HIT Policy Committee Report from HIT Standards Committee Privacy and Security Workgroup Dixie Baker, SAIC December 15, 2009
Standards, certification criteria, and implementation guidance are intended for use in certifying EHR products –How these capabilities are used within a healthcare environment is based on an individual organization’s size, complexity, capabilities, technical infrastructure, risks and vulnerabilities, and available resources Standards and certification criteria help assure that a “certified EHR product” provides the technical capabilities an organization will need in order to: –Comply with HIPAA and ARRA privacy and security provisions –Participate in the exchanges necessary to demonstrate “meaningful use” Demystifying Standards Recommendations 2
Demystifying 2011 Recommendations 3 HIPAA/ARRA StandardsSupporting Standards Obtain proof that users and systems are whom they claim to be (i.e., authenticate identity) before enabling them to use the system Use the same standard commonly used for web transactions (Transport Layer Security - TLS) to authenticate entities wishing to communicate over the web, and to set up a link between them Control access to information and capabilities Implement HIPAA Security Rule implementation specifications Provide the capability to encrypt and decrypt information Use the NIST-recommended Advanced Encryption Standard (AES) algorithm to encrypt and decrypt information Create an audit trail of system activities Provide the capability to send audit messages to other systems or to a central repository using the IHE Audit Trail and Node Authentication (ATNA) Integration Profile Use IHE Consistent Time (CT) Integration Profile, with Internet standard Network Time Protocols (NTP & SNTP) to synchronize time
Demystifying 2011 Recommendations 4 HIPAA/ARRA StandardsSupporting Standards Detect unauthorized changes in content Use one of the NIST-recommended Secure Hash Algorithms (SHA) to generate a numerical string that uniquely represents a block of data such that if the data are accidentally or intentionally changed, the string also will change Use ASTM standard as guidance in implementing electronic signatures Protect the confidentiality and integrity of information transmitted over networks (e.g., web) To secure information sent over the web, implement encryption and integrity protection using the NIST standards (AES and SHA) Use HITSP Service Collaboration 112 as guidance in sharing documents with entities outside the system Use Internet standard Domain Name Service (DNS) and Lightweight Data Access Protocol (LDAP) to locate resources on the Internet
Demystifying 2011 Recommendations 5 HIPAA/ARRA StandardsSupporting Standards Electronically record individual consumers' consents and authorizations Implement HIPAA Privacy Rule implementation specifications Provide the capability to create an electronic copy of an individual's electronic health record, record it on removable media, and transmit it to a designated entity Use HITSP Capability 120 as guidance in implementing the capability to record unstructured information on removable medium (e.g., CD, thumbdrive) or to send to a Personal Health Record (PHR) Provide the capability to de-identify information Implement HIPAA Privacy Rule implementation specifications Provide the capability to tag de- identified information with a secured link that can be used later to re- identify if necessary Use ISO pseudonymization standard as implementation guidance
Security protection is foundational to “meaningful use” of electronic health records (EHRs) – essential for privacy protection, patient safety, and quality care Hearing sought inputs from domain experts and health practitioners on potential issues, challenges, threats, and solutions around the securing of health information Security Hearing – November 19,
1.System Stability and Reliability Challenges related to maintaining the stability and reliability of electronic health records (EHRs) in the face of natural and technological threats 2.Cybersecurity Challenges related to maintaining the trustworthiness of EHRs and Health Information Exchanges (HIEs) in the face of cyber threats such as denial of service attacks, malicious software, and failures of internet infrastructure 3.Data Theft, Loss, and Misuse Challenges involving accidental loss of data, data theft, extortion and sabotage, including criminal activities and other related areas 4.Building Trust Issues and challenges related to building and maintaining trust in the health information technology ecosystem, and the impacts that real and perceived security weaknesses and failures exert on health organizations, individual providers, and consumers Hearing Panels 7
Security awareness among healthcare organizations is low, and many organizations are not complying with HIPAA! HIMSS 2009 Survey found: –Fewer than half (47%) conduct annual risk assessments –58% have no security personnel –50% reported information security spending ≤3% Days of tightly controlled perimeters are long gone – need to address distributed, mobile, wireless, and virtual resources, as well as computers embedded in FDA-regulated biomedical devices Cyberthreats are real – and as a critical component of our national infrastructure, health care is targeted Key Messages for Policy Committee 8
Security plays major role in protecting patient safety –Data integrity protection to help ensure accuracy of patient records –Protection of safety-critical information (e.g., clinical guidelines) Need for defense in depth – layered policy and protection Need to continually monitor and measure security “outcomes” – effectiveness of security policies and mechanisms cannot be assumed –Use “evidence-based” security policies and practices –Today’s security is plagued with dogma – password rules are antiquated, PC security may not matter, file encryption ineffective Key Messages (2) 9
Need baseline policies and standards for: –Authorization –Authentication – identity proofing and authentication is foundational since all other security protection depends upon –Access Control Role-based security is important – but roles vary across institutions, so creating common policy would be challenging –Audit trail Audit logs from vendor systems may be insufficient to detect misuse Key Messages (3) 10