Version 8.0 -1- Briefing For Public Health Data Standards Consortium Presented by: Holt Anderson Arlington, VA March 19, 2001 HealthKey Roadmap: Toward a Community-Wide, Privacy and Security Infrastructure


Page 1

HealthKey Roadmap: Toward a Community-Wide, Privacy and Security Infrastructure

Briefing For Public Health Data Standards Consortium

Presented by: Holt Anderson, Arlington, VA

March 19, 2001

Page 2

This briefing provides HealthKey’s perspective on a HIPAA-compliant privacy and security infrastructure.

• What is it and why is it important?

• Should organizations and communities invest in it?

• How might it get implemented?

• What are the barriers to implementation?

• How do we overcome those barriers?

Page 3

Highlights of what will be covered . . .

• HEALTHCARE INFORMATION IS FLOWING ELECTRONICALLY. There appears to be pent-up demand!!

• We need to focus on PROTECTING this flow of electronic information.

• To protect this information flow, healthcare organizations and communities must COLLABORATE to create a privacy and security infrastructure.

• We believe that progress toward a privacy and security infrastructure will be made across FIVE SECTORS OF ACTIVITY.

Page 4

Most healthcare organizations are on their way to exchanging information electronically.

[Diagram: organizations exchanging information electronically -- Care Givers, Employers, Health Plans, Pharmacies & PBMs, Reference Laboratories, Hospitals]

Increasingly, patients and families are using the Internet as a resource for getting healthcare information.

[Diagram node: Patients & Families]

Page 5

[Diagram: Privacy and Security Infrastructure connecting Care Givers, Employers, Health Plans, Patients & Families, Pharmacies & PBMs, Reference Laboratories and Hospitals]

An infrastructure is needed to PROTECT the flow of that information as it moves between organizations AND individuals.

This infrastructure serves the entire healthcare community.

Page 6

Protecting the flow of information will enable broader acceptance of electronic exchange and corresponding benefits including:

• Presentation of a complete health record assembled from sources spread across multiple and changing providers and payer sources.

• Allowing prompt access to complete and accurate information to improve the quality of care through the communication of patient wishes and prevention of mishaps related to drug interactions, handwriting, allergies, transmissible diseases, etc.

• Providing more timely access to health information to improve the detection, assessment and early response of public health incidents, such as epidemics, emerging infectious diseases and bioterrorism.

• Providing a standard means of controlling and monitoring access to sensitive information, thereby protecting the privacy of individuals.

Page 7

The privacy and security infrastructure must protect against . . .

• System Downtime -- Individuals bringing down machines or causing denials of service

• Unauthorized Access -- Individuals getting access to more information than they are authorized to

• Identity Theft -- Individuals posing as someone else to access applications/databases, receive transmitted information, or generate/transmit mis-information

• Information Theft -- Individuals intercepting email and other transmissions

• Misuse of Information/Breach of Privacy -- Individuals using/distributing information inappropriately

Page 8

The risks to organizations of NOT protecting electronic exchange include . . .

• Curtailed business operations from system downtime

• Legal actions from patients

• Civil and criminal fines from non-compliance

• Lost revenue from trading partners or patients

• Increased costs

• “Unethical” behavior

Page 9

The risks to individuals of NOT protecting electronic exchange include . . .

• Identity theft

• Exposure of clinical information

• Threat of blackmail

• Possible embarrassment

Page 10

We see a privacy and security infrastructure for healthcare as having cascading layers of protection . . .

[Diagram: cascading layers, from Law down through the Organization-Specific Layers]

• Law -- Legal & regulatory definition of protections for healthcare information

Organization-Specific Layers:

• Privacy Policy -- What information the organization intends to protect and from whom

• Security Practices (Operations Procedures & Technologies) -- What organizations actually do to implement protections

• Assurance -- Make sure that Practices work and comply with Policy

Page 11

Privacy Policy is essential for effective Security Practices.

• Privacy Policy is a clear statement of what information should be protected and from whom. This statement guides the scope and design of technology solutions and operations procedures.

• Privacy Policy establishes an organization’s intent to enforce security practices, and outlines actions that will be taken if the practices are not followed.

• Privacy Policy can act as a tool to educate about why protection is important.

Page 12

Select policies & practices must be aligned across organizations to ensure electronic inter-operability with seamless protection.

This type of infrastructure requires community-wide collaboration.

