Monday, June 28, 2010

The ONC Privacy and Security Tiger Team

In many previous blogs, I've mentioned that privacy and security are foundational to healthcare information exchange. A suite of policies covering authentication, authorization, auditing, consent, transmission, and encryption constrains technology possibilities and thus empowers consensus processes to harmonize the security infrastructure that supports policy.

ONC has had many groups working on privacy in the Policy Committee, the Standards Committee, and the NHIN Workgroups. Now that Joy Pritts is the Privacy Officer for ONC (in essence the healthcare IT privacy officer for the country) she has unified all these disparate efforts into a single Tiger Team, focused on resolving many challenging healthcare information exchange policy issues over the next few months.

The members are all incredible people who really understand the domain

Paul Egerman, Co-Chair
Deven McGraw, Co-Chair, Center for Democracy & Technology
Dixie Baker, SAIC
Christine Bechtel, National Partnership for Women & Families
Rachel Block, NYS Department of Health
Neil Calman, The Institute for Family Health
Carol Diamond, Markle Foundation
Judy Faulkner, EPIC Systems Corp.
Gayle Harrell, Consumer Representative/Florida
John Houston, University of Pittsburgh Medical Center; NCVHS
David Lansky, Pacific Business Group on Health
David McCallie, Cerner Corp.
Wes Rishel, Gartner
Latanya Sweeney, Carnegie Mellon University
Micky Tripathi, Massachusetts eHealth Collaborative

They have already met numerous times, following a very aggressive schedule. Their early work has been to suggest policies that will support the NHIN Direct effort.

Their basic recommendation thus far is that protected healthcare information should not be exposed in routing, unless necessary for transmission from A to B. Standards that expose more information than necessary in metadata or mix metadata and content should be avoided.

Sometimes inspection of a content payload has value such as ensuring conformance with a standard or providing translation from one standard to another. However, from a policy perspective it is reasonable to say "The payload need not be inspected or changed during transmission”

Tomorrow, the Tiger Team is hosting an important Consumer Choice hearing.

The purpose of the hearing is to learn more about the capabilities of existing consumer choice technology and the potential for future development in this area. The morning session will focus on consumer choice technology in use today in health information exchange. A user of the technology will speak about their specific implementation of the technology, accompanied by a demonstration. The afternoon session will take a look at consumer choice technologies that are in the development stages for use within health information exchange. The developers have been invited to demonstrate either a prototype of the technology or its current use, and discuss its potential for further development within health information exchange.

I look forward to the work of the Tiger Team. When policy and technology are developed in parallel, each supporting the other, everyone wins.


David Bernick said...

Is there any representative on this team from the Infosec community who can help with the technical direction? Hackers, White Hats, etc? I understand this is a 30,000 foot view, but even at that view, it's nice to have some expertise as to what can and cannot be accomplished technically.

e-Older American said...

I am delighted to see the formal addition of a representative from the National Committee on Vital and Health Statistics (NCVHS)to the Tiger Team. "Health Data Stewardship: What, Why, Who, How - An NCVHS Primer" should be required reading for all.

Ahier said...

Here is the link to the "Health Data Stewardship: What, Why, Who, How - An NCVHS Primer" Fred referenced:

I agree this is an important document well worth taking the time to read.

Thanks for the reminder Fred :-)

John Reno said...

I commend the team on the progress that they have made, particularly on the privacy front. Having said that, I participated in the HIT Standards committee meeting today and I believe the privacy and security WG could benefit from some "front-line" information security perspective. One area that could help streamline the discussion is development of a threat model. This is quite helpful in coalescing the discussion on the things that matter. Some education on the actual methods of cyber criminals would also help. PHI is a high value target, the adversaries are well funded and in it for the long term. We need to deal with this reality now as the standards and practices are emerging, rather than try to fix things later (something that rarely works with respect to information security).