Version 8.0-1-
Briefing For Public Health Data Standards Consortium
Presented by: Holt AndersonArlington, VA
March 19, 2001
HealthKey Roadmap:Toward a Community-Wide, Privacy and Security Infrastructure
Version 8.0-2-
This briefing provides HealthKey’s perspective on a HIPAA compliant privacy and security infrastructure.
• What is it and why is it important?
• Should organizations and communities invest in it?
• How might it get implemented?
• What are the barriers to implementation?
• How do we overcome those barriers?
Version 8.0-3-
Highlights of what will be covered . . .
• HEALTHCARE INFORMATION IS FLOWING ELECTRONICALLY. There appears to be pent-up demand!!
• We need to focus on PROTECTING this flow of electronic information.
• To protect this information flow, healthcare organizations and communities must COLLABORATE to create a privacy and security infrastructure.
• We believe that progress toward a privacy and security infrastructure will be made across FIVE SECTORS OF ACTIVITY.
Version 8.0-4-
Most healthcare organizations are on their way to exchanging information electronically.
Care Givers
Employers
Health Plans
Pharmacies & PBMs
Reference Laboratories
Hospitals
Increasingly, patients and families are using the Internet as a resource for getting healthcare information.
Patients & Families
Version 8.0-5-
Privacy and Security
Infrastructure
An infrastructure is needed to PROTECT the flow of that information as it moves between organizations AND individuals.
Care Givers
Employers
Health Plans
Patients & Families
Pharmacies & PBMs
Reference Laboratories
This infrastructure serves the entire healthcare community.
Hospitals
Version 8.0-6-
Protecting the flow of information will enable broader acceptance of electronic exchange and corresponding benefits including:
• Presentation of a complete health record assembled from sources spread
across multiple and changing providers and payer sources.
• Allowing prompt access to complete and accurate information to improve the
quality of care through the communication of patient wishes and prevention of
mishaps related to drug interactions, handwriting, allergies, transmissible
diseases, etc.
• Providing more timely access to health information to improve the detection,
assessment and early response of public health incidents, such as epidemics,
emerging infectious diseases and bioterrorism.
• Providing a standard means of controlling and monitoring access to sensitive
information, thereby protecting the privacy of individuals.
Version 8.0-7-
The privacy and security infrastructure must protect against . . .
• System Downtime -- Individuals bringing down machines or causing denials of service
• Unauthorized Access -- Individuals getting access to more information than they are authorized to
• Identity Theft -- Individuals posing as someone else to access applications/databases, receive transmitted information, or generate/transmit mis-information
• Information Theft -- Individuals intercepting email and other transmissions
• Misuse of Information/Breach of Privacy -- Individuals using/distributing information inappropriately
Version 8.0-8-
The risks to organizations of NOT protecting electronic exchange include . . .
• Curtailed business operations from system downtime
• Legal actions from patients
• Civil and criminal fines from non-compliance
• Lost revenue from trading partners or patients
• Increased costs
• “Unethical” behavior
Version 8.0-9-
The risks to individuals of NOT protecting electronic exchange include . . .
• Identify theft
• Exposure of clinical information
• Threat of blackmail
• Possible embarrassment
Version 8.0-10-
We see a privacy and security infrastructure for healthcare as having cascading layers of protection . . .
PrivacyPolicy
Operations Procedures
Legal & regulatory definition of protections for healthcare information
Law
Security Practices What organizations
actually do to implement protections
What information the organization intends to protect and from whom
Organization-Specific Layers
Technologies
&Make sure that Practices work and comply with Policy
Assurance
Version 8.0-11-
Privacy Policy is essential for effective Security Practices.
• Privacy Policy is a clear statement of what information should be protected and from whom. This statement guides the scope and design of technology solutions and operations procedures.
• Privacy Policy establishes an organization’s intent to enforce security practices, and outlines actions that will be taken if the practices are not followed.
• Privacy Policy can act as a tool to educate about why protection is important.
Version 8.0-12-
Select policies & practices must be aligned across organizations to ensure electronic inter-operability with seamless protection.
This type of infrastructure requires community-wide collaboration.
Version 8.0-13-
• Enhances, rather than restricts, an organization’s ability to differentiate themselves in the markeplace
– Solves common problems in a standard way allowing organizations to focus on their individual interests in unique ways
– Lets each organization implement at their own pace (in “incremental steps” if necessary)
• Addresses a business need that organizations perceive as “real”
• Enables electronic exchange, rather than “getting in the way”
• Can be built using solutions that are available and practical
• Is affordable and justified
We believe that community-wide privacy and security infrastructure will only emerge if it:
Version 8.0-14-
The fundamental trade-off is mitigating the financial risk of doing electronic exchange while minimizing the impact on “ease of use”.
$Impact
Cost to Maintain “Ease of Use” of electronic exchange
Financial Risk of electronic exchange
“Too much” complexity
Sophistication of Privacy and Security Infrastructure
Version 8.0-15-
Will organizations collaborate to build and share a common privacy and security infrastructure?
• There seems to be good reasons for a common infrastructure.– Same trading partners– All want to mitigate the risk– Organization-specific protection methods are sub-optimal.
• But organizations have real world limitations.– Cannot wait for a common solution to unfold– Limited resources to build a ‘near term’ and a ‘long term’ solution
• Vision and Leadership is needed.
Version 8.0-16-
Healthkey’s findings suggest that progress toward a privacy and security infrastructure will be made across five sectors of activity:
1: Enterprise Awareness -- recognizing there is risk/vulnerability and a need to do something
2: Enterprise Preparedness -- preparing the enterprise for external communication with trading partners
3: Enterprise Co-Existence -- enabling protected communication among enterprises
4: Enterprise Affiliation -- implementing standards between enterprises
5: Community-Wide Participation -- getting enterprises, small organizations, and individuals to use a common electronic identity for “users”
Version 8.0-17-
First, enterprises must become aware that they are vulnerable and that they can do something about it.
What could happen!
Enterprise Awareness
Call to Action• There’s risk!
• I’m vulnerable!
• I need to be doing something!
Hacked!
HIPAA
What I should do!
Enterprise Preparedness
Enterprise Co-Existence
Community -Wide Participation
Enterprise Affiliation
• Action Plan
• Resource Commitment
HealthKey’s Roadmap -- to a Community Privacy and Security Infrastructure
Version 8.0-18-
From there, enterprises will take the necessary steps to protect themselves and the communities that they are serving.
HealthKey’s Roadmap - to a Community Privacy and Security Infrastructure
• Each sector of activity contains a number of action steps. There is NO single route through the sectors or action steps.
• Sectors are NOT linear. Progress can be made concurrently within multiple sectors of activity.
• Sectors do represent increasing collaboration and community-wide acceptance.
• Each action step represents a different capability of the infrastructure.
• Capabilities may be implemented at various levels of sophistication.
Version 8.0-19-
Enterprise Preparedness
Preparing the enterprise for external communication with trading partners
Sector
Capabilities
HealthKey’s Roadmap - to a Community Privacy and Security Infrastructure
Validate Servers
Community-Wide Participation
Getting broad base adoption and use of a common electronic identity for “users”
Standardize Identity
Management
Standardize Identity
Validation
Empower Administrative
Entity
Find an Electronic
identity
Enterprise Affiliation
Implementing standards between enterprises
Standardize Trading Partner Arrangements
Standardize Privacy Policies
Enterprise Co-Existence
Enabling protected communication among enterprises
Secure Connections
Set Access Control Policy
Set Privacy Policies
Protect Electronic Perimeter
Administer User
Accounts
Enable Single Log-On
Upgrade Applications
Exchange E-mail
Authenticate & Validate
User
Control WHO has access!!
Control WHAT is accessed!
Version 8.0-20-
Community-Wide Participation
Enterprise Affiliation
Enterprise Co-Existence
Enterprise Preparedness
Community ‘A’
HealthKey’s Roadmap - to a Community Privacy and Security Infrastructure
Progress will be made at different rates in each sector, depending upon the community.
Community Snapshot
Community ‘B’
50%
25%
75%
Version 8.0-21-
Enterprise Preparedness
Enterprise Co-Existence
Enterprise Affiliation
HealthKey’s Roadmap -- Multiple routes to any destination
Standardize Identity
Management
Standardize Identity
Validation
Find an Electronic
identity
Empower Administrative
Entity
Standardize Trading Partner Arrangements
Standardize Privacy Policies
Secure Connections
Set Access Control Policy
Set Privacy Policies
Protect Electronic Perimeter
Administer User
Accounts
Enable Single Log-On
Upgrade Applications
Exchange E-mail
Authenticate & Validate
User
Can start anywhere!
