Topics

Security/Privacy Bloginar: IHE - Privacy and Security Profiles - Introduction

User Identity and Authentication

• IHE efforts in RESTful security
• IHE-IUA - Internet User Authentication for HTTP profiles
• Identity Proofing and Authentication -- Patient vs Provider
• Level setting on Level of Assurance 
• Advanced Access Controls to support sensitive health topics – a simple solution to sensitive health. 
• Direct addresses- Trusted vs Trustable 
• Identity - - Proofing
• The Emperor has no clothes - De-Identification and User Provisioning
• What User Authentication to use?
• IHE - Privacy and Security Profiles - Enterprise User Authentication
• IHE - Privacy and Security Profiles - Cross-Enterprise User Assertion
• Healthcare use of Identity Federation
• Federated ID is not a universal ID
• Separation of Layers: Security Error Codes  
• Authentication and Level of Assurance

Directories

• A broadly usable HIE Directory
• Healthcare Provider Discoverability and building Trust
• Healthcare Provider Directories Profile
• Healthcare Provider Directories -- Lets be Careful

Patient Privacy controls (aka Consent, Authorization, Data Segmentation)

• Defining Privacy
• Safety vs Privacy
• Privacy Consent State of Mind
• Defining Privacy
• Universal Health ID -- Enable Privacy
• Texas HIE Consent Management System Design
• Simple and Effective HIE Consent
• IHE - Privacy and Security Profiles - Basic Patient Privacy Consents
• Data Segmentation - now I know where the term comes from

Access Control (Consent enforcement)

• Advanced Access Controls to support sensitive health topics
• Policy Enforcing XDS Registry 
• Healthcare Metadata
• Texas HIE Consent Management System Design
• IHE - Privacy and Security Profiles - Access Control
• Data Classification - a key vector enabling rich Security and Privacy controls
• Healthcare Access Controls standards landscape
• Handling the obligation to prohibit Re-disclosure
• Access Controls: Policies --> Attributes --> Implementation 
• IHE - Privacy and Security Profiles - Document Encryption

Audit Control

• Simplifying Security Audit Standards
• Testing your ATNA Audit Log implementation
• MU Patient Engagement - Activity History Log
• Patient Data in the Audit Log
• IHE - Privacy and Security Profiles - Audit Trail and Node Authentication
• Accountability using ATNA Audit Controls 
• ATNA and Accounting of Disclosures
• ATNA audit log recording of Query transactions
• How granular does an EHR Security Audit Log need to be?
• Document Submission: Audit requirements under error conditions
• ATNA + SYSLOG is good enough

Secure Communications

• Direct addresses- Trusted vs Trustable
• Identity - - Proofing
• Securing RESTful services 
• IHE Encryption choices
• Healthcare use of X.509 and PKI is trust worthy when managed
• SSL is not broken, Browser based PKI is
• Meaningful Use Stage 2 :: SHA-1 vs SHA-2
• Trusting e-Mail
• S/MIME vs TLS -- Two great solutions for different architectures
• Healthcare Provider Discoverability and building Trust
• Using both Document Encryption and Document Signature
• Document Encryption
• IHE - Privacy and Security Profiles - Document Encryption

Signature - Digital, Electronic

• IHE - Privacy and Security Profiles - Document Digital Signature
• Signing CDA Documents
• Using both Document Encryption and Document Signature
• Non-Repudiation is a very old art

De-Identification, Anonymization, Pseudonymization

• Fake it properly
• De-Identification - Data Chemistry
• Guidance Regarding Methods for De-identification of Health Information
• The Emperor has no clothes - De-Identification and User Provisioning
• De-Identification is highly contextual
• Redaction and Clinical Documentation

Security/Privacy Risk Assessment/Management

• Healthcare: Fail Open vs Fail Closed
• Safety vs Privacy
• IEC 80001 - Risk Assessment to be used when putting a Medical Device onto a Network
• More Webinars on Basics of IEC 80001
• IEC 80001 - Security Technical Report presentation
• How to Write Secure Interoperability Standards 
• How to apply Risk Assessment to get your Security and Privacy and Security requirements

