HIT Policy Committee Privacy and Security Tiger Team

HIT Policy Committee Privacy and Security Tiger Team. Deven McGraw, Chair; Paul Egerman, Co-Chair. Certificate Authority - Provider Authentication Recommendations. June 8, 2011.

Page 1: HIT Policy Committee Privacy and Security Tiger Team

HIT Policy Committee Privacy and Security Tiger Team

Deven McGraw, Chair

Paul Egerman, Co-Chair

Certificate Authority - Provider Authentication Recommendations

June 8, 2011


Tiger Team Members

• Deven McGraw, Chair, Center for Democracy & Technology
• Paul Egerman, Co-Chair
• Dixie Baker, SAIC
• Christine Bechtel, National Partnership for Women & Families
• Rachel Block, NYS Department of Health
• Neil Calman, Institute for Family Health
• Carol Diamond, Markle Foundation
• Judy Faulkner, EPIC Systems Corp.
• Leslie Francis, University of Utah; NCVHS
• Gayle Harrell, Consumer Representative/Florida
• John Houston, University of Pittsburgh Medical Center
• David Lansky, Pacific Business Group on Health
• David McCallie, Cerner Corp.
• Wes Rishel, Gartner
• Latanya Sweeney, Carnegie Mellon University
• Micky Tripathi, Massachusetts eHealth Collaborative

• Deborah Lafky, ONC
• Joy Pritts, ONC
• Judy Sparrow, ONC


Definitions

• On the Internet, the identity of an entity is authenticated using a digital certificate
  – Contains information about the entity
  – Contains a public (freely published) encryption key that, when used in combination with its paired private key (retained by the entity), can be used to authenticate the identity of the certificate holder

• The organization that assigns certificates is called a Certificate Authority (“CA”).


Authentication Environment


Previous Recommendation—Nov. 19, 2010

• Recommended certificates at the entity level only, not at the individual level

• Recommended High Level of Assurance

• Recommended ONC Accreditation of Certificate Authorities—We were asked to review this aspect


Alternatives Considered

• CAs must operate under the supervision of some accreditation body recognized by the Office of the National Coordinator (ONC)

• CAs must conform to the CA best practices of WebTrust and/or European Telecommunications Standards Institute (ETSI)

• CAs must be cross-certified with the Federal Bridge Certificate Authority (“FBCA”) (either directly or chained up to the FBCA)


Exchange Functionality Considerations

• Almost every healthcare organization will at some point need to exchange health information with a federal health agency (e.g., VA, MHS, CMS, IHS)

• Under FISMA and CIO Council of federal agencies, a federal agency is highly unlikely to accept a certificate that was not issued by a CA cross-certified with the FBCA

• None of the agencies questioned said they would accept a certificate issued by a CA that is not cross-certified with the FBCA
  – For example, VA requires that certificates used in Direct pilots be cross-certified

• Federal Public Key Infrastructure Policy has established a Citizen and Commerce Class Common Certificate Authority (C4CA) that is cross-certified with the FBCA for the purpose of federal-private exchanges


Security Considerations

• High Level of Assurance is needed

• Validation of the entity’s identity is necessary prior to issuing the certificate to the entity

• Tiger Team rejected the second alternative (WebTrust or ETSI) because it does not include entity validation


Implementation Considerations

• Costs

• Competitive Environment

• Technical requirements on entities without an IT department (e.g., small group practices, rural and small hospitals)


Recommendations

1. Certificates required for exchange under the NwHIN brand should be issued consistent with the following principles:

• A high level of assurance with respect to organization/entity identity needs to be obtained.

• The certificate should be acceptable to federal agencies, given the frequent need for providers to exchange health information with the federal health architecture.

• Multiple competitive sources for digital certificates should be available, in order to ensure that small or less resourced provider entities are able to obtain and use digital certificates.

2. All certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a Certificate Authority (or one of its authorized resellers) that is a member of the Federal PKI framework.


Some Direct Stakeholder Concerns

• Concerns that there might exist important operational issues that have not yet been discovered.

• Recommendation may adversely affect the deployment of the Direct Project.


Recommendation adjusted in response

The HIT Policy Committee will revisit (or ask the HIT Standards Committee to revisit) this recommendation if the S&I Framework process to further investigate the costs and implementation burdens of requiring cross-certification to the Federal Bridge reveals new facts that call into question the conclusion that it is financially and operationally feasible for small or less resourced provider entities to obtain certificates pursuant to this recommendation.