Many organizations start here
Community-Wide Participation
Validate Servers
Version 8.0-22-
Enterprise Preparedness
Enterprise Affiliation
Protect Electronic Perimeter
Standardize Identity
Management
Standardize Identity
Validation
Find an Electronic
Identity
User Registration Procedures
Transaction Security
Info Sharing Agreements
Cross Validation Procedures
Upgrade Applications
Administer User
Accounts
Enable Single Log-On
Set Privacy Policies
Standardize Privacy Policies
Set Access Control Policy
Secure Connections
Enterprise Co-Existence
Internet Border
DMZ
Intrusion Detection
Assurance & Tiger Team
Not Encrypted
Encrypted Gateway
Encrypted by person
Passwords
Smart ID’s
Biometrics
Certificates
Exchange E-mail
Empower Administrative
Entity
Standardize Trading Partner Arrangements
Authenticate & Validate User
HealthKey’s Roadmap - Implementation Options
SSL/H
Private Circuit
VPN
CA Issued Keys
Self Defined Keys
Validate Servers
Community-Wide Participation
Single CA
Many CAs with Bridge
Many CAs no Bridge
Identification Policy
Deploy Identity Procedures
Support Procedures
User Registration Procedures
- PKI capabilities - HealthKey Projects
Version 8.0-23-
Enterprise Preparedness
Enterprise Affiliation
Protect Electronic Perimeter
Standardize Identity
Management
Standardize Identity
Validation
Find an Individual’s Electronic
Identity
Upgrade Applications
Administer User
Accounts
Enable Single Log-On
Set Privacy Policies
Standardize Privacy Policies
Set Access Control Policy
Secure Connections
SSL/H
Private Circuit
VPN
Enterprise Co-Existence
Internet Border
DMZ
Intrusion Detection
Assurance & Tiger Team
Not Encrypted
Encrypted Gateway
Encrypted by person
Passwords
Smart ID’s
Biometrics
Certificates
Exchange E-mail
Empower Administrative
Entity
Single CA
Many CAs with Bridge
Many CAs no Bridge
Identification Policy
Deploy Identity Procedures
Support Procedures
Standardize Trading Partner Arrangements
Authenticate & Validate User Things most organizations
are already doing!
HealthKey’s Roadmap - Doing Many Things At Once
CA Issued Keys
Self Defined Keys
Validate Servers
Community-Wide Participation
User Registration Procedures
User Registration Procedures
Transaction Security
Info Sharing Agreements
Cross Validation Procedures
Version 8.0-24-
We want to know if the “Roadmap” framework make sense to you?
• Can you see your organization on the map?
• Are there things that you would add or change?
• Is it a useful tool for community education and planning?
• Do you envision a common electronic identity for users? If so, how will you make it happen?
• Will your organization collaborate towards a common privacy and security infrastructure?
If not, is there something else that makes better sense?
Version 8.0-25-
There are a number of Roadblocks between us and this critical infrastructure . . .
• There is confusion! -- “What problem?”
• The complexity is daunting -- infrastructure, technology, social implications, legislation, operations, cost, capital, etc.
• We act competitively, not collaboratively -- and collaboration is difficult
• We are looking for silver bullets -- there are many vendors pushing solutions, not solving problems
• Who’s driving? -- There is a leadership void, organizations are reacting to regulations and vendor offerings
Version 8.0-26-
• Agree on the unique ‘Road Map’ for your community – Convene key stakeholders– Agree upon a big picture of enterprise-specific and shared capabilities– Define approach for building shared capabilities (e.g. Business Associate Agreements,
Privacy Policies, Strategies for User Authentication/Validation)
• Demonstrate leadership of the ‘Critical Few’– Handful of influential organizations necessary to make things happen– Commit to shared capabilities– Work together and with vendors to guide implementation
• Establish and empower a ‘Catalyst for Collaboration’– Trusted individuals and process for sustaining collaboration– Raise awareness/Educate about what is being done and why– Recommend ways to deploy innovation to small organizations and individuals
Recommendations to organizations and communities for making progress towards a common infrastructure.
Version 8.0-27-
Where do we go from here?
• Do you agree with these roadblocks and recommendations? Are they practical?
• Do you see a role for a HealthKey-like program in your community? If so, what would it be?
• Would you contribute to funding the HealthKey-like program?
Version 8.0-28-
Thank you !
For further information:
www.healthkey.org