SlideShare une entreprise Scribd logo

Privacy and Security Tiger Team 010813

Brian Ahier
Brian Ahier

Privacy and Security Tiger Team Trusted Identity of Patients in Cyberspace Recommendations on Patient Identity Proofing and Authentication January 8, 2012

1  sur  23
Télécharger pour lire hors ligne
Privacy and Security Tiger Team Trusted Identity of Patients in Cyberspace Recommendations on Patient Identity Proofing and Authentication January 8, 2012
Tiger Team Members • Deven McGraw, Chair, Center for Democracy & Technology • Paul Egerman, Co-Chair • Dixie Baker, SAIC • Neil Calman, Institute for Family Health • Carol Diamond, Markle Foundation • Judy Faulkner, Epic • Leslie Francis, University of Utah; NCVHS • Gayle Harrell, Consumer Representative/Florida • John Houston, University of Pittsburgh Medical Center • Alice Leiter, National Partnership for Women & Families • David McCallie, Cerner Corp. • Wes Rishel, Gartner • Latanya Sweeney, Carnegie Mellon University • Micky Tripathi, Massachusetts eHealth Collaborative • Kitt Winter, Social Security Administration 2
Recommendations (1) (DRAFT) Overarching Recommendation: ONC should develop and disseminate best practices for identity proofing and authentication for patient access to portals (MU2 view, download, and transmit capability); such best practices should be disseminated to EPs, EHs and CAHs sufficiently in advance of the onset of Stage 2 to enable planning. • ONC should disseminate these best practices to providers through the RECs and through other means to ensure wide distribution. • These best practices should also be disseminated to vendors. 3
Recommendation (2) (DRAFT) • Recommendation 2: Such best practices should be consistent with the following overarching principles: – Protections should be commensurate with risks – Simplicity and ease of use for patients and consistent with “what they are willing to do” – Flexibility in methods offered—”one size does not fit all” – Leverage solutions in other sectors, such as banking – Accompanied by education that make these processes transparent to the patient – Build to scalable solutions (e.g., greater use of voluntary secure identity providers) – Solutions need to evolve over time as technology changes 4
Key Takeaways from Hearing (to help inform best practices) (DRAFT) • ID Proofing – In person ID proofing provides the most protection. – However, remote proofing is highly desired by some patient populations (veterans, rural, elderly) & is needed to enable more patients to use these accounts. – Consequently, best practices for both options should be provided. 5
In-Person ID Proofing (DRAFT) • Performed by provider where relationship/trust exists; training of provider employees on basics of identity proofing recommended. • Provider may rely on others to perform in-person (for example, notaries public; may be more viable option post implementation of NSTIC) 6
Remote ID Proofing (1) (DRAFT) • Remote ID proofing should be offered, but does raise more risks. Potential methods: – Rely on re-use of existing credentials (for example, credentialing for on-line sites like Facebook) – Third-party, knowledge-based • Dependent on quality of data, questions; may be expensive • May not address all patients, for example, minors <18 • Patient education critical to address privacy concerns – In–house, demographic matching on practice management or other provider systems (Note that for knowledge-based or demographic data ID proofing solutions, best practice to use some data fields not known to others, including family members) – Use of technology (such as through computer cameras) 7
Remote ID Proofing (2) (DRAFT) • To further manage risks, couple with out-of-band confirmation (using an independent/different channel to confirm identity) – for example, letter to confirm account establishment/access by right person; sending to other e-mail addresses; confirming phone call to patient; alerting of unusual activity in the account). 8
Authentication (1) (DRAFT) • Previous recommendation: Providers should require at least a user name and password to authenticate patients – This single-factor authentication should be a minimum – Providers may want to offer their patients additional security (such as through additional authentication factors) or provide such additional security for access to particularly sensitive data – should also be mindful of guidelines for identification and not set requirements so high that patients are discouraged or cannot meaningfully participate 9
Authentication (2) (DRAFT) • Post hearing: ONC should strongly encourage providers to use more than user ID and password (Level “2.5”), and at least initially, drive toward protections analogous to those used in online banking • The Tiger Team considered whether it should encourage the HITSC, though the P&S WG, to consider certification standards in this area. However, given that “one size does not fit all” and the need to take advantage of improvements offered by the evolving technology in this area, the Tiger Team concluded that certification standards may not be the best approach at this time. 10
Authentication (3) (DRAFT) • ONC should also disseminate, at a minimum, the latest best practices in password management • Technology options for authentication continue to evolve; ONC should continue to monitor and update policies as appropriate to reflect improved technological capabilities. 11
Best Practices (draft) - Transparency • Given the risks associated with credentialing patients for view/download/transmit and the critical importance of educating patients about the use of these functions, ONC should respond to previous Policy Committee Recommendations regarding transparency of risks/benefits of V/D/T to patients. (see backup slides) 12
