THIS IS "SECURITY AND PRIVACY REQUIREMENTS
TO SUPPORT EXCHANGE OF HEALTH INFORMATION."
THIS IS A GREAT SEGUE TOPIC FROM THE TOOLS OF TRUST TOPIC
THAT WE JUST HAD IN THE BALLROOM THIS MORNING.
SO THE COMMUNITY
OF HEALTH INFORMATION TECHNOLOGY PROFESSIONALS
IS ON THE PRECIPICE OF DEMONSTRATING
ENCOURAGING HEALTH INFORMATION EXCHANGE RESULTS
WITH RAPID ACCELERATION OF HEALTH INFORMATION TECHNOLOGY
POLICIES, STANDARDS, SYSTEMS AND NETWORKS.
THE CYCLE TIME TO PRACTICAL APPLICATION
OF THESE SYSTEMS IS ALSO SHRINKING,
AND THE RESULT OF THAT, WE HOPE,
IS TO SEE GREATLY IMPROVED HEALTH CARE, CARE AND QUALITY
FOR EVERYBODY.
AND INCORPORATED WITHIN THIS TRANSFORMATIONAL ERA,
WHICH IT IS, IS AN INCREASED EMPHASIS
ON SECURITY AND PRIVACY.
TRUST IS AN OMNIPRESENT ENABLER, NOT JUST FOR H.I.T.
BUT FOR THE BROADER SCOPE
OF OUR NATION'S DIGITAL INFRASTRUCTURE,
AS EVIDENCED BY THE ADMINISTRATION'S APPOINTMENT
OF A NATIONAL C.I.O., C.T.O.,
AND THE NATIONAL-- OR, STILL PENDING, I GUESS,
NATIONAL SECURITY ADVISOR.
WHILE THE SHIFT IN ATTRIBUTING RESPONSIBILITY
AND ACCOUNTABILITY FOR NATIONAL CYBER SECURITY IS EVIDENT,
IT REMAINS UNCLEAR HOW THIS WILL, YOU KNOW,
EXACTLY HOW THIS WILL AFFECT HEALTH INFORMATION TECHNOLOGY
AND MORE DIRECTLY, THE IMPACTS ON SECURITY REGULATIONS,
LAWS, STANDARDS AND POLICIES AND PROCEDURES,
WITHIN WHICH WE ALL NEED TO UNDERSTAND AND COMPLY.
SO WE'RE HONORED TODAY TO HAVE WITH US
2 REPRESENTATIVES FROM POLICY ORGANIZATIONS,
FEDERAL POLICY ORGANIZATIONS--
MS. SUZANNE LIGHTMAN
FROM THE OFFICE OF MANAGEMENT AND BUDGET,
WHO HAS A FOCUS ON FEDERAL SECURITY,
AND MS. JODI DANIEL,
WHO SPOKE VERY ELOQUENTLY ON THESE SAME TOPICS YESTERDAY,
FROM THE OFFICE OF THE NATIONAL COORDINATOR,
WHO HAS H.I.T. POLICY RESPONSIBILITIES
INCLUDING SECURITY AND PRIVACY.
WE'RE ALSO JOINED BY MS. JULIE BOUGHN,
WHO IS THE CHIEF INFORMATION OFFICER, AND MY BOSS,
AT THE CENTERS FOR MEDICARE AND MEDICAID SERVICES.
AND SHE'LL OFFER US FIRST-HAND INSIGHT
ON THE OPERATIONAL END
OF THE CHALLENGES AND OPPORTUNITIES
THAT SHE FACES AND THAT CMS FACES
IN GUIDING THE WORLD'S LARGEST HEALTH CARE PAYOR ORGANIZATION.
SO I ASK THAT WE KEEP THE QUESTIONS TO THE END,
AND HOPEFULLY THERE WILL BE TIME AT THE VERY END
AFTER ALL THE PRESENTATIONS TO TAKE QUESTIONS, PLEASE.
OOP.
OH, I'M SORRY. I FORGOT.
OK, I HAVE TO REMEMBER TO TALK AND PUSH.
SO HERE, JUST REALLY FAST,
SOME OF THE TOPICS THAT WE'LL COVER.
AND THE ORGANIZATION OF THE PANEL IS SUCH
THAT WE WILL START OUT WITH THE BROADEST VIEW--
THE OFFICE OF MANAGEMENT AND BUDGET VIEW--
OF SECURITY AND PRIVACY ISSUES,
AND THEN WE'LL MOVE PROGRESSIVELY
DOWN TO MORE FOCUSED AREAS,
THROUGH OFFICE OF THE NATIONAL COORDINATOR,
WHICH IS ALSO A NATIONAL VIEW,
AND THEN A FEDERAL AGENCY'S PERSPECTIVE
ON SECURITY AND PRIVACY
AND SECURITY ASSURANCE PROGRAMS THAT WE NEED.
AND THEN I WILL REPRESENT THE FHA-SPONSORED
FEDERAL SECURITY STRATEGY WORKGROUP AND WHAT WE'RE DOING
RELATIVE TO SECURITY AND THE CONNECT GATEWAY.
OK. SUZANNE?
DID THEY TURN THIS-- OH, THEY JUST TURNED IT ON.
OK, EVERYONE CAN HEAR ME NOW, RIGHT?
MY NAME IS SUZANNE LIGHTMAN.
I'M THE LEAD I.T. POLICY ANALYST
IN THE OFFICE OF THE FEDERAL C.I.O. AT OMB,
AND MY RESPONSIBILITIES ARE CYBER SECURITY AND H.I.T.
AND I'M GOING TO SPEAK, AS SHE JUST MENTIONED,
MORE ABOUT THE ENVIRONMENT
THAT THE AGENCIES FIND THEMSELVES IN
AS THEY MOVE FORWARD INTO THIS WHOLE WORLD
OF ELECTRONIC HEALTH RECORDS.
OBVIOUSLY, THERE ARE MANY PARTS OF THE U.S. GOVERNMENT
THAT ARE IN THE VANGUARD OF H.I.T.
D.O.D. AND V.A. ARE PROBABLY THE BIG ONES
THAT EVERYONE THINKS OF.
THEY EACH HAVE FULL EHR SYSTEMS THAT THEY USE,
AND THEY USE THEM IN A MEANINGFUL WAY
BY ANY DEFINITION.
BUT THEY HAVE MOSTLY CONDUCTED THESE ACTIVITIES
WITHIN THE U.S. GOVERNMENT
AND NOT WITH A BROAD SWATHE OF NON-GOVERNMENT PARTNERS,
AND THAT MAKES AN ENORMOUS DIFFERENCE
AS THEY MOVE FORWARD.
GIVEN THAT THE U.S. GOVERNMENT IS, WITHOUT A DOUBT,
THE SINGLE MOST REGULATED INDUSTRY IN THE ENTIRE WORLD,
I THINK IT'S IMPORTANT-- AND AS ONE OF THE GROUPS SAID,
"AND SHOWS A LOT OF THOSE REGULATIONS."
I CAN SAY THAT WITH ABSOLUTE ASSERTION.
IT'S IMPORTANT TO ASK
WHAT ARE THE STATUTORY CONCERNS, POLICY CONCERNS
AND THE RESPONSIBILITIES AND NEEDS OF AGENCIES
AS THEY MOVE FORWARD?
FIRST OF ALL, THE U.S. GOVERNMENT
USES HEALTH DATA IN 2 WAYS.
ONE, IT GENERATES IT.
I'M USING VERY ROUGH NUMBERS HERE,
SO NO ONE GO OUT AND THEN QUOTE ME ON THIS.
BUT AROUND 10 TO 15 MILLION PEOPLE
AT ANY GIVEN TIME IN THE U.S., AMERICAN CITIZENS,
ARE RECEIVING CARE FROM SOME ENTITY
IN THE U.S. GOVERNMENT.
THIS INCLUDES THE ANYWHERE FROM 1 TO 2 MILLION--
NO, UP TO 3 MILLION, I THINK, NOW,
THAT ARE RECEIVING CARE THROUGH D.O.D.
THERE'S ANYWHERE UP TO 8 MILLION VETERANS.
THERE ARE THE TRIBAL NATIONS
THAT ARE RECEIVING THEIR CARE THROUGH HHS.
AND THEN THERE ARE A VARIETY OF OTHER SMALL PROGRAMS
THROUGHOUT THE FEDERAL GOVERNMENT
WHERE PEOPLE ARE RECEIVING DIRECT CARE.
HOWEVER, THE FEDERAL GOVERNMENT ALSO RECEIVES ENORMOUS NUMBERS
OF RECORDS WHICH THEY USE FOR OTHER PURPOSES
OTHER THAN PATIENT CARE,
MOSTLY HAVING TO DO WITH PAYING SOMEBODY.
THIS CAN EITHER BE PAYING THE PROVIDERS,
OR IT CAN BE PAYING THE PERSON THEMSELVES
IN THE CASE OF SSA's DISABILITY WORK.
SO WE SIT IN THE PECULIAR POSITION
OF BEING BOTH A USER AND A GENERATOR
OF MEDICAL HEALTH RECORDS,
EASILY ONE OF THE LARGEST IN THE WORLD,
IF NOT THE LARGEST.
SO AS THESE AGENCIES ARE DOING ALL THIS,
WHAT ARE THEIR MAJOR CONCERNS AND RESPONSIBILITIES?
PROBABLY THE LARGEST ONE CENTERS AROUND
THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT.
KNOWN AS FISMA, IT WAS PART OF THE E-GOVERNMENT ACT OF 2002,
AND FISMA AROSE BECAUSE THE CONGRESS
WAS FAIRLY IRRITATED WITH THE AGENCIES
AND FELT THAT THEY NEEDED TO MOVE FORWARD ON SECURITY
IN A MORE AGGRESSIVE WAY.
LET'S JUST LEAVE IT AT THAT.
AND IT ESTABLISHES A WHOLE SERIES OF REQUIREMENTS
AROUND SECURITY FOR FEDERAL SYSTEMS
AND, MORE IMPORTANTLY FOR THIS DISCUSSION,
FOR FEDERAL INFORMATION.
IT REQUIRES THAT THOSE PROTECTIONS, WHATEVER THEY ARE,
BE COMMENSURATE WITH RISK.
IT ALSO REQUIRES THAT SINCE IT--
THE PROTECTIONS MOVE WITH THE DATA
SO THAT CONTRACTORS SHOULD HAVE THE SAME PROTECTIONS
OVER FEDERAL DATA
THAT THE FEDERAL GOVERNMENT FEELS IS NECESSARY
WHEN THEY HAVE THE DATA.
THAT SOUNDS VERY SIMPLE, DOESN'T IT?
WHAT YOU HAVE TO UNDERSTAND IS THAT THE ACT,
WHICH--THE FISMA ITSELF ONLY RUNS, I THINK, ABOUT 20 PAGES--
HAS BEHIND IT A GREAT DEAL OF O.M.B. MEMOS,
WHICH ARE NOT VERY BIG.
WE WRITE VERY THIN MEMOS.
AND THEN A MOUNTAIN OF N.I.S.T. GUIDANCE--
THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY--
THAT COVERS EVERY SINGLE ASPECT--
WELL, ALMOST EVERY SINGLE ASPECT,
'CAUSE THEY HAVE SOME MORE THEY'RE STILL ISSUING--
OF EVERYTHING THAT COULD POSSIBLY BE COVERED BY FISMA.
I WILL TELL YOU, THOUGH, THAT THERE IS ONE THING
THAT IS REQUIRED OF ALL AGENCIES THAT IS NOT IN FISMA,
AND IT'S PROBABLY THE SINGLE PART OF FEDERAL SECURITY
YOU'VE HEARD THE MOST ABOUT,
AND THAT IS "CERTIFICATION AND ACCREDITATION."
I ASSUME THAT MOST OF YOU,
IF YOU'VE DEALT WITH THE FEDERAL GOVERNMENT,
HAVE HEARD THESE DREADED WORDS ECHOING DOWN THE CORRIDORS,
PROBABLY ACCOMPANIED BY SOME VERY CREATIVE LANGUAGE.
CERTIFICATION AND ACCREDITATION
DOESN'T APPEAR ANYWHERE IN FISMA.
I WANT TO MAKE THIS VERY CLEAR.
O.M.B. MADE IT UP.
WE CREATED IT ALL BY OURSELVES,
AND WE PUT IT IN THE CIRCULAR A-130.
THAT HASN'T BEEN UPDATED SINCE THE EARLY PART OF THE CENTURY.
BUT THAT'S WHERE CERTIFICATION AND ACCREDITATION COMES FROM.
SO, BRIEFLY--AND I WANT TO MAKE THAT CLEAR,
BECAUSE WHEN I TELL PEOPLE THAT THEY CAN DO A CERTAIN THING,
THEY'RE ALL LIKE, "HOW DO YOU KNOW THAT?"
AND I'LL SAY, "BECAUSE IT'S OUR REQUIREMENT."
THEN THEY ALL GET VERY NERVOUS
THAT WE CAN CHANGE THE REQUIREMENTS.
CERTIFICATION IS BASICALLY
THE RESPONSIBILITY OF THE AGENCY TO DO A FULL ANALYSIS
OF THE TECHNICAL SPECIFICATIONS AND POLICIES
SURROUNDING A SYSTEM
TO DETERMINE IF THE SECURITY PROTECTIONS
ARE COMMENSURATE WITH THE RISK AND ARE PRESENT AND FUNCTIONING.
THIS, THEN, LEADS TO A RECOMMENDATION
TO AN AUTHORIZING OFFICIAL WHO GIVES THE ACCREDITATION,
WHICH IS THE GRANTING OF AN AUTHORITY TO OPERATE,
ALLOWING THE SYSTEM TO ACTUALLY PROCESS FEDERAL DATA
AND INDICATING THAT MANAGEMENT ACCEPTS THE RESIDUAL RISKS
OF THE SYSTEM.
IT SOUNDS SO SIMPLE.
BUT THERE ARE MANY THINGS ONE MUST DO TO ACHIEVE A C&A.
YOU HAVE TO DO A RISK ASSESSMENT.
THERE'S A FEDERAL INFORMATION PROCESSING STANDARD
PUT OUT BY N.I.S.T.
BY THE WAY, F.I.P.S. IS WHAT AGENCIES MUST DO WITH NO EXCEPTION.
SPECIAL PUBS. 800s ARE THINGS
THAT YOU EITHER HAVE TO DO TO COMPLY WITH THE F.I.P.S.
OR JUST THINGS N.I.S.T. THINKS IT'S A GOOD IDEA FOR YOU TO DO.
THE RISK ASSESSMENT REQUIREMENT HAS A F.I.P.S. BEHIND IT.
THEN, OF COURSE, THERE ARE, I THINK, 2 NOW,
SPECIAL PUBLICATIONS ON HOW TO DO THE RISK ASSESSMENTS.
YOU HAVE TO HAVE A SYSTEM SECURITY PLAN.
I THINK THERE'S AT LEAST--
LAST TIME I LOOKED, I THINK THERE WERE 2,
BUT THERE MIGHT BE 3 SPECIAL PUBLICATIONS ASSOCIATED
WITH HOW TO DO THAT.
YOU HAVE TO TEST ALL YOUR CONTROLS AND KEY CONTROLS.
THERE'S A VERY, VERY LARGE F.I.P.S.,
800-53A, ASSOCIATED WITH THAT.
PLEASE NEVER, EVER, EVER PRINT IT OUT. EVER.
YOU HAVE TO DO A CONTINGENCY PLAN.
YOU GUESSED IT.
THERE IS A LARGE SPECIAL PUB. ASSOCIATED WITH THAT.
AND THEN YOU HAVE TO TEST YOUR CONTINGENCY PLAN,
AND THERE ARE ACTUALLY, I THINK, 2 SPECIAL PUBLICATIONS
ASSOCIATED WITH THAT.
SO YOU CAN SORT OF UNDERSTAND WHY THE AGENCIES THINK
THIS IS AN ENORMOUS AMOUNT OF WORK.
I WILL SAY IN DEFENSE OF THE C&A PROCESS
THAT IT AROSE BECAUSE AGENCIES WOULD SIMPLY BUILD SYSTEMS
AND PUT THEM INTO PRODUCTION, AND THEN GO, "HUH.
WE NEVER CONSIDERED THE FACT THAT SOMEBODY COULD STEAL DATA
OUT OF THIS SYSTEM."
AND C&A WAS AN ATTEMPT TO MOVE THEM FORWARD,
AND MANY OF THE ELEMENTS OF C&A
ARE ACTUALLY INDIVIDUALLY REQUIRED BY FISMA.
SO AGENCIES HAVE TO CONSIDER THAT ENTIRE FISMA, C&A THING.
BUT THERE'S OTHER THINGS AGENCIES HAVE TO CONSIDER,
BECAUSE THAT WOULDN'T BE ENOUGH.
WHILE SOME OF THESE ARE MANY OF THE SAME POLICIES
THAT MOST OF YOU HAVE TO--
HIPAA AND THE REQUIREMENTS OF THE NEW H.I.T. ACT--
OTHERS ARE UNIQUE TO THE U.S. GOVERNMENT.
THERE'S THE PAPERWORK REDUCTION ACT.
YOU WOULDN'T THINK THAT WOULD HAVE A LOT TO DO
WITH H.I.T., WOULD YOU?
BUT THE PAPERWORK REDUCTION ACT REQUIRES THAT AGENCIES JUSTIFY
EVERY TIME THEY WANT TO COLLECT DATA
FROM ANY CITIZEN, OR ACTUALLY ANYBODY, TO DO THEIR SYSTEMS,
SO EVERY TIME THEY START A HEALTH RECORDS SYSTEM
OR A SYSTEM THAT'S GOING TO GATHER HEALTH RECORDS,
THEY HAVE TO JUSTIFY IT.
THERE'S THE RECORDS ACT.
THAT REQUIRES THAT THEY ACTUALLY RECORD EVERYTHING SOMEWHERE
SO AT SOME POINT IN THE FUTURE,
HISTORIANS CAN ACTUALLY LOOK AT IT.
THE PRIVACY ACT,
WHICH REQUIRES THAT THEY PROTECT THE SYSTEMS
AND THE INFORMATION IN THE SYSTEMS
SO THAT YOUR INFORMATION DOESN'T GET SPILLED OUT
ACROSS THE INTERNET, AND--
BUT ALL OF THIS WASN'T ENOUGH,
AND IN 2006,
ONE OF THE AGENCIES, WHO SHALL REMAIN NAMELESS,
SORT OF ALLOWED THEIR DATA TO KIND OF SPILL OUT.
SO O.M.B. PUT SOME NEW REQUIREMENTS IN.
THEY'RE CONTAINED IN MEMOS M-06-16 AND M-07-16,
AND THEY REQUIRE THINGS LIKE BREACH POLICIES,
NOTIFICATIONS, ET CETERA, ET CETERA.
THESE ARE VERY, VERY STRICT.
FOR INSTANCE, YOU MUST NOTIFY US-CERT WITHIN 1 HOUR
OF DETERMINING THAT THERE WAS A BREACH OF PRIVACY INFORMATION.
IT'S 24 HOURS IF SOMEBODY'S DEAD, YOU KNOW.
YOU HAVE 24 HOURS TO NOTIFY US IF SOMEBODY GETS KILLED,
BUT YOU ONLY HAVE 1 HOUR IF YOU'VE LOST YOUR BLACKBERRY.
[LAUGHTER]
OF COURSE WHEN I TALK ABOUT THESE ACTS,
I'M USING "ACT" AS A SHORTHAND
FOR THE SETS OF LAWS AND REGULATIONS THAT BACK THEM UP.
ALL OF THESE LAWS HAVE A LOT OF REGULATIONS BEHIND THEM.
THERE ARE THE REGULATIONS AROUND THE SYSTEM OF RECORDS NOTICES,
WHICH YOU HAVE TO PUT IN FOR THE P.R.A. AND THE PRIVACY ACT.
"WE'RE COLLECTING THIS DATA. THIS IS WHY.
THIS IS WHY WE FEEL IT'S JUSTIFIED."
AND THEN WAIT FOR EVERYBODY TO TELL YOU IF IT IS OR NOT.
AND THE PRIVACY IMPACT ASSESSMENTS.
"THIS IS THE INFORMATION COLLECTED, WHY WE'RE COLLECTING IT,
WHAT WE'RE DOING TO PROTECT IT, HOW WE PROMISE TO DESTROY IT,
HOW LONG WE'RE GONNA KEEP IT."
THEN WAIT FOR EVERYBODY TO TELL YOU IF YOU'RE RIGHT OR NOT.
SO IT'S A LOT OF WORK, AND IT'S VERY COMPLICATED.
BUT ALL OF THESE THINGS EXIST BECAUSE YOU--
BECAUSE YOU'RE THE CITIZENS OF THE UNITED STATES--
WANT TO BE SURE THAT THE VERY, VERY POWERFUL
U.S. GOVERNMENT IS BEHAVING IN A RESPONSIBLE WAY,
AND THE WAY THAT YOU EXPRESS THAT
IS BY PASSING LAWS.
SO I'M NOT SAYING ANY OF THESE LAWS ARE BAD.
I WANT YOU TO KNOW THAT.
I'M JUST TRYING TO EXPLAIN TO YOU
WHY IT CAN SOMETIMES BE SO DIFFICULT
TO DEAL WITH THE FEDERAL AGENCIES
WHEN YOU GO FORWARD IN ELECTRONIC HEALTH RECORDS.
'CAUSE THEY HAVE A LOT OF CONCERNS YOU DON'T HAVE.
I'VE BEEN ASKED REPEATEDLY ABOUT THE ROLE OF FISMA
WITH REGARD TO H.I.T.
"WHAT IF WE DO THIS? WHAT IF WE DO THIS?"
THIS IS ALWAYS BY AGENCIES, BY THE WAY.
AND I'VE ALWAYS SAID, "THE PROBLEM IS
THAT FISMA DOESN'T HAVE ANY EXCEPTIONS IN IT."
IT SAYS THAT AN AGENCY HEAD IS RESPONSIBLE
FOR THE INFORMATION AND THE SYSTEM,
AND IT DOESN'T SAY THAT YOU'RE ONLY RESPONSIBLE
UNTIL "X" HAPPENS
OR YOU'RE ONLY RESPONSIBLE IF "Y" HAPPENS.
NO. IT SAYS THAT YOU HAVE AN OBLIGATION TO MAKE SURE THAT
THAT INFORMATION IS PROTECTED WHEREVER IT GOES
AND WHATEVER IS DONE WITH IT, AS LONG AS YOU BELIEVE
THAT INFORMATION NEEDS TO BE PROTECTED.
AND THE AGENCIES AREN'T ABSOLVED FROM ANY STATUTORY REQUIREMENTS
WHEN DEALING WITH H.I.T.
SO CURRENTLY, AGENCIES WHO ARE SHARING OR EXCHANGING DATA
HAVE MOSTLY BEEN DOING IT EITHER WITH PARTNERS
WHO ARE WITHIN THE FEDERAL GOVERNMENT...
D.O.D. AND V.A.-- THEY BOTH RATE THEIRS
AT THE SAME F.I.P.S. 199 RISK LEVEL,
THEN THEY LOOK AT EACH OTHER'S C&A PACKAGES
SO THEY KNOW THEY'RE ALL KIND OF ON THE SAME LEVEL.
THEN THEY ARGUE ABOUT IT, IT GOES BACK AND FORTH,
BUT THEY'RE ON LEVEL PLAYING FIELD.
...OR THEY'RE EXCHANGING WITH PARTNERS
WHO THEY HAVE A CONTRACTUAL RELATIONSHIP WITH,
AND UNDER THE FEDERAL ACQUISITION REGULATION,
CONTRACTORS MUST OBEY THE REQUIREMENTS OF FISMA.
THAT WOULD BE LIKE WHEN SSA IS EXCHANGING RECORDS
WITH AN INSURANCE COMPANY.
BUT WHAT HAPPENS WHEN ALL THE RECORDS
ARE EXCHANGED ELECTRONICALLY?
WHAT DO THE AGENCIES DO
WHEN THEY ARE ASKED BY PATIENTS
TO SEND ELECTRONIC RECORDS
TO PERSONAL HEALTH CARE RECORD PLACES?
WHAT'S THEIR RESPONSIBILITY THEN?
WHAT'S THE RESPONSIBILITY WHEN PEOPLE ARE CARRYING
THOSE RECORDS AROUND WITH THEM?
AT WHAT POINT IS IT NO LONGER THEIR RESPONSIBILITY?
I DON'T HAVE ANSWERS, BY THE WAY.
IF YOU'RE LOOKING FOR ANSWERS, YOU'RE NOT GONNA GET THEM.
BUT I THINK THOSE ARE THE QUESTIONS
THAT AGENCIES HAVE TO ASK THEMSELVES
AND COME TO ANSWERS ON GOING FORWARD IN H.I.T.
THANK YOU, SUZANNE, FOR YOUR INSIGHTS
INTO O.M.B.'s POSITIONS ON SECURITY AND PRIVACY
AND THE OVERVIEW OF THE C&A
THAT'S NOT IN THE FISMA.
[LIGHTMAN LAUGHS]
BUT THAT'S SOMETHING WE'LL TOUCH ON IN JUST A MINUTE.
SO, NEXT...
WE'LL INVITE JODI DANIEL
FROM THE OFFICE OF THE NATIONAL COORDINATOR
TO TALK TO US ABOUT PRIVACY AND SECURITY FRAMEWORK,
SOME BREACH NOTIFICATION
AND INCIDENT HANDLING INFORMATION,
AND SOME RECOVERY ACT IMPLICATIONS.
- THOSE ARE YOURS. - THANK YOU.
OOPS.
THANK YOU VERY MUCH. GOOD AFTERNOON.
I HAD PROMISED WHEN I WAS UP HERE EARLIER, YESTERDAY,
WHEN WE WERE DOING OUR O.N.C. PRESENTATION
THAT I'D BE BACK AND I WOULD BE GOING INTO A LITTLE MORE DETAIL
ABOUT PRIVACY AND SECURITY
AND THE ACTIVITIES THAT WE'RE UNDERTAKING,
SOME OF THE LEGAL ISSUES, AND SOME OF THE PROJECTS
THAT WE SEE COMING UP IN THE FUTURE.
WE...I'M GONNA KIND OF TAKE
ACTUALLY A STEP, I THINK, UP A LEVEL,
'CAUSE WHAT WE'RE LOOKING AT AT O.N.C.
IS HOW WE MAKE SURE THAT INFORMATION IS PROTECTED,
THAT THERE ARE APPROPRIATE PROTECTIONS IN PLACE
REGARDLESS OF WHO'S INVOLVED IN THE EXCHANGE.
SO WE ARE TRYING TO KIND OF LOOK AT VERY DIFFERENT LEVELS.
WE ARE LOOKING AT THE LEGAL STRUCTURE THAT WE HAVE IN PLACE,
AND I'LL TALK A LITTLE BIT ABOUT THE ARRA PROVISIONS.
WE'RE ALSO LOOKING AT SOME OF THE POLICIES
THAT MAY BE BROADER THAT WE WOULD WANT TO APPLY
NOT JUST TO THE FEDERAL FOLKS,
NOT JUST TO FOLKS THAT MIGHT BE COVERED BY THE HIPAA RULES,
BUT TO ANYBODY ENGAGED IN HEALTH INFORMATION EXCHANGE.
AND THEN WE'RE ALSO LOOKING AT SOME SPECIFIC IMPLEMENTATION,
HOW CAN WE TAKE SOME OF THE PRIVACY AND SECURITY
POLICIES OR PRACTICES THAT WE SEE AS IMPORTANT
AND PUT THEM INTO PRACTICE, EITHER THROUGH N.H.I.N.,
OR THROUGH ELECTRONIC HEALTH RECORDS TECHNOLOGY AND THE LIKE.
I'M GONNA TRY TO COVER ALL THOSE LEVELS
AND TRY TO DO IT QUICKLY, SO LET'S SEE HOW IT GOES.
I FEEL AS THOUGH IN ORDER TO TALK ABOUT PRIVACY AND SECURITY,
YOU HAVE TO TALK ABOUT IT IN THE CONTEXT OF THE VALUE
OF HEALTH INFORMATION TECHNOLOGY.
CLEARLY THE WHOLE PURPOSE OF HEALTH INFORMATION TECHNOLOGY
AND HEALTH INFORMATION EXCHANGE
IS TO TRY TO ASSURE HIGHER-QUALITY CARE
BY HAVING INFORMATION AVAILABLE AT THE TIME AND PLACE OF CARE
TO IMPROVE THE TREATMENT OF PATIENTS.
SO, IN DOING THAT, WE NEED TO BE ABLE
TO OBTAIN THE TRUST OF ALL OF THE PEOPLE INVOLVED
IN THAT EXCHANGE--
THE PROVIDERS WHO ARE RESPONSIBLE
FOR PROTECTING THEIR PATIENTS' INFORMATION,
THE PATIENTS WHOSE INFORMATION IS AVAILABLE
TO DIFFERENT PROVIDERS,
AS WELL AS OTHERS IN THE SYSTEM.
SO IF WE DON'T PROTECT--
IF WE DON'T OBTAIN THE TRUST OF THE PROVIDERS AND PATIENTS
THAT ARE INVOLVED IN HEALTH INFORMATION EXCHANGE
AND WHOSE INFORMATION IS INVOLVED,
THEN WE'RE GONNA HAVE FOLKS WHO ARE TRYING TO--
THAT TAKE PRIVACY-PROTECTIVE MEASURES
AND EITHER PREVENT INFORMATION FROM FLOWING,
NOT SHARE INFORMATION WITH PROVIDERS THAT ARE IMPORTANT,
AND THAT CAN HAVE SEVERE HEALTH CONSEQUENCES.
WE'RE TRYING TO FIGURE OUT HOW TO MAKE INFORMATION ACCESSIBLE
TO IMPROVE THE QUALITY OF CARE
AND HOW TO PUT IN THE RIGHT PROTECTIONS
SO FOLKS TRUST AND ALLOW THAT INFORMATION TO FLOW.
IT'S A REALLY DIFFICULT BALANCE,
SOMETHING WE'VE BEEN STRUGGLING WITH FOR SOME TIME,
WE'VE MADE SOME PROGRESS ON,
AND WE STILL HAVE SOME PROGRESS TO GO.
SO WHAT'S NEW IN HEALTH I.T. AND HOW DOES THAT AFFECT
THE PRIVACY AND SECURITY DISCUSSIONS?
HOPEFULLY-- THERE'S A GNAT HERE.
I'M NOT AS GOOD AS THE PRESIDENT.
I DON'T KNOW THAT I'M GONNA CATCH IT.
[LAUGHTER]
SO IF YOU SEE ME BATTING AROUND--
THE HOPE IS THAT HEALTH I.T. AND HEALTH INFORMATION EXCHANGE
WILL GIVE INDIVIDUALS THE ABILITY
TO HAVE A GREATER ROLE IN THEIR CARE,
TO HAVE MORE ACCESS TO THEIR INFORMATION,
TO BE ABLE TO BE ENGAGED MORE
IN BOTH THE HEALTH CARE SERVICES THAT THEY RECEIVE
AS WELL AS IN MANAGING THEIR OWN HEALTH
BETWEEN HEALTH CARE VISITS.
SO THAT'S AN ISSUE THAT WE NEED TO THINK ABOUT.
THERE ARE NEW ENTITIES INVOLVED.
WHEN HIPAA WAS WRITTEN, THERE WAS NO SUCH THING
AS A HEALTH INFORMATION EXCHANGE ORGANIZATION.
WELL, MAYBE THERE WAS, BUT THERE WERE VERY FEW.
IT WASN'T SOMETHING THAT WAS CONSIDERED.
PHR VENDORS DIDN'T EXIST BACK THEN,
SO THERE'S SOME NEW ENTITIES THAT ARE ON THE SCENE.
THERE WILL PROBABLY BE NEW ENTITIES THAT COME ABOUT
AS HEALTH INFORMATION TECHNOLOGY TAKES OFF,
AND WE NEED TO THINK ABOUT HOW THOSE ENTITIES PLAY A ROLE
AND HOW WE CAN PROTECT THE INFORMATION HELD BY THOSE ENTITIES.
AND I SEE THE TECHNOLOGY AS PROVIDING NEW, BOTH CHALLENGES
BUT ALSO OPPORTUNITIES FOR PROTECTING INFORMATION.
THE TECHNOLOGY CAN BE LEVERAGED
TO BETTER SECURE INFORMATION, TO HAVE BETTER AUDIT TRAILS,
TO LIMIT ACCESS TO INFORMATION TO THOSE WHO ARE AUTHORIZED,
TO BE ABLE TO TRACK IF THERE IS INAPPROPRIATE ACCESS,
SO TRYING TO FIGURE OUT HOW WE CAN HARNESS
THE CAPABILITIES OF THE TECHNOLOGY
TO IMPROVE PRIVACY AND SECURITY PROTECTIONS
OVER WHAT WAS AVAILABLE IN A PAPER SYSTEM.
AND THEN NEW QUESTIONS AND CONCERNS COME UP.
IF INFORMATION CAN ALL OF A SUDDEN BE QUERIED,
DOES THAT RAISE NEW PRIVACY CONCERNS?
THERE'S LOTS OF DIFFERENT ISSUES THAT COME ABOUT
AS INFORMATION IS FLOWING DIFFERENTLY,
AND SO WE'RE THINKING ABOUT HOW THOSE PLAY IN.
OH, THERE'S NEW-- SOMEBODY PLAYED WITH MY SLIDES
AND MADE THEM MUCH PRETTIER THAN I HAD BEFORE.
THIS IS GREAT.
I HAVE ELVES, I THINK, SOMEWHERE THAT ARE--
GRAPHICS ELVES.
SO, LIKE I SAID, I'M GONNA TALK ABOUT THIS FROM 3 LEVELS--
FROM SORT OF A BROAD, OVERARCHING POLICY PERSPECTIVE,
WHICH KIND OF GOES ABOVE THE LEGAL STRUCTURE
THAT WE HAVE IN PLACE,
TALK ABOUT THE LEGAL OBLIGATIONS THAT ARE OUT THERE
WITH RESPECT TO PRIVACY AND SECURITY AND WHAT'S NEW,
AND THEN TALK ABOUT SOME SPECIFIC IMPLEMENTATION
AND PARTICULARLY PRIVACY AND SECURITY
WITH THE NATIONWIDE HEALTH INFORMATION NETWORK.
SO "THE NATIONWIDE PRIVACY AND SECURITY FRAMEWORK"--
THIS IS A DOCUMENT THAT WE PUT OUT IN DECEMBER OF 2008.
THE GOAL HERE WAS TO HAVE--
TO COME UP WITH A SET OF HIGH-LEVEL PRINCIPLES
FOR PRIVACY AND SECURITY
THAT WERE FOCUSED ON HEALTH INFORMATION EXCHANGE
AND ARE BASED ON FAIR INFORMATION PRACTICES.
SO THE PRINCIPLES THAT ARE SET FORTH
IN "THE PRIVACY AND SECURITY FRAMEWORK" ARE NOT--
ANYBODY WHO'S BEEN INVOLVED IN THIS FIELD
WILL NOT SEE ANYTHING IN THERE THAT IS SHOCKING OR NEW
OR COMPLETELY OUT OF LEFT FIELD.
IT'S BASED ON EXISTING PRINCIPLES
FOR FAIR INFORMATION-SHARING PRACTICES,
BUT WE TRIED TO TAILOR IT TO HEALTH INFORMATION EXCHANGE
AND TO THE NEW ENVIRONMENT THAT WE'RE IN.
WHAT WE HAVE IS A SET OF PRINCIPLES
THAT ARE DESIGNED TO APPLY TO ALL PERSONS AND ENTITIES
INVOLVED IN ELECTRONIC HEALTH INFORMATION EXCHANGE.
SO THIS WOULD BE IF THERE'S A PHR VENDOR
THAT IS INVOLVED IN HEALTH INFORMATION EXCHANGE,
WE WOULD EXPECT THAT THEY WOULD FOLLOW THE SAME PRINCIPLES
AS THE PHYSICIAN WHO'S INVOLVED IN HEALTH INFORMATION EXCHANGE.
SO IT'S TO TRY TO SET A LEVEL PLAYING FIELD
FOR WHAT THE EXPECTATIONS ARE FOR FAIR DATA-SHARING PRACTICES.
WHAT WE'RE EXPECTING TO DO
WITH "THE PRIVACY AND SECURITY FRAMEWORK"
IS BUILD ON IT,
SO THOSE PRINCIPLES SHOULD STAY STABLE.
THAT'S WHY THEY'RE HIGH-LEVEL PRINCIPLES.
BUT OUR NEXT STEP, AND WHAT WE HOPE TO DO,
IS TO DEVELOP SOME IMPLEMENTATION-LEVEL GUIDANCE,
TO DEVELOP SOME SPECIFIC POLICIES
THAT MIGHT APPLY TO HEALTH INFORMATION EXCHANGE
AS WE ENCOURAGE ADOPTION AND PROMOTION
OF HEALTH INFORMATION EXCHANGES ACROSS THE COUNTRY
THROUGH OUR STATE GRANTS.
SO WE'RE GONNA TAKE THAT AS THE FOUNDATION AND BUILD ON IT,
BUILD SOME POLICIES, BUILD IMPLEMENTATION GUIDES
AND BUILD TOOLS TO HELP FOLKS.
WHAT WE EXPECT IS THAT THESE WOULD BE GUIDING PRINCIPLES--
AS SOMEBODY'S SETTING UP A HEALTH INFORMATION EXCHANGE,
AS THEY'RE WORKING WITH PROVIDERS TO GET THEM ENGAGED
IN THE EXCHANGE EFFORTS,
THAT THESE WOULD BE THE PRINCIPLES FOR THOSE ACTIVITIES.
AT THE SAME TIME THAT WE PUT OUT
"THE PRIVACY AND SECURITY FRAMEWORK,"
WE PUT OUT SOME TOOLS THAT WERE COMPANION
TO THOSE PRINCIPLES.
I'M ACTUALLY GONNA START FROM THE BOTTOM UP.
THE FIRST WAS, WE PUT OUT SOME GUIDANCE RELATED
TO "THE PRIVACY AND SECURITY FRAMEWORK" ON HIPAA.
WE WORKED CLOSELY WITH OUR OFFICE FOR CIVIL RIGHTS.
WHAT WE HAD HEARD WAS THAT THERE WERE LOTS OF QUESTIONS
ABOUT HOW THE HIPAA PRIVACY AND SECURITY RULES APPLIED
IN THE HEALTH INFORMATION TECHNOLOGY
AND HEALTH INFORMATION EXCHANGE ENVIRONMENT,
SO WE HAVE GUIDANCE THAT IS TIED TO EACH OF THE PRINCIPLES
EXPLAINING HOW, AS A HIPAA-COVERED ENTITY,
YOU CAN MEET THE EXPECTATIONS OF THESE PRINCIPLES
CONSISTENT WITH THE HIPAA RULES,
AND WE'VE CLARIFIED SOME OF THE HIPAA RULES
AND HOW THEY WOULD APPLY IN HEALTH INFORMATION EXCHANGE
AND HEALTH INFORMATION TECHNOLOGY ENVIRONMENTS.
FROM A SECURITY STANDPOINT,
ONE OF THE PRINCIPLES IS ABOUT SAFEGUARDING INFORMATION,
AND WHAT WE FOUND TO BE AN AREA
WHERE THERE NEEDED TO BE A LITTLE BIT MORE EMPHASIS
IS WORKING WITH SMALL PROVIDERS
AND HELPING THEM TO UNDERSTAND HOW TO THINK ABOUT SECURITY.
SO WE CAME UP WITH A GUIDANCE DOCUMENT CALLED
"REASSESSING YOUR SECURITY PRACTICES
IN A HEALTH I.T. ENVIRONMENT."
IT'S A GUIDE FOR SMALL PRACTICES.
IT HELPS WALK A SMALL HEALTH CARE PROVIDER
WHO DOESN'T HAVE SECURITY EXPERTISE OR A SECURITY BACKGROUND
THROUGH THE KINDS OF ISSUES AND QUESTIONS
THEY SHOULD BE THINKING ABOUT
AS THEY ADOPT AN ELECTRONIC HEALTH RECORD
OR AS THEY ADOPT AN E-PRESCRIBING SYSTEM,
AS THEY START EXCHANGING INFORMATION,
WHAT ARE THE NEW RISKS THEY SHOULD BE THINKING ABOUT?
WHAT ARE THE NEW TECHNOLOGIES THEY SHOULD BE THINKING ABOUT?
HOW SHOULD THEY BE THINKING ABOUT PROTECTING THAT DATA
AS THEY CHANGE THEIR PRACTICES, AS THEY BECOME MORE ELECTRONIC,
AS THEY BEGIN TO EXCHANGE DATA MORE REGULARLY
THROUGH AN ELECTRONIC MEANS?
SO THAT WAS THE PURPOSE OF THAT.
AND THEN THE THIRD TOOL THAT WE'VE BEEN WORKING ON
IS A DRAFT MODEL PRIVACY NOTICE FOR PERSONAL HEALTH RECORDS.
SO, CURRENTLY, THE HIPAA PRIVACY AND SECURITY RULES,
THE FEDERAL RULES ON PRIVACY AND SECURITY
THAT APPLY TO PRIVATE-SECTOR ENTITIES,
DON'T NECESSARILY APPLY TO PHRs.
IT DEPENDS. THERE MIGHT BE SOME
THAT ARE TETHERED TO A PHYSICIAN'S EHR,
AND IF THE PHYSICIAN IS MANAGING THAT PHR,
IT MIGHT BE COVERED AS PART OF THEIR REQUIREMENTS
TO FOLLOW HIPAA,
BUT GOOGLE HEALTH OR MICROSOFT HEALTHVAULT
OR NOMORECLIPBOARD
OR ANY OF THE OTHER PHR VENDORS THAT ARE OUT THERE
THAT OFFER A STAND-ALONE PHR THAT THEY MARKET TO CONSUMERS
ARE NOT NECESSARILY COVERED BY THOSE RULES.
