technology aspects of health information exchange › presentations › hitsymposium ›...
TRANSCRIPT
![Page 1: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/1.jpg)
Technology Aspects of Health Information Exchange
Steven E. Labkoff, MD, FACPDirector, Pfizer Healthcare Informatics
![Page 2: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/2.jpg)
Pfizer’s Fair Health IT Principles
Patient First
Primacy of Clinical
Judgment
Fair Balance of
Information
Organizing Principles to Ensure Good Clinical Decision-MakingOrganizing Principles to Ensure Good Clinical Decision-Making
Patient First: Patients’ rights and needs must drive the evolution of HII. Essential patient interests include safety, quality, individualized care, privacy, public health, and access to careClinical Judgment: HII should provide greater access to data and support to enable the provider to make better healthcare decisions in collaboration with the patientHealthcare Cost Awareness: New technologies should be used to reduce total costs in healthcare, by improving understanding of long-term costs and outcomes, reducing errors and redundancies, and increasing efficiencyRigorous Standards for Healthcare Information: All parties disseminating information that influences patient outcomes should be subject to equivalent rigorous standards of research, presentation and communicationShared Responsibility:
Shared Governance: All healthcare stakeholders must share the burden of creating and enforcing efficient processes and robust safeguards within HII to assure the adoption of systems aligned with the provision of quality careSystem Affordability: HII must advance in such a way that no stakeholder is unduly burdened by the costs of purchasing technology and constructing infrastructures
Integrity in Technology:Neutral Platform: HII should be provided through neutral platforms that support honest brokers. It should not advance the commercial interests of any party to the potential detriment of patientsInteroperability: HII must conform to prevailing quality and technical standards to facilitate adoption and control costs, but also be flexible to support innovation and improvements
![Page 3: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/3.jpg)
Agenda
The Need for Technical Architectural Standards
Technical Issues of HIE
The Patient/MD Connection
The RHIO-to-RHIO/NHIN connection
Existing Authentication Models
Q&A
![Page 4: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/4.jpg)
Markle Foundation Common Framework: Technology Principles
Make it “Thin”
Avoid “Rip and Replace”
Separate Applications from the Network
Decentralization
Federation
Flexibility
Privacy and Security
Accuracy
![Page 5: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/5.jpg)
eHI’s Goals for Health Information Exchange (HIE)
Support clinicians and patients with interoperable electronic health record (EHR) systems,
Computerized provider order entry (CPOE),
Clinical decision support systems (CDSS) for the purpose of improving the quality, safety, and efficiency of healthcare for patients and providers.
![Page 6: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/6.jpg)
eHI’s Vision of HIE
A network through which all authenticated participants may securely exchange information without loss of meaning:
All message senders and receivers are authorized and authenticated.
All messages are signed and encrypted.
All messages are actively acknowledged or rejected by the receiver in real time.
All messages meet conformance tests for use case specific standards that can support the exchange of clinical information between disparate information systems capable of different levels of interoperability.
All information is exchanged in accordance with a set of principles, policies, and procedures to which each participant has agreed in a binding contract.
