Wednesday, July 11, 2012

Trusted Identity of Physicians in Cyberspace Public Hearing

ONC did another FANTASTIC job of putting together an agenda and gathering experts. Not only that, but the coverage of the healthcare space and of the identity space was exceptional. I hope you all were watching this testimony; if not, please get the recording. This was also not just the HIT Standards Privacy and Security workgroup but also the HIT Policy Privacy and Security tiger team. The intention was to inform these groups, not to make any decisions. The decisions and discussion will happen in future meetings.

I am a member of the HIT Standards Privacy and Security workgroup. I really wanted to be physically at the hearing. I had booked a hotel and flight, but the day-job got in the way at the last minute. This day-job took me away from the call a few times; each time I really felt I was missing something useful. Pulling the presentations is not sufficient to get the depth of the presentations.


I duplicate the agenda below, but encourage everyone to go to the HIT Standards site to get any updates or recording. I include the agenda simply to inspire you to go get the information.


Trusted Identity of Physicians in Cyberspace Public Hearing
Wednesday, July 11, 2012

9:00 am to 3:00 pm/EDT
The DuPont Circle Hotel
1500 New Hampshire Ave NW Washington, DC 20036
How to Participate: http://altarum.adobeconnect.com/ONChearing/
Meeting Agenda
Meeting Materials


My biggest concerns:

a) Provisioning identities is important, but MORE important is keeping identities accurate, de-provisioning, and dispute handling.
b) Setting identity assurance levels and authentication assurance levels is important, but there is too much focus on perfecting these identities, versus recognizing that any service that has protected resources will, in real time, assess whether the identity and credentials offered on a request are sufficient to authorize that request. This means that we can actually be using different levels of assurance in the NwHIN, with purpose-of-use and data-classification specific enforcement.
c) Timeframe - In a perfect world we can define great identities and design NEW systems to use them. BUT there is much existing software and systems and organizations involved. Retrofitting everything is expensive.
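
To make concern (b) concrete, here is an added example (not part of the original post or of any NwHIN specification) of a resource service deciding at request time whether the offered identity and authentication assurance are sufficient for a given purpose-of-use and data classification. The policy table, the 1-4 level scale, the purpose and classification names, and the `STEP_UP` outcome are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy: (purpose_of_use, data_classification) ->
# (minimum identity assurance, minimum authentication assurance), levels 1-4.
# Names and numbers are illustrative assumptions, not NwHIN policy.
POLICY = {
    ("TREATMENT", "normal"): (2, 2),
    ("TREATMENT", "restricted"): (3, 3),
    ("PAYMENT", "normal"): (2, 2),
    ("RESEARCH", "normal"): (3, 2),
}


@dataclass(frozen=True)
class Request:
    subject: str
    identity_loa: int         # how strongly the identity was proofed when provisioned
    authn_loa: int            # how strongly this session was authenticated
    purpose_of_use: str
    data_classification: str


def decide(req: Request) -> str:
    """Return PERMIT, STEP_UP or DENY for one request, evaluated at request time."""
    required = POLICY.get((req.purpose_of_use, req.data_classification))
    if required is None:
        return "DENY"         # no rule for this combination: fail closed
    need_identity, need_authn = required
    if req.identity_loa < need_identity:
        return "DENY"         # identity proofing cannot be raised mid-session
    if req.authn_loa < need_authn:
        return "STEP_UP"      # a stronger authentication could satisfy the rule
    return "PERMIT"


if __name__ == "__main__":
    # Constructed requests: one credential, different resources and purposes.
    samples = [
        Request("dr.example", 3, 2, "TREATMENT", "normal"),
        Request("dr.example", 3, 2, "TREATMENT", "restricted"),
        Request("dr.example", 2, 3, "TREATMENT", "restricted"),
        Request("dr.example", 3, 3, "RESEARCH", "restricted"),
    ]
    for r in samples:
        print(r.purpose_of_use, r.data_classification, "->", decide(r))
```

The same credential is accepted for one resource and refused or challenged for another, so existing identities at mixed assurance levels can coexist while enforcement stays with the service holding the data.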