Interagency Advisory Board Meeting Agenda, Wednesday, December 5, 2012 1. Opening Remarks 2. The State Identity Credential and Access Management Guidance and Roadmap (SICAM) (Chad Grant, NASCIO) 3. PIV and PIV-I Use in Health IT Relying Party Systems (Mike Magrath, Gemalto) 4. Briefing on Draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices (Andy Regenscheid, NIST) 5. Cloud-Sourcing Public Key Enablement (Steve Howard, Certipath) 6. Closing Remarks


Interagency Advisory Board Meeting Agenda, Wednesday, December 5, 2012

1.  Opening Remarks

2.  The State Identity Credential and Access Management Guidance and Roadmap (SICAM) (Chad Grant, NASCIO)

3. PIV and PIV-I Use in Health IT Relying Party Systems (Mike Magrath, Gemalto)

4. Briefing on Draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices (Andy Regenscheid, NIST)

5.  Cloud-Sourcing Public Key Enablement (Steve Howard, Certipath)

6.  Closing Remarks


PIV-I in the U.S. Healthcare Market

Michael Magrath, CSCIP
Director, Business Development - Government & Healthcare
Gemalto

Chair – Smart Card Alliance’s Healthcare Council

IAB Meeting December 5, 2012


Gemalto The Leader in Digital Security

It is most likely you have one or more of our products in your possession right now

• The SIM card in your mobile phone
• The bank cards in your wallet or purse (Mag stripe or chip based)
• Your US Passport
• If you are a federal employee – your CAC or PIV card


Agenda – Identity Initiatives Impacting Healthcare

[Diagram labels: Identity Mgt & Authentication; NwHIN; NSTIC; FRAC; Fraud Waste & Abuse; Electronic Prescriptions; PHRs; eGov; myhealthevet; ssa.gov; mymedicare.gov]


Key points

• The US healthcare market is quite fragmented.
• It is very inefficient and is riddled with fraud estimated at over $100 billion annually.
• Large investment in migration from paper records to electronic records
• Migration from handwritten prescriptions to electronic
• The federal government remains technology neutral and is determined to let the market decide when it comes to technological solutions. The government is leery of moving forward with a specific technology only to have it obsolete in a matter of years.


The Highway for Health Information Exchange

• NwHIN is a Network of Networks
• Each network can include multiple organizations and partners with different roles and authorities
• Data exchange can include more than one exchange intermediary
• NwHIN data exchange may be between organizations in a region or between different regions or states
• Trust in Question


HHS Advisory Committees formed via ARRA 2009

• Health IT Policy Committee will make recommendations to the National Coordinator for Health IT on a policy framework for the development and adoption of a nationwide health information infrastructure, including standards for the exchange of patient medical information.
• Health IT Standards Committee is charged with making recommendations to the National Coordinator for Health IT on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information.


“Meaningful Use”

The HITECH portion of the American Recovery and Reinvestment Act (ARRA) of 2009 specifically mandated that incentives should be given to Medicare and Medicaid providers not for EHR adoption but for “meaningful use” of EHRs.

• Stage 1 – Effective Jan. 2012
• Stage 2 – Effective Jan 2014
• Stage 3 – RFC issued by HIT Policy Committee due 1/14/13
  – HITPC recommended that EHRs should be able to accept two factor (or higher) authentication for provider users to remotely access protected health information (PHI).
  – NIST LoA 3 is being recommended. No mention of LoA 4 thus far


DEA’s Interim Final Rule for ePrescribing controlled substances

• Published in The Federal Register, March 31, 2010
  – Two of three factors must be used: a biometric, a knowledge factor (e.g., password), or a hard token
  – The rule does not require the use of a specific form of biometric technology. DEA is establishing standards for biometric systems in conjunction with NIST.
  – DEA has revised this rule to allow the use of a hard token that is separate from the computer being accessed and that meets FIPS 140-2 Security Level 1 security or higher.
    – Proximity cards that are smart cards with cryptographic modules could serve as hard tokens.
  – DEA believes that NIST 800-63-1 Assurance Level 3 as described will meet its security concerns.


NSTIC’s Identity Ecosystem

• Carving niche for high assurance credentials
• Healthcare Committee formed
• Advocating for NIST LoA 3 and LoA 4 credentials in ecosystem
• No grant pilots included smart card technology
• PIV / PIV-I in mobile devices will help in future


First Responder Authentication Credential

• 800,000 doctors
• 3 million nurses
• 210,000 EMTs
• A multipurpose electronic identity credential


Patient Identity Assurance Reducing Fraud & Medical Identity Theft

Is she whom she claims to be? Identity of Patients in Cyberspace Hearing for the HIT Privacy & Security Tiger Team and Privacy & Security Workgroup, 11/29/12


Medicare, Medicaid & CHIP


A Relying Party

"We want to be a relying party. We don't want to be a credential provider for the government." … Federated identity management is the end goal, "where we can accept the level 3 credential, or a level 4 credential, or even a level 2 credential from whoever, federate that and utilize it so a provider will not have to get multiple credentials."