Patient Use of DIRECT • The Tiger Team also considered whether it needed to make additional recommendations on the use of the DIRECT protocol when patients use the “transmit” function to authorize transmission of their information to a PHR or other third-party. • The Tiger Team concluded that DIRECT is moving forward in way that is consistent with these recommendations: – Specifically, the patient (or legal representative) provides the DIRECT address to the provider – No further recommendations are needed at this time • Additional details on the use of DIRECT are shown on the following slide. 13
Future Solutions (DRAFT) • NSTIC, which would provide for credentials that could be re-used for a range of online purposes, should provide a more scalable solution for patient authentication in the future • ONC should continue to work with NIST to ensure that any issues unique to the health care environment are addressed in the development of the NSTIC approach 14
Backup Slides BACKUP SLIDES 15
Transparency Recommendations on View/Download (1 of 4) • The Tiger Team opted to offer best practice guidance for providers (as well as vendors and software developers) participating in the Meaningful Use program as stated below. Such best practice guidance could be communicated by ONC through the Regional Extension Centers (RECs) as well as through the entities certifying EHR Technology. – Providers participating in the Meaningful Use program should offer patients clear and simple guidance regarding use of the view and download functionality in Stage 2. 16
Transparency Recommendations on View/Download (2 of 4) – With respect to the download functionality, such guidance should be offered at the time the patient indicates a desire to download electronic health information and, at a minimum, address the following three items • Remind patients that they will be in control of the copy of their medical information that they have downloaded and should take steps to protect this information in the same way that they protect other types of sensitive information. • Include a link or links to resources with more information on such topics as the download process and how the patient can best protect information after download. • Obtain independent confirmation that the patient wants to complete the download transaction or transactions. 17
Transparency Recommendations on View/Download (3 of 4) – With respect to the “view” functionality, such guidance should address the potential risks of viewing information on a public computer, or viewing sensitive information on a screen that may be visible to others, or failing to properly log out after viewing. – Providers should also utilize techniques, if appropriate, that avoid or minimize the need for patients to receive repeat notices of the guidance on view and/or download risks. – Providers should also request vendors and software developers to configure the view and download functionality in a way that no cache copies are retained after the view session is terminated. Providers should also request that their view and download functionality include the capability to automatically terminate the session after a period of inactivity. 18
Transparency Recommendations on View/Download (4 of 4) – ONC should also provide the above guidance to vendors and software developers, such as through entities conducting EHR certification. – Providers can review the Markle Foundation policy brief, and the guidance provided to patients as part of the MyHealtheVet Blue Button and Medicare Blue Button, for examples of guidance provided to patients using view and download capabilities. 19
Office of the Secretary Office for Civil Rights (OCR) Overview of the Verification Requirements of the HIPAA Privacy and Security Rules David S. Holtzman, JD, CIPP/G Office for Civil Rights Health Information Privacy Division 20
Privacy Rule Verification Standard • The Privacy Rule (45 CFR 164.514 (h)) requires covered entities (CE) to verify the identity and authority of a person requesting protected health information (PHI), if not known to the CE. • The Rule allows for verification in most instances in either oral or written form, although verification does require written documentation when such documentation is a condition of the disclosure. • The Rule generally does not include specific or technical verification requirements to permit covered entities to fashion procedures that fit the size and complexity of their organization. • The CE must also establish and document procedures for verification of identity and authority of personal representatives, if not known to the entity. OCR 21
Implementing the Privacy Rule’s Verification Standard • For example, verification procedures that can be applied in an electronic health information environment: • Consumers can agree with the CE to keep current their demographic information and personal representatives so the CE can appropriately authenticate each user of the network • For persons claiming to be government officials, proof of government status may be provided by having a legitimate government e-mail extension (e.g., xxx.gov) • Documentation requiring signatures may be provided as a scanned image of the signed documentation or as an electronic document with an electronic signature, to the extent the electronic signature is valid under applicable law. OCR 22
Security Rule Verification Standards • The Security Rule layers additional safeguards for the verification of identity when attempting to access electronic protected health information (e-PHI). • The information access management standard (45 CFR 164.308(a)(4)(i)) requires a covered entity or their business associate to have formal, documented policies and procedures implemented for the authorization of access to e-PHI that are complimentary with those of the Privacy Rule. • The person or entity authentication standard (45 CFR 164.312(d)) requires a covered entity to implement procedures or security measures to verify that a person or entity seeking access to e-PHI is the one claimed. OCR 23

