Download presentation
Presentation is loading. Please wait.
Published byCharla Barnett Modified over 9 years ago
1
Security and Privacy Requirements to Support the Exchange of Health Information June 30, 2009 Copyright 2009. All Rights Reserved.
2
PANEL Copyright 2009. All Rights Reserved. 2 Suzanne Lightman Lead Policy Analyst, Office of Management and Budget (OMB) Jodi Daniel Director, Office of Policy & Research, Office of the National Coordinator (ONC) Julie Boughn Chief Information Officer and Director, Office of Information Services, Centers for Medicare & Medicaid Services (CMS) Ashley Corbin PhD, Co-chair, Federal Security Strategy Work Group
3
Agenda Topics Covered in this Session Importance of Security & Privacy Update on ONCHIT “Nationwide Privacy & Security Framework for Electronic Exchange of Individually Identifiable Health Information” CIO Federal Partner Perspectives (Requirements, Challenges, Opportunities) FHA Federal Security Strategy Initiative (FSS) CONNECT Certification & Accreditation Incorporation of Security & Privacy Guidelines and Standards in Current and Future CONNECT Versions Open Q&A 3 Copyright 2009. All Rights Reserved.
4
Suzanne Lightman Lead Policy Analyst, OMB OFFICE OF MANAGEMENT AND BUDGET 4 Copyright 2009. All Rights Reserved.
5
Jodi Daniel, JD, MPH Director, Office of Policy & Research, ONC OFFICE OF THE NATIONAL COORDINATOR 5 Copyright 2009. All Rights Reserved.
6
Privacy, Security and Health IT Value of Health IT What’s new? Individuals may have greater roles in their care New entities New challenges and opportunities for protecting individually identifiable health information New approaches to making information more accessible New questions/concerns 6 Copyright 2009. All Rights Reserved.
7
Privacy, Security and Health IT Multiple Dimensions Policy Nationwide Privacy and Security Framework Legal Obligations HIPAA Privacy and Security Rules Expanded by ARRA provisions Specific Implementation NHIN 7 Copyright 2009. All Rights Reserved.
8
Nationwide Privacy & Security Framework Policy Guide Establishes principles Goal is to apply to all health care-related persons and entities that hold and exchange electronic individually identifiable health information Foundation upon which current policies and tools are built -Toolkit that supports the Framework -Implementation guidance 8 Copyright 2009. All Rights Reserved.
9
Toolkit Draft Model Personal Health Record (PHR) Privacy Notice & Facts-At-A-Glance Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices HIPAA Privacy Rule Guidance Related to the Privacy and Security Framework and Health IT 9 Copyright 2009. All Rights Reserved.
10
American Recovery and Reinvestment Act of 2009 (ARRA) Legal Requirements –Established two Federal Advisory Committees –Requires the Secretary to promulgate regulations related to the electronic exchange of health information –Added Privacy Protections 10 Copyright 2009. All Rights Reserved.
11
ARRA Privacy Provisions HIPAA Modifications –Some provisions and enforcement applies to business associates –Breach notification requirement –Changes regarding specific provisions (e.g., electronic access, accounting, sale of PHI) PHR Breach Notification Enhanced Enforcement –Includes ability for State Attorneys General to enforce Education Efforts 11 Copyright 2009. All Rights Reserved.
12
Privacy and Security in Operation Specific Implementation –NHIN – Exchange NHIN Specifications DURSA development Consumer preferences Privacy and Security –Certification Criteria – EHR Products 12 Copyright 2009. All Rights Reserved.
13
Julie Boughn CIO and Director, Office of Information Services, Centers for Medicare & Medicaid Services Copyright 2009. All Rights Reserved. 13
14
Ashley Corbin, PhD, MBA Federal Security Strategy Initiative Co-Chair, Director, DRAV, CMS 14 Copyright 2009. All Rights Reserved.
15
Differences in information security laws, requirements, and policies in the federal and non-federal sectors impacts the expansion of electronic exchange of health information FSS Work Group was chartered to analyze and develop practical guidance, recommendations and a strategic roadmap to address the situation FHA Federal Security Strategy 15 Copyright 2009. All Rights Reserved.
16
FHA Federal Security Strategy Interim Guidance The FSS Work Group has drafted interim guidance for the federal partners that focuses on risk management-based adequate security assurances under FISMA 16 Copyright 2009. All Rights Reserved.
17
FHA Federal Security Strategy Information Security Service Model Approach Use standards based security management and assurance framework Establish public – private collaborative to drive compliance criteria that is achievable and maintainable Periodicity of evaluation, certification, and compliance based on a minimum set of criteria, but adaptable to the changing circumstances (e.g., the local HIEs) Leverage each organization’s capabilities for contributions in an overall governance framework Each participant is assessed their fair share of cost Coordinate quantifiable expectations and metrics and a process for continuous improvement Copyright 2009. All Rights Reserved. 17
18
CONNECT Certification & Accreditation Using NIST Compliant Information Security C&A Processes A full set of C&A documentation would describe and test the CONNECT Reference Architecture System as if it were an operational system with “live” data and operating in a specific location An Authorization to Operate (ATO) as a reference implementation for the NHIN under the HHS/ONC Certifying Authority and Designated Approving Authority (DAA) will be obtained C&A documentation provided with the CONNECT Gateway to partner agencies; –Would be utilized and/or directly referenced in their individual assessments –Would be modified by them to fit their operational environment and used in their C&A process 18 Copyright 2009. All Rights Reserved.
