HIT Policy Committee Privacy and Security Tiger Team
Certificate Authority - Provider Authentication Recommendations
June 8, 2011
Tiger Team Members
Deven McGraw, Chair, Center for Democracy & Technology
Paul Egerman, Co-Chair
Recommended certificates at the entity level only, not at the individual level
Recommended High Level of Assurance
Recommended ONC Accreditation of Certificate Authorities—We were asked to review this aspect
High Level of Assurance is needed
Validation of the entity’s identity is necessary prior to issuing the certificate to the entity
Tiger Team rejected second alternative (WebTrust or ETSI) because it does not include entity validation
Technical requirements on entities without an IT department (e.g., small group practices, rural and small hospitals)
1. Certificates required for exchange under the NwHIN brand should be issued consistent with the following principles:
A high level of assurance with respect to organization/entity identity needs to be obtained.
The certificate should be acceptable to federal agencies, given the frequent need for providers to exchange health information with the federal health architecture.
Multiple competitive sources for digital certificates should be available, in order to ensure that small or less resourced provider entities are able to obtain and use digital certificates.
2. All certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a Certificate Authority (or one of its authorized resellers) that is a member of the Federal PKI framework.
Concern that important operational issues may exist that have not yet been discovered.
Recommendation may adversely affect the deployment of The Direct Project.
The HIT Policy Committee will revisit (or ask the HIT Standards Committee to revisit) this recommendation if the S&I Framework process to further investigate the costs and implementation burdens of requiring cross-certification to the Federal Bridge reveals new facts that call into question the conclusion that it is financially and operationally feasible for small or less resourced provider entities to obtain certificates pursuant to this recommendation.