2020-07-07 Meeting notes

Date

Attendees

Goals

  • Discuss Mobile Application Assurance Registry
  • Prepare spec doc for internal review

Discussion items

Time | Item | Who | Notes

Item: Mobile Application Assurance Registry
  • Proposed Kantara work item

    • Based on ONC final rule mandate
    • Some level of app certification is required
    • Kantara hosted API to show what apps or developers meet the requirements
    • Supports due diligence
    • Jeff: Will there be testing of assertions? (not at the moment)
      • Rule only states app must be made by certified app developer, so the app needs a cert mark for the user to know if it used a certified developer
      • Self-assertion is US-centric; outside the US, third-party assertion is normally required. This can evolve into a third-party process (precedents: CCHIT.org, DEA/NIST rules forbidding electronically prescribing controlled substances, Surescripts). Pete: CCHIT provided test suites
    • Healthcare record providers key grant beneficiary
      • ONC allows (in the commentary, not the rule) EHR to insist that the app used to access and transfer records is developed by a certified developer; Catherine will look at the rule 
      • Sites are being sued for damages for releasing consumers' private information. Expect CIOs to enforce the certified-developer requirement.
      • EHR creates “tethered patient portals” which are hard for patients or their proxies to access. Creates a conflict of interest.
    • Patient matching
      • Not identity, just aligning identifier string (like Covid contact tracing)
      • Looking at Nordic electronic identifier
        • Economy is using mobile device as identifier assertion with any app (banks, police, etc)
        • Strong relying parties, standards/same rules
        • Flexible pricing, features, functionality
        • Low fraud rate
      • Part of the smartphone device itself, not just app
      • Identity verification like FaceID/facial biometric, Photo of physical ID, and others contribute to strong identity assurance when used with strong apps. Binds identity to the app.
    • Concern for App Developers
      • Fraud is a big issue: making sure the patient is insured and that the payment will come in
      • Tax supported payors like Medicaid may have some difficulty, while they also have a huge need for combating fraud
    • Two processes
      • Proofing: assure this person is who they say they are; outcome is IAL1 or IAL2
      • Mobile phone app authentication
    • Phone containers segregate the code and are digitally signed; the virtual machine only allows the program to run in that container.
    • Ease of use, number of users that can apply this
      • Looks simple to use the device as an authenticator
      • Can be combined with a second factor (facial or PIN)
      • Fast, simple UX, low friction
    • Branded app (insurance company, provider)
      • Confidence: trusted provider
    • Catherine is demoing Thursday at HIWJ, Jim will send invitation to this group
Action items

  • Jim Kragh to send info to group about Catherine’s presentation