2020-07-07 Meeting notes


Date

Jul 7, 2020 


Attendees

Goals

  • Discuss Mobile Application Assurance Registry

  • Prepare spec doc for internal review

Discussion items

Item: Mobile Application Assurance Registry

Who: @Tom Jones

Notes:

  • Proposed Kantara work item

    • Based on ONC final rule mandate

    • Some level of app certification is required

    • Kantara hosted API to show what apps or developers meet the requirements

    • Supports due diligence

    • Jeff: Will there be testing of assertions? (not at the moment)

      • The rule only states that the app must be made by a certified app developer, so the app needs a cert mark for the user to know whether it came from a certified developer

      • Self-assertion is US-centric; outside the US, third-party assertion is normally required, and the process can evolve to a third-party one (precedents: CCHIT.org, DEA/NIST rules forbidding electronic prescribing of controlled substances, Surescripts); Pete: CCHIT provided test suites

    • Healthcare record providers are the key grant beneficiaries

      • ONC allows (in the commentary, not the rule) EHRs to insist that the app used to access and transfer records is developed by a certified developer; Catherine will look at the rule

      • Sites are being sued for damages for releasing consumers' private information. Expect CIOs to enforce the certified-developer requirement.

      • EHRs create “tethered patient portals” which are hard for patients or their proxies to access. This creates a conflict of interest.

    • Patient matching (@Former user (Deleted))

      • Not identity, just aligning identifier string (like Covid contact tracing)

      • Looking at Nordic electronic identifier

        • The economy is using the mobile device as the identifier assertion with any app (banks, police, etc.)

        • Strong relying parties, shared standards/same rules

        • Flexible pricing, features, functionality

        • Low fraud rate

      • Part of the smartphone device itself, not just app

      • Identity verification such as FaceID/facial biometrics, a photo of a physical ID, and others contribute to strong identity assurance when used with strong apps. This binds the identity to the app.

    • Concern for App Developers

      • Fraud is a big issue: making sure the patient is insured and that the payment will come in

      • Tax supported payors like Medicaid may have some difficulty, while they also have a huge need for combating fraud

    • Two processes

      • Proofing: assure this person is who they say they are; outcome is IAL1 or IAL2

      • Mobile phone app authentication

    • Phone containers segregate the code; the code is digitally signed, and the virtual machine only allows the program to run in that container.

    • Ease of use, number of users that can apply this

      • Looks simple to use the device as an authenticator

      • Can be combined with a second factor (facial or PIN)

      • Fast, simple UX, low friction

    • Branded app (insurance company, provider)

      • Confidence: trusted provider

    • Catherine is demoing Thursday at HIWJ, Jim will send invitation to this group


Action items

@Jim Kragh to send info to the group about Catherine’s presentation