http://toolkit.ehealthinitiative.org/technology/common_principles.mspx
![Page 7: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/7.jpg)
Real World Challenges to HIE
Standards
Legacy Systems
Variations on implementations (ie: HL7 variations) of data messaging
Lack of agreements between partnering organizations
Funding models to support overall infrastructure
![Page 8: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/8.jpg)
Technical Aspects of RHIOs
Several Emerging VenuesState-wide
City-wide
Community-wide
Multiple Architectures DevelopingNHIN Contracts: CSC, Acenture, IBM, Norfolk Grumman
Major issuesAuthentication: People, applications, processes
Privacy
Speed
Identification
Buy in
Technology is SELDOM the rate limiting step
![Page 9: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/9.jpg)
Federated (Centralized) Model: Schematic of (Indianapolis)
![Page 10: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/10.jpg)
Federated (Distributed) Model: Patient Safety Institute
![Page 11: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/11.jpg)
Centralized — Single Data Repository Model Schematic of INHS
Despite central DB, individual hospitals can shield contracting & financial data
Despite central DB, individual hospitals can shield contracting & financial data
![Page 12: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/12.jpg)
Centralized — Single Data Repository Model Peace Health/Whatcom County HInet Schematic
Dark fibers connect core constituents; community has net accessDark fibers connect core constituents; community has net access
![Page 13: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/13.jpg)
Peer-to-Peer, Indexed Model Schematic of SBCCDE
SBCCDE
AmbulatoryCare EMR
AmbulatoryCare EMR
Public HealthSystem
Regional HospitalHIS System
AmbulatoryCare EMR Regional Hospital
HIS System
Regional HospitalHIS System
LaboratorySystem
MPI
Querying System
data connection utilizing resulting pointers to systems
query path
![Page 14: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/14.jpg)
Authentication
Definition:
Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. “www.pki.vt.edu/help/glossary.html”
![Page 15: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/15.jpg)
Security & Privacy Framework
Policies, Procedures, Standards & Guidelines
Identity
Infrastructure Security
Subject (EMPI)
User
Logging & A
uditing
![Page 16: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/16.jpg)
Policy & Identity Approach
Policies, Procedures, Standards & Guidelines (PPS&G)
Identity
Subject (EMPI)
User
Core Security Policies
A select number of controls (usually ISO 17799) are identified to be relevant for the project. A core set of policy,procedural, standards and guideline documents to support those controls will be developed.
PPS & G
For many health care settings, there are two distinct identity types in the project: identities as subjects (patients) and identities as users (system end-users). Managing these identities to ensure accuracy of patient data linkage, legitimate access control to data for users and administration across these identity types underpin this implementation and will be performed. Other types of identities and relationships may also need to be managed
Identity Management
![Page 17: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/17.jpg)
Access Control Approach
Patient Data
Role Based AccessControl
What Data Types or SystemFunctions can be used by
The User?
Patient Consent
Has the Patient consented To information being shared
Outside of authoringOrganization (if applicable)?
Patient ProviderRelationships
Does a relationship existBetween the Patient and
The User?
Authenticated User seeks to access Patient Data
Pseudonymisation and Anonymisation
To enable use of data for secondary purposes
![Page 18: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/18.jpg)
Authentication
A user claims an identity and presents evidence to back up the claim. The evidence can be something the user knows has or does and the system evaluates the evidence using stored authentication information. If he present something he knows and something he has, that is termed “two factor”authentication. Authentication in networks must solve a broader problem.
AuthenticationAuthentication
•Passwords
•Smartcards
•Biometrics
Identity Authentication Mutual Authentication•Authentication servers
•X.509 Directory Services
•Kerberos
People Machines
![Page 19: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/19.jpg)
Factors in Authentications
Something you know:
Password
Something you have
TokenSomething you are:
Biometics
![Page 20: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/20.jpg)
Factors in Authentication
1 Factor: you know your username & password (these are 1 factor)
Better than nothing but weak – can be copied easily
2 Factor: RSA Token + PasswordMuch more secure and people feel good about it
3 Factor: Biometrics + Password + Token = 3 factorsUltra secure – not generally used (not all 3 together)
![Page 21: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/21.jpg)
National Institute for Standards Technology Model
NIST Level 1: Public site, no authentication
NIST Level 2: A password known only to the user
NIST Level 2 or 3: A digital certificate; a secret key containedin a normal file
NIST Level 3: A physical Smart-Card or physical token
NIST Level 4: A biometric measurement such as a fingerprint
![Page 22: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/22.jpg)
Authentication in a Single RHIO
![Page 23: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/23.jpg)
Authentication in a Single RHIO
![Page 24: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/24.jpg)
Authentication in a Single RHIO
![Page 25: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/25.jpg)
Authentication Across RHIOs (the NHIN)
HIE?
What happens when two RHIOs don’t use the same authentication process?
HIE?
HIE?
![Page 26: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/26.jpg)
SAFE BioPharma Assoc.
