HIAWG Meeting Minutes 2013-11-07

Kantara Initiative Health Identity Assurance WG Teleconference

HIAWG Meeting Minutes - approved 2013 December 5

Date and Time

Date: Thursday, 07 November 2013 
Time: 10:00 PT | 12:00 CT | 13:00 ET
Dial in: TurboBridge Conferencing

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Meeting Minutes Approval: No minutes ready for approval.
    4. Organization updates - Director's Corner
    5. Upcoming Events page: http://kantarainitiative.org/confluence/x/pYDWAw
    6. Report out from latest LC meeting
    7. Action Item Review
  2. Discussion
    1. Continuation of the discussion on the Feasibility Study work 
  3. AOB
  4. Adjourn

 Attendees

Participant Roster

As of September 26, 2013, quorum is 7 out of 12 voting participants.

Quorum achieved with 9 of 12 voting participants present

 

Voting
  • Pete Palmer (C)
  • Andrew Hughes (V-C)
  • Terry Gold
  • Barry Hieb
  • Jerry Cox
  • Rich Furr
  • Laurie Tull
  • Ron Moser
  • Minze Chien
Non-Voting
  • Bill Braithwaite
  • Rick Moore
Staff 
Apologies

Administration 

Minutes Approval

No minutes ready for approval

Organization updates

Director's Corner

Upcoming Events page: http://kantarainitiative.org/confluence/x/pYDWAw

  • November 14-15: NIST-sponsored CyberSecurity in Healthcare - Raleigh - notice was circulated to the List

Discussion

HIAWG Deliverable
Discussion 7 November 2013
  • Update from Terry - same place as last meeting - the draft is in circulation
    • To make progress, HIAWG needs more clarity on the rationale for creating this study from the Sponsors (Pete and Joni have this task)
  • Terry: called for volunteers to help with parts of the study that could be drafted while waiting for Sponsor direction
  • Rich: has reviewed the draft and submitted comments - will send to Terry directly
  • Pete: met with Joni to gain clarity on the purpose of the study
    • HIAWG needs some assurance that the organizations under the MOU will accept the results
    • Joni is reaching out to Kantara Board, DirectTrust and EHNAC to engage and work out material to help justify volunteers providing their time
  • Verizon's perspective - how can appropriate use cases be created for FICAM non-PKI credentials and Federal Bridge PKI credentials?
  • The work effort for PKI v non-PKI will be different (PKI might be easier because it's closer to DirectTrust)
    • There are common functions between PKI v non-PKI e.g. Identity Proofing
  • Pete: note that 800-63-2 was built to enact Homeland Security Presidential Directive 12 - purely for Federal Agencies - the correct reference for this is FICAM
  • Andrew asked for a description of the overlap/commonality between Kantara IAF (non-PKI) and DTAAP (PKI)
  • DTAAP is specific to DirectTrust requirements
    • It encompasses the DT Certificate Policy
  • Verizon is looking at the DT Registration Authority - this probably has the most ability to crosswalk to FICAM/Kantara
    • CA requirements - not so - these are the PKI
  • DirectTrust did reference FICAM and Kantara for the RA requirements on the Identity Proofing side
    • There are a few different aspects e.g. Organization Level certificates
    • Other Health IT/ HIPAA Policy aspects relative to Covered Entity status and other specific role types
  • Verizon is working hard to meet these requirements - especially verification of Organization Identities - this is novel in Direct
  • HISP, RA, CA are the three DTAAP accreditations
    • Much of the HISP criteria relate to the separation of Direct messaging from 'normal' email
    • But the EMR vendors don't use that workflow - the users have a common inbox - this is why Organization Certs came to exist - the S/MIME endpoint is at the Organization level
  • Under MU2 there are 2 years to conform - to be able to send a certain volume of messages using Direct Protocol
  • NOTE: the Direct Protocol only deals with encrypting and signing of Direct messaging - not with user->system authentication
  • The individual user still needs to authenticate to the EMR system - might be 2 Factor deployment
  • Clients are struggling with deploying to large numbers of individuals - there are many different solutions that need to be unified or harmonized
    • This is an issue that will have to be dealt with - general consensus that this should be in scope now or soon, since patients need to access data under MU2.
  • Pete: how do we get Kantara's HIAWG work in front of the official ONC Security and Privacy Standards or Policy Committee to influence MU3 criteria
    • Bill: has some touch points into several groups (Joy Pritts - Privacy officer for ONC)
    • Andrew: who sits on the Standards and Policy Committees?
  • ACTION: Pete will seek out a list of participants
  • ACTION: Rich will locate the Terms of Reference for the various committees
  • ONC has directed Industry to come up with a Governance model to meet the Privacy and Security needs - that's what drove DirectTrust in part

AOB

 

Attachments

 

Next Meeting

Date: Thursday, 21 November 2013
Time: 10:00 PT | 12:00 CT | 13:00 ET
Dial in: TurboBridge Conferencing