Recommandé

Health Informatics: The Electronic Health Record - Dr. Sam Gharbi
Health Informatics: The Electronic Health Record - Dr. Sam GharbiHealth Informatics: The Electronic Health Record - Dr. Sam Gharbi
Health Informatics: The Electronic Health Record - Dr. Sam GharbiSam Gharbi
 
Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Schellman & Company
 
NHIN Privacy & Security
NHIN Privacy & SecurityNHIN Privacy & Security
NHIN Privacy & SecurityBrian Ahier
 
The Four Balancing Acts Involved with Healthcare Data Security Frameworks
The Four Balancing Acts Involved with Healthcare Data Security FrameworksThe Four Balancing Acts Involved with Healthcare Data Security Frameworks
The Four Balancing Acts Involved with Healthcare Data Security FrameworksHealth Catalyst
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to YouWinston & Strawn LLP
 
How will the Internet of Things look by 2025?
How will the Internet of Things look by 2025?How will the Internet of Things look by 2025?
How will the Internet of Things look by 2025?Pew Research Center's Internet & American Life Project
 
Protecting Data in the Age of Cybercrime and Data Breach
Protecting Data in the Age of Cybercrime and Data BreachProtecting Data in the Age of Cybercrime and Data Breach
Protecting Data in the Age of Cybercrime and Data BreachLogikcull.com
 
DVHIMSS Ensuring Privacy and Security of HIEs in PA
DVHIMSS Ensuring Privacy and Security of HIEs in PADVHIMSS Ensuring Privacy and Security of HIEs in PA
DVHIMSS Ensuring Privacy and Security of HIEs in PAWilliam Buddy Gillespie ITIL Certified
 

Recommandé

Health Informatics: The Electronic Health Record - Dr. Sam Gharbi
Health Informatics: The Electronic Health Record - Dr. Sam GharbiHealth Informatics: The Electronic Health Record - Dr. Sam Gharbi
Health Informatics: The Electronic Health Record - Dr. Sam GharbiSam Gharbi
 
Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Schellman & Company
 
NHIN Privacy & Security
NHIN Privacy & SecurityNHIN Privacy & Security
NHIN Privacy & SecurityBrian Ahier
 
The Four Balancing Acts Involved with Healthcare Data Security Frameworks
The Four Balancing Acts Involved with Healthcare Data Security FrameworksThe Four Balancing Acts Involved with Healthcare Data Security Frameworks
The Four Balancing Acts Involved with Healthcare Data Security FrameworksHealth Catalyst
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to YouWinston & Strawn LLP
 
How will the Internet of Things look by 2025?
How will the Internet of Things look by 2025?How will the Internet of Things look by 2025?
How will the Internet of Things look by 2025?Pew Research Center's Internet & American Life Project
 
Protecting Data in the Age of Cybercrime and Data Breach
Protecting Data in the Age of Cybercrime and Data BreachProtecting Data in the Age of Cybercrime and Data Breach
Protecting Data in the Age of Cybercrime and Data BreachLogikcull.com
 
DVHIMSS Ensuring Privacy and Security of HIEs in PA
DVHIMSS Ensuring Privacy and Security of HIEs in PADVHIMSS Ensuring Privacy and Security of HIEs in PA
DVHIMSS Ensuring Privacy and Security of HIEs in PAWilliam Buddy Gillespie ITIL Certified
 
Summary of Recommendations on Provider and Patient Identity Management
Summary of Recommendations on Provider and Patient Identity ManagementSummary of Recommendations on Provider and Patient Identity Management
Summary of Recommendations on Provider and Patient Identity ManagementBrian Ahier
 
HIT Policy Committee FDASIA Update
HIT Policy Committee FDASIA UpdateHIT Policy Committee FDASIA Update
HIT Policy Committee FDASIA UpdateBrian Ahier
 
Innovirtua Healthcare Case Study
Innovirtua Healthcare Case StudyInnovirtua Healthcare Case Study
Innovirtua Healthcare Case StudyInnovirtua
 
Apply Computer and Mobile Health Technology.pptx
Apply Computer and Mobile Health Technology.pptxApply Computer and Mobile Health Technology.pptx
Apply Computer and Mobile Health Technology.pptxdereje33
 
Building Digital Trust : The role of data ethics in the digital age
Building Digital Trust : The role of data ethics in the digital ageBuilding Digital Trust : The role of data ethics in the digital age
Building Digital Trust : The role of data ethics in the digital ageAccenture Technology
 
COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...
COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...
COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...Ulster University
 
EHR Certification Requirements For Medical Practices
EHR Certification Requirements For Medical PracticesEHR Certification Requirements For Medical Practices
EHR Certification Requirements For Medical PracticesMichael Patrick
 
Clinical Data Standards and Data Portability
Clinical Data Standards and Data Portability Clinical Data Standards and Data Portability
Clinical Data Standards and Data Portability Nrip Nihalani
 
EHR Certification for Medical Practices
EHR Certification for Medical PracticesEHR Certification for Medical Practices
EHR Certification for Medical PracticesMichael Duffy
 
Nur3563group8 cis
Nur3563group8 cisNur3563group8 cis
Nur3563group8 cistb45004
 
242714436-Organizational-Security-Policies.pptx
242714436-Organizational-Security-Policies.pptx242714436-Organizational-Security-Policies.pptx
242714436-Organizational-Security-Policies.pptxssuser6c814f
 
Final ppt g08
Final ppt g08Final ppt g08
Final ppt g08hetvi naik
 
Leveraging emerging standards for patient engagement pcha
Leveraging emerging standards for patient engagement pchaLeveraging emerging standards for patient engagement pcha
Leveraging emerging standards for patient engagement pchamHealth2015
 
5 Healthcare Tech Trends To Watch
5 Healthcare Tech Trends To Watch5 Healthcare Tech Trends To Watch
5 Healthcare Tech Trends To WatchStaples
 
CIS 2015- User-centric Privacy of Identity- Jenn Behrens
CIS 2015- User-centric Privacy of Identity- Jenn BehrensCIS 2015- User-centric Privacy of Identity- Jenn Behrens
CIS 2015- User-centric Privacy of Identity- Jenn BehrensCloudIDSummit
 
MOVIE RECOMMENDATION SYSTEM
MOVIE RECOMMENDATION SYSTEMMOVIE RECOMMENDATION SYSTEM
MOVIE RECOMMENDATION SYSTEMIRJET Journal
 
UK mHealth app assessment
UK mHealth app assessmentUK mHealth app assessment
UK mHealth app assessment3GDR
 
&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...
&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...
&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...mcarruthers
 
Use of personalized medicine tools for clinical research networks
Use of personalized medicine tools for clinical research networksUse of personalized medicine tools for clinical research networks
Use of personalized medicine tools for clinical research networksWolfgang Kuchinke
 
Kuchinke Personalized Medicine tools for clinical research networks
Kuchinke Personalized Medicine tools for clinical research networksKuchinke Personalized Medicine tools for clinical research networks
Kuchinke Personalized Medicine tools for clinical research networksWolfgang Kuchinke
 
Draft TEFCA
Draft TEFCADraft TEFCA
Draft TEFCABrian Ahier
 
Future is Now
Future is NowFuture is Now
Future is NowBrian Ahier
 

Contenu connexe

Similaire à Privacy and Security Tiger Team 010813

Summary of Recommendations on Provider and Patient Identity Management
Summary of Recommendations on Provider and Patient Identity ManagementSummary of Recommendations on Provider and Patient Identity Management
Summary of Recommendations on Provider and Patient Identity ManagementBrian Ahier
 
HIT Policy Committee FDASIA Update
HIT Policy Committee FDASIA UpdateHIT Policy Committee FDASIA Update
HIT Policy Committee FDASIA UpdateBrian Ahier
 
Innovirtua Healthcare Case Study
Innovirtua Healthcare Case StudyInnovirtua Healthcare Case Study
Innovirtua Healthcare Case StudyInnovirtua
 
Apply Computer and Mobile Health Technology.pptx
Apply Computer and Mobile Health Technology.pptxApply Computer and Mobile Health Technology.pptx
Apply Computer and Mobile Health Technology.pptxdereje33
 
Building Digital Trust : The role of data ethics in the digital age
Building Digital Trust : The role of data ethics in the digital ageBuilding Digital Trust : The role of data ethics in the digital age
Building Digital Trust : The role of data ethics in the digital ageAccenture Technology
 
COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...
COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...
COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...Ulster University
 
EHR Certification Requirements For Medical Practices
EHR Certification Requirements For Medical PracticesEHR Certification Requirements For Medical Practices
EHR Certification Requirements For Medical PracticesMichael Patrick
 
Clinical Data Standards and Data Portability
Clinical Data Standards and Data Portability Clinical Data Standards and Data Portability
Clinical Data Standards and Data Portability Nrip Nihalani
 
EHR Certification for Medical Practices
EHR Certification for Medical PracticesEHR Certification for Medical Practices
EHR Certification for Medical PracticesMichael Duffy
 
Nur3563group8 cis
Nur3563group8 cisNur3563group8 cis
Nur3563group8 cistb45004
 
242714436-Organizational-Security-Policies.pptx
242714436-Organizational-Security-Policies.pptx242714436-Organizational-Security-Policies.pptx
242714436-Organizational-Security-Policies.pptxssuser6c814f
 
Leveraging emerging standards for patient engagement pcha
Leveraging emerging standards for patient engagement pchaLeveraging emerging standards for patient engagement pcha
Leveraging emerging standards for patient engagement pchamHealth2015
 
5 Healthcare Tech Trends To Watch
5 Healthcare Tech Trends To Watch5 Healthcare Tech Trends To Watch
5 Healthcare Tech Trends To WatchStaples
 
CIS 2015- User-centric Privacy of Identity- Jenn Behrens
CIS 2015- User-centric Privacy of Identity- Jenn BehrensCIS 2015- User-centric Privacy of Identity- Jenn Behrens
CIS 2015- User-centric Privacy of Identity- Jenn BehrensCloudIDSummit
 
MOVIE RECOMMENDATION SYSTEM
MOVIE RECOMMENDATION SYSTEMMOVIE RECOMMENDATION SYSTEM
MOVIE RECOMMENDATION SYSTEMIRJET Journal
 
UK mHealth app assessment
UK mHealth app assessmentUK mHealth app assessment
UK mHealth app assessment3GDR
 
&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...
&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...
&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...mcarruthers
 
Use of personalized medicine tools for clinical research networks
Use of personalized medicine tools for clinical research networksUse of personalized medicine tools for clinical research networks
Use of personalized medicine tools for clinical research networksWolfgang Kuchinke
 
Kuchinke Personalized Medicine tools for clinical research networks
Kuchinke Personalized Medicine tools for clinical research networksKuchinke Personalized Medicine tools for clinical research networks
Kuchinke Personalized Medicine tools for clinical research networksWolfgang Kuchinke
 

Similaire à Privacy and Security Tiger Team 010813 (20)

Summary of Recommendations on Provider and Patient Identity Management
Summary of Recommendations on Provider and Patient Identity ManagementSummary of Recommendations on Provider and Patient Identity Management
Summary of Recommendations on Provider and Patient Identity Management
 
HIT Policy Committee FDASIA Update
HIT Policy Committee FDASIA UpdateHIT Policy Committee FDASIA Update
HIT Policy Committee FDASIA Update
 
Innovirtua Healthcare Case Study
Innovirtua Healthcare Case StudyInnovirtua Healthcare Case Study
Innovirtua Healthcare Case Study
 
Apply Computer and Mobile Health Technology.pptx
Apply Computer and Mobile Health Technology.pptxApply Computer and Mobile Health Technology.pptx
Apply Computer and Mobile Health Technology.pptx
 
Building Digital Trust : The role of data ethics in the digital age
Building Digital Trust : The role of data ethics in the digital ageBuilding Digital Trust : The role of data ethics in the digital age
Building Digital Trust : The role of data ethics in the digital age
 
COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...
COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...
COGKNOW: Assistive Technology for People with Mild Dementia - A User-Centred ...
 