19
CONNECT Certification & Accreditation Consistent application of the security controls across the various federal partner organizations at large Savings can be realized in the security certification and accreditation process –The certification process draws upon any applicable results from the most current assessment of the common security controls performed at the HHS\ONC organization level. –An organization-wide (federal partner community) approach to reuse and sharing of assessment results can greatly enhance the efficiency of the security certifications and accreditations being conducted by organizations and significantly reduce security program costs. 19 Copyright 2009. All Rights Reserved.
20
A one-time, narrowly enforced C&A effort misses overlap opportunities with security program management and risk management requirements Opening up C&A by including continuous monitoring blends the complementary security goals of compliance and ongoing operational security Doing so will also leverage the spending and resource time spent on compliance into effective and efficient ongoing security practices Certification & Accreditation Operational Security Impact – Security Program C&A Process – System Information Revealed Information Types Contained Relative Importance of the System to the Organization Security Controls that Protect the System System Risks System Boundaries Operational Security Impact: Configuration baselines Implementation guidelines “Defensive” mechanisms (IDS, firewall rule sets, etc.) 20 Copyright 2009. All Rights Reserved.
21
Certification & Accreditation Operational Security Impact - Security Program Continuous Monitoring Methods Automated Processes IT Management Systems C&A Re-assessment Periodic Audits Select controls & monitoring approach System baseline categorization Control effectiveness Impact of system or environment change Operational Security Impact: Vulnerability discovery and mitigation Continual update of SSP and ST&E documents More efficient risk analysis and resource planning C&A – Continuous Monitoring Strategy 21 Copyright 2009. All Rights Reserved.
22
Security and Privacy Guidelines and Standards woven into CONNECT Messaging platform –Supports data confidentiality and integrity Audit log query interface –Supports accounting of disclosures Authorization framework interface –Supports authorization for access, purpose –Requests and verification of user Consumer preferences interface –Supports restrictions on access –Enable consumers to specify Authorized case follow-up –Supports requests for de-identified data and case follow-up 22 Copyright 2009. All Rights Reserved.
23
“Defining the NHIN Dial Tone in 2009” Interface Specification References Standard Description Messaging, Security and Privacy Foundation Messaging Platform SOAP/WSDL/ WS- Addressing/WS- Security Provide secure messaging services for all communications between NHIN-enabled health organizations Authorization FrameworkSAMLArticulate the justification for requesting patient medical information NHIN Services Subject DiscoveryPIXv3Services for locating patients based on demographic information Query for DocumentsXCA Locate health documents associated with a specific patient that conform to a set of query criteria Retrieve DocumentsXCARetrieve specific requested documents associated with a patient Query Audit LogIHE ATNALog requests for patient health information and make this log available to patients Authorized Case FollowupPIXv3 Provide an ability to re-identify pseudonymized patient records when legally permitted for public health case investigations Health Information Event Messaging WS- BaseNotification Provide a publish/subscribe capability for ongoing feeds of data between NHIN- enabled health organizations NHIE Service RegistryUDDI Registry servers that enables NHIN-enabled health organizations to discover the existence and connection information for other NHIN-enabled health organizations NHIN Profiles Consumer Preferences Profile XACML Enable consumers to specify with whom they wish to share their electronic health information 23 Copyright 2009. All Rights Reserved.
24
NHIN Services Architecture Profiles describe how to implement services for a specific domain like consumer preferences for information sharing or biosurveillance Services describe specific interfaces (web services) used between HIEs to discover and exchange health- related information Messaging, Security and Privacy Foundation describes the underlying protocols and capabilities necessary to send and secure messages between NHIEs Copyright 2009. All Rights Reserved. 24 Messaging, Security and Privacy Foundation NHIN Services NHIN Profiles Messaging Message Transport Services Definition Security Public Key Infrastructure Encryption Digital Signature Authorization Framework Requestor Authentication Requestor Authorization Discovery Services Subject Discovery Authorized Case Follow-up Query for Documents NHIE Service Registry Information Exchange Services Retrieve Documents Query Audit Log Health Information Event Messaging Consumer Preferences Profile Store and exchange consumer preferences for sharing of personal health information Other Profiles in Development GIPSE (Biosurveillance)
25
CONNECT Seminar Presentations are Available for Download Online at http://www.connectopensource.org http://www.connectopensource.org 25 Copyright 2009. All Rights Reserved.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.