Monday, October 22, 2007

Security Standards for the Country

Lack of nationwide security standards has been a major challenge to creating interoperable health records which protect the confidentiality of patients.

On October 15, the national Healthcare Information Technology Standards Panel (HITSP) approved by consensus all the standards needed to record patient consent for sharing data, enable secure communication, restrict records via appropriate access control, and document consistent audit trails of every lookup.

These National standards are described in a series of documents.

HITSP_v1.1_2007_TN900 - Security and Privacy.pdf
HITSP_v1.1_2007_C19 - Entity Identity Assertion.pdf
HITSP_v1.1_2007_C26 - Nonrepudiation of Origin.pdf
HITSP_v1.1_2007_T15 - Collect and Communicate Security Audit Trail.pdf
HITSP_v1.1_2007_T16 - Consistent Time.pdf
HITSP_v1.1_2007_T17 - Secured Communication Channel.pdf
HITSP_v1.1_2007_TP20 - Access Control.pdf
HITSP_v1.1_2007_TP30 - Manage Consent Directives.pdf
HITSP_v2.0.2_2007_TP13 - Manage Sharing of Documents.pdf

Security standards are the foundation for all current and future HITSP work. They will be thoroughly tested over the next year via the upcoming Nationwide Healthcare Information Network Contracts given to 9 groups

Delaware Health Information Network
Indiana University
Long Beach Network for Health
Lovelace Clinic Foundation
New York eHealth Collaborative
NorthCarolinaHealthcareInformationand Communications Alliance, Inc.
West Virginia Health Information Network

and will be incorporated into Certification Commission for Healthcare Information (CCHIT) Technology criteria over the next few years.

The standards selected will be very familiar to CIOs, since many are commonly used internet standards such as X.509 certificate exchange, Web Services (WS-Trust, WS-Federation, WS-Security) and SAML. Some standards may be new to CIOs such as the OASIS Extensible Access Control Markup Language (XACML) and the HL7 Consent standards, but these are truly the most appropriate standards based on HITSP harmonization readiness criteria:

Suitability – The standard is named at a proper level of specificity and meets technical and
business criteria of use case

Compatibility – The standard shares common context, information exchange structures, content or data elements, security and processes with other HITSP harmonized standards or adopted frameworks as appropriate

Preferred Standards Characteristics – Approved standards, widely used, readily available, technology neutral, supporting uniformity, demonstrating flexibility and international usage are preferred

Standards Development Organization and Process – Meet selected criteria including balance, transparency, developer due process, stewardship and others.

With these national standards, payers, providers, employers, labs, pharmacies, and patients have a framework which can support the diversity of regional, state and federal privacy policies. HITSP does not make policy, but provides the security interoperability specifications to support whatever data sharing decisions are made locally.

This is a very exciting development on the journey toward interoperability in healthcare.

1 comment:

Unknown said...

I pick up many friends over time, cause they seek me for cheap (aka free) computer support.

Someone just called me, a Doc has a laptop acting up. He can't send it off cause he keeps sensitive patient info on it (I know the possibilities of data breach that entails).

So there in lies the question. Who can you send that off to, and still maintain HIPAA compliance. Hospitals maintain business associate agreements, but what about small physicians?

This is really true with laptops, where you often have to send a Toshiba back to Toshiba because of proprietary parts.

I just thought it was an interesting problem.