EHR Certification Requirements For Medical Practices
EHR Certification Requirements For Medical PracticesEHR Certification Requirements For Medical Practices
EHR Certification Requirements For Medical Practices
 
Clinical Data Standards and Data Portability
Clinical Data Standards and Data Portability Clinical Data Standards and Data Portability
Clinical Data Standards and Data Portability
 
EHR Certification for Medical Practices
EHR Certification for Medical PracticesEHR Certification for Medical Practices
EHR Certification for Medical Practices
 
Nur3563group8 cis
Nur3563group8 cisNur3563group8 cis
Nur3563group8 cis
 
242714436-Organizational-Security-Policies.pptx
242714436-Organizational-Security-Policies.pptx242714436-Organizational-Security-Policies.pptx
242714436-Organizational-Security-Policies.pptx
 
Final ppt g08
Final ppt g08Final ppt g08
Final ppt g08
 
Leveraging emerging standards for patient engagement pcha
Leveraging emerging standards for patient engagement pchaLeveraging emerging standards for patient engagement pcha
Leveraging emerging standards for patient engagement pcha
 
5 Healthcare Tech Trends To Watch
5 Healthcare Tech Trends To Watch5 Healthcare Tech Trends To Watch
5 Healthcare Tech Trends To Watch
 
CIS 2015- User-centric Privacy of Identity- Jenn Behrens
CIS 2015- User-centric Privacy of Identity- Jenn BehrensCIS 2015- User-centric Privacy of Identity- Jenn Behrens
CIS 2015- User-centric Privacy of Identity- Jenn Behrens
 
MOVIE RECOMMENDATION SYSTEM
MOVIE RECOMMENDATION SYSTEMMOVIE RECOMMENDATION SYSTEM
MOVIE RECOMMENDATION SYSTEM
 
UK mHealth app assessment
UK mHealth app assessmentUK mHealth app assessment
UK mHealth app assessment
 
&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...
&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...
&quot;The Risks and Rewards when Implementing Electronic Medical Records Syst...
 
Use of personalized medicine tools for clinical research networks
Use of personalized medicine tools for clinical research networksUse of personalized medicine tools for clinical research networks
Use of personalized medicine tools for clinical research networks
 
Kuchinke Personalized Medicine tools for clinical research networks
Kuchinke Personalized Medicine tools for clinical research networksKuchinke Personalized Medicine tools for clinical research networks
Kuchinke Personalized Medicine tools for clinical research networks
 

Plus de Brian Ahier

AMA Digital Health Study
AMA Digital Health Study AMA Digital Health Study
AMA Digital Health Study Brian Ahier
 
DoD onboarding slides
DoD onboarding slidesDoD onboarding slides
DoD onboarding slidesBrian Ahier
 
2015 Edition Proposed Rule Modifications to the ONC Health IT Certification ...
2015 Edition Proposed Rule Modifications to the ONC Health IT Certification ...2015 Edition Proposed Rule Modifications to the ONC Health IT Certification ...
2015 Edition Proposed Rule Modifications to the ONC Health IT Certification ...Brian Ahier
 
Remarks to Public Forum on National Health IT Policy
Remarks to Public Forum on National Health IT PolicyRemarks to Public Forum on National Health IT Policy
Remarks to Public Forum on National Health IT PolicyBrian Ahier
 
Accountable Care Workgroup: Draft Recommendations
Accountable Care Workgroup: Draft RecommendationsAccountable Care Workgroup: Draft Recommendations
Accountable Care Workgroup: Draft RecommendationsBrian Ahier
 
FTC Spring Privacy Series: Consumer Generated and Controlled Health Data
FTC Spring Privacy Series: Consumer Generated and Controlled Health DataFTC Spring Privacy Series: Consumer Generated and Controlled Health Data
FTC Spring Privacy Series: Consumer Generated and Controlled Health DataBrian Ahier
 
Mobile Device Tracking Seminar
Mobile Device Tracking SeminarMobile Device Tracking Seminar
Mobile Device Tracking SeminarBrian Ahier
 
Big Data and VistA Evolution, Theresa A. Cullen, MD, MS
Big Data and VistA Evolution, Theresa A. Cullen, MD, MSBig Data and VistA Evolution, Theresa A. Cullen, MD, MS
Big Data and VistA Evolution, Theresa A. Cullen, MD, MSBrian Ahier
 
Meaningful Use Workgroup Stage 3 Recommendations
Meaningful Use Workgroup Stage 3 Recommendations Meaningful Use Workgroup Stage 3 Recommendations
Meaningful Use Workgroup Stage 3 Recommendations Brian Ahier
 
ONC 2015 Edition EHR Certification Criteria
ONC 2015 Edition EHR Certification CriteriaONC 2015 Edition EHR Certification Criteria
ONC 2015 Edition EHR Certification CriteriaBrian Ahier
 
Mark Bertolini of Aetna at JP Morgan Healthcare 2014
Mark Bertolini of Aetna at JP Morgan Healthcare 2014Mark Bertolini of Aetna at JP Morgan Healthcare 2014
Mark Bertolini of Aetna at JP Morgan Healthcare 2014Brian Ahier
 
DeSalvo Remarks to HIT Policy Committee 1-14-13
DeSalvo Remarks to HIT Policy Committee 1-14-13DeSalvo Remarks to HIT Policy Committee 1-14-13
DeSalvo Remarks to HIT Policy Committee 1-14-13Brian Ahier
 
Patient Identification and Matching Initiative Stakeholder Meeting
Patient Identification and Matching Initiative Stakeholder MeetingPatient Identification and Matching Initiative Stakeholder Meeting
Patient Identification and Matching Initiative Stakeholder MeetingBrian Ahier
 
Frisse - One Step at a Time
Frisse - One Step at a TimeFrisse - One Step at a Time
Frisse - One Step at a TimeBrian Ahier
 
The Pulse of Liquid Health Data
The Pulse of Liquid Health DataThe Pulse of Liquid Health Data
The Pulse of Liquid Health DataBrian Ahier
 
Direct Boot Camp 2.0 - Tennesse Directories
Direct Boot Camp 2.0 - Tennesse DirectoriesDirect Boot Camp 2.0 - Tennesse Directories
Direct Boot Camp 2.0 - Tennesse DirectoriesBrian Ahier
 
Direct Boot Camp 2 0 IWG Provider Directory Pilots
Direct Boot Camp 2 0 IWG Provider Directory PilotsDirect Boot Camp 2 0 IWG Provider Directory Pilots
Direct Boot Camp 2 0 IWG Provider Directory PilotsBrian Ahier
 
Direct20: Modular Specifications - Provider Directories
Direct20: Modular Specifications - Provider DirectoriesDirect20: Modular Specifications - Provider Directories
Direct20: Modular Specifications - Provider DirectoriesBrian Ahier
 

Plus de Brian Ahier (20)

Draft TEFCA
Draft TEFCADraft TEFCA
Draft TEFCA
 
Future is Now
Future is NowFuture is Now
Future is Now
 
AMA Digital Health Study
AMA Digital Health Study AMA Digital Health Study
AMA Digital Health Study
 
DoD onboarding slides
DoD onboarding slidesDoD onboarding slides
DoD onboarding slides
 
2015 Edition Proposed Rule Modifications to the ONC Health IT Certification ...
2015 Edition Proposed Rule Modifications to the ONC Health IT Certification ...2015 Edition Proposed Rule Modifications to the ONC Health IT Certification ...
2015 Edition Proposed Rule Modifications to the ONC Health IT Certification ...
 
Remarks to Public Forum on National Health IT Policy
Remarks to Public Forum on National Health IT PolicyRemarks to Public Forum on National Health IT Policy
Remarks to Public Forum on National Health IT Policy
 
Accountable Care Workgroup: Draft Recommendations
Accountable Care Workgroup: Draft RecommendationsAccountable Care Workgroup: Draft Recommendations
Accountable Care Workgroup: Draft Recommendations
 
FTC Spring Privacy Series: Consumer Generated and Controlled Health Data
FTC Spring Privacy Series: Consumer Generated and Controlled Health DataFTC Spring Privacy Series: Consumer Generated and Controlled Health Data
FTC Spring Privacy Series: Consumer Generated and Controlled Health Data
 
Mobile Device Tracking Seminar
Mobile Device Tracking SeminarMobile Device Tracking Seminar
Mobile Device Tracking Seminar
 
Big Data and VistA Evolution, Theresa A. Cullen, MD, MS
Big Data and VistA Evolution, Theresa A. Cullen, MD, MSBig Data and VistA Evolution, Theresa A. Cullen, MD, MS
Big Data and VistA Evolution, Theresa A. Cullen, MD, MS
 
Meaningful Use Workgroup Stage 3 Recommendations
Meaningful Use Workgroup Stage 3 Recommendations Meaningful Use Workgroup Stage 3 Recommendations
Meaningful Use Workgroup Stage 3 Recommendations
 
ONC 2015 Edition EHR Certification Criteria
ONC 2015 Edition EHR Certification CriteriaONC 2015 Edition EHR Certification Criteria
ONC 2015 Edition EHR Certification Criteria
 
Mark Bertolini of Aetna at JP Morgan Healthcare 2014
Mark Bertolini of Aetna at JP Morgan Healthcare 2014Mark Bertolini of Aetna at JP Morgan Healthcare 2014
Mark Bertolini of Aetna at JP Morgan Healthcare 2014
 
DeSalvo Remarks to HIT Policy Committee 1-14-13
DeSalvo Remarks to HIT Policy Committee 1-14-13DeSalvo Remarks to HIT Policy Committee 1-14-13
DeSalvo Remarks to HIT Policy Committee 1-14-13
 
Patient Identification and Matching Initiative Stakeholder Meeting
Patient Identification and Matching Initiative Stakeholder MeetingPatient Identification and Matching Initiative Stakeholder Meeting
Patient Identification and Matching Initiative Stakeholder Meeting
 
Frisse - One Step at a Time
Frisse - One Step at a TimeFrisse - One Step at a Time
Frisse - One Step at a Time
 
The Pulse of Liquid Health Data
The Pulse of Liquid Health DataThe Pulse of Liquid Health Data
The Pulse of Liquid Health Data
 
Direct Boot Camp 2.0 - Tennesse Directories
Direct Boot Camp 2.0 - Tennesse DirectoriesDirect Boot Camp 2.0 - Tennesse Directories
Direct Boot Camp 2.0 - Tennesse Directories
 
Direct Boot Camp 2 0 IWG Provider Directory Pilots
Direct Boot Camp 2 0 IWG Provider Directory PilotsDirect Boot Camp 2 0 IWG Provider Directory Pilots
Direct Boot Camp 2 0 IWG Provider Directory Pilots
 
Direct20: Modular Specifications - Provider Directories
Direct20: Modular Specifications - Provider DirectoriesDirect20: Modular Specifications - Provider Directories
Direct20: Modular Specifications - Provider Directories
 

