Consumer Authentication for Networked Personal Health Information Redwood Health Information Collaborative March 18, 2008 Josh Lemieux Director, Personal.

Presentation transcript:

Consumer Authentication for Networked Personal Health Information Redwood Health Information Collaborative March 18, 2008 Josh Lemieux Director, Personal Health Technology Initiative, Markle Health Program

Common Framework for Networked Personal Health Information

Objectives
The overall purpose:
–To help open up private and secure data flows between health data sources and consumer-accessible applications (networked PHRs).
–We call these “Consumer Data Streams” — the chain of handoffs of copies of personal health information destined for the consumer’s application.
The focus is on policies:
–Authentication: Trust across entities for ID proofing, online tokens, ongoing monitoring, and auditing.
–Access: Broader focus on privacy, consent, data collection and use, transparency, enforcement, etc., across entities participating in Consumer Data Streams.

Many Simultaneous Activities
Access policy efforts: Employers, AHIC, HITSP, HISPC, National Governors Ass’n, Congress, etc.
Authentication efforts: EAP/EAF, AHIC, HITSP, Liberty Alliance, VeriSign, private vendors, AHIP/BCBS, Dossia, Intuit, Revolution, WebMD, Google, Microsoft, VA/CMS, large IDNs, many smaller players.
Public and private PHR efforts

Consumer Authentication Overview
The Working Group set out to find a set of authentication methods and policies that would bring networked PHRs closer to reality.
Two big barriers:
1. Proofing: We could not find Metric “X” for proofing accuracy.
2. Business issues (i.e., competition, lack of business value, and fear of liability) may discourage data holders from accepting even well-executed proofing and authentication from remote parties.

Consumer Authentication Recommendations, Part 1: Proofing
1A: In-person proofing is a reasonable — although imperfect and poorly measured — default when there is no prior relationship with the consumer. But it’s not always feasible.
1B: Consider ‘bootstrapping’ in-person encounters with other sectors (financial institutions, post offices, retail pharmacies, notary publics, etc.).

Consumer Authentication Recommendations, Part 1: Proofing
1C: Consider remote proofing methods that:
a. Rely on combinations of at least two alternative methods or sources for validating identity that use separate data (i.e., don't use two different sources that both rely on the Social Security Number or on the same account number).
b. Are optimized to minimize the rate of false positives (i.e., when the wrong person is granted access based on an identity not his own).
c. Provide an alternative identity-proofing protocol to mitigate false negatives (i.e., when the right person using his correct identity is denied access nonetheless).
d. Take precautions to minimize risk to the consumer.

Consumer Authentication Recommendations, Part 1: Proofing (continued)
1D: Begin Federal research on identity proofing quality: Federal studies to create proofing accuracy benchmarks.
1E: Do not use clinical information as validation data in an authentication process.
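The following Python sketch is an added illustration of how a relying party could enforce recommendations 1C(a), 1C(c) and 1E in code; it is not part of the Markle presentation or any Markle deliverable. The Evidence fields, the "underlying data" labels, the source names and the three sample applicants are all assumptions constructed for the example. The point it makes beyond the slide text is that independence is a property of the data a source rests on, not of the vendor: two different vendors that both key off the SSN count as one source.

```python
"""Policy check for remote identity proofing (added example, not Markle code).

Models three of the recommendations above:
  1C(a) require at least two verified sources that rest on SEPARATE data;
  1C(c) when that cannot be met, refer to an alternative proofing protocol
        instead of denying, so a legitimate applicant is not locked out;
  1E    never count clinical information as validation data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Evidence:
    """One piece of identity evidence supplied during remote proofing (constructed schema)."""
    source: str                 # who vouched, e.g. "credit-bureau-kba" (hypothetical name)
    underlying: frozenset       # the identifying data the source actually relies on
    clinical: bool = False      # True if the evidence is health/clinical information
    verified: bool = True       # did the source confirm a match?


@dataclass
class ProofingDecision:
    outcome: str                # "pass" or "refer" (refer = use the alternative protocol)
    reasons: list = field(default_factory=list)


def independent_pairs(evidence):
    """Return (source, source) pairs of verified, non-clinical evidence whose
    underlying data do not overlap.  Two sources that both rest on the SSN or
    the same account number are not independent even if they are different
    organisations (recommendation 1C(a))."""
    usable = [e for e in evidence if e.verified and not e.clinical]
    pairs = []
    for i, a in enumerate(usable):
        for b in usable[i + 1:]:
            if a.underlying.isdisjoint(b.underlying):
                pairs.append((a.source, b.source))
    return pairs


def evaluate_remote_proofing(evidence):
    """Apply the policy and explain the result.  A failed check is a referral,
    not a denial, because the cost of a false negative is borne by the consumer."""
    decision = ProofingDecision(outcome="refer")
    clinical = [e.source for e in evidence if e.clinical]
    if clinical:
        # 1E: clinical data is dropped from consideration, never used as a validator.
        decision.reasons.append(f"ignored clinical validation data from {clinical} (1E)")
    pairs = independent_pairs(evidence)
    if pairs:
        decision.outcome = "pass"
        decision.reasons.append(f"two verified sources on separate data: {pairs[0]} (1C.a)")
    else:
        decision.reasons.append(
            "no two verified sources rest on separate data; "
            "route to the alternative proofing protocol (1C.c)")
    return decision


# Constructed sample applicants (not real people or real vendors).
APPLICANT_PASS = [
    Evidence("credit-bureau-kba", frozenset({"ssn", "credit-file"})),
    Evidence("bank-micro-deposit", frozenset({"bank-account-number"})),
    Evidence("mobile-carrier-match", frozenset({"phone-number"}), verified=False),  # failed, ignored
]
APPLICANT_SHARED_SSN = [
    Evidence("credit-bureau-kba", frozenset({"ssn", "credit-file"})),
    Evidence("data-broker-kba", frozenset({"ssn"})),   # different vendor, same root identifier
]
APPLICANT_CLINICAL = [
    Evidence("credit-bureau-kba", frozenset({"ssn", "credit-file"})),
    Evidence("recent-lab-result-quiz", frozenset({"lab-results"}), clinical=True),
]

if __name__ == "__main__":
    for name, applicant in [("pass", APPLICANT_PASS),
                            ("shared-ssn", APPLICANT_SHARED_SSN),
                            ("clinical", APPLICANT_CLINICAL)]:
        d = evaluate_remote_proofing(applicant)
        print(f"{name}: {d.outcome} -- {'; '.join(d.reasons)}")
```

Running the module prints one line per sample applicant: the first passes on the credit-bureau plus bank-account pair (the failed carrier lookup is ignored), the second is referred because both vendors rest on the SSN, and the third is referred because the clinical quiz is discarded and only one usable source remains.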

Consumer Authentication Recommendations, Parts 2 & 3: Tokens and Monitoring
2A-2E: Follow industry practice in binding, use, and re-use of tokens.
3A: Ongoing monitoring: Proofing is a process, not an event. Every authentication offers a chance at re-verification.
3B: Enable consumers to view the audit trail: Consumers can help detect fraud when they have access to transaction history.

Consumer Authentication Recommendations, Part 4: Auditing and Enforcement
4A: Ensure that third parties are “observable” in how and how well they are performing identity proofing, token-issuing and ongoing monitoring or any related services to authenticate consumers.
4B: Ensure a mechanism for enforcement and redress for bad actions.
4C: Consider federation and/or other contractual means to address Recommendations 4A and 4B.

Conclusion: A Path Forward
Our next area of work is to establish policy rules and techniques that establish trust among participants, including consumers, over a “network of networks.” New trends — new threats, new business relationships, emerging technologies, and consumer awareness and behavior — all warrant close monitoring and all reinforce the idea that the path forward on consumer authentication requires careful thinking, new research, and innovative approaches.

Closing Remarks
Thank You!