POP Track – August 14, 2012 Directory and Trust Services Policy and Operating Procedures (POP)
Topics for Today’s call • Policy Log/Policy Statements Updates • Identity Management • Directory Attributes & Data • Identity Management Discussion • Data Attributes & Data • Audit Policy Discussion / Starting Point • What are the requirements for auditing? • Next Steps…
Identity (IdM)Management • Purpose: DT&S requires a secure and reliable method of identifying members of its community for access to electronic data resources that handle protected health information (PHI). This requires collecting and maintaining identifying attributes, ensuring that electronic identities match the appropriate person, and mechanisms to authenticate and authorize use of those identities. • Discussion Points: • Unique identifier for each LDS • Role of IdM Coordinator – who certifies? • Information Assurance Profile Standard – categories • Service Provider Standard – some technical considerations here
Directory Attributes & Data • Purpose: Identify and define the minimum set of data elements and attributes needed to affect the secure exchange of health care information treatment purposes between trusted endpoints (which may be a serial set of attributes derived from the provider(s), entity and\or system in question. • Discussion Points: (See attached document) • Minimum Necessary for Discovery: The requirement is to provide sufficient information for a user to decide on whether to establish exchange with another user in the directory. • Minimum Necessary to Enable Exchange: The requirement is to identify what is the minimum needed to enable exchange (i.e., establish connection, routing) Note: These have been compared with comments on S&I Query spreadsheet but someone needs to take action item to flesh this out
Auditing • What are the expectations for use? • Accounting for identity management • Track access (LDS logs access event) SDS • Track authorization (SDS logs that LDS request passed to external entity) • Validation of executed queries • Minimize asset vulnerabilities • Capture privacy/security violations (i.e., data breach) • Correlate with across events • Determine who had access to what information when the seminal event occurred
Next steps? • Need volunteers to draft/finalize at drafting Policy Log entries for the five prioritized Policy items discussed • Acceptable Use/Permitted Uses • Identity Management/Authorized Users • Directory Attributes and Data • Query Management • Auditing • What elements are critical to further frame each Policy item? • Purpose • Scope • Statement • Reference • Other suggestions at this point? Thank you!