Privacy and Security Tiger Team 010813

  • 1. Privacy and Security Tiger Team Trusted Identity of Patients in Cyberspace Recommendations on Patient Identity Proofing and Authentication January 8, 2012
  • 2. Tiger Team Members • Deven McGraw, Chair, Center for Democracy & Technology • Paul Egerman, Co-Chair • Dixie Baker, SAIC • Neil Calman, Institute for Family Health • Carol Diamond, Markle Foundation • Judy Faulkner, Epic • Leslie Francis, University of Utah; NCVHS • Gayle Harrell, Consumer Representative/Florida • John Houston, University of Pittsburgh Medical Center • Alice Leiter, National Partnership for Women & Families • David McCallie, Cerner Corp. • Wes Rishel, Gartner • Latanya Sweeney, Carnegie Mellon University • Micky Tripathi, Massachusetts eHealth Collaborative • Kitt Winter, Social Security Administration 2
  • 3. Recommendations (1) (DRAFT) Overarching Recommendation: ONC should develop and disseminate best practices for identity proofing and authentication for patient access to portals (MU2 view, download, and transmit capability); such best practices should be disseminated to EPs, EHs and CAHs sufficiently in advance of the onset of Stage 2 to enable planning. • ONC should disseminate these best practices to providers through the RECs and through other means to ensure wide distribution. • These best practices should also be disseminated to vendors. 3
  • 4. Recommendation (2) (DRAFT) • Recommendation 2: Such best practices should be consistent with the following overarching principles: – Protections should be commensurate with risks – Simplicity and ease of use for patients and consistent with “what they are willing to do” – Flexibility in methods offered—”one size does not fit all” – Leverage solutions in other sectors, such as banking – Accompanied by education that make these processes transparent to the patient – Build to scalable solutions (e.g., greater use of voluntary secure identity providers) – Solutions need to evolve over time as technology changes 4
  • 5. Key Takeaways from Hearing (to help inform best practices) (DRAFT) • ID Proofing – In person ID proofing provides the most protection. – However, remote proofing is highly desired by some patient populations (veterans, rural, elderly) & is needed to enable more patients to use these accounts. – Consequently, best practices for both options should be provided. 5
  • 6. In-Person ID Proofing (DRAFT) • Performed by provider where relationship/trust exists; training of provider employees on basics of identity proofing recommended. • Provider may rely on others to perform in-person (for example, notaries public; may be more viable option post implementation of NSTIC) 6
  • 7. Remote ID Proofing (1) (DRAFT) • Remote ID proofing should be offered, but does raise more risks. Potential methods: – Rely on re-use of existing credentials (for example, credentialing for on-line sites like Facebook) – Third-party, knowledge-based • Dependent on quality of data, questions; may be expensive • May not address all patients, for example, minors <18 • Patient education critical to address privacy concerns – In–house, demographic matching on practice management or other provider systems (Note that for knowledge-based or demographic data ID proofing solutions, best practice to use some data fields not known to others, including family members) – Use of technology (such as through computer cameras) 7
  • 8. Remote ID Proofing (2) (DRAFT) • To further manage risks, couple with out-of-band confirmation (using an independent/different channel to confirm identity) – for example, letter to confirm account establishment/access by right person; sending to other e-mail addresses; confirming phone call to patient; alerting of unusual activity in the account). 8
  • 9. Authentication (1) (DRAFT) • Previous recommendation: Providers should require at least a user name and password to authenticate patients – This single-factor authentication should be a minimum – Providers may want to offer their patients additional security (such as through additional authentication factors) or provide such additional security for access to particularly sensitive data – should also be mindful of guidelines for identification and not set requirements so high that patients are discouraged or cannot meaningfully participate 9
  • 10. Authentication (2) (DRAFT) • Post hearing: ONC should strongly encourage providers to use more than user ID and password (Level “2.5”), and at least initially, drive toward protections analogous to those used in online banking • The Tiger Team considered whether it should encourage the HITSC, though the P&S WG, to consider certification standards in this area. However, given that “one size does not fit all” and the need to take advantage of improvements offered by the evolving technology in this area, the Tiger Team concluded that certification standards may not be the best approach at this time. 10
  • 11. Authentication (3) (DRAFT) • ONC should also disseminate, at a minimum, the latest best practices in password management • Technology options for authentication continue to evolve; ONC should continue to monitor and update policies as appropriate to reflect improved technological capabilities. 11
  • 12. Best Practices (draft) - Transparency • Given the risks associated with credentialing patients for view/download/transmit and the critical importance of educating patients about the use of these functions, ONC should respond to previous Policy Committee Recommendations regarding transparency of risks/benefits of V/D/T to patients. (see backup slides) 12
  • 13. Patient Use of DIRECT • The Tiger Team also considered whether it needed to make additional recommendations on the use of the DIRECT protocol when patients use the “transmit” function to authorize transmission of their information to a PHR or other third-party. • The Tiger Team concluded that DIRECT is moving forward in way that is consistent with these recommendations: – Specifically, the patient (or legal representative) provides the DIRECT address to the provider – No further recommendations are needed at this time • Additional details on the use of DIRECT are shown on the following slide. 13
  • 14. Future Solutions (DRAFT) • NSTIC, which would provide for credentials that could be re-used for a range of online purposes, should provide a more scalable solution for patient authentication in the future • ONC should continue to work with NIST to ensure that any issues unique to the health care environment are addressed in the development of the NSTIC approach 14
  • 16. Transparency Recommendations on View/Download (1 of 4) • The Tiger Team opted to offer best practice guidance for providers (as well as vendors and software developers) participating in the Meaningful Use program as stated below. Such best practice guidance could be communicated by ONC through the Regional Extension Centers (RECs) as well as through the entities certifying EHR Technology. – Providers participating in the Meaningful Use program should offer patients clear and simple guidance regarding use of the view and download functionality in Stage 2. 16
  • 17. Transparency Recommendations on View/Download (2 of 4) – With respect to the download functionality, such guidance should be offered at the time the patient indicates a desire to download electronic health information and, at a minimum, address the following three items • Remind patients that they will be in control of the copy of their medical information that they have downloaded and should take steps to protect this information in the same way that they protect other types of sensitive information. • Include a link or links to resources with more information on such topics as the download process and how the patient can best protect information after download. • Obtain independent confirmation that the patient wants to complete the download transaction or transactions. 17
  • 18. Transparency Recommendations on View/Download (3 of 4) – With respect to the “view” functionality, such guidance should address the potential risks of viewing information on a public computer, or viewing sensitive information on a screen that may be visible to others, or failing to properly log out after viewing. – Providers should also utilize techniques, if appropriate, that avoid or minimize the need for patients to receive repeat notices of the guidance on view and/or download risks. – Providers should also request vendors and software developers to configure the view and download functionality in a way that no cache copies are retained after the view session is terminated. Providers should also request that their view and download functionality include the capability to automatically terminate the session after a period of inactivity. 18
  • 19. Transparency Recommendations on View/Download (4 of 4) – ONC should also provide the above guidance to vendors and software developers, such as through entities conducting EHR certification. – Providers can review the Markle Foundation policy brief, and the guidance provided to patients as part of the MyHealtheVet Blue Button and Medicare Blue Button, for examples of guidance provided to patients using view and download capabilities. 19
  • 20. Office of the Secretary Office for Civil Rights (OCR) Overview of the Verification Requirements of the HIPAA Privacy and Security Rules David S. Holtzman, JD, CIPP/G Office for Civil Rights Health Information Privacy Division 20
  • 21. Privacy Rule Verification Standard • The Privacy Rule (45 CFR 164.514 (h)) requires covered entities (CE) to verify the identity and authority of a person requesting protected health information (PHI), if not known to the CE. • The Rule allows for verification in most instances in either oral or written form, although verification does require written documentation when such documentation is a condition of the disclosure. • The Rule generally does not include specific or technical verification requirements to permit covered entities to fashion procedures that fit the size and complexity of their organization. • The CE must also establish and document procedures for verification of identity and authority of personal representatives, if not known to the entity. OCR 21
  • 22. Implementing the Privacy Rule’s Verification Standard • For example, verification procedures that can be applied in an electronic health information environment: • Consumers can agree with the CE to keep current their demographic information and personal representatives so the CE can appropriately authenticate each user of the network • For persons claiming to be government officials, proof of government status may be provided by having a legitimate government e-mail extension (e.g., xxx.gov) • Documentation requiring signatures may be provided as a scanned image of the signed documentation or as an electronic document with an electronic signature, to the extent the electronic signature is valid under applicable law. OCR 22
  • 23. Security Rule Verification Standards • The Security Rule layers additional safeguards for the verification of identity when attempting to access electronic protected health information (e-PHI). • The information access management standard (45 CFR 164.308(a)(4)(i)) requires a covered entity or their business associate to have formal, documented policies and procedures implemented for the authorization of access to e-PHI that are complimentary with those of the Privacy Rule. • The person or entity authentication standard (45 CFR 164.312(d)) requires a covered entity to implement procedures or security measures to verify that a person or entity seeking access to e-PHI is the one claimed. OCR 23