HIT Standards Committee

nervousripΑσφάλεια

5 Νοε 2013 (πριν από 3 χρόνια και 9 μήνες)

124 εμφανίσεις

HIT Standards Committee

Privacy and Security Workgroup




Dixie Baker, Chair

Walter Suarez, Co
-
Chair


June 22, 2011


Dixie Baker, SAIC


Anne Castro, BlueCross BlueShield of South Carolina


Aneesh Chopra, Federal Chief Technology Officer


Mike Davis, Veterans Health Administration


Lisa Gallagher, HIMSS


Chad Hirsch, Mayo


Ed Larsen


David McCallie, Cerner Corporation


John Moehrke, General Electric


Steve Findlay, Consumers Union


Jeff Jonas, IBM


Wes Rishel, Gartner


Walter Suarez, Kaiser Permanente


Sharon Terry, Genetic Alliance

Privacy and Security Workgroup

NEW MEMBER

Agenda


Provider Directory Standards


Review through May HITSC meeting


Activity since the May meeting


Next topic: Stage 2 meaningful
-
use standards


Recommendations

Enterprise
-
Level Provider Directory (ELPD) Review:

Need Identified by HIT Policy Committee


HIT Policy Committee identified need for national
ELPD system that would provide the capability to
search for and find

discoverable


information
essential for enabling exchange of health information
between enterprises


limited content to:

1.
Basic
entity information
(e.g., name, address, human point
-
of
-
contact)

2.
Externally accessible information describing
exchange
services
(e.g., domains, message protocols, transport
protocols,

inbox


locations)

3.
Security credentials

Enterprise
-
Level Provider Directory (ELPD) Review:

Initial Focus and Recommendation to HITSC


ONC requested that HITSC address immediate need for standards and
certification criteria to support
EHR query of ELPD
per HITPC policy
recommendations


At May HITSC meeting, Privacy and Security Workgroup recommended
tailored subset of IHE Healthcare Provider Directory (HPD) profile as
standard to provide required functionality and content


HITSC Response


Recommendation was good representation of current state of applicable
directory standards, but national ELPD capability may not be necessary for
exchange



Direct Project approach of using domain name service (DNS) query to
retrieve digital certificates may be good enough for the short term, with EHR
query of ELPDs as a longer term vision


Recommended working with HIT Policy Committee and ONC to refine
business requirements


Provider Directory Activity Since May HITSC Meeting


ONC Standards and Interoperability (S&I) Framework launched
work on provider directories, focusing primarily on community
-
based directories


Certificate discovery


Search & retrieval of provider information when provider address is known/not
known


Alternatives for providing national
-
level functionality were
suggested by members of both HITPC and HITSC

1.
Broadly adopt Direct Project

s strategy of using Domain Name Service
(DNS) to retrieve digital certificates

2.
Create health top
-
level
-
domain (TLD)


something like <hospital>.MED to
facilitate end
-
user search for information about trusted health exchange
points

3.
Use embedded microformats to standardize tagged data fields and
vocabulary for providing directory information from a protected web page


Privacy and Security Workgroup considered these alternatives

Results from Consideration of Alternatives


Lack a strong business case for creating health TLD


potential
benefit would not justify significant effort required


Direct Project

s use of DNS to retrieve digital certificates is
working well and has been generally accepted by participants in
Direct pilot


Some browsers and email clients do not currently support
query of DNS for digital certificates needed for secure email
and secure web connections


though DNS specification does
include the capability


DNS cannot be used to retrieve more general directory
information, such as the transport standards supported, or rich
content, such as specialties of provider organizations


Use of DNS for certificate retrieval, along with with publishing of
web pages providing additional directory information as
structured, encoded content warrants further consideration

DNS + Structured & Encoded Web Content: Concept


Organizations create
public web pages
containing directory information
they wish to expose for search


Provider directory information is
structured and encoded into the web
page
, using
standard schema and vocabulary


Improves search engine indexing


Enables extraction of information into local systems (EHR, Exchange
gateway, Direct HISP, etc.)


Organizations can obtain
Extended Validation certificates

to provide
assurance of the authenticity of its web pages


Standard search engines provide a
flexible and free Query Service


DNS is used to retrieve digital certificates
for the published service
address names which have been embedded in the web pages

DNS + Structured & Encoded Web Content


Benefits


Simple, widely available, and highly scalable web technology


Three leading search engines (Google, Bing, Yahoo!) have launched Schema.org
metadata project to provide tools for building common vocabulary for structuring
web page data


Organization maintains control over what information is exposed


Can start simple and build over time


Allows discovery of services and certificates using familiar names,
without requiring advance knowledge of formal identifier (e.g., OID
used in NwHIN Exchange, Direct Address)


Recommend that S&I Framework team consider this approach
for meeting need for nationwide access to directory information
without requiring

national provider directory



Next Topic: Privacy and Security for Stage 2


Stage 2 measures are unlikely to significantly change required
EHR privacy and security functionality or content


However, HITPC Privacy and Security Tiger Team has
recommended policies that do imply new EHR privacy and
security standards and functionality


Privacy and Security Workgroup has undertaken an examination
of these recommended policies to identify new needs for EHR
standards, implementation specifications, and certification criteria

Example Privacy and Security Functionality Derived
from Tiger Team Recommendations


Secure email and web transactions


Retrieval, validation, and use of intended recipient

s digital certificate to
authenticate recipient


Strong protection of sender

s digital certificate


Use of sender

s digital certificate to authenticate sender and to digitally sign
content


Support two
-
factor authentication for high
-
risk transactions, including e
-
prescribing
of controlled substances


Detect and block programmatic attacks, and attacks from unauthorized entities


Enable consumers to securely download their own health information, including
provenance, and to securely send their health information to a third party


Audit events on consumer portals


Require consumer to log into consumer portal before accessing health information


Standard metadata and vocabulary for data fields commonly used in patient
matching (may be a Clinical Operations assignment)

Summary


Recommendation
: Recommend that S&I Framework team consider approach of
structuring and encoding web content, using standard schema and vocabulary,
for meeting need for nationwide access to directory information without requiring

national provider directory



Will present initial recommendations for Stage 2 privacy and security standards,
implementation specifications, and certification criteria at July meeting