DRAFT HIAWG Meeting Minutes 2013-12-05

Kantara Initiative Health Identity Assurance WG Teleconference

Date and Time

Date: Thursday, 2013 December 05 
Time: 10:00 PT | 12:00 CT | 13:00 ET
Dial in: TurboBridge Conferencing

Health Identity Assurance Working Group Home Page

HIAWG Wiki Home

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Meeting Minutes Approval: HIAWG Meeting Minutes 2013-11-07
    4. Organization updates - Director's Corner
    5. Upcoming Events page: http://kantarainitiative.org/confluence/x/pYDWAw
    6. Report out from latest LC meeting
    7. Action Item Review
  2. Discussion
    1. Continuation of the discussion on the Feasibility Study work 
  3. AOB
  4. Adjourn

 Attendees

Participant Roster

As of December 3, 2013, quorum is 7 out of 12 voting participants.

Quorum Achieved

 

Voting
  • Pete Palmer (C)
  • Andrew Hughes (V-C)
  • Bob Sullivan
  • Ron Moser
  • Jerry Cox
  • Terry Gold
  • Rich Furr
  • Peter Alterman
Non-Voting
  • Bill Braithwaite
  • Adrian Gropper
  • Brian Ahier
  • Rick Moore
  • Nathan Faut

Staff 

Apologies
  • Laurie Tull

Administration 

Minutes Approval

Minutes for approval: HIAWG Meeting Minutes 2013-11-07

Motion to approve minutes of 2013-11-07: Furr

Seconded by: Cox

Discussion: None

Motion Carried 

Organization updates

Director's Corner

Upcoming Events page: http://kantarainitiative.org/confluence/x/pYDWAw

  • HIMSS has confirmed Kantara workshop space

Discussion

HIAWG Deliverable
Discussion 5 December 2013
    • Joni Brennan, David Kibbe, Lee Barrett, Pete Palmer, Andrew Hughes
The HIAWG will conduct research and analysis of the feasibility of optimization, harmonization, consolidation or merging of the policy, process and standards requirements, approval programs and associated assessment criteria related to IDP/V of individuals by Approved/Accredited CSP or RA organizations. The feasibility study report will present a small number of viable options and make recommendations to the boards of DirectTrust, EHNAC and Kantara Initiative for consideration and action.
"The overarching objective for the HIAWG work is to find ways to reduce financial and work burden on organizations seeking Approval under DTAAP, Kantara Initiative and FICAM TFS programs. By decreasing burden on our shared customers, DirectTrust, EHNAC and Kantara seek to increase the shared value of our respective programs."
  • Comment: KI is primarily focused on non-PKI. DT is focused on PKI, non-FBCA Cross Certified plus some FBCA compliant, using X.509 certificates partially for Groups and Individuals. How is it envisaged to relate the PKI and non-PKI environments? Are there other points of commonality aside from the IDP/V aspects?
    • Note that the DT Certificate Policy is being enhanced - there's the opportunity to line it up as appropriate
  • Worry that there's no current engagement with any Federal Bridge individuals
    • Once DT starts issuing certificates to individuals, it becomes essential to become FBCA Cross Certified (being compliant isn't sufficient)
  • Q: Is there any chance that the DirectTrust model (where the HISP can hold the Private key + Organizational/Group Certificates exist) can ever become FBCA Cross Certified? A: Opinion is no at the current time. Does not mean that it could not be.
    • There are methods where Group certificates can be implemented in a trustworthy way. However, the general drive (in DoD and DHS) is to move to more restrictive rather than accommodating ways.
  • Starting with the RA Assessments and program processes is worth doing.
  • Currently DT does not do non-PKI - but it might need to in the future. Or Kantara might need to handle PKI.
  • Q: Does the 800-63-2 update give Hospitals new abilities to act as LOA3 PKI-based credentials? A: Any entity can go to any FICAM/FBCA to get credentials. But it depends on the actual Certificate Policy. It's not really about 800-63-2.
    • However it's probably not a great idea in any case - setting up as a CA is a big and expensive undertaking.
    • Any entity that has satisfied the HIPAA requirements is well on its way to being certified. HIPAA compliance does not address the Privacy Act and/or Federal CyberSecurity requirements.

 

  • To get the Feasibility Study work kicked off fast, discussed getting the 4 or 6 primary roles represented: (expert in Approval/Assessment Programs as related to IDP/V; expert as Assessed entity as related to IDP/V) for each of (EHNAC/DTAAP/DirectTrust; Kantara; Federal Bridge CA)
  • Primary contributor assignments below (of course everyone on the call has experience in many boxes, but to keep things efficient it would be helpful to focus on one in the early content rounds):
    • Jerry Cox: familiar with Federal Bridge CP Identity Proofing processes
    • Rich Furr (as Verizon): can provide the Verizon perspective for Kantara Assessee 
    • Peter Alterman (as Kantara Assurance Review Board member): can take on the Kantara Assessment Program front
    • Ron (as EHNAC assessor): DTAAP assessor role
    • Pete (as Medallies): DTAAP Assessee
    • Pete as Relying Party 
    • SAFE BioPharma is there for the FBCA processes if we need to align there too
  • ACTION: Terry Gold to work up a content framework and engage HIAWG by email prior to next HIAWG call

AOB

 

Attachments

 

Next Meeting

Date: Thursday, 19 December 2013
Time: 10:00 PT | 12:00 CT | 13:00 ET
Dial in: TurboBridge Conferencing