SO WE TALKED TO SOME OF THE PHR VENDORS,
AND WE'RE TRYING TO FIGURE OUT HOW DO WE ENCOURAGE CONSUMERS
TO GET ACCESS TO THEIR INFORMATION,
TO GET MORE ENGAGED IN THEIR CARE,
BUT TO MAKE SURE THAT WE'RE NOT ENCOURAGING THAT
WITHOUT FOLKS CONSIDERING THE PRIVACY RISKS
SINCE WE DON'T HAVE, NECESSARILY, THE AUTHORITY
TO ENFORCE AGAINST PRIVACY OR SECURITY VIOLATIONS
IN THOSE PRODUCTS.
SO WHAT WE STARTED DOING WAS TRYING TO FIGURE OUT
HOW WE CAN MAKE THAT INFORMATION TRANSPARENT,
HOW WE CAN ENCOURAGE PHR VENDORS
TO COMMUNICATE THEIR PRIVACY AND SECURITY PRACTICES TO CONSUMERS
SO THAT CONSUMERS ARE ABLE TO MAKE INFORMED CHOICES
ABOUT USING THOSE PRODUCTS
AND THEREBY-- WE'RE ALSO HOPING
THAT AS WE ENCOURAGE THEM TO BE MORE TRANSPARENT
THAT THEY WOULD WANT TO BE TRANSPARENT ABOUT
AND THINK CAREFULLY ABOUT WHAT THEIR PRACTICES ARE
AND NOT NECESSARILY HAVE TO SAY IN BLACK AND WHITE,
"WE'RE SELLING YOUR DATA"
AND THAT PERHAPS THEY WOULD COME UP WITH
MORE PRIVACY-PROTECTIVE AND SECURITY-PROTECTIVE MEASURES.
WHERE WE ARE IN THAT PROCESS-- WE PUT OUT A DRAFT NOTICE,
AND WE ARE CURRENTLY TRYING TO REVISE THAT,
AND WE'RE GONNA BE DOING A WHOLE SET OF CONSUMER TESTING
ON THE MODEL PRIVACY AND SECURITY NOTICE.
WE'RE ACTUALLY WAITING FOR O.M.B. CLEARANCE
UNDER THE PAPERWORK REDUCTION ACT
BEFORE WE CAN DO THE CONSUMER TESTING,
SO WE'RE A LITTLE BIT ON HOLD RIGHT NOW
'CAUSE WE'RE FOLLOWING OUR LEGAL OBLIGATIONS.
WE'LL TALK LATER.
Lightman: WE'RE JUST TRYING TO MAKE SURE THAT YOU IN FACT JUSTIFY THIS.
YES, WE'LL TALK LATER.
SO OUR GOAL IS TO HAVE--
I THINK OUR TARGET NOW IS SPRING OF 2010--
TO HAVE A TEMPLATE, A NOTICE,
THAT PHR VENDORS COULD USE THAT'S CONSISTENT,
SO THAT CONSUMERS CAN ACTUALLY COMPARE,
THEY CAN UNDERSTAND HOW THE PHR VENDOR
WOULD USE OR DISCLOSE THEIR INFORMATION,
WHAT SECURITY MEASURES THEY HAVE IN PLACE.
WE'RE WORKING VERY CLOSELY WITH THE FEDERAL TRADE COMMISSION,
WHO HAS, IN THE PAST--
WE'VE BEEN TALKING TO ABOUT THEIR ABILITY TO ENFORCE
IF SOMEBODY DOES SOMETHING IN VIOLATION
OF THEIR STATED PRIVACY NOTICE.
SO THAT'S WHAT WE'RE DOING THERE.
WHICH LEADS ME TO ARRA.
THE...
UNDER ARRA, THE HITECH ACT SET FORTH--
AS WE HAD ALL TALKED ABOUT YESTERDAY
IN OUR O.N.C. CONVERSATION--
A WHOLE SET OF ACTIVITIES THAT WE'RE REQUIRED TO DO
TO TRY TO PROMOTE HEALTH INFORMATION TECHNOLOGY
AND HEALTH INFORMATION EXCHANGE, BUT IN DOING THAT,
THEY ALSO ADDED SOME PRIVACY PROTECTIONS
FOR CONCERN THAT THIS NEW ENVIRONMENT
MAY RAISE NEW ISSUES THAT THEY WANTED TO ADDRESS.
I MENTIONED THIS YESTERDAY.
WE HAVE 2 FEDERAL ADVISORY COMMITTEES
THAT WERE ESTABLISHED UNDER THE ACT,
AND THE ONLY REASON I REITERATE THAT TODAY
IS THAT WE EXPECT THAT BOTH THE POLICY COMMITTEE
AND THE STANDARDS COMMITTEE WILL BE GIVING US RECOMMENDATIONS
ON PRIVACY AND SECURITY ISSUES,
THE POLICY COMMITTEE FROM A POLICY STANDPOINT
AND THE STANDARDS COMMITTEE
FROM A STANDARDS AND TECHNOLOGY STANDPOINT,
TO HELP UNDERSTAND WHAT WE SHOULD BE PUTTING
INTO ELECTRONIC HEALTH RECORD CERTIFICATION REQUIREMENTS
SO THAT SYSTEMS HAVE CAPABILITIES
TO PROTECT INFORMATION.
SO WHAT CHANGED UNDER ARRA FOR THE HIPAA RULES?
WE HAD--I CATEGORIZE THESE IN 4 AREAS.
ONE IS MODIFICATIONS TO THE EXISTING RULE.
I WANT TO STRESS THAT WHAT ARRA DID
WAS BASICALLY BUILD ON THE EXISTING FRAMEWORK,
THE HIPAA FRAMEWORK, AND PUT SOME BAND-AIDS,
EXPANDED SOME THINGS TO MORE PEOPLE,
ADDED SOME PROVISIONS
BUT BASICALLY KEPT THE SAME CONCEPTUAL FRAMEWORK
FOR PRIVACY AND SECURITY PROTECTIONS.
I'M JUST HIGHLIGHTING A COUPLE OF BIG THINGS THAT WERE CHANGED.
ONE IS APPLYING SPECIFIC PROVISIONS
TO BUSINESS ASSOCIATES
AND ALLOWING ENFORCEMENT DIRECTLY
AGAINST BUSINESS ASSOCIATES, SO THIS WAS BIG.
IT'S TRYING TO INCREASE THE BUBBLE OF PROTECTION.
THE SECOND IS A BREACH NOTIFICATION REQUIREMENT.
THIS IS NOW A NEW FEDERAL REQUIREMENT
FOR ENTITIES TO NOTIFY INDIVIDUALS
IN THE CASE OF A BREACH
UNLESS THE INFORMATION IS RENDERED UNREADABLE,
UNUSABLE OR INDECIPHERABLE,
AND WE'VE RECENTLY PUT OUT GUIDANCE ON WHAT THAT MEANS
AND HAVE RECEIVED COMMENT ON THAT
AND ARE PROCESSING THOSE AS WE SPEAK.
AND THEN FINALLY THERE ARE SOME SPECIFIC CHANGES,
SO TALKING ABOUT ELECTRONIC ACCESS TO INFORMATION,
ACCOUNTING FOR MORE TYPES OF DISCLOSURES, ET CETERA.
IT ALSO PUT IN A BREACH NOTIFICATION
FOR THOSE PHRs THAT I MENTIONED WERE NOT COVERED BY HIPAA.
WELL, NOW THEY ARE COVERED
BY THE BREACH NOTIFICATION REQUIREMENTS,
SO THAT'S A NEW ADDITIONAL REQUIREMENT,
A NEW TYPE OF ENTITY.
THEY ENHANCED THE ENFORCEMENT ACTIVITIES
BY INCREASING PENALTIES,
ENCOURAGING OCR TO IMPOSE PENALTIES MORE OFTEN,
AND MOST IMPORTANTLY, OR MOST INTERESTINGLY, I THINK,
IS THAT THEY'VE NOW ALLOWED STATE ATTORNEYS GENERAL
TO ENFORCE THE HIPAA PRIVACY AND SECURITY RULES,
WHICH I THINK THE THINKING WAS THAT
THAT WOULD LEAD TO MORE ENFORCEMENT.
WE'RE GOING TO BE WORKING VERY CLOSELY
WITH STATE ATTORNEYS GENERAL TO MAKE SURE THEY UNDERSTAND
THE PRIVACY AND SECURITY RULES
SO THAT THERE ISN'T INCONSISTENT ENFORCEMENT NATIONWIDE,
WHICH IS A CONCERN WE HAVE.
AND THEN THERE IS A REQUIREMENT FOR EDUCATIONAL EFFORTS,
SO THAT OCR HAS TO EDUCATE FOLKS
ABOUT THE HIPAA PRIVACY AND SECURITY RULES
AND COME UP WITH AN EDUCATION CAMPAIGN.
SO, PRIVACY AND SECURITY IN OPERATION,
AND I'M NOT GONNA TALK IN TOO MUCH DETAIL ABOUT THIS.
I TOUCHED ON SOME OF THESE YESTERDAY.
SO WE HAVE BEEN WORKING VERY CLOSELY--
MY SHOP, THE POLICY SHOP HAS BEEN WORKING VERY CLOSELY
WITH THE FOLKS DOING N.H.I.N.
TO MAKE SURE THAT THE POLICIES
AND THE TECHNOLOGIES ARE ALIGNED,
AND THIS IS A CHALLENGING TASK, BECAUSE OFTENTIMES,
THE POLICY CAN'T--YOU CAN'T IDENTIFY THE RIGHT POLICY
UNLESS YOU HAVE THE TECHNOLOGICAL CAPABILITIES
TO IMPLEMENT THE POLICY,
BUT YOU CAN'T DEVELOP THE TECHNOLOGICAL ABILITIES
UNTIL THEY KNOW WHAT THE POLICIES ARE,
SO WE'RE TRYING TO WORK HAND IN HAND.
THE BOTTOM PIECE ON N.H.I.N. IS THIS PRIVACY AND SECURITY.
WE ACTUALLY HAVE A PRIVACY AND SECURITY WORKGROUP
THAT WE HAVE FORMED
TO BRING THE POLICY AND THE TECHNICAL FOLKS TOGETHER
SO THAT WE'RE IDENTIFYING WHAT ARE THE BEST APPROACHES
FROM A TECHNICAL PERSPECTIVE
THAT MEET THE BEST POLICY OBJECTIVES,
AND WE'RE TRYING TO BALANCE THOSE AND WORK THOSE TOGETHER.
GOING UP THE CHAIN...
WE ARE ALSO WORKING SPECIFICALLY ON ONE OF THE USE CASES,
THE CONSUMER PREFERENCES USE CASE,
BECAUSE THIS IS SO WRAPPED UP INTO CONSENT ISSUES
AND AUTHORIZATION ISSUES
AND THE STATE LAWS IN THESE AREAS,
AND WE'RE TRYING TO MAKE SURE
THAT THE TECHNICAL CAPABILITIES ARE THERE
SO THAT WE CAN SET BETTER POLICIES
ON PRIVACY AND SECURITY AND CONSUMER PREFERENCES
AND MAKE THOSE MORE EASY FOR FOLKS TO IMPLEMENT
FROM A TECHNICAL PERSPECTIVE.
AND THEN WE'VE BEEN WORKING VERY CLOSELY WITH THE FOLKS
WHO HAVE BEEN SETTING UP
THE DATA USE AND RECIPROCAL SUPPORT AGREEMENT,
WHICH IS REALLY THE LEGAL FOUNDATION FOR THE N.H.I.N.
IT'S TRYING TO ESTABLISH SOME OF THE BASELINE LEGAL POLICIES
FOR ALL OF THE PARTICIPANTS IN THE N.H.I.N. TO SIGN ONTO
SO THAT EVERYBODY'S FOLLOWING THE SAME RULES OF THE ROAD.
AND THERE'S SOME PRIVACY AND SECURITY ISSUES IN THERE,
AND ACTUALLY HAD A WHOLE LOT OF DISCUSSION--
PROBABLY THE MOST CHALLENGING CONVERSATION WAS ABOUT FISMA
AND HOW DO WE DEAL WITH SECURITY IN THE DURSA,
AND THAT ONE IS STILL AN OPEN-ENDED ISSUE,
AND WE WILL BE TALKING WITH SUZANNE IN THE FUTURE
ON THAT ISSUE AS WELL.
SO WE WORK VERY CLOSELY WITH OUR O.M.B. COLLEAGUES.
WE'RE TRYING TO MAKE SURE THAT AS WE'RE IMPLEMENTING POLICIES,
WE'RE LOOKING AT HOW THE FRAMEWORK FITS IN
WITH SOME OF THE N.H.I.N. SPECIFICATIONS
AND MAKING SURE THAT THE N.H.I.N. SPECIFICATIONS
ARE ENABLING FOLKS TO MEET THOSE PRINCIPLES.
WE'RE TRYING TO MARRY THESE 2 TOGETHER
IN OUR N.H.I.N. ACTIVITIES.
SO THAT'S ON THE EXCHANGE SIDE.
AND WE WILL ALSO BE LOOKING
AT HOW WE CAN IMPLEMENT THE POLICIES WE'RE SETTING FORTH
IN "THE PRIVACY AND SECURITY FRAMEWORK"
THROUGH ARRA, ET CETERA, INTO OUR STATE GRANT ACTIVITIES,
SO THAT AS THE STATES ARE DEVELOPING
HEALTH INFORMATION EXCHANGE CAPABILITIES,
THOSE ISSUES ARE INCORPORATED.
AND THEN FINALLY, WE'RE TRYING TO FIGURE OUT
HOW WE IMPLEMENT PRIVACY AND SECURITY INTO EHRs
BY MAKING SURE THAT THERE ARE CERTIFICATION CRITERIA
TO HAVE THE RIGHT SECURITY PROTECTIONS IN PLACE.
SO IF IN FACT WE WANT TO MAKE SURE THERE IS AN AUDIT TRAIL,
THAT HAS TO BE BUILT IN TO THE PRODUCT,
SO WE'RE LOOKING AT WHERE THERE ARE OPPORTUNITIES
FOR DEVELOPING CERTIFICATION CRITERIA
OR REQUIRING CERTIFICATION CRITERIA
THROUGH OUR REGULATION
THAT WOULD THEN BE REQUIRED TO BE IN A CERTIFIED PRODUCT.
