Framing Identity Management Recommendations
Transport & Security Standards Workgroup
November 19, 2014
November 19, 2014 Agenda
3:00 p.m. Call to Order/Roll Call
  – Michelle Consolazio, Office of the National Coordinator
Meeting Objective: Identity Management (IDM) Recommendations
3:05 p.m. Frame IDM Recommendations & Recap of Relevant TSSWG Presentations
  – Dixie Baker, Chair
  – Lisa Gallagher, Co-Chair
3:45 p.m. Good Recommendations
  – Dixie Baker, Chair
  – Lisa Gallagher, Co-Chair
3:55 p.m. Recommendations for Discussion
4:20 p.m. Discussion of Next Steps
4:25 p.m. Public Comment
4:30 p.m. Adjourn
Office of the National Coordinator for Health Information Technology
FRAMING IDM RECOMMENDATIONS
Dixie Baker, Chair and Lisa Gallagher, Co-Chair
Frame IDM Recommendations
HIT Policy Committee (HITPC) Privacy and Security Tiger Team (PSTT) Recommendations for Provider Authentication (Sept 2012)
• Move toward multifactor authentication (NIST level of assurance (LOA) 3) for remote access of protected health information (PHI)
• Continue to identity proof providers in compliance with HIPAA
• Continue to be informed by the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative
Frame IDM Recommendations
HITPC Privacy and Security Tiger Team (PSTT) Recommendations for Patient/Consumer (2013)
• Define best practices for patient/consumer identity proofing and authentication for accessing patient portals
• Define best practices for enabling view, download, and transmit functions initiated by either the patient or his/her representative
• Engage with NSTIC initiative to help align direction in consumer identity-proofing, authentication, and the use of third-party credentials with the needs of the healthcare industry
Recap of Relevant TSSWG Presentations
• OpenID Connect (authentication)
• OAuth 2.0 (authorization)
  – Related profiles: BB+ and User Managed Access
• Trustmarks
• NIST IDM work
Good Recommendations
• Recommends an ONC action
• Offers guidance on what is needed, for example:
  – Regulation/Certification?
  – FAQ/Guidance?
  – Pilots?
  – Coordination? (with federal partners, industry, etc.)
  – Others?
• Align with the draft interoperability roadmap (10/15 joint meeting)
Recommendations for Discussion
• Multifactor authentication for access to protected health information (PHI)
• Support NIST effort to revamp NIST Special Publication 800-63
  – Closely follow move from LOA to componentized trust
  – Recommend appropriate identity-proofing for query-based access
• Consider Data Segmentation for Privacy (DS4P) for authorizing access to behavioral data (later on work plan)
• Track development and piloting of User Managed Access (UMA) profile of OAuth 2.0 as potential standard for consumer consent
WH Executive Order (multifactor authentication): http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions