HIT Policy Committee Privacy and Security Tiger Team

Deven McGraw, Chair

Paul Egerman, Co-Chair

Certificate Authority - Provider Authentication Recommendations

June 8, 2011


Tiger Team Members
  • Deven McGraw, Chair, Center for Democracy & Technology
  • Paul Egerman, Co-Chair
  • Dixie Baker, SAIC
  • Christine Bechtel, National Partnership for Women & Families
  • Rachel Block, NYS Department of Health
  • Neil Calman, Institute for Family Health
  • Carol Diamond, Markle Foundation
  • Judy Faulkner, EPIC Systems Corp.
  • Leslie Francis, University of Utah; NCVHS
  • Gayle Harrell, Consumer Representative/Florida
  • John Houston, University of Pittsburgh Medical Center
  • David Lansky, Pacific Business Group on Health
  • David McCallie, Cerner Corp.
  • Wes Rishel, Gartner
  • Latanya Sweeney, Carnegie Mellon University
  • Micky Tripathi, Massachusetts eHealth Collaborative
  • Deborah Lafky, ONC
  • Joy Pritts, ONC
  • Judy Sparrow, ONC


  • On the Internet, the identity of an entity is authenticated using a digital certificate
    • Contains information about the entity
    • Contains a public (freely published) key which, used together with its paired private key (retained by the entity), authenticates the identity of the certificate holder
  • The organization that issues certificates is called a Certificate Authority (“CA”).


Previous Recommendation—Nov. 19, 2010

  • Recommended certificates at the entity level only, not at the individual level
  • Recommended a high level of assurance
  • Recommended ONC accreditation of Certificate Authorities—we were asked to review this aspect


Alternatives Considered
  • CAs must operate under the supervision of some accreditation body recognized by the Office of the National Coordinator (ONC)
  • CAs must conform to the CA best practices of WebTrust and/or European Telecommunications Standards Institute (ETSI)
  • CAs must be cross-certified with the Federal Bridge Certificate Authority (“FBCA”) (either directly or chained up to the FBCA)
Exchange Functionality Considerations
  • Almost every healthcare organization will at some point need to exchange health information with a federal health agency (e.g., VA, MHS, CMS, IHS)
  • Under FISMA and the federal CIO Council, a federal agency is highly unlikely to accept a certificate that was not issued by a CA cross-certified with the FBCA
  • None of the agencies questioned said they would accept a certificate issued by a CA that is not cross-certified with the FBCA
    • For example, VA requires that certificates used in Direct pilots be cross-certified
  • Federal Public Key Infrastructure Policy has established a Citizen and Commerce Class Common Certificate Authority (C4CA) that is cross-certified with the FBCA for the purpose of federal-private exchanges
Security Considerations

  • A high level of assurance is needed
  • Validation of the entity’s identity is necessary before the certificate is issued to the entity
  • The Tiger Team rejected the second alternative (WebTrust or ETSI) because it does not include entity validation


Implementation Considerations

  • Competitive environment
  • Technical requirements on entities without an IT department (e.g., small group practices, rural and small hospitals)

1. Certificates required for exchange under the NwHIN brand should be issued consistent with the following principles:
  • A high level of assurance with respect to organization/entity identity needs to be obtained.
  • The certificate should be acceptable to federal agencies, given the frequent need for providers to exchange health information with the federal health architecture.
  • Multiple competitive sources for digital certificates should be available, in order to ensure that small or less resourced provider entities are able to obtain and use digital certificates.
2. All certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a Certificate Authority (or one of its authorized resellers) that is a member of the Federal PKI framework.
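The entity-level certificate model from the digital certificate slide and the cross-certification requirement in recommendation 2 can be exercised in code. The Go program below is an added example written for this page, not material from the Tiger Team or the Federal PKI: it constructs a stand-in bridge root, a provider CA with its own self-signed root, a bridge-issued cross-certificate over that CA's key, and one entity certificate, then checks whether a relying party that trusts only the bridge can build a chain with and without the cross-certificate. Every name and key is constructed; the real FBCA and C4CA are not involved.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a certificate for cn over key (a fresh key if nil); parent == nil makes it self-signed.
func issue(cn string, isCA bool, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	if key == nil {
		_, key, _ = ed25519.GenerateKey(rand.Reader)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // demo serial only
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed trust anchor
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// chainsToBridge is the relying party's check: trusting only the bridge root, does leaf chain up to it?
func chainsToBridge(leaf, bridge *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(bridge)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
func scenario() (withCross, withoutCross bool) {
	bridge, bridgeKey := issue("Federal Bridge CA (constructed)", true, nil, nil, nil)
	providerRoot, providerKey := issue("Provider CA (constructed)", true, nil, nil, nil)
	// Cross-certificate: the bridge certifies the provider CA's existing key, not a new one.
	cross, _ := issue("Provider CA (constructed)", true, providerKey, bridge, bridgeKey)
	entity, _ := issue("Clinic Gateway (constructed)", false, nil, providerRoot, providerKey)
	return chainsToBridge(entity, bridge, providerRoot, cross), chainsToBridge(entity, bridge, providerRoot)
}
```

The same entity certificate verifies only when the cross-certificate is available to the chain builder, which is why a federal relying party that trusts only the bridge cannot accept a certificate from a CA that is not cross-certified.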


Some Direct Stakeholder Concerns

  • Concern that there might be important operational issues that have not yet been discovered.
  • The recommendation may adversely affect the deployment of the Direct Project.


Recommendation adjusted in response

The HIT Policy Committee will revisit (or ask the HIT Standards Committee to revisit) this recommendation if the S&I Framework process to further investigate the costs and implementation burdens of requiring cross-certification to the Federal Bridge reveals new facts that call into question the conclusion that it is financially and operationally feasible for small or less resourced provider entities to obtain certificates pursuant to this recommendation.