Table of Contents:
- Security/Privacy Bloginar: IHE - Privacy and Security Profiles - Introduction
- Consent/Privacy
- FHIR/mHealth
- Blockchain
- User Identity and Authentication
- Directories
- Access Control (including Consent Enforcement)
- Audit Control
- Secure Communications
- Signature - Digital, Electronic
- De-Identification, Anonymization, Pseudonymization
- Security/Privacy Risk Assessment/Management
- Document Sharing Management (Health Information Exchange - HIE)
- Patient Identity
- mHealth
- Meaningful Use
- The Direct Project
- Other
updated: March 19, 2018
Blockchain in Healthcare
mHealth (FHIR) --> See FHIR Topic
User Identity and Authentication
- Is IUA (OAuth) useful in Service-to-Service http REST (#FHIR)?
- Is XUA useful in service-to-service?
- User Account abandonment policy
- Patient as a User - becoming "known to a practice"
- HEART profiles for review, comment, and approval
- mHealth Identities using trusted intermediary
- getting to mHealth solutions - real People
- getting to mHealth solutions - Users
- Internet User Authorization: why and where
- IHE efforts in RESTful security
- IHE-IUA - Internet User Authentication for HTTP profiles
- Identity Proofing and Authentication -- Patient vs Provider
- Level setting on Level of Assurance
- Advanced Access Controls to support sensitive health topics – a simple solution to sensitive health.
- Direct addresses- Trusted vs Trustable
- Identity - - Proofing
- The Emperor has no clothes - De-Identification and User Provisioning
- What User Authentication to use?
- IHE - Privacy and Security Profiles - Enterprise User Authentication
- IHE - Privacy and Security Profiles - Cross-Enterprise User Assertion
- Healthcare use of Identity Federation
- Federated ID is not a universal ID
- Separation of Layers: Security Error Codes
- Authentication and Level of Assurance
Directories
- A broadly usable HIE Directory
- Healthcare Provider Discoverability and building Trust
- Healthcare Provider Directories Profile
- Healthcare Provider Directories -- Lets be Careful
Patient Privacy controls (aka Consent, Authorization, Data Segmentation)
- See Consent topic
Access Control (Consent enforcement)
- Guidance on HTTP Access Denied
- FHIR Oauth Scope
- Break-Glass on FHIR
- Don't disassemble ATNA, what you are looking for is there.
- Why Mutual-Authorized-TLS?
- What does the SAML assertion mean in a XDS/XCA query/retrieve?
- Healthcare Privacy and Security Classification System (HCS)
- Define Atom -- Too many definitions in use today
- Healthcare access control scope constraints on OAuth tokens
- Advanced Access Controls to support sensitive health topics
- Policy Enforcing XDS Registry
- Healthcare Metadata
- Texas HIE Consent Management System Design
- IHE - Privacy and Security Profiles - Access Control
- Data Classification - a key vector enabling rich Security and Privacy controls
- Healthcare Access Controls standards landscape
- Handling the obligation to prohibit Re-disclosure
- Access Controls: Policies --> Attributes --> Implementation
- IHE - Privacy and Security Profiles - Document Encryption
Audit Control
- Extra software/transaction details in FHIR AuditEvent / ATNA Audit Message
- Big audit entries
- Break-Glass on FHIR
- Guest Post: Use-Case - Security Audit Prompts Investigation
- Don't disassemble ATNA, what you are looking for is there.
- Where do I record the Reason that an auditable event happened?
- Searching for an ATNA Audit Record Repository
- IHE-ATNA and HL7-FHIR.SecurityEvent -- recording a Disclosure
- Simplifying Security Audit Standards
- Testing your ATNA Audit Log implementation
- MU Patient Engagement - Activity History Log
- Patient Data in the Audit Log
- IHE - Privacy and Security Profiles - Audit Trail and Node Authentication
- Accountability using ATNA Audit Controls
- ATNA and Accounting of Disclosures
- ATNA audit log recording of Query transactions
- How granular does an EHR Security Audit Log need to be?
- Document Submission: Audit requirements under error conditions
- ATNA + SYSLOG is good enough
Secure Communications
- Is IUA (OAuth) useful in Service-to-Service http REST (#FHIR)?
- Is XUA useful in service-to-service?
- War against TLS 1.0
- Certificate validation - use of CN
- Don't disassemble ATNA, what you are looking for is there.
- Why Mutual-Authorized-TLS?
- Testing ATNA Secure Communications
- Direct addresses- Trusted vs Trustable
- Identity - - Proofing
- Securing RESTful services
- IHE Encryption choices
- Healthcare use of X.509 and PKI is trust worthy when managed
- SSL is not broken, Browser based PKI is
- Meaningful Use Stage 2 :: SHA-1 vs SHA-2
- Trusting e-Mail
- S/MIME vs TLS -- Two great solutions for different architectures
- Healthcare Provider Discoverability and building Trust
- Using both Document Encryption and Document Signature
- Document Encryption
- IHE - Privacy and Security Profiles - Document Encryption
Signature - Digital, Electronic
- IHE Document Digital Signature (DSG) Profile approved for Final Text
- Extending the FHIR standard to handle provenance
- On-Behalf-Of - FHIR Signature datatype update
- IHE MHD and DSG now open for Public Comment
- Digital Signatures on FHIR
- CDA Digital Signatures inside
- IHE - Privacy and Security Profiles - Document Digital Signature
- Signing CDA Documents
- Using both Document Encryption and Document Signature
- Non-Repudiation is a very old art
De-Identification, Anonymization, Pseudonymization
- #FHIR and Bulk De-Identification
- IHE: Analysis of Optimal De-Identification Algorithms for Family Planning Data Elements
- Apple makes a difference with targeted use of Differential Privacy
- De-Identification for Family Planning
- FHIR does not need a deidentify=true parameter
- NIST seeks comments on De-Identification
- Is it really possible to anonymize data?
- PCAST - Big Data: A Technological Perspective
- De-Identifying free-text
- De-Identification: process reduce risk of identification of entries in a data-set
- Fake it properly
- De-Identification - Data Chemistry
- Guidance Regarding Methods for De-identification of Health Information
- The Emperor has no clothes - De-Identification and User Provisioning
- De-Identification is highly contextual
- Redaction and Clinical Documentation
Security/Privacy Risk Assessment/Management
- Privacy Principles
- Why Mutual-Authorized-TLS?
- Failure of Privacy due to Performance vs Privacy
- Healthcare: Fail Open vs Fail Closed
- Safety vs Privacy
- IEC 80001 - Risk Assessment to be used when putting a Medical Device onto a Network
- More Webinars on Basics of IEC 80001
- IEC 80001 - Security Technical Report presentation
- How to Write Secure Interoperability Standards
- How to apply Risk Assessment to get your Security and Privacy and Security requirements
Document Sharing Management (Health Information Exchange - HIE)
- HIE Future is Bright - stepping into 2018
- HIE from Manual ==> Automated
- HIE from Provider-Centered ==> Patient-Centered
- HIE from Multiple Point-to-Point Connections ==> Single Connection to Hub
- HIE from Updated @ Next Encounter with Patient ==> Notifications When Patient Has Encounter Elsewhere
- HIE from Providers & Payers Working Separately ==> Shared Responsibility for Managing Care
- HIE from Enterprise class API ==> FHIR API to Document Sharing
- Future of HIE is bright
- FormatCode granularity
- Granularity of FormatCode
- Multiple formats of the same Document content
- FHIR documents in XDS
- IHE #FHIR profiles - MHD, PDQm, and PIXm
- MHD - Why use of FHIR Contained?
- IHE FormatCodes are mandatory
- In Wisconsin we have Interoperability
- What is MHD beyond XDS-on-FHIR?
- Health Information Exchange: Centralized, Federated, or Distributed
- Define Atom -- Too many definitions in use today
- Eating an Elephant -- How to approach IHE documentation on Health Information Exchange (HIE)
- Distinction between Documents and Messages
- Understanding XDS metadata - IHE re-documentation effort
- XDS Notifications
- HIE Patient Identity problem
- Healthcare Metadata
- Minimal Metadata
- What is the benefit of an HIE
- Karen's Cross or just Minimal Metadata
- HIE using IHE
- Texas HIE Consent Management System Design
- The French Health Information Systems Interoperability Framework -- Now available in English
- One Metadata Model - Many Deployment Architectures
- Critical aspects of Documents vs Messages or Elements
- Using both Document Encryption and Document Signature
- Document Encryption
- XDS/XCA testing of Vocabulary Enforcement
- Where in the World is CDA and XDS?
- Universal Health ID -- Enable Privacy
- HIE/HIO Governance, Policies, and Consents
- IHE - Privacy and Security Profiles - Document Encryption
Meaningful Use (USA centric)
- Stage 2 Final
- Guidance on Deploying MU2 Secure Transport
- Enabling Security/Privacy on Modular EHR certification
- MU Patient Engagement - Activity History Log
- MU2 - Why must healthcare use custom software when Thunderbird and Outlook would do?
- 2014 Draft Test Methods: Wave Four Released for Public Review and Comment
- MU2 - Encryption and Hashing
- Patient Portal - view, download, TRANSMIT
- Meaningful Use Stage 2 - Transports Clarified --
- MU2 Wave 1 of Draft Test Procedures -- Integrity Problem
- On The Meaningful Use Stage 2 Rules
- Meaningful Use Stage 2 : Transports
- Meaningful Use Stage 2 - Audit Logging - Privacy and Security
- Minimal Metadata
- Karen's Cross or just Minimal Metadata
- Stage 2 NRM
- Meaningful Use Stage 2 seems to support Security, Privacy, and HIE Transport
- Meaningful Use Stage 2 FINALLY means Secure and Privacy Protecting
- Stepping stone off of FAX to Secure-Email
- Meaningful Use Stage 2 -- 170.202 Transport
- Predicting Meaningful Use Stage 2 Security
- Stage 1
Patient Identity
- Patient ID is critical to Enabling Privacy
- Patient Matching as a Science
- PDQm - Patient Demographics Query for Mobile API
- Policy needs to get out of the way of good Patient Identity management
- HIE Patient Identity problem
- Identity Proofing and Authentication -- Patient vs Provider
- Patient Identity Matching
- Universal Health ID -- Enable Privacy
- The Basics of Cross-Community Patient Discovery (XCPD)
- NwHIN-Exchange use of XCPD for Patient Discovery
- Direct addresses- Trusted vs Trustable
The Direct Project
- What is MHD beyond XDS-on-FHIR?
- Direct incompatibility with off-the-shelf e-mail
- MU2 - Why must healthcare use custom software when Thunderbird and Outlook would do?
- Patient Portal - view, download, TRANSMIT
- Karen's Cross or just Minimal Metadata
- Minimal Metadata
- Direct addresses- Trusted vs Trustable
- Implementation Guidelines for State HIE Grantees on Direct Infrastructure & Security/Trust Measures for Interoperability
- Can Direct messages be "delegated/forwarded?"
- Testing your XDM implementation
- Trusting e-Mail
Other
- Maturing FHIR Connectathon without confusing the marketplace
- MDS2 -- Revision Comment Opportunity
- HHS Fact sheet on Ransomware and HIPAA
- Privacy-by-Design Data-Analytics Platform on FHIR
- FHIR - Input Validation and End-to-end FHIR testing
- I
needfound a job
- FHIR Security and Privacy - tutorial outline
- Response to Keith's ask on my theory of Interoperability
- Applying CyberSecurity Standards to Medical Device Design
- Murky Research Award
- Testing - governance
- Constrained Vocabulary and Schema are good and needed - But Robustness must rule the longitudinal HIE
- I feel BlueButton advancement
- What is a Connectathon?
- Vocabulary Standards make poor User Interfaces
- Major upgrade to MDS2 to align with IEC-80001
- I contributed a chapter to a Book published on Healthcare Information Technology
- IHE - Privacy and Security Profiles - Document Encryption
- Encryption is like Penicillin
- Healthcare is not secure - trust suffers
- Creating and using Unique ID - UUID - OID
- Distributed Active Backup of Health Record
- Workflow Automation Among Multiple Care-Providing Institutions
- Effective Standards Evaluation - Guest blog from Karen
- Are Documents Dead?
- Medical Device Security and Privacy
