Using HL7’s CCOW Standard to Create Secure Information Solutions Colorado Healthcare Information Systems Society (CHIMSS) January 12, 2001 Robert Seliger.

Presentation transcript:

Using HL7’s CCOW Standard to Create Secure Information Solutions Colorado Healthcare Information Systems Society (CHIMSS) January 12, 2001 Robert Seliger President and CEO, Sentillion Co-Chair HL7 CCOW Committee Copyright© 2001 Sentillion, Inc. All Rights Reserved

Secure?

Agenda: HIPAA; Digital Security; CCOW; Practical Security Solutions.

HIPAA: Final regulations published December 28, 2000. See:

HIPAA: Situation Statement. According to the American Health Information Management Association (AHIMA), an average of 150 people "from nursing staff to x-ray technicians, to billing clerks" have access to a patient's medical records during the course of a typical hospitalization.* * Standards for Privacy of Individually Identifiable Health Information; Final Rule, December 28, 2000, U.S. Dept. of Health and Human Services.

HIPAA: Approach. Ensure the rights that an individual who is the subject of individually identifiable health information should have. Specify the procedures that should be established for the exercise of such rights. Define the uses and disclosures of such information that should be authorized or required.

HIPAA: Scope. 1. Care, services, or supplies related to the health of an individual. 2. Health information maintained or transmitted electronically or via any other form or medium.

HIPAA: Philosophy. "We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is 'scalable.')"* * Standards for Privacy of Individually Identifiable Health Information; Final Rule, December 28, 2000, U.S. Dept. of Health and Human Services.

HIPAA: Enforcement. HHS's Office for Civil Rights: 1. Voluntary. 2. Civil monetary penalties and referrals for criminal prosecution.

Digital Security: Authentication; Encryption; Non-Repudiation.

Digital Signatures (diagram): the sender computes a secure hash value of the original message and encrypts that value with the sender's private key to produce the signed message; the receiver decrypts the value with the sender's public key and compares it with the hash of the received message, yielding the verified message. Diagram copyright © JungJoo-won, 1996.

Digital Encryption (diagram): the sender encrypts the original message with the receiver's public key to produce the encrypted message; the receiver decrypts it with the receiver's private key to recover the decrypted message. Diagram copyright © JungJoo-won, 1996.

Where Do Keys Reside? Private keys: on a "smart" card; embedded in a device; on your personal computer. Public keys: in a file in "raw" form; in a signed file, known as a digital certificate.

Digital Signature Inherent Limitations. "The verification process only establishes that the private key of the person whose public key is specified in the digital certificate was used to affix the digital signature. This verification process is a post-signing mechanism and does not correspond to the trusted witnessing mechanism established within the traditional signature environment."* * Non-Repudiation in the Digital Environment, Adrian McCullagh and William Caelli, First Monday.

CCOW. Multiple disparate applications: labs, meds, cardiology, scheduling, billing, etc. Users in need of easy access to data and tools: physicians, nurses, therapists, administrators, etc. Kiosks as well as personal workstations: hospitals, clinics, offices, homes, etc.

CCOW Status. ANSI-certified standard published by Health Level Seven. Uptake: 3M, Agilent, Bionetrix, CoreChange, Care Data Systems, Drager, DR Systems, Eclipsys, GE/Marquette, Medcon, Medscape, McKessonHBOC, Presideo, SpaceLabs/Burdick, Stockell, many others in 2001. Sites: Rex (1000), Marshfield Clinic (6500), St. Joes (1500), St. Als (2000), Cottage (2000), etc. Co-Chairs: Robert Seliger, Sentillion (founding co-chair); Barry Royer, Siemens (SMS); Michael Macalusso, McKessonHBOC.

What They're Saying ... "Originally an ad hoc group created to solve the problem of insuring common context between different applications in simultaneous use on the desktop, CCOW is capturing extremely important space in web browser and user security areas."* * CHIM Standards Insight, Feb. 7, 2000.

Example: Patient Link (screenshot; patient "Nancy Furlow").

Demonstration: Show it!

Architecture (three diagram slides).

Theory of Operation: Patient Link (1). User selects the patient of interest using any application on the clinical desktop.

Theory of Operation: Patient Link (2). Application tells the context manager to start a context change transaction and sets the context data to indicate the newly selected patient.

Theory of Operation: Patient Link (3). Context manager tells the patient mapping agent that a context change is occurring; the mapping agent supplies the context manager with the other identifiers by which the patient is known.

Theory of Operation: Patient Link (4). Context manager tells the other applications that a new patient context has been proposed, and surveys the applications to determine whether each can apply the new context.

Theory of Operation: Patient Link (5). Each application indicates whether or not it can apply the new context.

Theory of Operation: Patient Link (6). If one or more of the applications prefers not to, or cannot, apply the new context, the user is asked to decide whether to continue, cancel, or break the link. Otherwise, the context change continues automatically.

Theory of Operation: Patient Link (7). Context manager tells each application to apply the new context, or that the transaction has been canceled. If apply, then each application tunes to the new patient context.
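The seven Patient Link steps above, simulated end to end. This is an added example, not Sentillion's or HL7's code; the class and method names (Participant, PatientMappingAgent, ContextManager, the "continue/cancel/break" strings) are assumptions chosen to mirror the slides, and the sample desktop is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Participant:
    """An application on the clinical desktop that has joined the common context."""
    name: str
    domains: set                        # patient identifier domains this app understands
    busy: bool = False                  # e.g. unsaved work: prefers not to change patient
    context: dict = field(default_factory=dict)

    def survey(self, proposed):         # step 5: can this application apply the context?
        if self.busy or not any(d in self.domains for d in proposed):
            return "conditional"        # prefers not to, or cannot, apply
        return "accept"

    def apply(self, proposed):          # step 7: tune to the new patient
        self.context = {d: v for d, v in proposed.items() if d in self.domains}


class PatientMappingAgent:
    """Step 3: supplies the other identifiers by which the patient is known."""
    def __init__(self, links):
        self.links = links              # {(domain, id): {other_domain: other_id, ...}}

    def expand(self, proposed):
        full = dict(proposed)
        for key in proposed.items():
            full.update(self.links.get(key, {}))
        return full


class ContextManager:
    def __init__(self, agent, participants, ask_user):
        self.agent, self.participants, self.ask_user = agent, list(participants), ask_user

    def change_patient(self, initiator, proposed):  # step 2: transaction starts
        full = self.agent.expand(proposed)                                    # step 3
        responses = {p.name: p.survey(full)                                   # steps 4-5
                     for p in self.participants if p is not initiator}
        if "conditional" in responses.values():                               # step 6
            decision = self.ask_user(responses)     # "continue" | "cancel" | "break"
        else:
            decision = "continue"
        if decision == "continue":                                            # step 7
            for p in self.participants:
                p.apply(full)
        elif decision == "break":  # assumed reading: initiator leaves the link, shows patient alone
            self.participants.remove(initiator)
            initiator.apply(full)
        return decision, responses


def simulate(decision="continue"):
    """Constructed desktop: meds selects MRN 12345 while scheduling has unsaved work."""
    lab = Participant("lab", {"LAB"})
    meds = Participant("meds", {"MRN"})
    sched = Participant("scheduling", {"MRN"}, busy=True)
    agent = PatientMappingAgent({("MRN", "12345"): {"LAB": "L-98"}})
    cm = ContextManager(agent, [lab, meds, sched], ask_user=lambda r: decision)
    decision, responses = cm.change_patient(meds, {"MRN": "12345"})
    return decision, responses, {p.name: p.context for p in (lab, meds, sched)}
```

Because scheduling reports "conditional", the simulated user is asked (step 6); passing "cancel" or "break" to simulate() shows the two other outcomes.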

User Link. Conceptually the same as Patient Link: context change transaction; user mapping agent. Incorporates a secure "Chain of Trust": digitally signed communication between programs; no exchange of user passwords.

Chain of Trust, Theory of Operation: User Link (1). User signs on (enters logon name and password, swipes security card, etc.).

Chain of Trust, Theory of Operation: User Link (2). Application authenticates the user and tells the context manager the user's logon name; authentication data is not passed on to the context manager.

Chain of Trust, Theory of Operation: User Link (3). Context manager tells the mapping agent a context change is occurring; the mapping agent supplies the context manager with the other logon names for the user as known to each application.

Chain of Trust, Theory of Operation: User Link (4). Context manager tells the other applications that there is a new user context.

Chain of Trust, Theory of Operation: User Link (5). Each application gets the user's application-specific logon name from the context manager.

Chain of Trust, Theory of Operation: User Link (6). Context manager tells each application to apply the new context, or that the transaction has been canceled. If apply, then each application tunes to the new user context.
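The User Link chain of trust above, reduced to its two security properties: the password never leaves the authenticating application, and the context manager acts only on signed messages from applications it knows. Added example, not Sentillion's or HL7's code; an HMAC under a per-application key stands in for the digital signature the slides describe, and all names, keys and the credential store are constructed.

```python
import hashlib
import hmac
import json


class UserMappingAgent:
    """Step 3: supplies the user's logon name as known to each application."""
    def __init__(self, table):
        self.table = table              # {logon: {app_name: app_specific_logon, ...}}

    def names_for(self, logon):
        return dict(self.table.get(logon, {}))


class ContextManager:
    def __init__(self, agent, app_keys):
        self.agent, self.app_keys = agent, app_keys   # one signing key per joined application
        self.user_context, self.log = {}, []

    def set_user(self, app_name, message, signature):   # steps 2 to 4
        # Stand-in for CCOW's digital signature: an HMAC under the key the
        # application registered when it joined the context (assumption for this demo).
        key = self.app_keys.get(app_name)
        expected = hmac.new(key, message, hashlib.sha256).hexdigest() if key else ""
        if not hmac.compare_digest(expected, signature):
            self.log.append(f"rejected context change from {app_name}: bad signature")
            return False
        data = json.loads(message)
        if set(data) != {"logon"}:      # the chain of trust carries the logon name only
            self.log.append(f"rejected context change from {app_name}: unexpected fields")
            return False
        self.user_context = self.agent.names_for(data["logon"])
        self.log.append(f"user context set by {app_name} for {data['logon']}")
        return True

    def logon_for(self, app_name):      # step 5: application-specific logon name
        return self.user_context.get(app_name)


class Application:
    def __init__(self, name, key, users):
        self.name, self.key, self.users = name, key, users  # users: {logon: sha256(password)}

    def sign_on(self, cm, logon, password):
        # Step 2: authenticate locally; the password never leaves this application.
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self.users.get(logon, ""), digest):
            return False
        message = json.dumps({"logon": logon}).encode()
        signature = hmac.new(self.key, message, hashlib.sha256).hexdigest()
        return cm.set_user(self.name, message, signature)


def demo():
    agent = UserMappingAgent({"jsmith": {"lab": "jsmith", "meds": "smithj"}})
    keys = {"lab": b"lab-key", "meds": b"meds-key"}       # constructed secrets
    cm = ContextManager(agent, keys)
    lab = Application("lab", keys["lab"], {"jsmith": hashlib.sha256(b"s3cret").hexdigest()})
    ok = lab.sign_on(cm, "jsmith", "s3cret")              # steps 1 and 2 succeed
    wrong = lab.sign_on(cm, "jsmith", "guess")            # local authentication fails; nothing sent
    forged = cm.set_user("meds", b'{"logon": "admin"}', "00" * 32)   # unsigned message rejected
    return ok, wrong, forged, cm.logon_for("meds"), cm.log
```

The context manager's log doubles as the context-based audit trail the later slides call for: every accepted and rejected user context change is recorded with its source application.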

Practical Security Solutions: HIPAA Requirements & Implications. Requirements: authenticate user access of patient records; audit user access of patient records; upon request, inform patients of access to records. Implications: effective administrative processes; practical security solutions.

Practical Security Solutions: The Setting. A building or campus of buildings; a network within and between these buildings, connected to the Internet; caregivers, ancillary workers, patients, visitors, salesmen, etc.; computers everywhere; myriad patient-related applications; busy people.

Practical Security Solutions: Key Considerations. Physical Protection: if you can't get at it, you can't have it. Limited Trust: if you minimize dependencies, you minimize exposure. User Friendliness: if it is easy to comply, people will. System Understandability: if you don't know how it works, you won't know if it works.

CCOW-Based Security: Robust User Authentication.

CCOW-Based Security: Single Sign-On.

CCOW-Based Security: Roaming User Certificate.

CCOW-Based Security: Context-Based Auditing.

CCOW-Based Security: Context-Based Audit Reports.

CCOW-Based Security: Context-Based Access Controls.

CCOW-Based Security: Secure Network Appliance.

CCOW-Based Security: Centralized Administration.

CCOW-Based Security Summary (need -> solution): Authenticate User Access -> User Authenticator; Audit User Access -> Context Audit Logs; Inform Patients of Access -> Context Reporting; Physical Protection -> Network Appliance; Limited Trust -> Central Administration; User Friendliness -> Single sign-on; System Understandability -> CCOW Standard.

Conclusion: HIPAA; Digital Security; CCOW; Practical Security Solutions.

Get Smart! Robert Seliger