Monday, January 25, 2010

CCHIT - Security Certification Gap Analysis against the IFR

CCHIT has done a gap assessment between the IFR and their current security certification criteria, which they had already updated for ARRA. Knowing that they were the only place in town for Certifications, yet also knowing that they might not be in the future, they worked hard to align their Certification early. They also indicated that any changes to the Certification testing caused by changes in the regulation would be smoothed over in their testing with potentially simple gap testing rather than whole re-testing. This seems like a good approach.

So, on the security criteria their gap assessment indicates that there are few issues. The majority of their security criteria meet or exceed the IFR text. They had added Kerberos, and it turns out that was not needed.

They are just as confused as the rest of us about what cross-enterprise authentication really means (See Federated ID is not a universal ID). They are also confused about the new Accounting of Disclosures (See ATNA and Accounting of Disclosures). In both of these cases they put conditionals on the need for certification that are not clear to me. I think that these will be made clearer in final form and will essentially not require anything, as I have already discussed in the other articles.

I have pointed out that the current CCHIT criteria are a more specific and reasonable set of criteria. This should not be too surprising, since I was co-chair of the Security workgroup during much of their development. But I also point out that the IFR can NOT be as specific as CCHIT can be, simply because the IFR will be regulatory text that is hard to change and thus hard to evolve over time. The IFR must therefore set goals in broad terms and not be prescriptive. Here I recommend that the IFR lean on Security Risk Assessment to stay out of the problem. See Meaningful Use Security Plan