Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 6,

Slides:

Advertisements

Similar presentations

Directory and Trust Services (D&TS) Define an Abstract Model Purpose: Document a common terminology that the group can use between the various tracks Identify.

Advertisements

EAuthentication Before accessing the Delphi eInvoicing System, you must be an authenticated user. This authentication process is called eAuthentication.

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.

The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

1 Privacy and Security Tiger Team Meeting Discussion Materials Topics Patient Authentication Hearing Questions for RFC on Meaningful Use Stage 3 October.

HITSP – enabling healthcare interoperability 1 enabling healthcare interoperability 1 Standards Harmonization HITSP’s efforts to address HIT-related provisions.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

Intra-ASEAN Secure Transactions Framework Project Progress Report

Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.

August 12, Meaningful Use *** UDOH Informatics Brown Bag Robert T Rolfs, MD, MPH.

Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Federal Requirements for Credential Assessments Renee Shuey ITS – Penn State February 6, 2007.

OASIS Trust Elevation Elevate Trust in Electronic Identities Abbie Barbir, Ph.D Co-Chair OASIS Trust Elevation TC.

Large-Scale, Cost-Effective, Progressive Authentication and Identify Management Solutions Enabling Security, Efficiency and Collaboration through Technology.

Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.

Chapter 10: Authentication Guide to Computer Network Security.

Author of Record Digital Identity Management Sub-Workgroup October 24, 2012.

Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 20,

HIT Standards Committee Hearing on Trusted Identity of Patients in Cyberspace November 29, 2012 Jointly sponsored by HITPC Privacy and Security Tiger Team.

A Brief Introduction to Patient Identification Using the VUHID System Barry R. Hieb, MD Chief Scientist, Global Patient Identifiers Inc. Kantara, June.

Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013.

Authentication, Access Control, and Authorization (1 of 2) 0 NPRM Request (for 2017) ONC is requesting comment on two-factor authentication in reference.

Privacy and Security Tiger Team Today’s Discussion: MU3 RFC Comments May 8, 2013.

Privacy and Security Tiger Team Trusted Identity of Providers in Cyberspace Follow-Up Recommendations September 6, 2012.

Update on Interoperability Roadmap Comments Sections G, F and E Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Privacy and Security Tiger Team Today’s Discussion: Non-Targeted Query Virtual Hearing Testimony July 10, 2013.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

A DESCRIPTION OF CONCEPTS AND PLANS MAY 14, 2014 A. HUGHES FOR TFTM The Identity Ecosystem DISCUSSION DRAFT 1.

Florida Information Protection Act of 2014 (FIPA).

Nationwide Health Information Network: Conditions for Trusted Exchange Request For Information (RFI) Steven Posnack, MHS, MS, CISSP Director, Federal Policy.

Privacy and Security Tiger Team Trusted Identity of Providers in Cyberspace Recommendations August 1, 2012.

HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.

Patient Data Security and Privacy Lecture # 7 PHCL 498 Amar Hijazi, Majed Alameel, Mona AlMehaid.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

HIT Policy Committee NHIN Workgroup Recommendations Phase 2 David Lansky, Chair Pacific Business Group on Health Danny Weitzner, Co-Chair Department of.

Privacy and Security Tiger Team Today’s Discussion: Query/Response Scenarios for Health Information Exchange February 21, 2013.

Electronic Submission of Medical Documentation (esMD) Identity Proofing Sub-Workgroup October 31, 2012.

Privacy and Security Tiger Team Today’s Discussion: Query/Response Scenarios for Health Information Exchange March 12, 2013.

Levels of Assurance in Authentication Tim Polk April 24, 2007.

General Session/ Presentation: “Cross Training: Security Best Practices from Other Industries”.

Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.

DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.

Addressing Unauthorized Release of Personal Information at UC Davis August 12, 2003.

CSCE 522 Identification and Authentication. CSCE Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction.

Credentialing in Higher Education Michael R Gettes Duke University CAMP, June 2005, Denver Michael R Gettes Duke University

HIT Policy Committee Report from HIT Standards Committee Privacy and Security Workgroup Dixie Baker, SAIC December 15, 2009.

Lecture 24 Wireless Network Security

Draft Provider Directory Recommendations Begin Deliberations re Query for Patient Record NwHIN Power Team July 10, 2014.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

Information Exchange Workgroup June 14, IE WG Presentation to HITPC (draft) IE WG Workplan Query exchange recommendations Provider directory.

Privacy and Security Tiger Team Potential Questions for Request for Comment Meaningful Use Stage 3 October 3, 2012.

Attribute Delivery - Level of Assurance Jack Suess, VP of IT

Framing Identity Management Recommendations Transport & Security Standards Workgroup November 19, 2014.

The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.

