
Security Interoperability Pilot (fwd)



Might be a nice way to integrate HRAC into current "mainstream" Healthcare
Informatic efforts.  Let me know if you think this would be a good idea
and I'll facilitate introducing HRAC to WEDI and the other participants.

FYI,
Mary

----------------------------------------------------------------- 
Mary E. Kratz 
University of Michigan Health System 
Medical Center Information Technology - Special Projects Division 
4251 Plymouth Road, Suite 3300 Ann Arbor, MI 48105-2785 
mkratz@umich.edu
v:(734)763-6871 f:(734)998-6806


---------- Forwarded message ----------
Date: Wed, 25 Nov 1998 15:26:31 -0600
From: kepa.zubeldia@envoy-neic.com
To: dan.proctor@passporthealth.com, moertel.david@mayo.edu,
    e-authentication@secstate.wa.gov, ed@officemed.com,
    Gcarruth@phxl.bcbsaz.com, john.fraser@mhdi.org, DigSig@state.ut.us,
    Larry.Watkins@per-se.com, phardin@actamed.com, AFEHCT@aol.com,
    bkillian@uhin.com, JParmigiani@hcfa.gov, pthaler@actamed.com,
    Schups@aol.com, mkratz@umich.edu, llorton@hostnet.org,
    Kepa.Zubeldia@envoy-neic.com, robert.poiesz@highmark.com,
    beatty.gary@mayo.edu, bob@pdxinc.com, DSCHINDE@corp.stjoe.org,
    jim.klein@eds.com, rcowling@swbell.net, margaret.weiker@eds.com,
    bruce_horn@AICI.COM, DaveZimmerman@mede.com, Deanna.Hanks@medaphis.com,
    Don.Bechtel@HDX.com, Gordon_Romney@arcanvs.com
Subject: Security Interoperability Pilot

The WEDI (http://www.wedi.org/) annual meeting ended last Thursday.  The 
main topic of the meeting was the implementation of the Administrative 
provisions of HIPAA, including security, that are due in the next two 
years.  Take a look at WEDI's web site for copies of the presentations in 
the next few days.

One of the highlights of the meeting was the presentation by John 
Parmigiani of HCFA of the upcoming HCFA Internet Use Policy.  This new 
policy, still in Draft (attached) should be released in the next week or 
so.  The significance is that it reverses a long standing HCFA policy that 
forbids the use of the Internet.  With the new policy we will be able to 
use the Internet as long as certain security measures are taken.  Also, the 
new HCFA policy will be in compliance with the security NPRM of HIPAA and HCFA 
will make whatever changes are necessary to be in compliance with the final 
rules once the final rules are published.

While the security and digital signature provisions of HIPAA apply to the 
entire industry, the HCFA Internet Use Policy applies to all HCFA Privacy 
Act-protected and other sensitive HCFA data being sent over the Internet, 
regardless of the end points (nodes) of the paths.  In spite of only being a 
HCFA policy and not a HIPAA policy, it will certainly become a model for the 
entire industry as far as encryption and authentication/identification are 
concerned.

Both the HCFA Internet Use Policy and the HIPAA proposed rules are 
technology independent and leave it up to the industry to determine what is 
the way we will implement the requirements.  While it is great to have this 
flexibility, we must also be aware of the potential interoperability 
problems that could arise with this rapidly changing technology.

For this reason, we are proposing an interoperability pilot to be run in 
the next few months, to see if we, as an industry, can reach a consensus on 
how we will address this particular challenge.  If we cannot reach an 
industry consensus, we will have to gear up for a multitude of encryption 
and authentication solutions.

There are currently several efforts attempting to build industry consensus 
on different aspects of the HIPAA security rules.  For example, the effort 
under HOST to define security policies and Protection Profiles which are 
the basis for the application of security to specific situations.  The 
EHNAC is working on a voluntary security accreditation program.  Also, 
AFEHCT will be preparing a HIPAA Security Compliance Kit to assist small 
providers in their security compliance efforts.

