1 © 2002-2013 Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks.

Slides:

Advertisements

Similar presentations

1 HL7 Educational Session – eHealth Week Budapest 2011 © Health Level Seven International, Inc. All Rights Reserved. HL7 and Health Level Seven.

Advertisements

ELTSS Alignment to Nationwide Interoperability Roadmap DRAFT: For Stakeholder Consideration in response to public comment.

Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

1 Jan 2013 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.

<<Date>><<SDLC Phase>>

1 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks.

Electronic Submission of Medical Documentation (esMD) for Medicare FFS Presentation to HITSC Provenance Workgroup January 16, 2015.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

MY SMART PHONE DOES WHAT WITH MY BLOOD PRESSURE DATA ??? Anita Fineberg, LL.B. CIPP/C Barrister & Solicitor President, Anita Fineberg & Associates Inc.

© 2012 Health Level Seven ® International. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven International.

Security Controls – What Works

1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev )

1 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

EsMD Background Phase I of esMD was implemented in September of It enabled Providers to send Medical Documentation electronically Review Contractor.

1 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks.

Mobility Without Vulnerability: Secure and Enable Your Mobile Users, Apps, and Devices David Clapp – Intuitive.

Banks and the Privacy of Medical Information 8 th National HIPAA Summit March 8, 2004 Joy Pritts, JD Health Policy Institute Georgetown University

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

© 2012 Health Level Seven ® International. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven International.

WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ Identity and Privacy: the.

Standard Operating Procedures Joe Wherton Queen Mary University of London

ETICS2 All Hands Meeting VEGA GmbH INFSOM-RI Uwe Mueller-Wilm Palermo, Oct ETICS Service Management Framework Business Objectives and “Best.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

“ Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review April 9, 2013 Presented by: David Staggs, JD, CISSP Jericho Systems Corporation.

ITU-T X.1254 | ISO/IEC An Overview of the Entity Authentication Assurance Framework.

Communicate with All Workers Involved in the Process of Delivering High-Quality Health Care by Choosing Dossier365 on the Azure Platform MICROSOFT AZURE.

“ Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review April 23, 2013 Presented by: David Staggs, JD, CISSP Jericho Systems Corporation.

February 8, 2005IHE Europe Educational Event 1 Integrating the Healthcare Enterprise Basic Security Robert Horn Agfa Healthcare.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

Eliza de Guzman HTM 520 Health Information Exchange.

FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.

HIPAA Vendor Readiness Siemens/HDX Audio Telecast July 24, 2002.

Health eDecisions Use Case 2: CDS Guidance Service Strawman of Core Concepts Use Case 2 1.

HIT Standards Committee Overview and Progress Report March 17, 2010.

Technical Support to SOA Governance E-Government Conference May 1-2, 2008 John Salasin, Ph.D. DARPA

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

Alliance Key Manager for Windows Azure Puts Encryption Key Management and Data Breach Security at Your Fingertips COMPANY PROFILE: TOWNSEND SECURITY Townsend.

© 2009 Health Level Seven ®, Inc. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven, Inc. Reg. U.S. Pat &

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Easy-to-Use RedFlag System Delivers Notifications via Phone, , Text, Social Media, and More to Improve Effectiveness of Your Communications COMPANY.

Cross-Enterprise User Authentication Year 2 March 16, 2006 Cross-Enterprise User Authentication Year 2 March 16, 2006 John F. Moehrke GE Healthcare IT.

Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.

Functioning as a Business Associate Under HIPAA William F. Tulloch Director, PCBA March 9, 2004.

Basic Security Cor Loef Philips Medical Systems Co-Chair IHE Radiology Technical Committee.

Next VVSG Training Security: Testing Requirements October 15-17, 2007 Nelson Hastings Alicia Clay Jones National Institute of Standards and Technology.

One Drive for Business: More Than a File Share Erica Toelle

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

OFFICE OF VA ENTERPRISE ARCHITECTURE VA EA Cybersecurity Content Line of Sight Report April 29, 2016.

COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,

1 HIPAA’s Impact on Depository Financial Institutions 2 nd National Medical Banking Institute Rick Morrison, CEO Remettra, Inc.

DATA SECURITY FOR MEDICAL RESEARCH

Data and database administration

Integrating the Healthcare Enterprise

Introduction to Soonr by ….

Instantaneous Messaging System Uses Microsoft Azure Platform to Help Physicians Give Optimal Quality Patient Care with Real-Time Information MICROSOFT.

