Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIT Policy Committee Report from HIT Standards Committee Privacy and Security Workgroup Dixie Baker, SAIC December 15, 2009.

Published byAmice Lora Waters Modified over 9 years ago

Similar presentations

Presentation on theme: "HIT Policy Committee Report from HIT Standards Committee Privacy and Security Workgroup Dixie Baker, SAIC December 15, 2009."— Presentation transcript:

1 HIT Policy Committee Report from HIT Standards Committee Privacy and Security Workgroup Dixie Baker, SAIC December 15, 2009

2 Standards, certification criteria, and implementation guidance are intended for use in certifying EHR products –How these capabilities are used within a healthcare environment is based on an individual organization’s size, complexity, capabilities, technical infrastructure, risks and vulnerabilities, and available resources Standards and certification criteria help assure that a “certified EHR product” provides the technical capabilities an organization will need in order to: –Comply with HIPAA and ARRA privacy and security provisions –Participate in the exchanges necessary to demonstrate “meaningful use” Demystifying Standards Recommendations 2

3 Demystifying 2011 Recommendations 3 HIPAA/ARRA StandardsSupporting Standards Obtain proof that users and systems are whom they claim to be (i.e., authenticate identity) before enabling them to use the system Use the same standard commonly used for web transactions (Transport Layer Security - TLS) to authenticate entities wishing to communicate over the web, and to set up a link between them Control access to information and capabilities Implement HIPAA Security Rule implementation specifications Provide the capability to encrypt and decrypt information Use the NIST-recommended Advanced Encryption Standard (AES) algorithm to encrypt and decrypt information Create an audit trail of system activities Provide the capability to send audit messages to other systems or to a central repository using the IHE Audit Trail and Node Authentication (ATNA) Integration Profile Use IHE Consistent Time (CT) Integration Profile, with Internet standard Network Time Protocols (NTP & SNTP) to synchronize time

4 Demystifying 2011 Recommendations 4 HIPAA/ARRA StandardsSupporting Standards Detect unauthorized changes in content Use one of the NIST-recommended Secure Hash Algorithms (SHA) to generate a numerical string that uniquely represents a block of data such that if the data are accidentally or intentionally changed, the string also will change Use ASTM standard as guidance in implementing electronic signatures Protect the confidentiality and integrity of information transmitted over networks (e.g., web) To secure information sent over the web, implement encryption and integrity protection using the NIST standards (AES and SHA) Use HITSP Service Collaboration 112 as guidance in sharing documents with entities outside the system Use Internet standard Domain Name Service (DNS) and Lightweight Data Access Protocol (LDAP) to locate resources on the Internet

5 Demystifying 2011 Recommendations 5 HIPAA/ARRA StandardsSupporting Standards Electronically record individual consumers' consents and authorizations Implement HIPAA Privacy Rule implementation specifications Provide the capability to create an electronic copy of an individual's electronic health record, record it on removable media, and transmit it to a designated entity Use HITSP Capability 120 as guidance in implementing the capability to record unstructured information on removable medium (e.g., CD, thumbdrive) or to send to a Personal Health Record (PHR) Provide the capability to de-identify information Implement HIPAA Privacy Rule implementation specifications Provide the capability to tag de- identified information with a secured link that can be used later to re- identify if necessary Use ISO pseudonymization standard as implementation guidance

6 Security protection is foundational to “meaningful use” of electronic health records (EHRs) – essential for privacy protection, patient safety, and quality care Hearing sought inputs from domain experts and health practitioners on potential issues, challenges, threats, and solutions around the securing of health information Security Hearing – November 19, 2009 6

7 1.System Stability and Reliability Challenges related to maintaining the stability and reliability of electronic health records (EHRs) in the face of natural and technological threats 2.Cybersecurity Challenges related to maintaining the trustworthiness of EHRs and Health Information Exchanges (HIEs) in the face of cyber threats such as denial of service attacks, malicious software, and failures of internet infrastructure 3.Data Theft, Loss, and Misuse Challenges involving accidental loss of data, data theft, extortion and sabotage, including criminal activities and other related areas 4.Building Trust Issues and challenges related to building and maintaining trust in the health information technology ecosystem, and the impacts that real and perceived security weaknesses and failures exert on health organizations, individual providers, and consumers Hearing Panels 7

8 Security awareness among healthcare organizations is low, and many organizations are not complying with HIPAA! HIMSS 2009 Survey found: –Fewer than half (47%) conduct annual risk assessments –58% have no security personnel –50% reported information security spending ≤3% Days of tightly controlled perimeters are long gone – need to address distributed, mobile, wireless, and virtual resources, as well as computers embedded in FDA-regulated biomedical devices Cyberthreats are real – and as a critical component of our national infrastructure, health care is targeted Key Messages for Policy Committee 8

9 Security plays major role in protecting patient safety –Data integrity protection to help ensure accuracy of patient records –Protection of safety-critical information (e.g., clinical guidelines) Need for defense in depth – layered policy and protection Need to continually monitor and measure security “outcomes” – effectiveness of security policies and mechanisms cannot be assumed –Use “evidence-based” security policies and practices –Today’s security is plagued with dogma – password rules are antiquated, PC security may not matter, file encryption ineffective Key Messages (2) 9

10 Need baseline policies and standards for: –Authorization –Authentication – identity proofing and authentication is foundational since all other security protection depends upon –Access Control Role-based security is important – but roles vary across institutions, so creating common policy would be challenging –Audit trail Audit logs from vendor systems may be insufficient to detect misuse Key Messages (3) 10

Download ppt "HIT Policy Committee Report from HIT Standards Committee Privacy and Security Workgroup Dixie Baker, SAIC December 15, 2009."

Similar presentations

1 HIT Standards Committee Privacy and Security Workgroup: Reformatted Standards Recommendations & Implementation Guidance Dixie Baker, SAIC Steven Findlay,

1 HIT Standards Committee Privacy and Security Workgroup: Reformatted Standards Recommendations & Implementation Guidance Dixie Baker, SAIC Steven Findlay,
NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.

Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.
Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.

Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.
1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.

1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.

DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Security Controls – What Works

Security Controls – What Works
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
HITSP – enabling healthcare interoperability 1 enabling healthcare interoperability 1 Standards Harmonization HITSP’s efforts to address HIT-related provisions.

HITSP – enabling healthcare interoperability 1 enabling healthcare interoperability 1 Standards Harmonization HITSP’s efforts to address HIT-related provisions.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Similar presentations

Ads by Google