Document Sharing Management (Health Information Exchange - HIE)

• XDS Notifications
• HIE Patient Identity problem
• Healthcare Metadata 
• Minimal Metadata
• What is the benefit of an HIE
• Karen's Cross or just Minimal Metadata
• HIE using IHE
• Texas HIE Consent Management System Design
• The French Health Information Systems Interoperability Framework -- Now available in English
• One Metadata Model - Many Deployment Architectures
• Critical aspects of Documents vs Messages or Elements
• Using both Document Encryption and Document Signature
• Document Encryption
• XDS/XCA testing of Vocabulary Enforcement
• Where in the World is CDA and XDS?
• Universal Health ID -- Enable Privacy
• HIE/HIO Governance, Policies, and Consents
• IHE - Privacy and Security Profiles - Document Encryption

Meaningful Use (USA centric)

• Stage 2 Final
• Guidance on Deploying MU2 Secure Transport
• Enabling Security/Privacy on Modular EHR certification
• MU Patient Engagement - Activity History Log
• MU2 - Why must healthcare use custom software when Thunderbird and Outlook would do?
• 2014 Draft Test Methods: Wave Four Released for Public Review and Comment
• MU2 - Encryption and Hashing
• Patient Portal - view, download, TRANSMIT
• Meaningful Use Stage 2 - Transports Clarified -- 
• MU2 Wave 1 of Draft Test Procedures -- Integrity Problem 
• On The Meaningful Use Stage 2 Rules 
• Meaningful Use Stage 2 : Transports 
• Meaningful Use Stage 2 - Audit Logging - Privacy and Security
• Minimal Metadata
• Karen's Cross or just Minimal Metadata
• Stage 2 NRM
• Meaningful Use Stage 2 seems to support Security, Privacy, and HIE Transport 
• Meaningful Use Stage 2 FINALLY means Secure and Privacy Protecting
• Stepping stone off of FAX to Secure-Email
• Meaningful Use Stage 2 -- 170.202 Transport
• Predicting Meaningful Use Stage 2 Security
• Stage 1
• Meaningful Use Security Capabilities for Engineers
• Meaningful Use Encryption - passing the tests
• Meaningful Use clearly does not mean Secure Use
• US Audit of Healthcare security concludes that Meaningful use does not mean secure use

Patient Identity

• HIE Patient Identity problem
• Identity Proofing and Authentication -- Patient vs Provider
• Patient Identity Matching
• Universal Health ID -- Enable Privacy
• The Basics of Cross-Community Patient Discovery (XCPD)
• NwHIN-Exchange use of XCPD for Patient Discovery
• Direct addresses- Trusted vs Trustable

The Direct Project

• Direct incompatibility with off-the-shelf e-mail
• MU2 - Why must healthcare use custom software when Thunderbird and Outlook would do?
• Patient Portal - view, download, TRANSMIT
• Karen's Cross or just Minimal Metadata
• Minimal Metadata
• Direct addresses- Trusted vs Trustable
• Implementation Guidelines for State HIE Grantees on Direct Infrastructure & Security/Trust Measures for Interoperability
• Can Direct messages be "delegated/forwarded?"
• Testing your XDM implementation
• Trusting e-Mail

mHealth

• Security Considerations: Healthcare RESTful Resource specifications
• Privacy and Security in Designing an mHealth Application
• mHealth Solution
• Security Considerations: Healthcare RESTful Resource specifications
• IHE efforts in RESTful security
• IHE mHealth Hackathon
• The Magic of FHIR – The HL7 movement toward REST resources, away from v3 and v2 
• IHE Mobile access to Health Documents - Trial Implementation

Other

• I contributed a chapter to a Book published on Healthcare Information Technology
• IHE - Privacy and Security Profiles - Document Encryption
• Encryption is like Penicillin
• Healthcare is not secure - trust suffers
• Creating and using Unique ID - UUID - OID
• Distributed Active Backup of Health Record
• Workflow Automation Among Multiple Care-Providing Institutions
• Effective Standards Evaluation - Guest blog from Karen 
• Are Documents Dead?
• Medical Device Security and Privacy

updated: May 2, 2013