- Tony Trenkle, CMS’ CIO, 10/18/2012

• CMS is working closely with the NSTIC NPO and HHS
• CMS provides 4 million national provider IDs for the various entities that do business with CMS, he said. It also has 175 applications currently using seven different access management systems. And with the forthcoming health insurance exchange, CMS could eventually be handling access and credentials for 30 to 50 million users


Beneficiaries under Centers for Medicare & Medicaid Services

• 91 Million Beneficiaries (Medicare, Medicaid, CHIP) (FY 2010).
  – Medicare = 48 M
  – Medicaid = 35 M
  – Children's Health Insurance Program (CHIP) = 8 M
• 240,000 beneficiaries are added every month
• ACA will add 30 million more individuals to Medicaid bringing the number close to 121M.
• About half the 30 million people gaining coverage under the ACA would do so through Medicaid. Most of the new beneficiaries would be childless adults
  – 2.7 million would be parents with children at home.
  – The federal government would pay the full cost of the first three years of the expansion, gradually phasing down to a 90 percent share.


Medicare Common Access Card Act of 2011

• Bipartisan legislation (S. 1551 & H.R. 2925)
• Would establish a pilot program to develop a secure Medicare card using smart card technology to protect seniors' personal information, prevent fraud and speed payment to doctors and hospitals.
• Removes SSN from front of card and stores it on the chip, allowing CMS to continue using the SSN as the claim number
• AARP, 60 Plus, American College of Physician Executives, and American Academy of Orthopedic Surgeons endorse legislation.
• Funded by transferring funds from the Medicare Improvement Fund (MIF), which makes funds available to HHS for the purpose of making improvements under the Medicare Parts A & B programs, including program integrity improvements.
• www.upgradethecard.org


Medicare Common Access Card Act of 2011

[Figure not preserved; surviving label: PIN]

www.upgradethecard.org


Medicare CAC - Current Status

• At the request of Senator Kirk, the Smart Card Alliance commissioned a 3rd party to audit the industry’s estimated cost for the program
• Co-signers in the House and Senate.
• June 2012 - Members of the Senate Finance Committee solicited ideas from interested stakeholders in the health care community regarding effective solutions to improve federal efforts to combat waste, fraud, and abuse in the Medicare and Medicaid programs.
• Nov 15 - Frank Abagnale, world-renowned document security and fraud prevention expert – as well as the subject of the movie Catch Me If You Can, based on his earlier life as a professional forger – testified before a Senate Committee on Aging hearing entitled “America’s Invisible Epidemic: Preventing Elder Financial Abuse.” In advising Congress on how to best protect seniors against identity theft and fraud, Abagnale strongly urged Congress to create an upgraded Medicare smart card as described in The Medicare Common Access Card (CAC) Act, S.1551.
• Nov 28 – The House Energy and Commerce Subcommittee on Health held a hearing on Medicare Fraud Waste and Abuse. Medicare CAC was discussed. On behalf of the Secure ID Coalition, Gemalto’s Neville Pattinson testified.
• 113th Congress begins January. New bills to be introduced.


Identity Initiatives Impacting Healthcare

[Diagram labels: NwHIN; NSTIC; FRAC; Fraud Waste & Abuse; Electronic Prescriptions; PHRs (CIV); eGov; myhealthevet; ssa.gov; mymedicare.gov]


Utopia - Healthcare Identity Management

[Diagram labels: PIV; PIV-I; Commercial Identity Verification (CIV)]


Benefits of Smart Cards to Improve Provider and Payer processes

• Quickly and accurately identifying patients, reducing medical identity theft and improving quality of care.
• Streamlining patient registration and patient information access at any points of care, reducing routine paperwork and eliminating errors.
• Supporting audit logging and remote access accountability.
• Enabling secure access to healthcare websites.
• Storing all necessary applications and information on the card, enabling offline access to critical healthcare information using portable readers.
• Additional information on the use of smart cards for healthcare applications can be found on the Smart Card Alliance web site, http://www.smartcardalliance.org/pages/smart-cards-applications-healthcare-identity


Smart Card Centered Healthcare


Thank You

Michael Magrath
Director, Business Development
4401 Wilson Blvd., Suite 210
Arlington, VA 22203

Office: 512-758-8911
Cell: 703-944-1090

http://twitter.com/healthITidmgt

www.gemalto.com & www.justaskgemalto.com