Page 13

We believe that community-wide privacy and security infrastructure will only emerge if it:

• Enhances, rather than restricts, an organization’s ability to differentiate itself in the marketplace

– Solves common problems in a standard way, allowing organizations to focus on their individual interests in unique ways

– Lets each organization implement at its own pace (in “incremental steps” if necessary)

• Addresses a business need that organizations perceive as “real”

• Enables electronic exchange, rather than “getting in the way”

• Can be built using solutions that are available and practical

• Is affordable and justified

Page 14

The fundamental trade-off is mitigating the financial risk of doing electronic exchange while minimizing the impact on “ease of use”.

[Chart: vertical axis “$ Impact”; horizontal axis “Sophistication of Privacy and Security Infrastructure”; plotted series: “Financial Risk of electronic exchange” and “Cost to Maintain ‘Ease of Use’ of electronic exchange”; annotation: “Too much” complexity]

Page 15

Will organizations collaborate to build and share a common privacy and security infrastructure?

• There seem to be good reasons for a common infrastructure.

– Same trading partners

– All want to mitigate the risk

– Organization-specific protection methods are sub-optimal.

• But organizations have real world limitations.

– Cannot wait for a common solution to unfold

– Limited resources to build a ‘near term’ and a ‘long term’ solution

• Vision and leadership are needed.

Page 16

HealthKey’s findings suggest that progress toward a privacy and security infrastructure will be made across five sectors of activity:

1: Enterprise Awareness -- recognizing there is risk/vulnerability and a need to do something

2: Enterprise Preparedness -- preparing the enterprise for external communication with trading partners

3: Enterprise Co-Existence -- enabling protected communication among enterprises

4: Enterprise Affiliation -- implementing standards between enterprises

5: Community-Wide Participation -- getting enterprises, small organizations, and individuals to use a common electronic identity for “users”

Page 17

First, enterprises must become aware that they are vulnerable and that they can do something about it.

HealthKey’s Roadmap -- to a Community Privacy and Security Infrastructure

[Diagram: Enterprise Awareness as the starting sector, leading on to Enterprise Preparedness, Enterprise Co-Existence, Enterprise Affiliation and Community-Wide Participation]

Enterprise Awareness:

• What could happen! -- Hacked! HIPAA

• Call to Action -- There’s risk! I’m vulnerable! I need to be doing something!

• What I should do! -- Action Plan; Resource Commitment

Page 18

From there, enterprises will take the necessary steps to protect themselves and the communities that they are serving.

HealthKey’s Roadmap - to a Community Privacy and Security Infrastructure

• Each sector of activity contains a number of action steps. There is NO single route through the sectors or action steps.

• Sectors are NOT linear. Progress can be made concurrently within multiple sectors of activity.

• Sectors do represent increasing collaboration and community-wide acceptance.

• Each action step represents a different capability of the infrastructure.

• Capabilities may be implemented at various levels of sophistication.

Page 19

HealthKey’s Roadmap - to a Community Privacy and Security Infrastructure

[Diagram: map of the four sectors, each with its capabilities]

Sectors:

• Enterprise Preparedness -- Preparing the enterprise for external communication with trading partners

• Enterprise Co-Existence -- Enabling protected communication among enterprises

• Enterprise Affiliation -- Implementing standards between enterprises

• Community-Wide Participation -- Getting broad base adoption and use of a common electronic identity for “users”

Capabilities shown on the map: Protect Electronic Perimeter; Set Privacy Policies; Set Access Control Policy; Administer User Accounts; Enable Single Log-On; Upgrade Applications; Secure Connections; Validate Servers; Exchange E-mail; Authenticate & Validate User; Standardize Trading Partner Arrangements; Standardize Privacy Policies; Standardize Identity Management; Standardize Identity Validation; Empower Administrative Entity; Find an Electronic Identity

Annotations on the map: Control WHO has access!! Control WHAT is accessed!

Page 20

HealthKey’s Roadmap - to a Community Privacy and Security Infrastructure

Progress will be made at different rates in each sector, depending upon the community.

