Privacy and Security Tiger Team Meeting
Today’s Topic: Provider Authentication for
Health Information Exchange
Strawman Recommendations - For
Discussion Only
November 8, 2010
Objectives and Scope of this Discussion
• Define policy recommendations to ensure that authentication "trust"
rules are in place for information exchange between provider-entities
(or organizations)
Authentication is verification that a person or entity seeking
access to electronic protected health information is the one
claimed
Level of assurance is the degree of confidence in the results of
an authentication attempt
2
Objectives and Scope of this Discussion
• We need to specifically address directed exchange transactions
described in Stage 1 of meaningful use, but also consider other
information-exchange transactions. It is assumed that:
– Identifiable clinical information is transmitted from one provider entity
to another for treatment purposes for stage 1 meaningful use
– Some of the information will be very sensitive to the individual
• We are evaluating these trust rules at the organizational level, and
as such, the scope of this recommendation does not include
authentication of individual users of EHR systems, or of patients
– With respect to individual users, provider entities and organizations
must develop and implement policies to identity proof and
authenticate their individual users
– Beyond Stage 1 of Meaningful Use, policy on individual user
authentication may be needed to promote trust among organizations
3
Proposed Questions for the Tiger Team &
Public
1. What strength of provider-entity authentication (level of assurance) might
be recommended to ensure trust in health information exchange
(regardless of what technology may be used to meet the strength
requirement)?
2. Which provider-entities can receive digital credentials, and what are the
requirements to receive those credentials?
3. What is the process for issuing digital credentials (e.g., certificates),
including evaluating whether initial conditions are met and re-evaluation
on a periodic basis?
4. Who has the authority to issue digital credentials?
5. Should ONC select an established technology standard for digital
credentials and should EHR certification include criteria that tests
capabilities to communicate using that standard for entity-level
credentials?
6. What type of transactions must be authenticated, and is it expected that
all transactions will have a common level of assurance?
4
Assumptions
5
Question 1 – Strength of Authentication/Level of
Assurance
• What should be the level of assurance for entity
authentication?
– Although we need a trust framework for provider entity
authentication, the question of “level of assurance” (as
expressed in the OMB/NIST Framework) applies at the level of
individual authentication. This inquiry is not helpful in an
organizational context.
– Need to leverage existing solutions for now (e.g., digital
certificates); Standards Committee should choose a standard
• Should consider need to create a reliable trust framework, as well
as cost and burden
6
Question 2a: Which Provider Entities Should Receive
(or be issued) Digital Credentials
• Meaningful users of Health IT
• Anyone engaged in health data exchanges
• PBMs
• Retail pharmacies
• DME suppliers
• Laboratories
• Imaging centers
• All healthcare organizations
• Non-providers: payers, claims clearinghouses, HIOs
• Only Certified EHR systems
7
Question 2b: Requirements to Receive (to be issued)
those Credentials
• Would we want to include requirements for suitability
checks? Suitability could include:
– Valid licensure
– Business validity (proof of address/corporate existence)
– Financial account
– Demonstration of certain security criteria
– Having a certified EHR, if applicable
– Other (e.g. aligning with individual or organizational certification
processes accepted today within the healthcare domain)
• Actual credentials are electronic – are there registration
requirements for receiving those credentials that might
need to be considered (electronic, in-person by a
business representative)?
8
Question 3a: What is the process for issuing digital credentials
(e.g., certificates)?
Options might include:
• Federated model – providers can delegate to other
parties (such as vendors, HIEs)
– Requirement that those entities meet minimum criteria or be
held liable in some respect for issuing certificates?
– How would such criteria be enforced?
– Leverage existing trust models (e.g., ICANN, the Federal Bridge Certification Authority)
• Self-credentialing
• Establish registration authority services
• Federal/state role
• Integrate process for issuing digital credentials into
other existing provider-entity registration processes
9
Question 3b: What is the process for re-evaluation?
• No requirements
• Periodic credential refresh
• Credential refresh based on occurrence of defined
events
10
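The credential lifecycle that Questions 3a and 3b turn on (an accredited issuer issues an entity certificate, the relying party validates it before exchanging data, and the credential is re-evaluated either on a schedule or on an event) can be shown concretely. The Go program below is an added illustration, not code from the Tiger Team, ONC or any HIE. The issuer and organization names are made up, the self-signed CA stands in for an accredited issuer, and the revocation record is an in-memory map where a real issuer would publish a signed CRL or run an OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer stands in for an accredited credential issuer (an HIE, a vendor, or a
// registration-authority service) holding a CA key. The revocation record is an
// in-memory map here; a deployed issuer would publish a signed CRL or answer OCSP.
type Issuer struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]time.Time // serial number -> time the revocation took effect
}

// NewIssuer creates a self-signed CA certificate valid from now for ten years.
func NewIssuer(name string, now time.Time) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, key: key, revoked: map[string]time.Time{}}, nil
}

// IssueEntityCert issues an organization-level credential. The caller is assumed
// to have completed the suitability checks (licensure, business validity) first;
// validity is the periodic-refresh interval after which the entity re-registers.
func (i *Issuer) IssueEntityCert(org string, serial int64, now time.Time, validity time.Duration) (*x509.Certificate, error) {
	entityKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: org},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.Cert, &entityKey.PublicKey, i.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke records an event-driven re-evaluation outcome (license lapsed, key
// compromised, organization dissolved) effective at the given time.
func (i *Issuer) Revoke(c *x509.Certificate, when time.Time) {
	i.revoked[c.SerialNumber.String()] = when
}

// VerifyEntity is what a relying party runs before trusting a peer: the
// certificate must chain to the accredited issuer, be inside its validity
// window at time `at`, and not have been revoked by then.
func (i *Issuer) VerifyEntity(c *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(i.Cert)
	_, err := c.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return err // unknown issuer, expired, or not yet valid
	}
	if when, ok := i.revoked[c.SerialNumber.String()]; ok && !at.Before(when) {
		return errors.New("entity certificate revoked")
	}
	return nil
}

func main() {
	now := time.Now()
	hie, _ := NewIssuer("Example HIE Credential Service", now) // hypothetical issuer
	clinic, _ := hie.IssueEntityCert("Example Clinic LLC", 1001, now, 365*24*time.Hour)
	fmt.Println("today:", hie.VerifyEntity(clinic, now))
	fmt.Println("after 2 years:", hie.VerifyEntity(clinic, now.AddDate(2, 0, 0)))
	hie.Revoke(clinic, now.AddDate(0, 1, 0))
	fmt.Println("after revocation:", hie.VerifyEntity(clinic, now.AddDate(0, 2, 0)))
}
```

The two re-evaluation options on the slide map onto two different checks: the certificate's NotAfter enforces the periodic refresh with no action by the issuer, while revocation enforces an event-based decision and only works if every relying party actually consults the issuer's revocation data before each exchange.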
Question 4: Who can Issue Digital Credentials?
• Any entity willing to assume attendant risks and
meeting established standards
• Establish an accreditation program for authorizing
credential issuers
• Allow provider-entities to self-credential
• Leverage federal or state government role to perform
credentialing
• Vendors
• HIOs
11
Question 5a: Should ONC select an established technology
standard for digital credentials
• Do not develop standards, allowing vendors and large
organizations to lead the way
• Yes, selection of a technology standard promotes
interoperability
– But ensure flexibility to accommodate innovation in the
marketplace
12
Question 5b: Should EHR certification include criteria that tests
capabilities to communicate using that standard?
• Yes, entity-level credentials should be included in the
security requirements
• Other options?
13
Question 6: What type of transactions must be
authenticated, and is there a common level of assurance?
• Authentication required when transactions involve:
– patient risk or PHI
– system or infrastructure risk
– transactions that would normally be authenticated outside of
health care
• Bulk transactions
– Authenticate the transfer, not each transaction
• Under the "authentication at the organization level"
assumption, does a single level of assurance seem
appropriate?
14
BACKGROUND
15
Authentication: ReCap Definitions
• Authentication -- verification that a person or entity
seeking access to electronic protected health
information is the one claimed
• Level of assurance -- the degree of confidence in the
results of an authentication attempt
– Confidence is a valuation of the various controls implemented
to provide security, including: technology, process, policies,
and governance
• Digital credentials - used to identify and authenticate
organizations to each other (e.g., certificates)
16
Authentication Environment
17
The Federal E-Authentication Framework
The E-Authentication Framework was jointly developed by
OMB and NIST
• A framework to map risk to levels of security investment and
recommend requirements based on desired security level
• Developed to meet increasing need to secure an
expanding set of Government-to-Business and
Government-to-Citizen interactions
• E-Authentication focuses on securing access to
transactions available via the Internet
– Scope limited to aspects of technology and process
18
E-Authentication Mapping Tool
• E-Authentication includes a tool to select an appropriate level of assurance based
on impacts due to authentication errors
• Levels of Assurance are suitable to different portions of the user community
– Level 1 aligned with the general public (e.g., Facebook, Yahoo! Email)
– Level 2 aligned with the general public, but with motivation (e.g. PayPal, 401k)
– Level 3 aligned with affiliated access (e.g. Patent Examiners, Census Workers)
– Level 4 aligned with employee access (e.g. Data Center operations)
19
Assurance Level Impact Profiles
Potential Impact Categories for Authentication Errors       | Level 1 | Level 2 | Level 3 | Level 4
Inconvenience, distress or damage to standing or reputation | Low     | Mod     | Mod     | High
Financial loss or agency liability                          | Low     | Mod     | Mod     | High
Harm to agency programs or public interests                 | N/A     | Low     | Mod     | High
Unauthorized release of sensitive information               | N/A     | Low     | Mod     | High
Personal safety                                             | N/A     | N/A     | Low     | Mod/High
Civil or criminal violations                                | N/A     | Low     | Mod     | High
E-Authentication: Summary of Selected Requirements
Requirements Area | Level 1 | Level 2 | Level 3 | Level 4
Registration (the application process for obtaining identity credentials) | In-person or remote | In-person or remote | In-person or remote | In-person only
Identity Proofing (the process of verifying an applicant's identity prior to credentialing) | None | Govt ID or financial account | Govt ID and financial account | Govt Photo ID and secondary Govt ID or financial account
Naming (the verification and assertion of meaningful names for applicants) | None | Verified name retained, pseudonyms allowed | Verified names only | Verified names only
Authentication Token (technical components used to electronically prove one's identity) | None | Single-factor | Multi-factor or combined single-factors | Multi-factor hardware device
Records Keeping (preservation of evidence regarding credentialing operations) | None | 7.5 years after separation | 7.5 years after separation | 10.5 years after separation
Reuse of Existing Credentials (support for historic investment and existing solutions) | Any | Employers and educational institutions | Financial institutions | Financial institutions
20
DEA Use of E-Authentication
• DEA rules allow electronic prescriptions of controlled substances in place
of paper or other processes
• Initial risk assessment led to selection of Level 4 assurance
– Several areas of high impact due to authentication errors
– Resistance from stakeholders to stringent and atypical requirements
• Much attention paid to analysis of burden
• DEA introduced mitigating factors to lower the selection to Level 3, including:
– Separation of duties, system access controls, and certification of
implementations
• DEA decision to accept or mitigate some level of risk in exchange for more
practical implementations
• Note: DEA tailored its use of E-Authentication to exclude options it viewed
as unacceptable
• Difficulty in finding credentialing services that meet the requirements (e.g.,
are recognized, can scale for the population, and desire to take on the work)
21
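The mapping tool described under "E-Authentication Mapping Tool" and the DEA's move from Level 4 to Level 3 both reduce to one rule: pick the lowest level whose impact profile tolerates every assessed category, so the single worst category sets the level, and lowering the level means lowering (or accepting) the impact in the categories that block it. The Go program below is an added example, not the tool itself or any ONC or DEA code. It transcribes the impact-profile table from the slide above; the controlled-substance assessment it starts from is constructed for illustration and is not the DEA's actual assessment.

```go
package main

import "fmt"

// Impact ratings used by the E-Authentication impact profiles.
type Impact int

const (
	NA Impact = iota // not applicable
	Low
	Moderate
	High
)

func (i Impact) String() string { return [...]string{"N/A", "Low", "Mod", "High"}[i] }

// The six potential-impact categories for authentication errors, in table order.
type Category int

const (
	Inconvenience       Category = iota // inconvenience, distress, damage to standing or reputation
	FinancialLoss                       // financial loss or agency liability
	HarmToPrograms                      // harm to agency programs or public interests
	UnauthorizedRelease                 // unauthorized release of sensitive information
	PersonalSafety                      // personal safety
	CivilCriminal                       // civil or criminal violations
	numCategories
)

func (c Category) String() string {
	return [...]string{"inconvenience/reputation", "financial loss", "harm to programs",
		"unauthorized release", "personal safety", "civil/criminal violations"}[c]
}

// maxImpact[level-1][category] is the highest impact each assurance level tolerates,
// transcribed from the impact-profile table. The table's "Mod/High" for personal
// safety at Level 4 is treated as High, since nothing above Level 4 exists.
var maxImpact = [4][numCategories]Impact{
	{Low, Low, NA, NA, NA, NA},                              // Level 1
	{Moderate, Moderate, Low, Low, NA, Low},                 // Level 2
	{Moderate, Moderate, Moderate, Moderate, Low, Moderate}, // Level 3
	{High, High, High, High, High, High},                    // Level 4
}

// Assessment holds the assessed impact of an authentication error per category.
type Assessment [numCategories]Impact

// RequiredLevel returns the lowest assurance level (1..4) whose profile covers
// every assessed impact. Because the ceilings rise monotonically with the level,
// the single worst category decides the answer.
func RequiredLevel(a Assessment) int {
	for lvl := 0; lvl < 4; lvl++ {
		if fits(a, lvl) {
			return lvl + 1
		}
	}
	return 4
}

func fits(a Assessment, lvl int) bool {
	for c := Category(0); c < numCategories; c++ {
		if a[c] > maxImpact[lvl][c] {
			return false
		}
	}
	return true
}

// BlockingCategories lists the categories whose assessed impact exceeds what the
// target level (1..4) tolerates: what a risk owner must mitigate with compensating
// controls, or explicitly accept, before implementing at that level.
func BlockingCategories(a Assessment, target int) []Category {
	var out []Category
	for c := Category(0); c < numCategories; c++ {
		if a[c] > maxImpact[target-1][c] {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	// Constructed assessment for a controlled-substance e-prescribing transaction
	// (illustration only, not the DEA's assessment): two categories rated High.
	initial := Assessment{Moderate, High, Moderate, High, Low, Moderate}
	fmt.Printf("initial assessment -> Level %d\n", RequiredLevel(initial))
	fmt.Println("blocking Level 3:", BlockingCategories(initial, 3))

	// After compensating controls (separation of duties, access controls, certified
	// implementations) the owner re-rates those two categories as Moderate.
	mitigated := initial
	mitigated[FinancialLoss], mitigated[UnauthorizedRelease] = Moderate, Moderate
	fmt.Printf("mitigated assessment -> Level %d\n", RequiredLevel(mitigated))
}
```

The important property for the Tiger Team's Question 6 is visible in the code: a single High rating anywhere forces Level 4, so if all organization-level exchange transactions are to share one level of assurance, that level is set by the most sensitive transaction type, not the typical one.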

DeSalvo Remarks to HIT Policy Committee 1-14-13
 
Patient Identification and Matching Initiative Stakeholder Meeting
Patient Identification and Matching Initiative Stakeholder MeetingPatient Identification and Matching Initiative Stakeholder Meeting
Patient Identification and Matching Initiative Stakeholder Meeting
 
Frisse - One Step at a Time
Frisse  - One Step at a TimeFrisse  - One Step at a Time
Frisse - One Step at a Time
 
The Pulse of Liquid Health Data
The Pulse of Liquid Health DataThe Pulse of Liquid Health Data
The Pulse of Liquid Health Data
 
Direct Boot Camp 2.0 - Tennesse Directories
Direct Boot Camp 2.0 - Tennesse DirectoriesDirect Boot Camp 2.0 - Tennesse Directories
Direct Boot Camp 2.0 - Tennesse Directories
 
Direct Boot Camp 2 0 IWG Provider Directory Pilots
Direct Boot Camp 2 0 IWG Provider Directory PilotsDirect Boot Camp 2 0 IWG Provider Directory Pilots
Direct Boot Camp 2 0 IWG Provider Directory Pilots
 

Provider Authentication for Health Information Exchange

1. Privacy and Security Tiger Team Meeting
Today’s Topic: Provider Authentication for Health Information Exchange
Strawman Recommendations - For Discussion Only
November 8, 2010

2. Objectives and Scope of this Discussion
• Define policy recommendations to ensure that authentication "trust" rules are in place for information exchange between provider-entities (or organizations)
– Authentication is verification that a person or entity seeking access to electronic protected health information is the one claimed
– Level of assurance is the degree of confidence in the results of an authentication attempt

3. Objectives and Scope of this Discussion
• We need to specifically address directed exchange transactions described in Stage 1 of meaningful use, but also consider other information-exchange transactions. It is assumed that:
– Identifiable clinical information is transmitted from one provider entity to another for treatment purposes for Stage 1 meaningful use
– Some of the information will be very sensitive to the individual
• We are evaluating these trust rules at the organizational level, and as such, the scope of this recommendation does not include authentication of individual users of EHR systems, or of patients
– With respect to individual users, provider entities and organizations must develop and implement policies to identity proof and authenticate their individual users
– Beyond Stage 1 of Meaningful Use, policy on individual user authentication may be needed to promote trust among organizations

4. Proposed Questions for the Tiger Team & Public
1. What strength of provider-entity authentication (level of assurance) might be recommended to ensure trust in health information exchange (regardless of what technology may be used to meet the strength requirement)?
2. Which provider-entities can receive digital credentials, and what are the requirements to receive those credentials?
3. What is the process for issuing digital credentials (e.g., certificates), including evaluating whether initial conditions are met and re-evaluation on a periodic basis?
4. Who has the authority to issue digital credentials?
5. Should ONC select an established technology standard for digital credentials, and should EHR certification include criteria that tests capabilities to communicate using that standard for entity-level credentials?
6. What type of transactions must be authenticated, and is it expected that all transactions will have a common level of assurance?
6. Question 1 – Strength of Authentication/Level of Assurance
• What should be the level of assurance for entity authentication?
– Although we need a trust framework for provider entity authentication, the question of “level of assurance” (as expressed in the OMB/NIST Framework) applies at the level of individual authentication. This inquiry is not helpful in an organizational context.
– Need to leverage existing solutions for now (e.g., digital certificates); the Standards Committee should choose a standard
• Should consider the need to create a reliable trust framework, as well as cost and burden

7. Question 2a: Which Provider Entities Should Receive (or be issued) Digital Credentials?
• Meaningful users of Health IT
• Anyone engaged in health data exchanges
• PBMs
• Retail pharmacies
• DME suppliers
• Laboratories
• Imaging centers
• All healthcare organizations
• Non-providers: payers, claims clearinghouses, HIOs
• Only certified EHR systems

8. Question 2b: Requirements to Receive (to be issued) those Credentials
• Would we want to include requirements for suitability checks? Suitability could include:
– Valid licensure
– Business validity (proof of address/corporate existence)
– Financial account
– Demonstration of certain security criteria
– Having a certified EHR, if applicable
– Other (e.g., aligning with individual or organizational certification processes accepted today within the healthcare domain)
• Actual credentials are electronic – are there registration requirements for receiving those credentials that might need to be considered (electronic, in-person by a business representative)?

9. Question 3a: What is the process for issuing digital credentials (e.g., certificates)?
Options might include:
• Federated model – providers can delegate to other parties (such as vendors, HIEs)
– Requirement that those entities meet minimum criteria or be held liable in some respect for issuing certificates?
– How would such criteria be enforced?
– Leverage existing protocols (ICANN, Federal Bridge)
• Self-credentialing
• Establish registration authority services
• Federal/state role
• Integrate the process for issuing digital credentials into other existing provider-entity registration processes

10. Question 3b: What is the process for re-evaluation?
• No requirements
• Periodic credential refresh
• Credential refresh based on occurrence of defined events

11. Question 4: Who can Issue Digital Credentials?
• Any entity willing to assume the attendant risks and meeting established standards
• Establish an accreditation program for authorizing credential issuers
• Allow provider-entities to self-credential
• Leverage a federal or state government role to perform credentialing
• Vendors
• HIOs

12. Question 5a: Should ONC select an established technology standard for digital credentials?
• Do not develop standards, allowing vendors and large organizations to lead the way
• Yes, selection of a technology standard promotes interoperability
– But ensure flexibility to accommodate innovation in the marketplace

13. Question 5: Should EHR certification include criteria that tests capabilities to communicate using that standard?
• Yes, entity-level credentials should be included in the security requirements
• Other options?

14. Question 6: What type of transactions must be authenticated, and is there a common level of assurance?
• Authentication is required when transactions involve:
– Patient risk or PHI
– System or infrastructure risk
– Transactions that would normally be authenticated outside of health care
• Bulk transactions – authenticate the transfer, not each transaction
• Under the “authentication at the organization level” assumption, does a single level of assurance seem appropriate?
16. Authentication: Recap Definitions
• Authentication – verification that a person or entity seeking access to electronic protected health information is the one claimed
• Level of assurance – the degree of confidence in the results of an authentication attempt
– Confidence is a valuation of the various controls implemented to provide security, including technology, process, policies, and governance
• Digital credentials – used to identify and authenticate organizations to each other (e.g., certificates)

18. The Federal E-Authentication Framework
The E-Authentication Framework was jointly developed by OMB and NIST
• A framework to map risk to levels of security investment and recommend requirements based on the desired security level
• Developed to meet the increasing need to secure an expanding set of Government-to-Business and Government-to-Citizen interactions
• E-Authentication focuses on securing access to transactions available via the Internet
– Scope limited to aspects of technology and process

19. E-Authentication Mapping Tool
• E-Authentication includes a tool to select an appropriate level of assurance based on impacts due to authentication errors
• Levels of Assurance are suitable to different portions of the user community
– Level 1 aligned with the general public (e.g., Facebook, Yahoo! Email)
– Level 2 aligned with the general public, but with motivation (e.g., PayPal, 401k)
– Level 3 aligned with affiliated access (e.g., Patent Examiners, Census Workers)
– Level 4 aligned with employee access (e.g., Data Center operations)

Assurance Level Impact Profiles

| Potential Impact Categories for Authentication Errors | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Inconvenience, distress or damage to standing or reputation | Low | Mod | Mod | High |
| Financial loss or agency liability | Low | Mod | Mod | High |
| Harm to agency programs or public interests | N/A | Low | Mod | High |
| Unauthorized release of sensitive information | N/A | Low | Mod | High |
| Personal safety | N/A | N/A | Low | Mod/High |
| Civil or criminal violations | N/A | Low | Mod | High |
20. E-Authentication: Summary of Selected Requirements

| Requirements Area | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Registration (the application process for obtaining identity credentials) | In-person or remote | In-person or remote | In-person or remote | In-person only |
| Identity Proofing (the process of verifying an applicant’s identity prior to credentialing) | None | Govt ID or financial account | Govt ID and financial account | Govt Photo ID and secondary Govt ID or financial account |
| Naming (the verification and assertion of meaningful names for applicants) | None | Verified name retained, pseudonyms allowed | Verified names only | Verified names only |
| Authentication Token (technical components used to electronically prove one’s identity) | None | Single-factor | Multi-factor or combined single-factors | Multi-factor hardware device |
| Records Keeping (preservation of evidence regarding credentialing operations) | None | 7.5 years after separation | 7.5 years after separation | 10.5 years after separation |
| Reuse of Existing Credentials (support for historic investment and existing solutions) | Any | Employers and educational institutions | Financial institutions | Financial institutions |
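The mapping tool on slide 19 and the requirements summary on slide 20 are easier to reason about when the selection is mechanical. The following Python is an added example, not part of the Tiger Team deck or of any OMB/NIST tool: it encodes the two tables exactly as the slides show them and applies the selection rule from OMB M-04-04 (choose the lowest assurance level whose impact profile meets or exceeds every assessed impact), which is an assumption of this example rather than text from the slides. The "Mod/High" cell for personal safety at Level 4 is treated as High, and the sample impact profile for a directed clinical exchange is constructed for illustration.

```python
"""Select an E-Authentication assurance level from an assessed impact profile.

Added example; not code from the Tiger Team deck. Tables follow slides 19 and
20; the selection rule (lowest level covering all assessed impacts) is taken
from OMB M-04-04 and is an assumption of this example.
"""

# Ordinal scale for the impact values used in the slide 19 table.
IMPACT_RANK = {"N/A": 0, "Low": 1, "Mod": 2, "High": 3}

# Maximum impact each assurance level (columns 1..4) can accommodate per
# category. "Mod/High" for personal safety at Level 4 is treated as High.
IMPACT_PROFILES = {
    "Inconvenience, distress or damage to standing or reputation": ["Low", "Mod", "Mod", "High"],
    "Financial loss or agency liability": ["Low", "Mod", "Mod", "High"],
    "Harm to agency programs or public interests": ["N/A", "Low", "Mod", "High"],
    "Unauthorized release of sensitive information": ["N/A", "Low", "Mod", "High"],
    "Personal safety": ["N/A", "N/A", "Low", "High"],
    "Civil or criminal violations": ["N/A", "Low", "Mod", "High"],
}

# Selected requirements per level, from the slide 20 summary table.
REQUIREMENTS = {
    1: {"registration": "In-person or remote", "identity_proofing": "None",
        "token": "None", "records": "None"},
    2: {"registration": "In-person or remote", "identity_proofing": "Govt ID or financial account",
        "token": "Single-factor", "records": "7.5 years after separation"},
    3: {"registration": "In-person or remote", "identity_proofing": "Govt ID and financial account",
        "token": "Multi-factor or combined single-factors", "records": "7.5 years after separation"},
    4: {"registration": "In-person only",
        "identity_proofing": "Govt Photo ID and secondary Govt ID or financial account",
        "token": "Multi-factor hardware device", "records": "10.5 years after separation"},
}

# Constructed sample: a risk assessment for a directed exchange of identifiable
# clinical data between two provider entities (illustrative values only).
EXAMPLE_PROFILE = {
    "Inconvenience, distress or damage to standing or reputation": "Mod",
    "Financial loss or agency liability": "Low",
    "Unauthorized release of sensitive information": "Mod",
    "Personal safety": "Low",
}


def _validate(assessed: dict) -> None:
    """Reject unknown categories or impact values before they silently pass."""
    for category, impact in assessed.items():
        if category not in IMPACT_PROFILES:
            raise KeyError(f"unknown impact category: {category!r}")
        if impact not in IMPACT_RANK:
            raise ValueError(f"unknown impact value {impact!r} for {category!r}")


def failing_categories(level: int, assessed: dict) -> list:
    """Categories whose assessed impact exceeds what `level` accommodates.

    Categories absent from `assessed` are treated as N/A (no impact).
    """
    failing = []
    for category, profile in IMPACT_PROFILES.items():
        assessed_impact = assessed.get(category, "N/A")
        if IMPACT_RANK[assessed_impact] > IMPACT_RANK[profile[level - 1]]:
            failing.append(category)
    return failing


def select_assurance_level(assessed: dict) -> int:
    """Lowest level (1-4) whose impact profile covers every assessed impact."""
    _validate(assessed)
    for level in (1, 2, 3, 4):
        if not failing_categories(level, assessed):
            return level
    # Unreachable with the table above (Level 4 is High in every category),
    # kept as a guard in case the profiles are edited.
    raise ValueError("no assurance level covers the assessed impacts")


def binding_categories(assessed: dict) -> list:
    """Categories that prevent dropping one level below the selected one.

    These are where mitigating controls would have to act for a lower level
    to become defensible (the kind of trade-off the DEA slide describes).
    """
    level = select_assurance_level(assessed)
    return [] if level == 1 else failing_categories(level - 1, assessed)


def requirements_for(assessed: dict) -> dict:
    """Selected level plus the slide 20 requirements it carries."""
    level = select_assurance_level(assessed)
    return {"level": level, **REQUIREMENTS[level]}


if __name__ == "__main__":
    result = requirements_for(EXAMPLE_PROFILE)
    print(f"Selected Level {result['level']}: token = {result['token']}")
    print("Binding categories:", binding_categories(EXAMPLE_PROFILE))
```

For the constructed profile the selection lands on Level 3: Level 1 fails on the Mod reputational impact, and Level 2 fails because it allows only Low for unauthorized release and no personal-safety impact at all. `binding_categories` reports exactly those two, which is the information a policy group needs before arguing, as the DEA did, that compensating controls justify a lower level.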
21. DEA Use of E-Authentication
• DEA rules allowing electronic prescriptions of controlled substances in place of paper or other processes
• Initial risk assessment led to selection of Level 4 assurance
– Several areas of high impact due to authentication errors
– Resistance from stakeholders to stringent and atypical requirements
• Much attention paid to analysis of burden
• DEA introduced mitigating factors to lower the selection to Level 3, including:
– Separation of duties, system access controls, and certification of implementations
• DEA decision to accept or mitigate some level of risk in exchange for more practical implementations
• Note: DEA tailored its use of E-Authentication to exclude options it viewed as unacceptable
• Difficulty in finding credentialing services that meet the requirements (e.g., are recognized, can scale for the population, and desire to take on the work)