The pilot proposed during the WEDI meeting, in conjunction with AFEHCT and 
HCFA, is to develop an industry consensus on the practical use of 
encryption and digital signatures to satisfy the requirements of both the 
HCFA policy and the HIPAA rules.

My initial thoughts are that it should involve the participation of several 
Payers, PMS Vendors, Clearinghouses, and Providers.  These participants 
should independently implement the encryption agreed for the pilot.  The 
agreed encryption (and possibly digital signatures for data integrity) 
should be based or aligned with one of the protection profiles defined by 
the efforts under HOST.  AFEHCT will participate by providing the technical 
coordination of the pilot.  It is envisioned that the pilot, once finalized, will
have established parameters that ensure test boundaries in accordance with 
HCFA's Internet policy.

All the participants at the WEDI meeting responded very favorably to this 
challenge, as we all realize that not having consensus in this matter will 
be very expensive for the entire industry.  Some of the comments centered 
on the importance to keep it an open process and open technology, and also 
to solicit the participation of the different State regulators, so whatever 
the industry adopts is also in compliance with the different Digital 
Signature and Electronic Commerce Acts that have been passed at the state 
level.

In principle we are targeting the first meeting in Washington DC December 
15 or 16, piggy-backing at the end of the AFEHCT meeting.  Same hotel, etc.  
See the info at http://www.afehct.org/ for meeting logistics.  We have not 
yet determined whether it will be Tuesday afternoon or running into 
Wednesday.  I will be sending another email with these details.

Right now the thoughts are leaning towards a relatively short pilot, with 
two phases, maybe 3-4 months each, starting around the first of the year.  
There should be several teams (Payer, vendor, provider, clearinghouse) that 
independently proceed to implement the agreed solution, and a second phase 
to test the interoperability of the independent implementations.  At the 
end of this we should have an agreed solution that would work for all 
players.

The meeting in DC should have two parts.  A first part of proposed 
technologies and solutions, and a second part of moderated discussion to 
see if we can agree on one or more solutions.  The reason why I say one or 
more is because we may need a solution for batch and another solution for 
real-time transactions.  Also, we may want to look at parameters to be used with
web-browser (SSL/TLS) solutions, as this is a common environment today. Ideally 
one solution for everything would be best, but I doubt that is possible.  It 
will be great if we agree on only one for batch and another for real time, but I
am not holding my breath on that either.

Over the next few days I will be putting together a mailing list.  If you 
think of someone that should be in it, let me know.  Then I will be working 
with the security group at AFEHCT and HCFA, and other volunteers, to put 
together the agenda, and identify the resources we need.  In about one week 
you should be receiving another email from me with the details.

One thing I am looking for at this time are candidate technologies and 
products, and people willing to make a presentation on them with 
understanding of the healthcare environment, so we can make the meeting as 
efficient as possible.

This is a totally practical, pragmatic, hands-on pilot.  The purpose is to 
try to reach a consensus on how we are going to use encryption and digital 
signatures and authentication/identification in healthcare.  The issues 
concerning the very important matters of policies and procedures and 
protection profiles will be addressed in other forums (i.e. HOST).  So, I 
am looking for skilled technical people that can actually take charge of 
implementing this technology within their corporation.  Before coming to 
the meeting, these people should be informed in the technology options, 
what will work for them and what will not work, and bring a level of 
corporate support to endorse and carry out the pilot, and the resulting 
outcome.

Finally, I would like to stress the importance of formulating a strong 
evaluation plan that not only examines all aspects of interoperability but also 
feasibility considerations for implementation across the industry.

By now you should have an idea of what we are trying to do and what the 
focus is.  At this time it is best not to have too much structure and wait 
for the first meeting to define the rest.  So, here is your invitation to 
participate.  Interested?  Drop me a line.  Not interested?  Let me know 
and I will remove you from this list.

Kepa Zubeldia
ENVOY Corporation