AND THERE'S A LOT OF LEVERAGE THERE NOW,
BECAUSE IF SOMEBODY WANTS TO GET AN INCENTIVE PAYMENT
FOR MEDICARE AND MEDICAID,
THEY HAVE TO BE USING A CERTIFIED PRODUCT,
SO I THINK THERE'S A LOT OF OPPORTUNITY THERE
TO REALLY UP THE PROTECTIONS
AND UP THE CAPABILITIES OF THE PRODUCTS
THROUGH OUR AUTHORITY
TO SET CERTIFICATION CRITERIA AND STANDARDS.
SO ALL OF THIS KIND OF FITS TOGETHER.
LIKE I SAID, WE'RE LOOKING AT PRIVACY AND SECURITY
AT DIFFERENT LEVELS
FROM SORT OF THE BROAD POLICY PERSPECTIVE,
FROM THE LEGAL OBLIGATIONS PERSPECTIVE AND HIPAA, ARRA,
AND THEN ALSO FROM HOW DO WE BRING THAT ALL
DOWN INTO THE OPERATIONAL LEVEL AND MAKE IT MEANINGFUL
AND MAKE FOLKS ACTUALLY BE--
HELP FOLKS TO ACTUALLY IMPLEMENT
THE PROTECTIONS THAT NEED TO BE IN PLACE
TO GET THE TRUST THAT WE NEED
SO THAT FOLKS WILL MAKE INFORMATION AVAILABLE
TO BETTER TREAT PATIENTS AND IMPROVE QUALITY OF CARE.
AND WITH THAT, I TURN IT BACK TO ASHLEY.
THANK YOU.
THANKS VERY MUCH FOR SHARING.
[INDISTINCT]
[APPLAUSE]
OK, SO, NEXT WE'LL HEAR FROM JULIE BOUGHN,
THE C.I.O. AND DIRECTOR
OF THE OFFICE OF INFORMATION SERVICES
AT THE CENTERS FOR MEDICARE AND MEDICAID SERVICES,
AND SHE'LL, I THINK,
KIND OF BRING BACK AROUND THE FISMA DEBATE AGAIN
AND WHAT CONCERNS ARE AT THE OPERATIONAL LEVEL FOR US.
THANKS.
THANKS, ASHLEY.
SO I STEPPED DOWN OFF THE STAGE,
BUT I'M GONNA TELL YOU RIGHT UP FRONT
THAT I'M GETTING ON A SOAPBOX.
SO JUST IMAGINE THAT I'VE GOTTEN ON A SOAPBOX
BUT I CAN WALK AROUND.
MY STAFF WILL TELL YOU I ALWAYS LIKE TO WALK AROUND
AT MEETINGS, AND IT'S REALLY SO I CAN LOOK THEM IN THE EYES.
BUT I HAVE A PARTICULAR MESSAGE
THAT I WANT TO BRING TO YOU ALL TODAY
SINCE WE'RE TALKING SO MUCH
ABOUT HEALTH INFORMATION EXCHANGES AND TECHNOLOGY.
YOU HEARD SUZANNE TALK A LOT ABOUT WHAT FEDERAL AGENCIES
ARE SUBJECT TO AND HAVE TO DO
IN ORDER TO MEET OUR FISMA REQUIREMENTS,
AND ONE OF THOSE THINGS IS WE HAVE TO CONTINUOUSLY LOOK
AT OUR SYSTEMS AND TEST THEM
AND MAKE SURE THAT THINGS ARE GOING OK.
AND AT CMS, WE GET A LOT OF HELP IN DOING THAT,
BECAUSE WE HAVE OUR INSPECTOR GENERAL,
WHO LOOKS AT A LOT OF THINGS FOR US AS WELL.
SO A COUPLE WEEKS AGO,
AS PART OF THE CHIEF FINANCIAL OFFICER'S AUDIT,
THEY WERE LOOKING AT SOME OF OUR SYSTEMS,
AND THEY FOUND WHAT IS ACTUALLY
A PRETTY SIGNIFICANT SECURITY VULNERABILITY,
AND I'M GONNA LEAVE IT AT THAT.
AND THESE ARE SYSTEMS-- THIS IS SYSTEMS THAT--
WE'VE BEEN COVERED BY FISMA SINCE 2002.
BEFORE THAT IT WAS GISRA,
AND BEFORE THAT WE WERE ACTUALLY STARTING TO LOOK AT SYSTEMS--
AND THIS SYSTEM'S BEEN AROUND, BY AND LARGE, SINCE THOSE DAYS--
AND WE DID NOT KNOW THIS.
AND THANK GOODNESS THE AUDITOR DID THAT
AND THANK GOODNESS THE AUDITOR WAS LOOKING AT THIS SYSTEM,
BECAUSE NOW WE FIXED IT, RIGHT?
FORTUNATELY, WHEN YOU FIND
SIGNIFICANT SECURITY VULNERABILITIES,
THEY TEND TO BE PRETTY EASY TO CORRECT,
AND THIS ONE ACTUALLY WAS.
BUT IT'S PROBABLY BEEN AROUND FOR A WHILE,
AND THAT'S A DISAPPOINTING THING TO ME
AS THE CHIEF INFORMATION OFFICER.
WHAT I'LL TELL YOU IS THAT WHEN WE LOOK AT OURSELVES
FROM A SECURITY PERSPECTIVE ON A CONTINUOUS BASIS,
AND ALSO WHEN WE'VE BEGUN LOOKING AT--
WE'VE BEEN VENTURING OUT INTO PERSONAL HEALTH RECORDS,
AND WE'VE BEEN VENTURING OUT INTO SOME OTHER AREAS
AND HEALTH INFORMATION EXCHANGES--
AND WE'VE HAD TO LOOK AT NEW AND DIFFERENT PARTNERS
FROM THE ONES THAT WE'VE USUALLY HAD TO LOOK AT
FROM A SECURITY PERSPECTIVE,
BECAUSE, AGAIN, SUZANNE AND HER COLLEAGUES
REQUIRE THAT WE DO THIS.
I CAN TELL YOU THAT WE AS AN INDUSTRY
NEED TO RAISE OUR GAME IN INFORMATION SECURITY.
WE ARE NOT DOING A GOOD JOB.
AND LET ME TELL YOU ANOTHER EXAMPLE, OK?
WE HAVE COLLEAGUES
AT THE DEPARTMENT OF HOMELAND SECURITY
WHO ARE LOOKING AT MALICIOUS SOFTWARE,
MALICIOUS THINGS THAT ARE HAPPENING ON THE INTERNET.
WHEN THEY FIND THINGS THAT HAVE TO DO WITH OUR SYSTEMS,
THEY'LL TELL US ABOUT IT, AND ONE OF THE THINGS
THAT THEY'RE TELLING US ABOUT MORE AND MORE THESE DAYS
IS THE INCIDENCE OF KEY LOGGERS,
KEY-LOGGING SYSTEMS BEING ON USER COMPUTERS
ON THE INTERNET, RIGHT,
WHO ARE THEN ACCESSING OUR SYSTEMS,
AND THE HOMELAND SECURITY PEOPLE CAN TELL US
THAT SOME BAD GUY HAS SEEN, FOR EXAMPLE, USER CREDENTIALS
ACCESSING OUR SYSTEMS OVER THE INTERNET.
SO WHAT WE'VE BEEN DOING WITH THESE PEOPLE--
AND LARGELY, THESE ARE NOT OUR CONTRACTORS, OK?
PEOPLE WORKING ON OUR BEHALF.
WHAT WE'VE BEEN DOING IS LETTING THEM KNOW.
WE, OF COURSE, IMMEDIATELY DISABLE THEIR ACCESS
AND LET THEM KNOW THAT THEY HAVE A COMPROMISED COMPUTER.
IN ONE CASE, THE PARTICULAR COMPROMISED COMPUTER
WAS ACTUALLY CONTROLLING MEDICAL DEVICES, RIGHT,
WHICH MEANS IT'S FDA-APPROVED, RIGHT,
WHICH MEANS THAT IT'S UNPATCHED,
BECAUSE IF THEY PATCHED IT,
THE FDA APPROVAL DOESN'T APPLY ANYMORE, ALL RIGHT?
MIGHT I SUGGEST THE COMPENSATING CONTROL MIGHT BE
THAT THIS COMPUTER SHOULD NOT BE CONNECTED TO THE INTERNET?
BECAUSE NOW WHAT WE HAVE IS A KNOWN COMPROMISED COMPUTER
THAT CAN'T BE CORRECTED
THAT'S DOING MEDICAL THINGS.
- DOES THAT SCARE ANYBODY? - [LAUGHTER]
YOU WANT THAT COMPUTER ON YOUR CARE AT ALL?
SCARES THE YOU-KNOW-WHAT OUT OF ME.
AND THIS IS NOT A COMPUTER
THAT I ACTUALLY HAVE ANY SORT OF AUTHORITY OVER
OR RESPONSIBILITY FOR UNDER FISMA,
BUT IT'S JUST AN EXAMPLE OF,
WE AS AN INDUSTRY MUST RAISE OUR GAME, OK?
NOW...
SO I TALKED ABOUT THAT, SO LET'S TALK ABOUT WHAT'S SOME THINGS
THAT HAVE BEEN GOING ON IN INFORMATION SECURITY.
HERE'S A PHRASE I HOPE WE STOP USING REALLY QUICKLY--
"FISMA-LITE."
WHAT THE HECK IS THAT?
OR "HIPAA-PLUS," RIGHT?
AS IF THERE'S SOME MIDDLE GROUND.
AND SUZANNE HAS NOT PAID ME
TO SAY ANYTHING THAT I AM ABOUT TO SAY, OK?
LET ME ASK YOU A QUESTION.
I'M GONNA START WITH THIS QUESTION.
SHOULDN'T WE ALL USE FISMA AS A GUIDE, AT LEAST,
IN HOW WE IMPLEMENT INFORMATION SECURITY?
IS FISMA ASKING US TO DO ANYTHING
THAT'S TERRIBLY UNREASONABLE IN INFORMATION SECURITY?
YOU ARE USING "WE" AS IN NOT THE FEDERAL GOVERNMENT.
I AM NOT SAYING THIS IN TERMS OF JUST AGENCIES, OK?
I ABSOLUTELY AM NOT SAYING THIS JUST IN TERMS OF AGENCIES.
TO ME, FISMA IS A SET OF GUIDANCE
THAT, IN SOME CASES, I WILL SAY I DON'T GET TO MAKE DECISIONS.
WE ALL MAKE RISK-BASED DECISIONS EVERY DAY.
RAISE YOUR HAND IF YOU HAVE A DEADBOLT LOCK
ON YOUR FRONT DOOR.
RAISE YOUR HAND.
HANDS UP IF YOU HAVE A DEADBOLT ON YOUR FRONT DOOR.
KEEP YOUR HAND UP IF YOU ALSO HAVE A SECURITY ALARM SYSTEM.
OK, A WHOLE BUNCH OF HANDS WENT DOWN, RIGHT?
WE ALL HAVE DIFFERENT TOLERANCES FOR RISKS,
AND WE MANAGE THE RISKS IN HOW WE MAKE DECISIONS EVERY DAY.
PROBABLY MOST OF YOU HAVE HOMEOWNER'S INSURANCE,
I WOULD IMAGINE, IF YOU OWN A HOME, RIGHT?
AND YOU HAVE AUTO INSURANCE,
BUT YOU PROBABLY HAVE DIFFERENT DEDUCTIBLES, RIGHT?
WE ALL MAKE THESE DECISIONS EVERY DAY.
AS A C.I.O. OF A FEDERAL AGENCY,
I HAVE SOME LENIENCY IN THE DECISIONS THAT I MAKE,
BUT OTHER PLACES, O.M.B. AND N.I.S.T. TELL ME
I DON'T HAVE ANY, SO I CAN'T DECIDE IT'S OK
NOT TO ENCRYPT MY LAPTOPS AND MOBILE MEDIA.
THEY TELL ME I HAVE TO DO ALL OF IT, IT'S ALL DONE.
AND WE CHECK TO MAKE SURE IT'S ALL DONE.
WHAT FISMA ASKS US TO DO.
CERTIFICATION AND ACCREDITATION. THAT'S ONE OF THE THINGS.
BUT I'LL TALK A LITTLE BIT MORE ABOUT WHAT THAT MEANS.
DOCUMENT OUR SECURITY PLANS.
WHAT DO WE DO FOR SECURITY?
HOW ARE WE MAKING SURE THAT THESE THINGS ARE SECURE?
AND TO CONTINUOUSLY MONITOR OURSELVES.
IMAGINE IF I TOOK THIS CERTIFIED AND ACCREDITED SYSTEM
THAT I TOLD YOU ABOUT AT THE BEGINNING,
SAID, "WHOO, THANK GOODNESS THAT'S DONE.
I'LL GO LOOK AT IT AGAIN IN 3 YEARS,"
AND HADN'T BEEN LOOKING AT IT.
I WOULD HAVE NOT KNOWN THIS ISSUE.
ALL 3 OF THOSE THINGS HAVE TO BE DONE COMMENSURATE
WITH THE RISK OF THE SYSTEM.
LET'S TALK ABOUT RISKS.
WHAT ARE WE PROTECTING AT CMS?
OBVIOUSLY AT CMS, WE RUN THESE LITTLE HEALTH INSURANCE PROGRAMS
CALLED MEDICARE AND MEDICAID.
YOU'VE SURELY HEARD OF THESE.
SO WE'RE PROTECTING A LOT OF MONEY.
OVER THE COURSE OF A DAY,
OUR PROGRAMS PAY $1.2 BILLION
EVERY SINGLE DAY, RIGHT?
THAT'S KIND OF A LOT OF MONEY. IT'S A LOT OF YOUR MONEY.
I HAVE A LINE ON MY PAY STUB THAT SAYS "MEDICARE."
IT'S A LOT OF YOUR MONEY.
AND OF COURSE THERE'S THAT FEDERAL TAX LINE.
I LIKE TO MAKE SURE THAT WE'RE ACCOUNTING FOR IT PROPERLY.
WE HAVE PROTECTED HEALTH INFORMATION
FOR MORE THAN 90 MILLION ALIVE PEOPLE
AND ANOTHER ABOUT THAT SAME NUMBER
OF DEAD PEOPLE, BELIEVE IT OR NOT,
BECAUSE MEDICARE BENEFICIARIES HAVE A TENDENCY TO DIE,
BUT WE KEEP THEIR DATA.
BUT ALMOST MORE IMPORTANTLY
THAN THE PROTECTED HEALTH INFORMATION
AND THE CONFIDENTIALITY
IS THE CARE DECISIONS THAT HAPPEN AS A RESULT,
EVERY SINGLE DAY, OF THE DATA IN OUR SYSTEMS.
WE ARE A VERY LARGE HEALTH INSURANCE COMPANY.
WHEN YOU GO TO THE DOCTOR,
ONE OF THE FIRST THINGS THEY'LL ASK YOU
BEFORE YOU EVEN SEE THE DOCTOR
IS, "IS YOUR HEALTH INSURANCE INFORMATION THE SAME?"
AND YOU KNOW WHY THEY ASK YOU THAT?
BECAUSE BEFORE YOU GET IN TO SEE THE DOCTOR,
THEY'RE GONNA SUBMIT A QUERY TO YOUR HEALTH INSURANCE COMPANY.
"ARE YOU GONNA PAY ME IF I SEE THIS PERSON TODAY?"
RIGHT? "OR IF I DO WHAT I THINK I NEED TO DO TO THIS PERSON,
ARE YOU GONNA PAY ME?"
SO WE ARE A HEALTH INSURANCE COMPANY.
WE HAVE THAT SAME CAPABILITY.
AN ELIGIBILITY INQUIRY AND RESPONSE, IT'S CALLED.
SO IF THAT DATA IN OUR SYSTEM DOESN'T HAVE INTEGRITY
AND IT DOESN'T GIVE THE RIGHT ANSWER BACK TO THE PROVIDER
WHO'S TRYING TO MAKE A CARE DECISION ON THE SPOT
FOR A MEDICARE BENEFICIARY,
THEN THE DECISION ABOUT WHETHER TO PROVIDE CARE OR NOT
COULD BE INCORRECT, RIGHT?
THAT'S IMPORTANT TO ALL OF US, ISN'T IT?
THINK ABOUT, YOU KNOW, YOUR OWN CARE, RIGHT,
WHEN YOU'RE IN ANY SORT OF MEDICAL PROVIDER ENVIRONMENT
AND YOU WANT THAT CARE TO BE RIGHT,
AND THEY'RE RELYING ON DATA IN SYSTEMS TO DO THAT.
SO WE HAVE A LOT OF IMPORTANT STUFF TO PROTECT,
AND PROBABLY THE MAJOR DIFFERENCE BETWEEN CMS
AND OTHER PLAYERS IN THE HEALTH INDUSTRY
IS WE'RE REALLY BIG, RIGHT?
WE HAVE A LOT.
BUT EVERYBODY HAS THE SAME SORT OF LEVEL OF RISK.
IS THIS IMPORTANT STUFF TO PROTECT?
I'M SORT OF SEEING HEADS NODDING,
SO HOPEFULLY I'VE GOT YOU AGREEING WITH ME HERE.
SO...ONE OF MY COLLEAGUES MENTIONED THIS.
I THINK IT WAS SUZANNE.
OUR FRIENDS FROM O.M.B. ARE ALWAYS SO HELPFUL.
IN 2006, THERE WAS KIND OF
A WELL-PUBLICIZED INFORMATION SECURITY INCIDENT, RIGHT?
NEVER GONNA LIVE THAT DOWN.
[LAUGHTER]
THIS HAS COLORED MY THINKING, OBVIOUSLY, FOR THE LAST 3 YEARS.
IMAGINE WHAT WOULD HAPPEN
FROM OUR FRIENDS IN CONGRESS AND THE ADMINISTRATION
FROM O.M.B., FROM OTHERS IN THE INDUSTRY,
WERE THERE TO BE A SIMILARLY WELL-PUBLICIZED
SECURITY INCIDENT INVOLVING HEALTH INFORMATION DATA
OR A HEALTH INFORMATION EXCHANGE.
YOU THINK IT'S BAD NOW? RIGHT?
WE'LL GET TOLD WHAT TO DO REALLY, REALLY QUICKLY.
AND WHAT I REALLY WORRY ABOUT IN THAT REGARD
IS THAT WE AS AN INDUSTRY
CLEARLY HAVE A MANDATE FROM THIS ADMINISTRATION, RIGHT,
AND EVEN THE PREVIOUS ADMINISTRATION
TO TAKE TECHNOLOGY INTO HEALTH CARE.
THAT'S WHY WE ARE ALL HERE, RIGHT, TODAY--
TO TAKE TECHNOLOGY INTO HEALTH CARE
AND TO MAKE IT REAL, MAKE IT MEANINGFUL,
MAKE IT ACTUALLY HELP.
IF I HAVE TIME, I'LL TELL YOU MY GRANDMOTHER'S STORY
IN A SECOND, BUT I'M NOT SURE I'M GONNA HAVE TIME.
IF WE SET THAT MANDATE BACK
BECAUSE WE ALLOW AN INFORMATION SECURITY BREACH
JUST ON THE PUBLICITY SIDE
OF THE ONE THAT HAPPENED IN 2006 TO HAPPEN,
WE WILL BE DOING THE COUNTRY A MAJOR DISSERVICE.
THAT IS OUR MANDATE.
SO LET ME GO BACK TO FISMA, OK?
I WANT TO SCRUTINIZE IT JUST A LITTLE BIT MORE CLOSELY.
SO I BROUGHT SHOW-AND-TELL STUFF.
Lightman: OOH, SHOW AND TELL.
SUZANNE WILL KNOW THIS ONE.
THIS IS LAST YEAR'S O.M.B. MEMO
TO C.I.O.'s ABOUT WHAT WE HAD TO DO
IN OUR ANNUAL REPORT, OK?
THIS IS THE KIND OF STUFF THAT SCARES PEOPLE ABOUT FISMA.
THEY SAY, "OH, MY GOD, IT'S TOO EXPENSIVE,
I CAN'T POSSIBLY DO IT, AND I HAVE TO HAVE FISMA-LITE."
SO I'M GOING TO READ YOU SOME STUFF FROM THIS MEMO,
AND YOU ASK ME IF THIS SEEMS UNREASONABLE
FOR THOSE OF US WHO ARE PROTECTING THE STUFF
THAT WE HAVE TO PROTECT.
"THE HEAD OF EACH AGENCY SHALL BE RESPONSIBLE"--
AND IMAGINE IF THAT WAS HEALTH CARE PROVIDER
OR HEALTH CARE ENTITY-- "SHALL BE RESPONSIBLE
"FOR PROVIDING INFORMATION SECURITY PROTECTIONS
"COMMENSURATE WITH THE RISK AND MAGNITUDE OF THE HARM
"RESULTING FROM UNAUTHORIZED ACCESS, USE, DISCLOSURE,
DISRUPTION, MODIFICATION OR DESTRUCTION."
DOES THAT SEEM LIKE AN UNREASONABLE THING
FOR A SYSTEM THAT HAS YOUR DATA IN IT?
THAT I ACTUALLY HAVE TO CARE ABOUT PROTECTING IT?
SO LET'S GO BACK TO WHAT'S IN THE ACTUAL REPORT.
I ACTUALLY HIGHLY ENCOURAGE YOU TO READ THIS, RIGHT?
IN THE ACTUAL REPORT, I HAVE TO ANSWER QUESTIONS
ABOUT MY SYSTEMS INVENTORY.
IS IT UNREASONABLE TO EXPECT A HEALTH CARE ENTITY
TO KNOW WHAT THEIR SYSTEMS INVENTORY IS?
I DON'T THINK SO.
LET'S TALK ABOUT C&A A BIT-- CERTIFICATION AND ACCREDITATION.
"OH, MY GOD. THAT'S SO HARD TO DO. I CAN'T POSSIBLY DO IT."
ALL IT REALLY SAYS IS THAT I LOOKED AT MY SYSTEM
FROM A SECURITY PERSPECTIVE.
ARE THE SECURITY REQUIREMENTS
THAT I DOCUMENTED AT THE BEGINNING
ACTUALLY IMPLEMENTED AND WORKING?
THAT DOESN'T SEEM LIKE A HARD THING TO DO
OR EVEN AN UNREASONABLE THING TO DO
WHEN YOU THINK ABOUT WHAT WE HAVE TO PROTECT.
SO TAKE A LOOK AT THIS, THIS O.M.B. MEMO.
IT'S ACTUALLY NOT THAT FRIGHTENING.
RIGHT. THEN THE THING THAT REALLY SCARES PEOPLE.
YES, I'VE BROUGHT IT.
YOU CAN RUN SCREAMING FROM THE ROOM.
THIS IS N.I.S.T.'s SPECIAL PUBLICATION 800-53.
IT HAPPENS TO BE THE FINAL PUBLIC DRAFT
THAT JUST CAME OUT THIS MONTH OF A NEW UPDATE TO IT.
HUH? NO, NO, NO, IT'S NOT THE THICKEST ONE.
THIS IS ONE THAT HAS THE FAMOUS 170
INFORMATION SECURITY CONTROLS,
RIGHT, THAT MAKE FISMA IMPOSSIBLE FOR ANYBODY
BESIDES BIG, HUGE FEDERAL AGENCIES
WITH MASSIVE BUDGETS TO IMPLEMENT.
BUT I'LL GO BACK TO "COMMENSURATE WITH RISK."
RIGHT. SO, LET'S LOOK AT WHAT'S--
LET ME LOOK AT A COUPLE OF THESE,
AND I'LL ASK YOU IF YOU LIKE THIS.
I JUST SORT OF RANDOMLY OPENED THIS UP.
I DIDN'T ACTUALLY PICK ONES THAT SEEM PERFECTLY REASONABLE.
HERE'S ONE.
THIS IS ACTUALLY A CONTROL ENHANCEMENT, BELIEVE IT OR NOT.
"THE ORGANIZATION ANALYZES NEW SOFTWARE
"IN A SEPARATE TEST ENVIRONMENT
"BEFORE INSTALLATION IN AN OPERATIONAL ENVIRONMENT,
LOOKING FOR SECURITY IMPACTS."
[LAUGHTER]
IS THAT HARD? IS THAT SOMETHING YOU WANT HAPPENING
WITH THE THINGS THAT PROTECT YOUR HEALTH INFORMATION?
I DO, RIGHT? THEN ANOTHER ONE.
CONFIGURATION MANAGEMENT IS ONE OF MY FAVORITE TOPICS.
I PICKED THAT ONE BECAUSE IT'S AN AREA
THAT AT CMS, WE HAVE A LOT OF ROOM TO IMPROVE.
SO THIS ONE IS ANOTHER ONE IN THE CATEGORY CALLED
"DENIAL-OF-SERVICE PROTECTION."
OK? AGAIN, THIS IS A CONTROL ENHANCEMENT.
"THE INFORMATION SYSTEM RESTRICTS THE ABILITY OF USERS
"TO LAUNCH DENIAL-OF-SERVICE ATTACKS
AGAINST OTHER INFORMATION SYSTEMS OR NETWORKS."
DON'T YOU WANT YOUR SYSTEMS TO DO THAT?
THESE ARE--SOME OF THESE ACTUALLY ARE HARDER.
OK? I ADMIT THAT.
BUT SHOULDN'T THEY ALL BE LOOKED AT
WHEN WE'RE TALKING ABOUT SYSTEMS
THAT DO WHAT THESE SYSTEMS THAT WE'RE TRYING TO PROTECT DO
AND WHEN WE'RE TRYING TO MOVE INFORMATION AROUND?
SO, IT'S YOUR DATA.
RAISE YOUR HAND IF YOU WOULD LIKE YOUR DATA
IN A SYSTEM THAT'S PROTECTED BY FISMA-LITE.
YOU'RE KIDDING. OH, WAIT. ONE PERSON. REALLY?
ARE YOU SERIOUS? FISMA-LITE WOULD BE OK WITH YOU?
Man: ACTUALLY, I WOULD LIKE TO CONTROL MY DATA
IN A PATIENT'S RESPECT,
SO THAT I HAVE THE AUTHORITY TO MAKE AVAILABLE
MY INFORMATION TO WHO I WANT TO MAKE IT AVAILABLE TO.
GOOD POINT, EXCEPT FOR ONCE IT GOES
TO THE HEALTH CARE PROVIDER--
HE WANTS TO PROTECT HIS OWN DATA AND HAVE CONTROL OF IT.
WHO DOESN'T? I CAN'T TURN THIS INTO AN INTERACTIVE THING.
I'LL RUN OUT OF TIME AND GET LECTURED,
BUT I DO LIKE INTERACTIVE THINGS, USUALLY.
BUT ONCE YOU HAND IT OVER TO SOMEBODY,
IT'S IN THEIR SYSTEM, RIGHT?
AND THEN THEY'RE TRYING TO MAKE DECISIONS FOR YOUR CARE.
YOU WANT THEM PROTECTING IT, I THINK,
COMMENSURATE WITH HOW YOU THINK IT SHOULD BE PROTECTED.
THIS IS NOT THAT FRIGHTENING OF A DOCUMENT,
AND IT'S PROBABLY ONE THAT SHOULD BE LOOKED AT
BY ORGANIZATIONS WHO HAVE THE THINGS TO PROTECT
THAT WE'RE TALKING ABOUT PROTECTING.
AND, AGAIN, COMMENSURATE WITH RISK.
IT'S ALWAYS COMMENSURATE WITH RISK.
SEE, I HAVE TO WRAP IT UP.
YOU'RE NOT GONNA BE ABLE TO HEAR MY GRANDMOTHER'S STORY.
SORRY ABOUT THAT. [LAUGHS]
[LIGHTMAN, INDISTINCT]
[LAUGHTER]
Corbin: SO, PLEASE, TELL THE STORY.
ALL RIGHT. SO MY GRANDMOTHER IS 92 YEARS OLD,
AND SHE'S A MEDICARE BENEFICIARY.
AND I, THROUGH SOME MAJOR FAMILY DRAMA,
HAVE PRIMARY RESPONSIBILITY FOR MAKING SURE SHE'S OK.
AND 2 WEEKS AGO ON SUNDAY, SHE FRACTURED HER HIP,
AND THE MONDAY FOLLOWING THAT,
SHE HAD PARTIAL HIP REPLACEMENT SURGERY,
WHICH WENT GREAT, AND THEN SHE GOT RELEASED
TO A REHAB HOSPITAL IN BALTIMORE
ON THE THURSDAY FOLLOWING THAT.
SHE'S BEEN DOING FANTASTIC.
I'VE BEEN MAKING PLANS TO MOVE HER BACK TO HER APARTMENT.
YESTERDAY, SHE HAS A LITTLE BIT OF SETBACK.
SHE HAS SOME BLEEDING HAPPENING IN THE SURGICAL SPOT,
AND SO THEY, AT THE REHAB HOSPITAL,
CAN'T DEAL WITH THIS,
SO THEY CALL AN AMBULANCE
AND SEND HER TO A LOCAL ACUTE CARE HOSPITAL
WHICH IS NOT THE HOSPITAL WHERE SHE HAD HER SURGERY.
SO I MEET HER OVER THERE.
THIS IS A DIFFERENT HOSPITAL IN BALTIMORE.
WHAT THEY SENT FROM THE REHAB HOSPITAL
WAS PAPERS IN AN ENVELOPE THAT FOR SOME REASON
THE PEOPLE AT THE NEW HOSPITAL WEREN'T READING.
BECAUSE IT HAD ALL THE INFORMATION,
AND THEY KEPT SAYING TO ME,
"WHAT BRINGS YOU HERE TODAY? HOW DID YOU GET HERE?"
THIS IS A REPUTABLE HOSPITAL. DON'T GET ME WRONG, OK?
AND AT THE REHAB HOSPITAL, THEY'D X-RAYED HER HIP,
BUT DO YOU KNOW WHAT THEY DID AT THE NEW HOSPITAL?
X-RAYED HER HIP. AGAIN.
AND SHE'S STABLE AND HOPEFULLY...
THE NEW HOSPITAL DOESN'T WANT TO DEAL WITH HER.
THEY WANT THE DOCTORS WHO DID THE SURGERY TO DEAL WITH HER.
IT WAS ACTUALLY KIND OF FRUSTRATING FROM MY PERSPECTIVE
TO BE ANSWERING THESE QUESTIONS AGAIN
TO MAKE SURE THAT THEY KNEW WHY SHE WAS THERE,
WHEN SHE'D HAD HER SURGERY, WHICH WAS ONLY 2 WEEKS AGO,
WHAT MEDICATIONS SHE WAS TAKING. HAD SHE TAKEN THEM THAT DAY?
WHAT WAS THE RESULT OF THE X-RAY?
WE NEED TO MAKE THIS STUFF HAPPEN, RIGHT?
WE NEED TO MAKE THIS STUFF HAPPEN,
AND IF WE SCREW UP THE SECURITY AND PRIVACY,
IT WON'T HAPPEN, OK?
SOAPBOX. I PROMISED YOU I WAS GONNA BE ON A SOAPBOX.
I'M A LITTLE HOT ABOUT THIS
'CAUSE I WAS AT THE HOSPITAL TILL AFTER MIDNIGHT LAST NIGHT,
SO I'M RANTING A BIT.
SO, FISMA REQUIRES THAT WE IMPLEMENT
A RISK-BASED INFORMATION SECURITY PROGRAM.
MY ASSERTION TO ALL OF YOU
IS THAT THIS IS NOT TOO MUCH TO ASK OF US AS AN INDUSTRY.
SUZANNE DID NOT PAY ME.
I'M NOT HERE TO DO THIS.
WE ARE BEING ASKED TO DO THIS
BECAUSE IT'S WHAT THE COUNTRY NEEDS
IN ORDER TO MOVE HEALTH CARE, TO ADVANCE HEALTH CARE FORWARD.
WE NEED THIS TECHNOLOGY STUFF.
SO, AGAIN I'LL ASK YOU,
IS FISMA-LITE OK FOR YOUR DATA?
RIGHT? AND IF IT'S NOT OK FOR YOUR DATA,
WE SHOULDN'T ACCEPT IT FOR EVERYBODY ELSE'S DATA,
AND I NEED YOU ALL TO JOIN ME
IN RAISING THE INFORMATION SECURITY BAR.
ASHLEY?
[APPLAUSE]
THANK YOU, JULIE.
NOW, IN STARK CONTRAST
TO JULIE'S PERIPATETIC PRESENTATION,
I WILL GIVE THE CAMERA GUYS A BREAK IN THE BACK,
AND I WILL STAND HERE HOLDING ON FOR DEAR LIFE
TO THE PODIUM.
[LAUGHTER]
SO I'M GOING TO TAKE THIS DOWN A NOTCH,
AND WHAT WE'RE GONNA BE TALKING ABOUT,
WHAT THE FEDERAL SECURITY STRATEGY WORKGROUP
HAS BEEN DISCUSSING AND BUILDING A PLAN
FOR SECURING, AND THEN AN ACTUAL--
AND WE'RE ACTUALLY CERTIFYING AND ACCREDITING
THE CONNECT REFERENCE ARCHITECTURE GATEWAY SOFTWARE,
SO I'LL TALK A LITTLE BIT ABOUT THAT.
VERY LITTLE, ACTUALLY, ABOUT THAT.
SO, AS CO-CHAIR, ALONG WITH DAN GALIK
IS THE HEALTH AND HUMAN SERVICES
CHIEF INFORMATION SECURITY OFFICER,
WHO IS MY CO-CHAIR OF THE WORKGROUP,
WAS CONVENED OF FEDERAL PARTNERS, INITIALLY,
TO WORK THROUGH, WHAT ARE THE BARRIER--
ARE THERE BARRIERS AND WHAT ARE THOSE BARRIERS
TO MORE WIDESPREAD EXCHANGE
OF HEALTH INFORMATION...
AND HOW DO WE BRIDGE THAT GAP?
AND WE TALKED A LOT ABOUT THAT IN THE DURSA MEETING,
'CAUSE ALL OF THESE THINGS ARE SORT OF ORBITING TOGETHER
TO MAKE THIS HAPPEN.
SO THE FEDERAL SECURITY STRATEGY WORKGROUP
FALLS UNDER THE PURVIEW
OF THE FEDERAL HEALTH ARCHITECTURE GROUP
WITHIN THE OFFICE OF THE NATIONAL COORDINATOR.
IT WAS CONVENED ON SEPTEMBER 30th, 2008,
AT THE URGINGS OF JULIE BOUGHN
AND OTHER REPRESENTATIVES FROM CMS TO--
AND SHE SAID THIS.
IF WE CAN'T SECURE AND SAFEGUARD THE DATA WE'RE GONNA SHARE,
THEN WE CAN'T SHARE THIS DATA. WE CAN'T DO IT.
SO THE GROUP WAS CONVENED IMMEDIATELY,
5 DAYS AFTER THE DISCUSSION,
TO START FOCUSING ON HOW TO MAKE THAT HAPPEN.
AND WHEN YOU GET A ROOM FULL OF SECURITY PROFESSIONALS
AND PRIVACY PROFESSIONALS,
NOT A LOT HAPPENS, ACTUALLY. [LAUGHING]
THERE'S A LOT OF TALK... SORRY.
THERE'S A LOT OF DISCUSSION...
[APPLAUSE]
...AND, ACTUALLY, I'M TOTALLY JOKING.
BUT THERE IS A LOT OF TALK AND THERE IS A LOT OF PAPER
ABOUT WHAT THIS MEANS.
HOW DO WE GET THERE FROM HERE?
AND SO I THINK WE'RE PROBABLY IN A PLACE NOW
WHERE WE NEED TO ESCALATE THE CONVERSATION
TO THE AGENCY HEADS,
AND I THINK THAT IS OUR NEXT PLAN
IS TO HAVE THE AGENCY HEADS COME TOGETHER
OF CMS, V.A., D.O.D.,
I.H.S., SSA, NIH, CDC--
I THINK THEY'RE THE HEAVY HITTERS
IN THE HEALTH CARE REALM--
AND TO MEET WITH O.M.B. SPECIFICALLY,
AND TO TALK ABOUT WHAT--
HOW DO WE MAKE THIS A PRACTICAL THING,
NOT JUST TO TALK ABOUT SECURING THE DATA,
BUT HOW DO WE MAKE IT PRACTICAL?
HOW DO WE AFFORD DOING
THE SECURITY TESTING AND EVALUATIONS?
HOW DO WE AFFORD HAVING REGULAR CYCLES
OF CONTINUOUS MONITORING OF THAT INFORMATION?
Lightman: WHY IS IT YOU ONLY TALK TO US WHEN YOU WANT MONEY?
[LAUGHS] WE'RE GONNA START TALKING TO O.N.C.
FOR MONEY THIS ROUND, I THINK.
BUT, ACTUALLY, THIS IS A PERFECT EXAMPLE
OF HOW WE MOVE THIS OUT OF THE FEDERAL PURVIEW
AND REALLY MAKE THIS A PUBLIC/PRIVATE COLLABORATIVE,
AND THAT WE ALL PAY INTO THIS TOGETHER
BECAUSE WE WANT THE SAME THINGS OUT OF IT.
SO...
SO WE'RE NOT REALLY TALKING ABOUT MONEY,
BUT THERE IS AN IMPRESSION THAT IT IS EXPENSIVE
TO BE IN COMPLIANCE WITH FISMA--
I WAS GONNA SAY SOMETHING ELSE--
AND THAT YOU NEED A STAFF OF PEOPLE
TO MONITOR AND CONTROL THE MANY DOCUMENTS
THAT YOU DEVELOP AND TRACK
OVER THE LIFE CYCLE OF YOUR VARIOUS SYSTEMS THAT DO THIS.
BUT...AND WE'LL TALK ABOUT THIS IN A MINUTE,
BUT WE'LL SEE THAT WE CAN WORK THIS OUT TOGETHER
AND KIND OF CHUNK UP THE PIECES OF IT.
RIGHT NOW THE FEDS PAY FOR ALL OF IT, ACTUALLY,
FOR THOSE CONTRACTORS AND ENTITIES
WHO ARE DOING WORK ON BEHALF OF US.
WE COVER ALL OF THAT NOW,
BUT THAT'S NOT A REALLY GOOD WAY TO GO FORWARD,
AND AS WE BROADEN THE SCOPE OF THE EXCHANGES
AND WITH NON-TRADITIONAL PARTNERS,
PEOPLE WITH WHOM THE FEDERAL AGENCIES
ARE NOT DIRECTLY CONTRACTING FOR SPECIFIC BUSINESS ACTIVITIES,
THAT'S NOT VERY FEASIBLE TO DO THAT, SO...
THOSE ARE SOME OF THE THINGS THAT REALLY NEED TO BE WORKED OUT,
AND THAT'S WHAT THE FEDERAL SECURITY STRATEGY WORKGROUP
IS DOING KIND OF BEHIND THE SCENES.
SO...ONE OF THE THINGS--
I JUST HAVE A LITTLE STATISTIC
THAT MAY BE INTERESTING TO SOME OF YOU.
ABOUT ROUGHLY 60% OF THE HIPAA SECURITY RULES
MAP DIRECTLY TO THE FISMA CONTROLS,
THE SECURITY CONTROLS,
AND SO THAT KIND OF MEANS THERE'S SOME BIG GAPS
AND THERE'S SOME SMALL GAPS THERE,
BUT THAT KIND OF MEANS THAT ONLY 60%
OF AN ORGANIZATION THAT'S ONLY COMPLYING WITH HIPAA
IS, YOU KNOW, ALSO ABLE TO COMPLY WITH FISMA, SO--
AND THAT'S FOR A KIND OF MODERATE SYSTEM
OR A SORT OF GARDEN-VARIETY SYSTEM, ACTUALLY--
BUT WE ARE TALKING ABOUT--
THAT DOES CONTAIN P.I.I. OR P.H.I. INFORMATION.
SO THE FEDERAL SECURITY STRATEGY WORKGROUP
AND OTHER WORKGROUPS-- JODI MENTIONED--
AND THERE ARE SEVERAL.
THERE'S ACTUALLY A LARGE NUMBER OF GROUPS
WHO ARE VERY CONCERNED ABOUT SECURITY AND PRIVACY,
AND THEY'RE WORKING THAT FROM THE N.H.I.N. PERSPECTIVE,
FROM THE LARGER FRAMEWORK PERSPECTIVE,
AND FROM A PRAGMATIC,
HOW-DO-WE-MAKE-THIS-HAPPEN PERSPECTIVE.
OOPS.
SO...
I'M NOT REALLY GOOD ABOUT PRESSING--
MOVING FORWARD IN THE SLIDES. SORRY.
WHICH IS WHY IT'S ALWAYS A GOOD CHOICE
NOT TO HAVE SLIDES, I GUESS.
SO THE FEDERAL SECURITY STRATEGY WORKGROUP
HAS, IN FACT, DRAFTED SOME INTERIM GUIDANCE
THAT'S STILL UNDER REVIEW.
IT HASN'T BEEN SHARED
OUTSIDE OF THE FEDERAL PARTICIPATION ARENA,
AND IT'S REALLY LARGELY FOR THE FEDERAL PARTNERS
THAT FOCUSES, AS JULIE MORE THAN MENTIONED,
ON A RISK-MANAGEMENT-BASED,
ADEQUATE SECURITY ASSURANCE UNDER FISMA.
AND, IN FACT, THIS GUIDANCE IS ALREADY BUILT INTO FISMA--
800-53--THAT SAYS WHOEVER THE AGENCY DESIGNATED
APPROVING AUTHORITY--
IT MAY BE THE C.I.O.,
IT MAY BE A CHIEF INFORMATION SECURITY OFFICER,
IT MAY BE ANOTHER DESIGNEE BY THE HEAD OF THE AGENCY--
HAS THE AUTHORITY TO APPLY
A COST-EFFECTIVE, RISK-MANAGEMENT-BASED APPROACH
TO ALLOW HEALTH INFORMATION EXCHANGES
BETWEEN FEDERAL ENTITIES AND NON-FEDERAL ENTITIES
IF AN ASSURANCE OF ADEQUATE SECURITY
CAN BE MANIFESTED THERE.
AND THE FEDERAL DESIGNATOR OR APPROVING AUTHORITY
SHOULD CONSULT WITH OTHER FEDERAL AUTHORITIES
IF THAT EXCHANGE INCLUDES ANOTHER FEDERAL PARTNER,
'CAUSE YOU WANT TO MAKE SURE
THAT ALL THE FEDERAL PARTNERS INVOLVED
CAN DO THE SAME KIND OF THINGS TOGETHER.
EVEN THOUGH WE'RE SUBJECT
TO THE SAME REGULATIONS AND STATUTES,
WE DON'T ALWAYS NECESSARILY IMPLEMENT THEM THE SAME WAY,
BECAUSE WE HAVE DIFFERENT DATA NEEDS
AND DIFFERENT BUSINESS MODELS,
SO THERE MAY BE A DIFFERENCE THERE.
AND SO THE ONE SITUATION THAT I'M REALLY FOCUSING ON
IS WHERE THERE'S NO COVERAGE, REALLY,
OTHER THAN THE INDIVIDUAL ORGANIZATION'S DECISION
TO COVER AND SAFEGUARD THE DATA,
IS WHERE AN ENTITY IS NOT DOING WORK
ON BEHALF OF THE GOVERNMENT,
THEN WHAT LAWS APPLY?
AND SO THAT'S THE GAP THAT WE WANT TO FIX, RIGHT?
OTHERWISE, FISMA APPLIES FOR US.
SO, THE INTERIM PLAN CALLS FOR SPECIAL OR ADDITIONAL AGREEMENTS
LIKE DATA USE AGREEMENTS OR MEMORANDA OF UNDERSTANDING
TO BACK UP THE RULES OF ENGAGEMENT,
THE RULES OF BEHAVIOR IN THIS EXCHANGE
IS VERY IMPORTANT.
YOU KNOW, THE OBJECT OF THIS GAME
IS TO DETERMINE THE RISK
TO THE PARTICIPATING ORGANIZATIONS' OPERATIONS
AND THEIR ASSETS
AND THE ACCEPTABILITY OF SUCH RISK.
SO THIS IS A LITTLE GLIMPSE, A VERY HIGH-LEVEL GLIMPSE
INTO WHERE THE FEDERAL SECURITY STRATEGY IS GOING,
LOOKING AT A WHOLE INFORMATION SECURITY SERVICE MODEL,
AN APPROACH TO BUILDING A PUBLIC/PRIVATE COLLABORATIVE
FOR SECURITY AND-- OR PRIMARILY SECURITY.
AND THE SERVICE MODEL APPROACH
IS COMPRISED OF THE FOLLOWING COMPONENTS.
WE WOULD USE SECURITY STANDARDS,
SUCH AS N.I.S.T., O.M.B., HISSB, ET CETERA.
THE LIST IS RATHER LONG, I THINK, THERE.
MAY DETERMINE--
WE WOULD USE CERTIFIED PRODUCTS--
SOFTWARE PRODUCTS, REFERENCE ARCHITECTURES--
LIKE THE CONNECT TOOL,
AND THERE WE HAVE CCHIT IS A FACTOR,
AND THEN EVEN, IN TERMS OF CERTIFICATION
THAT SUZANNE TALKED ABOUT,
THE CERTIFICATION AND ACCREDI--
[CLEARS THROAT] EXCUSE ME.
AND ACCREDITATION OF THE TOOL ITSELF
WOULD FALL UNDER THIS CATEGORY.
AND THEN THERE'S AN IMPORTANCE
OF VERIFYING THE EXCHANGE OF INFORMATION,
AND THEN ALSO, AN ASPECT OF THAT
IS A WHOLE KEY PIECE OF IDENTITY MANAGEMENT,
WHICH WE REALLY HAVEN'T TOUCHED ON TOO MUCH
IN THE SEMINAR OVERALL YET, YESTERDAY OR TODAY,
BUT THAT'S A HUGE OPPORTUNITY, I GUESS,
AND CERTAINLY A CHALLENGE
FOR HOW WE MIGHT ACTUALLY MANAGE TO SPARE PARTIES,
KNOWING THAT WHO'S REQUESTING THE DATA
IS REALLY WHO IT IS
AND HAS THE AUTHORITY TO REQUEST THAT DATA.
SITE MONITORING.
'CAUSE PART OF FISMA INCLUDES PHYSICAL SECURITY ASPECTS
AND THAT YOU'VE IMPLEMENTED YOUR SYSTEMS AND YOUR SOFTWARE
IN A WAY THAT MEETS THE NEEDS OF WHY YOU'RE USING IT.
AND THEN GOVERNANCE OVER ALL OF THAT,
WHICH INCLUDES THE WHOLE ENFORCEMENT FACTOR.
SO IF THERE IS A NAUGHTY PLAYER IN THAT EXCHANGE,
HOW DO WE DEAL WITH THAT?
SO, WE MOVE FROM THE, YOU KNOW, THE WORK WE'RE DOING
AND THINGS WE'RE THINKING ABOUT
TO WHAT WE'RE ACTUALLY DOING
FOR THE CONNECT REFERENCE ARCHITECTURE SOFTWARE.
SO, YOU KNOW, THE FIRST 3 BULLETS HERE,
IF YOU'RE AT ALL--
I MEAN, THESE MAY BE VERY FAMILIAR
WITH PEOPLE WHO DO WORK WITH THE FEDERAL GOVERNMENT.
THIS IS THE SORT OF METHODOLOGY
TO PRESENT, TEST, CERTIFY AND ASSERT
THE SECURITY POSTURE FOR A SYSTEM
USING THE SELECTED CONTROLS,
YOU KNOW, DEPENDING ON THE PURPOSE OF THAT SYSTEM
AND THE TYPE OF DATA IT HAS,
AND SECURITY ASSURANCE IS ARRIVED AT
ON THE BASIS OF THE SECURITY ASSESSMENT
AND RISK ACCEPTANCE
WHICH IS ULTIMATELY APPROVED
BY THAT DESIGNATED APPROVING AUTHORITY.
ONE OF THE THINGS-- AN IMPORTANT THING TO--
AND WHY WE'RE DOING
A FULL-SCALE CERTIFICATION AND ACCREDITATION
OF THE CONNECT PRODUCT
IS BECAUSE CONNECT IS A VERY AGILE...
CAN I SAY "PRODUCT"? IS THAT OK? OK.
...AGILE AND FLUID IN ITS EVOLUTION,
YOU WANT TO ESTABLISH, YOU KNOW, A BASELINE
OF ITS SECURITY EFFICACY,
AND SO AS THE TARGET ARCHITECTURE CHANGES OVER TIME,
YOU'RE ABLE TO ALSO MONITOR
AND SHOW THAT YOUR SECURITY PARAMETERS ARE ALSO,
AND YOUR WHOLE SECURITY PROGRAM
IS MOVING WITH THOSE CHANGES OVER TIME, TOO.
AND ONE OF THE BENEFITS OF-- OR A KEY BENEFIT OF DOING THIS
IS THE DEVELOPMENT OF COMMON ARTIFACTS
AND DOCUMENTS AND CONTROLS
THAT SUZANNE AND JULIE HAVE SPOKEN TO
THAT EVERYBODY CAN SHARE.
YOU HAVE A CENTRALIZED PRODUCT THAT IS CERTIFIED,
AND EVERYONE WHO USES THE GATEWAY
ALSO SHARES IN THAT CERTIFICATION,
AND THAT HELPS TO INFORM YOUR EDGE SYSTEMS
AND YOUR PARTNERING SYSTEMS FOR THAT, TOO.
SEE? IT CAN BE COST EFFECTIVE WHEN WE SHARE.
SO, ONE OF THE THINGS THAT WE HAVE TO DO
IS IDENTIFY SECURITY CONTROLS
AND REUSING THOSE COMMON CONTROLS ACROSS THE PARTNERS.
THAT'S ALL THIS IS TALKING TO.
AND I GUESS WE'RE OVER TIME, AREN'T WE?
I DIDN'T GET MY RED CARD.
AND THE IMPORTANT THING-- I THINK WE EMPHASIZE...
IN A MINUTE. JUST LET ME CLOSE ON ONE THING.
...IS THAT THIS IS NOT A ONE-TIME DEAL.
YOU HAVE TO BUILD IT INTO YOUR BUSINESS MODEL, YOUR WORK FLOW,
SO THIS BECOMES A PART OF HOW YOU SEE YOUR BUSINESS
AND HOW YOU SEE YOUR DATA ASSETS
AND WHY YOU'RE DOING THAT.
AND I THINK--
DAVE, DO YOU WANT TO SAY SOMETHING
ABOUT WHEN SOME OF THIS MIGHT HAPPEN?
- SURE. - OK.
DO YOU WANT ANY OF THOSE?
YEAH. IT DOESN'T MATTER ON THAT SLIDE.
I'M DAVE RILEY, THE CONNECT INITIATIVE LEAD.
SECURITY AND PRIVACY IS OBVIOUSLY A CONCERN IN THE NHIN
AND SOMETHING THAT WE'VE BEEN WORKING VERY ***
AT THE SPECIFICATION LEVEL.
IN TERMS OF CONNECT AS A PRODUCT,
OBVIOUSLY THE FACT THAT IT'S BEING BUILT
BY FEDERAL AGENCIES
AND FEDERAL AGENCIES HAVE TO MEET FISMA REQUIREMENTS,
IT'S GOING TO MEET FISMA REQUIREMENTS,
SO THERE'S NO QUESTION ABOUT THAT.
AND SO AS A PART OF THAT,
WE'RE DOING THIS CERTIFICATION AND ACCREDITATION
THAT IS CURRENTLY UNDERWAY,
AND WE EXPECT THAT THE C&A PACKAGE
WILL BE COMPLETE FOR THE 2.1 RELEASE,
WHICH IS OCCURRING ON JULY THE 7th.
WE'LL DO AN UPDATE TO THE PACKAGE
TO REFLECT THE CHANGES
THAT ARE COMING OUT WITH THE PRODUCT THEN.
WE SHOULD SEE A COMPLETION OF THIS BY THE END OF SEPTEMBER,
WHICH IS IN TIME FOR FEDERAL AGENCIES
THAT ARE PLANNING TO GO INTO PRODUCTION,
LIMITED PILOTS IN THE LAST QUARTER OF THIS CALENDAR YEAR.
WE TAKE THE SECURITY AND PRIVACY CONCERNS VERY SERIOUSLY
IN THE DEVELOPMENT OF CONNECT.
I USE A NUMBER OF TOOLS TO LOOK AT THE SOFTWARE CODE ITSELF,
AND SO ONE OF THE ENHANCEMENTS
THAT WE'LL BE DOING IN THE NEXT RELEASE CYCLE,
AS A PART OF OUR TESTING CYCLE,
THERE HAVE BEEN IDENTIFIED
APPROXIMATELY 700 SECURITY PRACTICES, IF YOU WILL,
OR FLAWS THAT PROGRAMMERS COMMIT ON A REGULAR BASIS
WHEN THEY'RE BUILDING SOFTWARE,
AND SO THERE ARE SOME TOOLS THAT WE CAN NOW USE
AS A PART OF OUR TESTING SEQUENCE
TO GO LOOK FOR THOSE THINGS ON A REGULAR BASIS.
WE'VE RUN THE TOOL
AGAINST THE EXISTING VERSION OF THE SOFTWARE
AND HAVE SYSTEMATICALLY KNOCKED OUT
AS MANY OF THE THINGS THAT WE HAVE FOUND
WITH RESPECT TO DEFECTS OR FLAWS
IN TERMS OF CODING PRACTICES,
AND AS WE MOVE FORWARD,
WE INTEND TO RUN THIS ON A DAILY BASIS
AGAINST THE CODE BASELINE
SO THAT EVERY TIME WE DO A NIGHTLY DEPLOYMENT OF THE SOFTWARE,
WE WILL BE RUNNING THIS TOOL AGAINST IT
AND GENERATING REPORTS SO THAT WE CAN IDENTIFY,
AS NEW PROGRAMMERS BECOME INVOLVED WITH WHAT WE'RE DOING,
IF THEY COMMIT ONE OF THESE SECURITY SINS,
AND FROM A PROGRAMMING PERSPECTIVE,
WE'LL DISCOVER IT EARLY AND ELIMINATE IT EARLY.
AND SO THIS, AS JULIE HAS POINTED OUT,
REQUIRES CONTINUOUS MONITORING,
AND SO WE WILL BE CONTINUOUSLY MONITORING THE SOFTWARE
THROUGHOUT THE DEVELOPMENT CYCLE
SO THAT WE CAN RAISE THE BAR IN TERMS OF SECURITY
FOR THE WHOLE INDUSTRY.
SO AS FOLKS ARE ADOPTING THE USE OF CONNECT
IN THEIR ENVIRONMENTS,
THERE ARE ADDITIONAL THINGS
THAT THEY NEED TO DO ORGANIZATIONALLY.
CONNECT BY ITSELF IS NOT GONNA MAKE YOU FISMA-COMPLIANT.
THERE ARE ADMINISTRATIVE AND ORGANIZATIONAL,
OPERATIONAL THINGS THAT YOU NEED TO PUT IN PLACE
TO BE FULLY FISMA-COMPLIANT.
BUT THE POINT IS, IT GETS YOU SIGNIFICANTLY ALONG THE WAY
TO WHERE YOU WOULD NEED TO BE IF WE RAISE THE BAR
TO THE LEVEL THAT JULIE'S TALKING ABOUT.
I DON'T SEE ANY REASON WHY WE SHOULDN'T BE CONCERNED
ABOUT OUR PRIVACY AND PROTECTING OUR DATA IN THAT WAY.
SO THIS IS A TOOL THAT WE'RE TRYING TO PUT OUT THERE
TO MAKE AVAILABLE FOR FOLKS
TO HELP GET US TO WHERE WE NEED TO BE
SO THAT WE CAN SECURELY PROTECT THE DATA
AND ENHANCE PRIVACY AND CONFIDENTIALITY FOR PATIENTS.
Corbin: THANK YOU.
THANK YOU VERY MUCH, DAVE,
AND THANK YOU, PANELISTS, FOR YOUR TIME
AND SHARING INFORMATION.
[APPLAUSE]
I THINK WE'RE-- IT'S LUNCHTIME.