Identity Management Overview

Trust Profiling for Adaptive Trust Negotiation

Florida Information Protection Act of 2014 (FIPA)

Tokens & Proofing De-Mystified

Florida Information Protection Act of 2014 (FIPA)

Federal Requirements for Credential Assessments

Overview of CRISP Connectivity Process

Presentation transcript:

Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 6, 2012

Overview Today: Discuss results of HITPC meeting and request for additional refinement of draft recommendations Timeline: Health Information Technology Policy Committee (HITPC) meeting Wednesday Sept. 6 2 June 18: NSTIC 101 July 11: Joint Public Hearing July 16: Formulate Recommendations August 1: Report Recommendations to HITPC August 6: Refine Recommendations August 20: Refine Recommendations Sept 6: HITPC Meeting We Are Here

Results of HITPC Meeting General agreement on the approach that the Tiger Team is proposing to address provider authentication –Questions regarding cloud computing –Concern about time burdens on physicians Requested additional work to identify the “riskier” transactions referenced in our recommendations Proposed Approach: –Determine which types of exchange transactions are "risky" and should require LoA 3 –Develop criteria describing the attributes of these riskier transactions 3

Exchange Scenarios 4 FunctionLoA*Risk/Harm EHR access via local computer/terminal within a secured area 2 Unauthorized personnel may physically access computer EHR access via local computer/terminal within a publicly accessible area 2 Unauthorized personnel or public may physically access On premises (hospital/clinic) wireless access to E H R unsecured network Data transfer in open, Man-in-middle attack sniffing, Unauthorized personnel or public may remotely access On premises (hospital/clinic) wireless access to EHR via VPN Theft, unauthorized access/exposure EHR access via mobile devices off premise3Theft, unauthorized access/exposure Physician HIE access in multiple practicesUnauthorized access Clinic to patient secure messaging – authentication prior to Direct HISP interactions Possible interception of patient information Electronic Prescribing3+Fraudulently obtaining controlled substances *Recommended baseline LOA based on Tiger Team deliberations

Backup Slides 5

Recommendations to the HIT Policy Committee (1/3) 1.The Tiger Team believes that ONC should move toward individual-user level credentials to meet NIST Level of Assurance (LOA) 3 for riskier exchange transactions, ideally by Meaningful Use Stage 3. Rationale: Low risk activity, such as on-site, intra-organizational access to systems/data should not necessitate additional authentication requirements. Riskier exchange transactions, such as remote access to systems/data across a network, should require the increased assurance provided by LOA 3. 6

Recommendations to the HIT Policy Committee (2/3) 2.As an interim step, the ONC could require baseline two-factor authentication (per NIST ) with existing organization-driven identity proofing (LOA “2.5”) –Two-factor authentication provides additional assurance –Entities not yet required to implement more robust identity proofing per NIST Should extend to all clinical users accessing/exchanging data in the riskier exchange transactions. 7

Recommendations (3 of 3) 4.ONC’s work to implement this recommendation should be informed by NSTIC and aim to establish trust within the health care system, taking into account provider workflow needs and the impact of approaches to trusted identity on health care on health care quality and safety. For example, NSTIC also will focus on the capability to pass along key attributes that can be attached to identity. The capability to pass key attributes – e.g., valid professional license – may be critical to facilitating access to data. 5.ONC should consult with NIST about future iterations of NIST to identify any unique needs in the healthcare environment that must be specifically addressed. 8

Authentication Requirements LOA2LOA3 Single factorMulti-factor NIST LOA2 Identity Proofing (or higher) NIST LOA3 Identity proofing (or higher) Approved cryptographic techniques required Approved cryptographic required for all operations Eaves dropper, on-line guessing prevented Eavesdropper, replay, on-line guessing, verifier impersonation and man-in-the- middle attacks prevented LOA3/LOA 4 Multi-factor may be usedMinimum of two factors required; 3 token types may be used: “soft” cryptographic tokens, “hard” cryptographic tokens and “one-time password” device tokens. Examples: shared secret, mobile one- time- password (OTP) application, PKI, USB token, credit card password tokens, RFID or blue tooth token 9

LOA2/LOA3 Identity Proofing Required Information Level 2Level 3 In person Possession of valid current primary Government Picture ID applicant’s picture, and either address of record or nationality of record (e.g. driver’s license or passport) Level 2 plus ID must be verified Remote Possession of a valid Government ID (e.g. a driver’s license or passport) number and Financial account number (e.g., checking account, savings account, loan or credit card) with confirmation via records of either number. Same as Level 2 but confirmation via records of both numbers. 10

Level 2Level 3 Inspects photo-ID, compare picture to applicant, record ID number, address and DoB. If ID appears valid and photo matches applicant then: a) If ID confirms address of record, authorize or issue credentials and send notice to address of record, or; b) If ID does not confirm address of record, issue credentials in a manner that confirms address of record. Essentially same as Level 2 plus Verify via the issuing government agency or through credit bureaus or similar databases. Confirm that: name, DoB, address and other personal information in record are consistent with the application. LOA2/LOA3 Identity Proofing Registration Authority (RA) In Person Process Person 11

LOA2/LOA3 Identity Proofing Registration Authority (RA) Remote Process Level 2Level 3 Verifies information provided by applicant including ID number or account number through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that: name, DoB, address other personal information in records are on balance consistent with the application and sufficient to identify a unique individual. Address confirmation and notification: a) Sends notice to an address of record confirmed in the records check or; b) Issues credentials in a manner that confirms the address of record supplied by the applicant; or c) Issues credentials in a manner that confirms the ability of the applicant to receive telephone communications or at number or address associated with the applicant in records. Verifies information provided by applicant including ID number and account number through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that: name, DoB, address and other personal information in records are consistent with the application and sufficient to identify a unique individual. Address confirmation: a) Issue credentials in a manner that confirms the address of record supplied by the applicant; or b) Issue credentials in a manner that confirms the ability of the applicant to receive telephone communications at a number associated with the applicant in records, while recording the applicant’s voice. 12