HIA WG Concall 2009-11-12 Minutes
Kantara Healthcare Identity Assurance Work Group Teleconference
Date and Time
- Date: 12, November, 2009
- Time: 9 PDT | 12 EDT
Attendees
- CoChairs:
- Pete Palmer, Surescripts (acted as moderator)
- John Fraser, MEDNETWorld.com (took these notes)
- Rick Moore, eHealth Ohio
- Britta Glade, Kantara
- Barry Hieb, GPII
- Bob Pinero – Independent Consultant and Chair, Consumer Identity Work Group
- Alan Neigleberg, CSC
- Colin Sueter – CSC, Representing a privacy and identity group from Toronto, Canada.
- Mike Kirkwood – Polka, Inc
Apologies
None.
Agenda
- Welcome and Introductions
a. Review of WHIT Show attend by Pete Palmer and John Fraser in Washington this week. - Brief Charter Review, see: Charter:
a. Review plans to build reference implementations - Review California interest in helping to build a reference implementation
a. Rick Moore will report, and perhaps Dave Minch from CA
b. Review health care Shibboleth efforts in MN and Ohio - Open discussion on getting started
- Next steps
Minutes
Meeting Summary:
- California interested in HIE to HIE authentication issues
- Pete and John had a great WHIT show presentation representing Kantara (following Bill Clinton)
- Group in consensus on building a reference implementation
1.WHIT Show Overview:
Pete gave an overview of the WHIT show in Alexandria, Viriginia. Pete gave a overview of the IAF which was given to this group at the kick-off meeting. John Fraser discussed the HIE in Minnesota, called HIE-Bridge, that has implemented a Shib-based federated identity management system requiring Level-3 (PKI) certificates for authentication between hospitals and clinics in the system when searching other facilities. Randy Vanderoof of the SmartCArd Alliance then discussed their efforts which nicely connected Pete and John’s talks together. Pete mentioned a recent 60 minutes show on Cyber-defense, and the vulnerabilities we need to worry about, to figure out the identity assurance needs across DMV (Drivers Licenses) and other industries.
John Fraser also mentioned that NHIN, the Nationwide Health Information Network (NHIN) is getting a lot of new attention and could utilize our reference impormentation for sharing identities between health information exchanges, or HIEs. Without some type of trusted identities it is hard to see how NHIN share will occur, so maybe this group can advise NHIN on this.
2. California Report:
Rick Moore gave an overview of his presentation to the CA Privacy and Security Work Group.
- Will be making rec’d to CA state-wide Advisory Board.
- Did presentation on what we hope to accomplish via the Kantara Initiative. Conversation and questions were appropriate and helpful for everyone. Dave Minch invited us to speak to about 7-9 participants. Want to use simplified sign on’s, with better security. Questions about a single point of authentication, is that secure? Questions about multiple levels of assurance, how do you establish trust? They want to use a Level-3 level of assurance, using something like PKI credentials. Asked if HITSP has incorporated any of Liberty/Kantara standards into their standards? They were also worried about how patient access can be made secure. PKI may be challenging at patient level. Discussed with NHIN and it’s authorization framework and how it would interact with Kantara’s efforts.
3. Reference Implementations Discussion:
Discussion then revolved around the Charter, and that we need to implement both a consumer a health care work federations as part of our promise in the Charter. John Fraser read the Charter requirements for this, and noted that by second Quarter of 2010 we have some deliverables.
Discussion then ensued about what kinds of implementation could we accomplish. Britta mentioned that Kantara has Liberty and a beta of OpenID working together for authetncaiton into Kantara, and it could be a model for a reference implementation. There was much discussion about OpenID. Verisign has an OpenID protected by a browser certificate that could be used. General feeling that issuing PKI smart-cards to patients/consumers is unlikely. One time passwords could be used to get to a Level 3 assurance level according to some of the discussions, although this is not verified and may be up to the policy of the implementation.
The group ran out of time at 1:00 p.m. Eastern US time, and agreed to get together one week from today, same time, to get back on track for every other week meetings after next weeks meeting. John Fraser asked that the group consider what types of technologies we could use, and help recruit organizations to participate to contriube technologies, monies, etc for our reference implementations, and bring that to the next meeting.
Pete adjorned the meeting at 1:00 pm Eastern US time.