Wednesday, December 10, 2014

The December HIT Standards Committee

The December HIT Standards Committee included a review of the draft Federal Health IT Strategic Plan , recommendations about identity management from the Transport and Security Workgroup, an overview of the Prescription Drug Monitoring Program, and a discussion of upcoming task force work as we all prepare for the publication of the ONC interoperability roadmap and the Meaningful Use Stage 3 Notice of Proposed Rulemaking.

The meeting began with an introduction from Jon White, the new Acting Deputy National Coordinator.   We all know Jon from his leadership of IT initiatives at AHRQ.   He brings new energy and insight to ONC.   A great choice.

I summarized the agenda for the day but also told the group about the Argonaut Project, to clear up any misunderstanding.   The leadership of HL7 wanted to be responsive to work of the JASON task force and ensure HL7 had the necessary standards/implementation guides to support the emerging demand for query/response interoperability.    HL7 needed some additional funding to produce the deliverables by mid-2015.   A cross section of stakeholders passed the hat to provide HL7 extra funding.   Since we’re helping to accelerate JASON deliverables, we thought that those supporting HL7’s work could call themselves the Argonauts.

The Argonaut goal, which is complementary to other projects already in progress like the S&I Framework Data Access Framework (DAF) effort and the Healthcare Services Platform Consortium (HSPC) , is to create two profiles

1.  One which enables query/response of the discrete data elements in the Meaningful Use Stage 2 Common Data Set from an endpoint
2.  One which enables query/response of unstructured data  from an endpoint

using RESTful transport, and OAuth2 enforced authentication between the querier and the responder.

These initial deliverables are a subset of DAF and a subset of HSPC goals, scoped for May 2015 delivery.

Seth Pazinski and Gretchen Wyatt presented the draft Federal Health IT Strategic Plan which has 5 goals, 14 objectives and summarizes the input of 35 federal agencies.  It is well aligned with the triple aim and includes increased collection, sharing, and use of healthcare data.   The next step is for ONC to name two Standards Committee liaisons to the Health IT Policy Committee Strategy and Innovation workgroup, which is charged with providing comments on the plan.

Dixie Baker and Lisa Gallagher presented the identity management recommendations of the Transport and Security Workgroup, which can be summarized as

1. To strengthen the authentication currently certified in EHR technology
a. Continuously protect the integrity and confidentiality of information used to
authenticate users, using the standard specified in §170.210(a)(1) of the 2014
Edition EHR Standards, Implementation Specifications, and Certification Criteria.
b. If passwords are used for user authentication, accept only passwords that meet
the guessing entropy guidelines set forth in Appendix A of NIST 800-63-2.

2. To enable EHR technology to be certified for having implemented multi-factor
authentication, recommend the following certification criterion:
a. Restrict access to the system, or to one or more individual functions within the
system (e.g., prescribing controlled substances), to only those individuals who have presented at least two of the following three forms of authentication -- knowledge of a secret (e.g., password), possession of a physical object (e.g., hard token or smartcard), a biometric (e.g., fingerprint).

3. Recommend that the ONC:
a. Support NIST effort to revamp NIST Special Publication 800-63-2 (Electronic
Authentication Guideline)
b. Closely follow move from LOA to componentized trust
c. Recommend appropriate identity-proofing for query-based access
d. Consider Data Segmentation for Privacy (DS4P) for authorizing access to
behavioral data (TSSWG will address later in the work plan)
e. Track development and piloting of User Managed Access (UMA) profile of OAuth
2.0 as potential standard for consumer consent

We had a rich discussion about the intersection of security technology and policy.   Ultimately, we decided to be less prescriptive and removed 1b. password entropy as a requirement.  Instead, ONC, the Transport and Security Workgroup, and NIST will work together on an update to 800-63-2 which will include a risk-based framework.   Each healthcare organization will mitigate password risk using technologies and policies which adhere to the framework.

Jonathan Coleman and Jinhee Lee described the Prescription Drug Monitoring Program (PDMP) and highlighted some of the current challenges of integrating the state PDMP efforts with pharmacy systems and EHRs including:

-Healthcare Professionals adverse to separate logins and separated workflow
-Complex data workflows involving HIEs, PDMP Hubs, Pharmacy Networks, and HIT
-PDMP governance structure complicates Health IT systems’ ability to seamlessly
integrate into existing medication history patient reports
-PDMP data structures are not natively supported by EHR systems

The committee offered several recommendations to align the PDMP program with emerging standards activities such as FHIR.   Although the backend connections between PDMP sites and between pharmacies might use NCPDP or NIEM approaches, the EHR connections are better accomplished with FHIR approaches.

Finally Steve Posnack described two tasks forces, one for evaluation of the S&I Framework and another for a review of the S&I Provenance work done to date.   The HIT Standards Steering committee will work with Steve to assign workgroup members to these task forces.   He also described the  Certification Program Open Test Method Pilot.   We asked that any certification script writing be done using agile methods with pilot testing and engagement of the stakeholder community to achieve the minimum necessary burden in certification processes.

A great meeting with positive energy from all the Standards Committee members to support ONC at a time of great change.

No comments: