HIT Standards Committee
Privacy and Security Workgroup: Update

Dixie Baker, SAIC
Steve Findlay, Consumers Union

December 18, 2009


Privacy and Security Workgroup Members

• Dixie Baker, SAIC
• Steve Findlay, Consumers Union
• Anne Castro, BlueCross BlueShield of South Carolina
• Aneesh Chopra, Federal Chief Technology Officer
• Ed Larsen, HITSP
• David McCallie, Cerner Corporation
• John Moehrke, HITSP
• Gina Perez, Delaware Health Information Network
• Wes Rishel, Gartner
• Walter Suarez, Kaiser Permanente
• Sharon Terry, Genetic Alliance


Topics to Be Covered

• Demystifying Standards (I hope) and Update
• Observations from Security Hearing, November 19


Demystifying Standards Recommendations

• Standards, certification criteria, and implementation guidance are intended for use in certifying EHR products
  – How these capabilities are used within a healthcare environment is based on an individual organization’s size, complexity, and capabilities, technical infrastructure, risks and vulnerabilities, and available resources
• Standards and certification criteria help assure that a “certified EHR product” has the technical capabilities an organization will need to:
  – Comply with HIPAA and ARRA privacy and security provisions
  – Be ready and eligible for “meaningful use”


Demystifying 2011 Recommendations

HIPAA/ARRA Standards (numbered), each with its Supporting Standards (bulleted)

1. Obtain proof that users and systems are whom they claim to be (i.e., authenticate identity) before enabling them to use the system
   • Use the same standard commonly used for web transactions (Transport Layer Security - TLS) to do this for all web-based communications

2. Control access to information and capabilities
   • HIPAA Security Rule implementation specifications

3. Provide the capability to encrypt and decrypt information
   • Use the NIST-recommended Advanced Encryption Standard (AES) algorithm

4. Create an audit trail of system activities
   • Use the IHE Consistent Time (CT) Integration Profile, with Internet standard Network Time Protocols (NTP & SNTP) to synchronize time
   • Use the IHE Audit Trail and Node Authentication (ATNA) Integration Profile to exchange audit information


5. Detect unauthorized changes in content
   • Use one of the NIST-recommended Secure Hash Algorithms (SHA) to generate a number that uniquely represents the data – so that if the data are accidentally or intentionally changed, the number will also change
   • Use ASTM standard as guidance in implementing electronic signatures

6. Protect the confidentiality and integrity of information transmitted over networks (e.g., web)
   • Implement encryption and integrity protection using the NIST standards (AES and SHA)
   • Use HITSP Service Collaboration 112 as guidance in sharing documents with entities outside the system
   • Use Internet standard Domain Name Service (DNS) and Lightweight Data Access Protocol (LDAP) to locate resources on the Internet


7. Electronically record individual consumers' consents and authorizations
   • HIPAA Privacy Rule implementation specifications

8. Provide the capability to create an electronic copy of an individual's electronic health record, record it on removable media, and transmit it to a designated entity
   • Use HITSP Capability 120 as guidance in implementing the capability to record unstructured information on removable media (e.g., CD, thumbdrive) or to send to a Personal Health Record (PHR)

9. Provide the capability to de-identify information
   • HIPAA Privacy Rule implementation specifications

10. Provide the capability to tag de-identified information with a secured link that can be used later to re-identify if necessary
   • Use ISO pseudonymization standard as guidance


2011 Recommendations - Update

• Working Group discovered potential problem with recommended standard for protecting the integrity of data – recommendation excluded an early version of the Secure Hash Algorithm (SHA-1) that is widely used to protect the integrity in web transactions
  – Hash algorithms don’t keep information secret – they just help detect when it has been modified
• NIST guidance states that Federal agencies may not use SHA-1 after 2010 for digital signatures and certain other applications, but allowed its use for protecting data integrity
• Latest update of FIPS PUB still includes SHA-1


Resolution Coordinated Through Standards Committee Leadership

• Changed recommendation to latest version of FIPS PUB hashing standard (which includes SHA-1)
• Changed the certification criteria to:
  – Explicitly allow SHA-1 for web integrity protection only, and encourage the use of one of the other 4 hash algorithms included in the standard
  – Require one of the other algorithms for protecting the integrity of data at rest
• Changes highlighted in hand-out
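
The revised criteria above (SHA-1 tolerated for web integrity only, another algorithm required for data at rest), written as a check in an added Python example that is not part of the original slides. It assumes the "other 4" algorithms are SHA-224, SHA-256, SHA-384 and SHA-512; the function names, policy table and sample record are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the "other 4" algorithms are the SHA-2 functions that the
# FIPS secure hash standard defines alongside SHA-1.
SHA2 = frozenset({"sha224", "sha256", "sha384", "sha512"})

# Constructed policy table mirroring the revised certification criteria.
ALLOWED = {
    "web": SHA2 | {"sha1"},  # SHA-1 tolerated for web integrity only
    "at_rest": SHA2,         # stored data needs one of the other four
}

def digest(data: bytes, algorithm: str, context: str) -> str:
    """Hash data, refusing any algorithm not allowed for this context."""
    if context not in ALLOWED:
        raise ValueError(f"unknown context: {context}")
    if algorithm not in ALLOWED[context]:
        raise ValueError(f"{algorithm} is not permitted for {context} integrity")
    return hashlib.new(algorithm, data).hexdigest()

def seal(record: bytes, algorithm: str = "sha256") -> dict:
    """Tag a stored record; the algorithm name travels with the digest."""
    return {"alg": algorithm, "digest": digest(record, algorithm, "at_rest")}

def verify(record: bytes, tag: dict) -> bool:
    """True only if the tag's algorithm is allowed at rest and still matches."""
    try:
        current = digest(record, tag["alg"], "at_rest")
    except ValueError:
        return False  # a legacy SHA-1 tag fails closed
    return hmac.compare_digest(current, tag["digest"])

if __name__ == "__main__":
    record = b"patient=constructed-0001;allergy=penicillin"  # constructed sample
    tag = seal(record)
    print(verify(record, tag))                                  # unchanged record
    print(verify(record.replace(b"penicillin", b"none"), tag))  # modified record
    legacy = {"alg": "sha1", "digest": hashlib.sha1(record).hexdigest()}
    print(verify(record, legacy))                               # SHA-1 tag at rest
```

A bare digest detects change only if the stored tag cannot be rewritten along with the record, so keep tags separately from the data or sign them.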


Security Hearing Panels – Nov 19, 2009

1. System Stability and Reliability
   • Challenges related to maintaining the stability and reliability of electronic health records (EHRs) in the face of natural and technological threats

2. Cybersecurity
   • Challenges related to maintaining the trustworthiness of EHRs and Health Information Exchanges (HIEs) in the face of cyber threats such as denial of service attacks, malicious software, and failures of internet infrastructure

3. Data Theft, Loss, and Misuse
   • Challenges involving accidental loss of data, data theft, extortion and sabotage, including criminal activities and other related areas

4. Building Trust
   • Issues and challenges related to building and maintaining trust in the health information technology ecosystem, and the impacts that real and perceived security weaknesses and failures exert on health organizations, individual providers, and consumers


Key Messages

• Keep it simple!
  – Abstract out complexity – create standards-based components that hide complexity
  – Bake security into products
  – Need for security “toolkit” especially for small practices
• Implement defense in depth – layered security
• Days of tightly controlled perimeters are long gone – need to address distributed, mobile, wireless, and virtual resources, as well as computers embedded in biomedical devices
• Need to measure security “outcomes”


System Stability & Reliability

• Many existing clinical products lack the functionality needed to support security best practices
• Systems embedded in FDA-regulated biomedical devices are a “huge problem” – present vulnerabilities not easily addressed by “enterprise” security practices
  – Often managed by vendors
  – Cannot be modified – no OS updates, anti-viral software
  – Cell phones are rapidly entering this category
• “Least critical” systems often are those that are compromised and set up as a backdoor for hackers to access more important systems


Cybersecurity

• Security awareness among healthcare organizations is low, and many organizations are not complying with HIPAA! HIMSS 2009 Survey found:
  – Fewer than half (47%) conduct annual risk assessments
  – 58% have no security personnel
  – 50% reported information security spending ≤3%
• Need to continually monitor and measure effectiveness of security policies and mechanisms
  – Use “evidence-based” security policies and practices
  – Today’s security is plagued with dogma – password rules are antiquated, PC security may not matter, file encryption ineffective


Data Theft, Loss, and Misuse

• Portable devices and wireless access present major vulnerabilities
• Web 2.0 social technologies and cloud computing present new avenues for data loss
• Audit logs from vendor systems may be insufficient to detect misuse of information
• Role-based security is important – but roles vary across institutions, so creating common policy and standards would be challenging


Building Trust

• Security and privacy are foundational to EHR adoption
• Health care data are increasingly a target
• Security plays major role in protecting patient safety
  – Data integrity protection to help ensure accuracy of patient records
  – Protection of safety-critical information (e.g., clinical guidelines)
• Need baseline policies and standards for:
  – Authorization
  – Authentication – identity proofing and authentication are foundational since all other security protection depends upon
  – Access Control
  – Audit trail – use statistical profiling