The HIPAA Privacy Rule and Research

The Freedom of Information and Data Protection Legislation An Overview

Introduction to the PACS Security

Colorado “Protections For Consumer Data Privacy” Law

Mobile Health (MH) Working Group – Projects Update

Presentation transcript:

1 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Tim McKay Mobile Health Workgroup April 27/28, 2015 Consumer Mobile Health Application Functional Framework Out of Cycle Meeting

2 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Why start this project?  Need for criteria to enable development of consumer health apps which have a uniform approach to security, privacy and data use  Current HL7 functional models cannot be used as-is to allow for certification of secure consumer-facing mobile health applications  Shift in consumer health offerings from being o Global in scope and Web by channel to o Narrow in scope and Mobile by channel  Provide a path for the certification of apps o Consumer confidence o Provider confidence

3 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off In Scope  This project will define security, privacy and data standards for secure mobile health applications (apps) o Limited to smartphones but may be extended to tablets o Standards will cover the app lifecycle  Central artifact is a set of conformance criteria (functional requirements) o Conformance criteria address the key user stories of the human actors of the system. o Conformance criteria address the technical actors necessary to fulfill the stories of the human actors  Focus in on the consumer/citizen  Two points of view: commercial and care

4 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Key User Stories App UserClinician I want my access to the app to be secure. I want to control access to who can view or use any data generated from the app. I care about some data a lot; other data I really don’t care about. I want the app to potentially improve my health and wellbeing. I do not want the app to harm my health and wellbeing. If I stop using the app, I want to be able to determine what happens to any data stored by the app. If I am allowed to use data generated from the app, I want to know enough about the data to determine if I can trust using it in making decisions about clinical care. I want the app to potentially improve the health of my patients who use it. I want the app to potentially improve my relationships with my patients who use it. I want the app to not overstep its bounds in terms of clinical claims. I want my patients’ data to be used for medical research.

5 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Mobile app lifecycle

6 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Out of Scope  This project will NOT define standards for the content of mobile applications.  This project will NOT address apps written for basic phones.

7 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Approach  Create a lightweight model  Assume profiles can be built off the model.  Create a developer-friendly model.  Create a product lifecycle based model.  Allow for core and optional criteria.  Provide resources relevant to conformance criteria.  Use PHRS-FM and EHRS-FM as resources.  Manage scope creep: can “it” fit within the general model

8 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Goals  Overall: have draft ready for comment-only ballot for September Use comments to address significant gaps to prepare for DSTU ballot for May  Out-of-cycle: draft conformance criteria for as many sections of the model as possible using time-boxed sub-groups.  Weekly meetings: review and extend work of out- of-cycle meeting  Sub-groups may choose to continue

9 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Section 1: Pre-Launch Activities 1.1 Regulatory/Compliance Approval Determine need for approval(s) Obtain approval(s) 1.2 Risk Assessment and Mitigation 1.3Product Usability

10 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Section 2: Download and Install App 2.1 App Store Experience Description of App Access to Terms of Use Access to Privacy Policy Payment for App 2.2 Launch App and Establish User Account Acceptance of Terms of Use Account Creation Identity proofing of account holder Account linking to pre-existing information Establish mechanisms for user authentication

11 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Section 3: Use App (1 of 5) 3.1 Session security User authentication User authorization Session encryption Session termination/sign-off 3.2 Authorization of Data Collection Data content Method of collection Smartphone capabilities data (e.g., calendar, contacts) hardware (e.g. camera, location) External device

12 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Section 3: Use App (2 of 5) 3.3Authorization of Data Use Third Party Access/Use Account proxies External actors Human System Prohibited uses of data Data deletion 3.4 Pairing User Accounts with Devices and Data Repositories First pairing Ongoing authentication/authorization Account disassociation

13 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Section 3: Use App (3 of 5) 3.5 Data Storage Data security Device storage Cloud/external storage Data authenticity Data provenance Data formats Unstructured data Structured data Metadata user device

14 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Section 3: Use App (4 of 5) 3.6 Data Transmission Ability to transmit stored data Standards-based data transmission Authorization by user Single authorization Subscription authorization 3.7In-App Payments

15 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Section 3: Use App (5 of 5) 3.8 Notifications and Alerts Obtaining permission to generate notifications and alerts Methods SMS/text messaging Smartphone notification centers Lock screen use 3.9 App Version Upgrades Automatic and user-permitted upgrades Changes to Terms of Use 3.10 Audit

16 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Section 4: Delete App 4.1 App Removal 4.2 Data Removal & Relocation Smartphone Cloud 4.3 Permitted Uses of Data After Account Closure Permitted uses (including conditions of use) Prohibited uses

17 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks of Health Level Seven International, Inc. Reg. U.S. Pat & TM Off Template Example 1.2 Risk Assessment and Mitigation 1 Shall (All) Complete a general product risk assessment using an established risk management framework. The framework should be one which is used by a Realm’s health systems to determine risk of inappropriate disclosure of medical information. 2 Shall (All) Rank risk assessment findings in terms of their potential effect on adequately securing an individual’s personally identifiable information (PII) including any protected health information (PHI). 3 Should (All) Prior to product launch, complete User Acceptance Testing (UAT) by testers who are not part of the formal development team. Often this will include product business owners. 4 Shall (IF) [Uses credit/debit cards] Assess product for Payment Industry Card (PCI) compliance. Regulations, standards, and implementation tools National Institute for Standards and Technology (NIST), Cybersecurity Framework, Payment Card Industry Standards,