Electronic Medical Records and Health IT are integral part of the Administration’s health reform. Committees such as the Nationwide Health Information Network are formulating standards and recommendations that will soon affect how electronic healthcare will be implemented. At the cornerstone of these efforts is the need to establish, with the appropriate degree of confidence, who is who in an electronic healthcare transaction: this is what defines identity assurance. This session will explain identity assurance, its implications, discuss pragmatic approaches to applying it to electronic healthcare and how to get started.

1. Identity Assurance in Healthcare: What Does It Mean to You? By Frank Villavicencio HIMSS Conference March 1-4, 2010

2. Identropy at a Glance Exclusive Focus on Identity & Access Management (IAM) 3 Lines of Business: Advisory Services, Implementation, Managed Services 20+ IAM/AGS Experts with hands-on experience in over 80 successful implementations in the last 3 years Full Range of Services to Support Full Solution Lifecycle

3. We Will Cover… Overview of Identity Assurance Why Does it Matter in Healthcare? What Does it Mean to You? Q&A

4. Identity Assurance Identity assurance is the ability for a party to determine, with some level of certainty, that the human being represented by a credential in an electronic transaction is in fact the alleged person Published in The New Yorker 7/5/1993 by Peter Steiner

5. Identity Assurance and Risk Levels Identity Assurance Levels (AL) map to risk levels in a transaction

6. It is More than Authentication… ...it is a lifecycle Termination Renewal Step-up Authentication Risk Monitoring Authentication Credentialing Identity Verification Creation

7. What Do I Care?

8. Identity Assurance in the Identity Lifecycle IdentityManagement Roles Management Simplified Secure Access Access Certification PasswordManagement

9. What Does It Mean to Healthcare? Identity assurance is at the heart of the Health IT agenda for electronic health information Excerpt from 45 CFR Part 170 - §170.210 “Standards for health information technology to protect electronic health information created, maintained, and exchanged” (d) Cross-enterprise authentication. A cross-enterprise secure transaction that contains sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails must be used. (t) Authentication. (1) Local. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information. (2) Cross network. Verify that a person or entity seeking access to electronic health information across a network is the one claimed and is authorized to access such information in accordance with the standard specified in §170.210(d).

10. What Does It Really Mean?

11. Questions?

12. More information Identity Assurance (Wikipedia) Identity Assurance in the Nationwide Health Information Network (NHIN)... a cross roads of sorts 45 CFR Part 170 - Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Interim Final Rule Kantara Initiative Identity Assurance Framework