[Chart: Community Snapshot -- progress in Enterprise Preparedness, Enterprise Co-Existence, Enterprise Affiliation and Community-Wide Participation for Community ‘A’ and Community ‘B’, with 25%, 50% and 75% marks]

Page 21

HealthKey’s Roadmap -- Multiple routes to any destination

[Diagram: the same sectors (Enterprise Preparedness, Enterprise Co-Existence, Enterprise Affiliation, Community-Wide Participation) and capabilities (Protect Electronic Perimeter; Set Privacy Policies; Set Access Control Policy; Administer User Accounts; Enable Single Log-On; Upgrade Applications; Secure Connections; Validate Servers; Exchange E-mail; Authenticate & Validate User; Standardize Trading Partner Arrangements; Standardize Privacy Policies; Standardize Identity Management; Standardize Identity Validation; Empower Administrative Entity; Find an Electronic Identity) as on the preceding roadmap slide, with the annotations “Can start anywhere!” and “Many organizations start here”]

Page 22

HealthKey’s Roadmap - Implementation Options

[Diagram: the roadmap sectors and capabilities from the preceding slides, each capability annotated with its implementation options; the legend distinguishes PKI capabilities from HealthKey Projects]

Implementation options shown on the map, grouped as they appear:

• Protect Electronic Perimeter -- Internet Border; DMZ; Intrusion Detection; Assurance & Tiger Team

• Exchange E-mail -- Not Encrypted; Encrypted Gateway; Encrypted by person

• Authenticate & Validate User -- Passwords; Smart ID’s; Biometrics; Certificates

• Secure Connections -- SSL/H; Private Circuit; VPN

• Validate Servers -- CA Issued Keys; Self Defined Keys

• Community-Wide Participation (identity capabilities) -- Single CA; Many CAs with Bridge; Many CAs no Bridge; Identification Policy; Deploy Identity Procedures; Support Procedures; User Registration Procedures

• Also shown on the map -- Transaction Security; Info Sharing Agreements; Cross Validation Procedures

Legend: PKI capabilities; HealthKey Projects

Page 23

HealthKey’s Roadmap - Doing Many Things At Once

[Diagram: the same sectors, capabilities and implementation options as the preceding Implementation Options slide (Internet Border, DMZ, Intrusion Detection, Assurance & Tiger Team; Not Encrypted, Encrypted Gateway, Encrypted by person; Passwords, Smart ID’s, Biometrics, Certificates; SSL/H, Private Circuit, VPN; CA Issued Keys, Self Defined Keys; Single CA, Many CAs with Bridge, Many CAs no Bridge; Identification Policy, Deploy Identity Procedures, Support Procedures, User Registration Procedures; Transaction Security, Info Sharing Agreements, Cross Validation Procedures), with the annotation “Things most organizations are already doing!”]

Page 24

We want to know if the “Roadmap” framework makes sense to you.

• Can you see your organization on the map?

• Are there things that you would add or change?

• Is it a useful tool for community education and planning?

• Do you envision a common electronic identity for users? If so, how will you make it happen?

• Will your organization collaborate towards a common privacy and security infrastructure? If not, is there something else that makes better sense?

Page 25

There are a number of Roadblocks between us and this critical infrastructure . . .

• There is confusion! -- “What problem?”

• The complexity is daunting -- infrastructure, technology, social implications, legislation, operations, cost, capital, etc.

• We act competitively, not collaboratively -- and collaboration is difficult

• We are looking for silver bullets -- there are many vendors pushing solutions, not solving problems

• Who’s driving? -- There is a leadership void, organizations are reacting to regulations and vendor offerings

Page 26

Recommendations to organizations and communities for making progress towards a common infrastructure.

• Agree on the unique ‘Road Map’ for your community

– Convene key stakeholders

– Agree upon a big picture of enterprise-specific and shared capabilities

– Define approach for building shared capabilities (e.g. Business Associate Agreements, Privacy Policies, Strategies for User Authentication/Validation)

• Demonstrate leadership of the ‘Critical Few’

– Handful of influential organizations necessary to make things happen

– Commit to shared capabilities

– Work together and with vendors to guide implementation

• Establish and empower a ‘Catalyst for Collaboration’

– Trusted individuals and process for sustaining collaboration

– Raise awareness/Educate about what is being done and why

– Recommend ways to deploy innovation to small organizations and individuals

Page 27

Where do we go from here?

• Do you agree with these roadblocks and recommendations? Are they practical?

• Do you see a role for a HealthKey-like program in your community? If so, what would it be?

• Would you contribute to funding the HealthKey-like program?

Page 28

Thank you!

For further information:

www.healthkey.org