Framing Identity Management Recommendations Transport & Security Standards Workgroup November 19, 2014


Page 1: Framing Identity Management Recommendations Transport & Security Standards Workgroup November 19, 2014

Framing Identity Management Recommendations

Transport & Security Standards Workgroup

November 19, 2014

Page 2: November 19, 2014 Agenda

3:00 p.m. Call to Order/Roll Call— Michelle Consolazio, Office of the National Coordinator

Meeting Objective: Identity Management (IDM) Recommendations

3:05 p.m. Frame IDM Recommendations & Recap of Relevant TSSWG Presentations— Dixie Baker, Chair— Lisa Gallagher, Co-Chair

3:45 p.m. Good Recommendations— Dixie Baker, Chair— Lisa Gallagher, Co-Chair

3:55 p.m. Recommendations for Discussion

4:20 p.m. Discussion of Next Steps

4:25 p.m. Public Comment

4:30 p.m. Adjourn

Page 3: Framing IDM Recommendations

Dixie Baker, Chair and Lisa Gallagher, Co-Chair
Office of the National Coordinator for Health Information Technology

Page 4: Frame IDM Recommendations

HIT Policy Committee (HITPC) Privacy and Security Tiger Team (PSTT) Recommendations for Provider Authentication (Sept 2012)

• Move toward multifactor authentication (NIST level of assurance (LOA) 3) for remote access of protected health information (PHI)

• Continue to identity proof providers in compliance with HIPAA

• Continue to be informed by the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative

Page 5: Frame IDM Recommendations

HITPC Privacy and Security Tiger Team (PSTT) Recommendations for Patient/Consumer (2013)

• Define best practices for patient/consumer identity proofing and authentication for accessing patient portals

• Define best practices for enabling view, download, and transmit functions initiated by either the patient or his/her representative

• Engage with the NSTIC initiative to help align direction in consumer identity proofing, authentication, and the use of third-party credentials with the needs of the healthcare industry

Page 6: Recap of Relevant TSSWG Presentations

• OpenID Connect (authentication)

• OAuth 2.0 (authorization)
– Related profiles: BB+ and User Managed Access

• Trustmarks

• NIST IDM work

Page 7: Good Recommendations

• Recommends an ONC action

• Offers guidance on what is needed, for example:
– Regulation/Certification?
– FAQ/Guidance?
– Pilots?
– Coordination? (with federal partners, industry, etc.)
– Others?

• Align with the draft interoperability roadmap (10/15 joint meeting)

Page 8: Recommendations for Discussion

• Multifactor authentication for access to protected health information (PHI)

• Support NIST effort to revamp NIST Special Publication 800-63
– Closely follow move from LOA to componentized trust
– Recommend appropriate identity proofing for query-based access

• Consider Data Segmentation for Privacy (DS4P) for authorizing access to behavioral data (later on work plan)

• Track development and piloting of User Managed Access (UMA) profile of OAuth 2.0 as potential standard for consumer consent

WH Executive Order (multifactor authentication): http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions