide 13: Cybersecurity
- Security awareness among healthcare organizations is low, and many organizations are not complying with HIPAA! The HIMSS 2009 Survey found:
  – Fewer than half (47%) conduct annual risk assessments
  – 58% have no security personnel
  – 50% reported information security spending ≤3%
- Need to continually monitor and measure the effectiveness of security policies and mechanisms
  – Use "evidence-based" security policies and practices
  – Today's security is plagued with dogma: password rules are antiquated, PC security may not matter, file encryption ineffective

Slide 14: Data Theft, Loss, and Misuse
- Portable devices and wireless access present major vulnerabilities
- Web 2.0 social technologies and cloud computing present new avenues for data loss
- Audit logs from vendor systems may be insufficient to detect misuse of information
- Role-based security is important, but roles vary across institutions, so creating common policy and standards would be challenging

Slide 15: Building Trust
- Security and privacy are foundational to EHR adoption
- Health care data are increasingly a target
- Security plays a major role in protecting patient safety
  – Data integrity protection to help ensure accuracy of patient records
  – Protection of safety-critical information (e.g., clinical guidelines)
- Need baseline policies and standards for:
  – Authorization
  – Authentication: identity proofing and authentication are foundational, since all other security protection depends upon them
  – Access Control
  – Audit trail: use statistical profiling