Internet2 Health Sciences Security

Jere Retzer, OHSU

March 7, 2001

Security Initiatives: Topics to be discussed

• HIPAA raising awareness of security and privacy as an important issue

• MACEmed collaboration

• Potential Med-CERT

• Secure operating systems

• Priority Tasks

HIPAA

• GASP workshops developing best practices recommendations

• Do we need to complement this with I2?
  • Resources/expertise?
  • How does this fit with the I2 mission?
  • Funding?

MACEmed Collaboration

• Bulk of MACEmed related to secure inter-institutional access:

  • Identification
  • Directories
  • PKI
  • Shibboleth (authentication and authorization)

• Develop scenarios/templates for inter-institutional access to be used with Shibboleth and directories (examples follow): worthwhile effort? Group to refine?

• PKI Co-laboratories

Inter-Institutional Access Scenarios

1. Visiting physician/nurse/other licensed caregiver: [caregiver type] with a valid certificate issued by the [credential authority certificate] (state medical association, for example), either locally certified by [office signature] or else employed by [entity certificate], is authorized access to patient information for patients assigned to [clinic name(s), inpatient, nursing unit, or physician] and access to the following network resources [public drives, Internet, printers within [group name]]

2. Resident with a valid certificate issued by [office managing residents] is authorized access to general patient information for patients assigned to [clinic name(s), inpatient, nursing unit, or physician] and access to the following network resources [assigned drive, department [name] drive, public drives, Internet, printers within [general or group name], e-mail]

Inter-Institutional Access Scenarios - 2

3. State health department with a valid certificate issued by [self or federal PKI?] is authorized access to information of the following types: [public health, immunization, state health insurance claims]

4. Health insurance companies with a valid certificate issued by [state health dept or federal PKI?] are authorized access to the information required to process insurance claims against [company name] for [policy holders with current policy]

5. Employees assigned to the group [admitting certificate] are authorized access to the following information for inpatients [assigned room, anticipated discharge date] and to the following nonpatient services [list names, for example time and attendance, purchasing] and to [general network resources] 

Inter-Institutional Access Scenarios - 3

6. Employees assigned to the group [laboratory name certificate] are authorized access to [lab name schedule, lab name results], to the following nonpatient services [list names, for example time and attendance, purchasing] and to [general network resources]

7. Employees assigned to the group [physician or nurse certificate] are authorized access to patient information for patients assigned to [general, clinic name(s), inpatient, nursing unit, or physician], to the following nonpatient services [list names, for example time and attendance, purchasing] and to [general network resources]

8. Employees assigned to the group [non caregiver] are authorized access to the following nonpatient services [list names, for example time and attendance, purchasing] and to [general network resources]
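The eight templates above are attribute-based access rules: a credential (an X.509 certificate or a Shibboleth assertion) carries a role, an issuer, and possibly an employer or a local sign-off, and each template maps that combination onto a set of patient scopes, information types and network resources. As an added example that is not part of the original slides, the following Python encodes scenarios 1, 2, 3 and 5 as default-deny rules and evaluates requests against them. Every issuer, clinic, employer and resource name is a hypothetical placeholder, and the script assumes the certificate has already been cryptographically validated (signature chain, expiry, revocation), which is the part a real Shibboleth or PKI deployment would do before any of this logic runs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """Attributes a relying party extracts from an already-validated certificate
    or Shibboleth assertion (constructed example; not from the slides)."""
    subject: str
    role: str                    # physician, nurse, resident, state_health_dept, admitting
    issuer: str                  # the [credential authority] that issued the certificate
    employer: str = ""           # the [entity certificate] of scenario 1, if any
    local_signoff: bool = False  # "locally certified by [office signature]" in scenario 1


@dataclass(frozen=True)
class Rule:
    """One scenario template with its placeholders filled in (hypothetical values)."""
    name: str
    roles: frozenset
    trusted_issuers: frozenset
    permits: frozenset               # "patient:<scope>", "info:<type>", "resource:<name>", "service:<name>"
    trusted_employers: frozenset = frozenset()
    need_employer_or_signoff: bool = False


# Hypothetical instantiation of scenarios 1, 2, 3 and 5.
POLICY = (
    Rule("1-visiting-caregiver",
         roles=frozenset({"physician", "nurse"}),
         trusted_issuers=frozenset({"State Medical Association"}),
         permits=frozenset({"patient:clinic:cardiology", "resource:public-drives",
                            "resource:internet", "resource:printers:cardiology"}),
         trusted_employers=frozenset({"Partner Hospital"}),
         need_employer_or_signoff=True),
    Rule("2-resident",
         roles=frozenset({"resident"}),
         trusted_issuers=frozenset({"GME Office"}),
         permits=frozenset({"patient:clinic:cardiology", "patient:inpatient",
                            "resource:dept-drive:cardiology", "resource:public-drives",
                            "resource:internet", "resource:printers:general", "resource:email"})),
    Rule("3-state-health-dept",
         roles=frozenset({"state_health_dept"}),
         trusted_issuers=frozenset({"State PKI"}),
         permits=frozenset({"info:public-health", "info:immunization", "info:state-claims"})),
    Rule("5-admitting",
         roles=frozenset({"admitting"}),
         trusted_issuers=frozenset({"Hospital CA"}),
         permits=frozenset({"patient:inpatient:room", "patient:inpatient:discharge-date",
                            "service:time-and-attendance", "service:purchasing",
                            "resource:general"})),
)


def authorize(cred: Credential, request: str, policy=POLICY):
    """Default deny: a request is granted only if every condition of some rule holds.
    Returns (decision, reason) so the reason can be written to an audit log."""
    reasons = []
    for rule in policy:
        if cred.role not in rule.roles:
            continue
        if cred.issuer not in rule.trusted_issuers:
            # Right role, but a CA this rule does not trust: a certificate from an
            # unrecognized issuer proves nothing about the claimed role.
            reasons.append(f"{rule.name}: issuer {cred.issuer!r} not trusted")
            continue
        if rule.need_employer_or_signoff and not (
                cred.local_signoff or cred.employer in rule.trusted_employers):
            reasons.append(f"{rule.name}: needs local sign-off or trusted employer")
            continue
        if request in rule.permits:
            return True, f"granted by {rule.name}"
        reasons.append(f"{rule.name}: {request!r} not in permitted set")
    return False, "denied: " + ("; ".join(reasons) or "no rule for role " + repr(cred.role))


if __name__ == "__main__":
    visiting = Credential("dr.lee", "physician", "State Medical Association",
                          employer="Partner Hospital")
    print(authorize(visiting, "patient:clinic:cardiology"))
    print(authorize(visiting, "resource:email"))
```

The two checks worth noticing are the ones the slide templates leave implicit: a credential with the right role but from an issuer the rule does not list is rejected before any resource is considered, and scenario 1's "either locally certified or else employed by" is an explicit disjunction rather than something the verifier infers. Returning the reason alongside the decision is what makes the later Med-CERT incident reporting practical, since every denial carries the rule and attribute that caused it.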

PKI Co-laboratories

• Healthkey discussion

• What are the issues, desired outcomes from an Internet2 perspective?

• How should Internet2 participate?

Potential Med-CERT

National Research Council, For the Record: Protecting Electronic Health Information, National Academy Press, 1997, ISBN 0-309-05697, recommendation 2.2:

• “Congress should provide initial funding for the establishment of an organization for the health care industry to promote greater sharing of information about security threats, incidents, and solutions throughout the industry”

• Med-CERT would (1) acquire reports of incidents; (2) define best practices; (3) recommend standards; (4) define needed research; (5) liaise between health care and computer security;

• Should this be a priority for Internet2 and Academic Medical Centers, particularly in light of efforts needed to implement HIPAA?

Secure Operating Systems

• I2 Health Sciences Security Roadmap includes an item for secure operating systems to overcome deficiencies of the current complex, insecure clients

• Recent discussion of open source health care software for mobile providers may be one avenue to tackle this need

Priority Tasks

• What should be our priority efforts?

• What resources can we bring to the table and how can we expand our effort?

• Which of these items do members of the leadership team want to take for action?

www.internet2.edu