SAFE BioPharma Association• Non-profit coalition sponsored by the
Bio-Pharmaceutical industry • Unique electronic identity credentials for
legally enforceable & regulatory compliant digital signatures
SAFESatisfies NIST Level 32 factor authentication; something you know & have (hardware cryptography)Provides credentialing and nonrepudiable digital signaturesClosed user community, based on mutually agreed legal rules,to ensure global enforceability among participating entities
![Page 27: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/27.jpg)
Anakam GoVirtTM
Anakam LLC • For-profit, privately-owned security
software firm • Provides innovative solutions for
identity management & authentication; particularly for online banking and ecommerce.
GoVirt Multifunction Authentication Satisfies NIST Level 32 factor authentication; something you know & haveCompletely software based; no additional hardware necessary2nd factor authentication can be provided on multiple platforms; ie. mobile phone, voice technology, encrypted PC, etc.
![Page 28: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/28.jpg)
PGP, Inc.
PGP, Inc.• For-profit, private coalition sponsored by
the Bio-Pharmaceutical industry • Global customer standard for encryption
and digital-signature solutions
PGP Encryption PlatformSatisfies NIST encryption standardsAuthentication via PKI & symmetric key (cryptographic signature)Suite of tools that can encrypt data, data storage, and mobile devices
• 2 Factor Authentication, but supports 1 or 2 factors – policy issue for organizations using this solution
![Page 29: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/29.jpg)
GSA E-Authentication
General ServicesAdministration (GSA)• Government agency to help federal agencies serve the
public by offering superior workplaces, expert solutions, acquisition services and management policies.
• Consists of the Federal Technology Service (FTS), the Federal Supply Service (FSS), and other offices…
E-AuthenticationBased on Security Access Markup Language (SAML)2 Factor AuthenticationCan satisfy NIST levels 1-4Browser based protocol securityProvides single sign on in a federated environment forapplication logon
![Page 30: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/30.jpg)
Shameless Plug
eHI’s Technical Working GroupLooking for volunteers to assist in vetting out some of the questions around technical issues concerning RHIOsLooking at technology proper and policyGoal is to add info to the eHI took kitCurrent leaders – Hugh Zettel, GE, Bob Steffel, Health BridgeContact Info> [email protected]> 212-733-4766
Special Thanks to Daijin Kim, Healthcare InformaticsBrian Kelly, AccentureAsh Evans, SAFE Biopharma
![Page 31: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/31.jpg)
Backup Slides
![Page 32: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/32.jpg)
SAFE BioPharma Assoc.
Key Clients/ Partners:
Bio-Pharma; AstraZeneca, BMS, GSK, J&J, Merck, Pfizer, etc.
Governments; NCI, FDA, EU Medicines Evaluation Agency, etc.
Research Site & IRBs; Mayo Clinic, Moffitt Cancer Center, etc.
Vendors; Adobe, Bearing Point, IBM, etc.
Benefits:
Real-time identity assurance
Standards mandate identity proofing and registration in person
Globally enforceable digital signature with authentication
Concerns:
Limited adoption outside of Bio-Pharma
![Page 33: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/33.jpg)
Anakam GoVirtTM
Key Clients:
Not publicly available
Benefits:
No additional hardware required; no additional costs for 2nd level
2nd level authentication can reside on various platforms; mobilephone, voice technologies, encrypted PC, wallet card
Administration of authorization to determine security level
Low cost implementation for large populations; ie. online banking
Concerns:
Proprietary technology
![Page 34: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/34.jpg)
PGP, Inc.
Key Clients:
84% of Fortune 100
Pharmaceutical, Manage Care Organizations, Medical Facilities
Aerospace & Defense Companies
Petroleum refining companies
Benefits:
Published product source code for peer review
No requirement for complex passwords
PGP can also encrypt data and data storage devices
Concerns:
Complexities of implementing PKI infrastructure
![Page 35: Technology Aspects of Health Information Exchange › presentations › hitsymposium › labkoff_1b.pdf · Essential patient interests include safety, quality, individualized care,](https://reader033.vdocuments.mx/reader033/viewer/2022060505/5f1e2fdbb0928d5a7c0a145b/html5/thumbnails/35.jpg)
GSA E-Authentication
Key Clients/ Partners:
Government portal applications
Benefits:
Open standards and industry accepted protocols
Ease of administration due to federated environment and single sign on
Platform neutral
Concerns:
Browser based security is susceptible to various types of attacks