This commenting opportunity concerns how to handle the problem of issuing Digital Certificates for securing Healthcare IT. The press release is not that helpful, but I will pull it apart for you. First drill down and you will find that there is a really good presentation by the HIT Policy Privacy and Standards Tiger Team (not the committee I am on). They have done an exceptional job of bringing together very helpful information.
The key areas that ONC wants comments on include:
- What burdens will providers face to obtain and manage these digital certificates both at an individual and organizational level? How can these burdens be minimized?
- Is there sufficient competition in the marketplace to ensure that providers will have access to best pricing and service?
- What role can Health Information Exchange (HIE) and Health Information Service Providers (HISPs) have in providing and maintaining digital certificates for providers and organizations?
- Among the options listed, what are the costs and time requirements for each?
- What is the incremental cost to become a cross-certified certificate authority compared to the cost to become a WebTrust/ETSI-certified CA? What factors contribute to the increased cost?
I recommend that we don't look to lower our standards (that is, to make the solution cheap and thus not really secure) but rather raise the usefulness of the Certificate Identity. If the Government would combine many projects' 'need' for an identity, then we could rationalize an equitable solution. That is to say that all of these needs for identity should be coordinated.
a) Direct - end-to-end message security/authenticity
b) Exchange - organization participation in a regional and/or national exchange (NwHIN Exchange)
c) Medicare plus - and other insurance exchange needs
d) Prescribing (especially the new eRx on Schedule 2)
e) Medical Records - signatures attesting authorship
f) Quality Reporting - identity of the institute reporting
g) Immunization Registries -
h) Medical Credentials
i) Clinical Trials - attesting each submission is already done this way. But participants in a clinical trial could also attest to their participation
j) Medical Professional Societies - HIMSS, RSNA, AAMI, etc...
*) etc... surely there are others...
Ultimately, with enough uses of an identity, the costs and inconvenience of getting it well provisioned become insignificant.
Ultimately these could then be used for daily authentication to the EHR (or, more practically, requested on demand when the system wants to be sure the user is who they say they are, meaning lesser and more convenient means are used at each touch, possibly RFID/near-field/wireless based).
Tie this to NPI - they already have a directory (private) for NPI.
I would, however, make sure that the identity is just an identity, meaning the binding to authority is done outside the identity. That is to say that none of the above use-cases is directly inside the certificate/identity; rather, these are legitimate uses of the certificate/identity. The Authority thus can be granted and revoked while the identity remains constant.
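A sketch of that separation, added here as an illustration and not taken from ONC or the Tiger Team material: the certificate proves only who the holder is, while a registry outside it records which uses are currently granted. The registry class, the authority labels, the NPI value and the fingerprints are all constructed for the example, and `cert_is_valid` stands for the result of ordinary certificate path and revocation checking done elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Identity:
    """What the certificate asserts: who the holder is, nothing about rights."""
    npi: str               # stable identifier (constructed sample value)
    cert_fingerprint: str  # changes whenever the certificate is reissued


@dataclass
class Grant:
    authority: str                        # e.g. "erx-schedule-2" (hypothetical label)
    granted_by: str
    revoked_at: Optional[datetime] = None


class AuthorityRegistry:
    """Hypothetical registry kept outside the certificate, keyed by NPI."""

    def __init__(self):
        self._grants = {}

    def grant(self, npi, authority, granted_by):
        self._grants.setdefault(npi, []).append(Grant(authority, granted_by))

    def revoke(self, npi, authority):
        for g in self._grants.get(npi, []):
            if g.authority == authority and g.revoked_at is None:
                g.revoked_at = datetime.now(timezone.utc)  # kept for audit

    def is_authorized(self, identity, authority, cert_is_valid):
        # Two independent checks: the identity must verify AND a live grant must exist.
        if not cert_is_valid:
            return False
        return any(g.authority == authority and g.revoked_at is None
                   for g in self._grants.get(identity.npi, []))


def demo():
    reg = AuthorityRegistry()
    dr = Identity(npi="0000000000", cert_fingerprint="constructed-fp-1")
    reg.grant(dr.npi, "erx-schedule-2", "licensing-board")
    reg.grant(dr.npi, "direct-messaging", "hisp")
    before = reg.is_authorized(dr, "erx-schedule-2", True)
    reg.revoke(dr.npi, "erx-schedule-2")          # authority withdrawn, certificate untouched
    after = reg.is_authorized(dr, "erx-schedule-2", True)
    renewed = Identity(dr.npi, "constructed-fp-2")  # reissued certificate, same person
    return before, after, reg.is_authorized(renewed, "direct-messaging", True)
```

Revoking the prescribing grant leaves the certificate and the other grants intact, and a reissued certificate inherits the existing grants because they hang off the NPI rather than the certificate.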