HIA WG Concall 2011-05-26 Minutes

Kantara HIAWG Teleconference

Date and Time

  • Date: Thursday, May 26, 2011
  • Time: 10am PST | 1pm EST | 5pm UTC | 7pm CEST

Attendees

  • Barry Hieb
  • John Fraser
  • Dan Combs
  • Rick Moore
  • Laurie Tull
  • Bill Braithwaite
  • Daniel Bennett
  • Dave Minch
  • Dazza Greenwood
  • Mickey Tevelow
  • David Kibbe

Apologies

  • Rich Furr

Agenda

  1. Intro
  2. Roll Call
  3. Approval of Minutes
  4. NSTIC
    1. Workshops
      1. Governance
      2. Privacy and Usability
    2. Notice of Inquiry
  5. PIDS Face to Face
  6. Open Architecture for Step-Up Authentication
  7. Other Business
  8. Adjourn

Minutes

1. Introduction

Intro by Rick Moore

2. Roll Call

See above.

3. Approval of minutes

5/12 Minutes pending completion, approval postponed to next meeting.

4. NSTIC

Daniel Bennett: Two upcoming events, one in DC, one in Boston

Dazza: June 9th and 10th – NSTIC Governance event in DC – topics of focus:
-    Structures of governance
-    Initiation
-    International aspects

Keynote, panels, breakout sessions, and workgroups will be part of the event, and some virtual participation. Anticipate an NOI will be released prior to the event to help structure content of the meeting.

June 27 and 28 – MIT (Boston / Cambridge) – NSTIC workshop – focus: Privacy and Usability, similar combination of keynotes, panels, breakouts, and workgroups, as well as a deeper level of virtual participation.

Daniel: is anyone going to one or both of them? (Dazza, Dan, and Daniel – all the eCitizen people)

Barry: Is it fair to ask that eCitizen will represent the activities of Kantara?

Daniel Bennett: We will discuss our Kantara work and will talk about our projects.

Barry: I would like to see a set of notes of topics we would like to see discussed at these workshops.

Dazza: I agree.

Daniel Bennett: I would take some time to read the actual strategy to prepare.

Dazza: Be aware that there’s going to be a Kantara briefing after the governance event and before the privacy and usability event.

Dan Combs: just a reminder, we at eCitizen and Kantara are running NSTIC US, and there’s an opportunity to add information there. We are working on ways to utilize social networking tools to generate buzz before, during, and after these events.

Daniel Bennett: using #PIDS and #NSTIC are good ways to socialize NSTIC and the PIDS project.

John: what other Kantara WGs are involved in NSTIC?

Dan Combs: The IAS has been involved, and individual members have participated in various ways.

John: I think Kantara has a vested interest in moving its identity frameworks forward through NSTIC.

Dazza: a lot of the pieces are still being put together and I encourage Kantara to be proactive about getting involved.

PIDS Pilot Presentation in Boston / Cambridge

5. PIDS Face to Face

Daniel Bennett: This will be occurring at MIT immediately after the privacy workshops are done. We hope to have some of the folks who are there for NSTIC participate. I encourage everyone who can be there to attend, and let us know if you plan to be there.

Dan Combs: We are very much looking forward to the boost that should come out of that meeting.

Dazza: This meeting will be specifically to discuss identity in healthcare, it is a great opportunity.

Rick Moore: Do you have an idea of how many people will be attending the NSTIC Meetings, and how many organizations are currently actively engaged?

Daniel Bennett: When we’ve talked to them, it seems they aren’t positive how many people are attending. The registration info is at: http://www.nist.gov/itl/nstic-workshop-june2011.cfm

Dazza: The vendor doing the conference registration said they had 50 people in pre-registration. They are expecting to meet capacity, which is 200-300 people for both events.

Daniel Bennett: you should be able to add the NSTIC calendar to your calendaring capabilities.

6. Open Architecture for Step-Up Authentication

Guest speaker Peter Alterman re: Step-Up Authentication

Intro by Dazza: level of assurance 3 for PIDS project – how do we set up identity that will be recognized in healthcare system at level 1, 2, or 3? We’re constructing an open architecture for step-up authentication. Standardization is required for this. Peter Alterman has taken a leadership role in focusing that conversation.
National Institutes of Health, is helping bring the national identity ecosystem to light as part of NSTIC.

Peter Alterman: there are a lot of people who are not happy with the federal government, but that aside, the idea is having a web service or online application that requires a level 3 credential. The federal space has defined the assurance levels. Within the context of cyber security, we’re trying to bring some rationality to it. NSTIC is really focusing on the larger world outside the federal space, not that the federal space is irrelevant, but there’s a lot to do with business transactions that have nothing to do with the federal government. NSTIC is focusing on the private sector and the whole electronic world. There is an awful lot out there to build on, like eBay, Amazon, online banking. All of these things come into play, and health IT is going to touch everyone. There are numerous privacy-related bills in Congress right now. The conventional wisdom is that nothing is going to be passed in this session, but one never knows. The important thing to understand is that the health IT space is going to be greatly influenced by the federal government. The Tiger Team is clearly a recognition of that. Assume for the sake of argument that your grandmother who lives in North Dakota and has an AOL username and password wants to log into the Medicare service to update her profile to reflect her secondary carrier. Her profile required at CMS is a level 3, so what happens? Right now, there are all kinds of bad things that could happen. She could try her AOL user info and be stonewalled, being told she needs a level 3 credential. Or her credential could be accepted and then her private information becomes vulnerable. The goal is to solidify the practices on the Medicare side while allowing users to use the IDs and passwords they are comfortable with. Our online bank has various techniques to ensure she is who she says she is. Security questions, verification of IP address, etc.
This creates an auditable trail for the bank to ensure that when they are audited, they are prepared to present proof of authentication. What we don’t know yet is how we can generalize this model for the ehealth services field. We have a draft charter for the new technical committee and hope to go live with it in a few weeks or so. We got an enthusiastic response from the banking industry, we’re looking at Equifax to get involved. We’ve invited a whole spectrum of entities who would be engaged in this space to join the technical committee in order to determine what’s out there, what the techniques and methods are, then conduct two levels of analysis of the identity authentication methods. This conceptual process will work well wherever there is an assurance of identity hierarchy.

Peter.alterman@nih.gov

Rick: Aren’t there already groups forming these baselines?

Peter: There are, but without a standards structure.

John: the NSTIC effort is to create a standard identity ecosystem?

Peter: NSTIC wants to put in place standard practices and procedures for trust and privacy. This is one of the NSTIC initiatives.

Daniel Bennett: We’re looking at the business, legal, and technical processes and necessities.

Barry Hieb: This is obviously a noble effort. At this point, do you have an idea of what standards agency you are going to call home for this effort, so that you can actually pronounce it to be a true standard?

Peter: We’ve invited some of my colleagues which will engage the feds. OASIS would be the home for the standard. Then we would see OASIS as propagating that out to other, more structured standards bodies.

Dazza: with respect to PIDS, by participating with Peter in the OASIS technical committee, we’re hoping to propagate the project and authentication. We can then reference that OASIS standard as part of the architecture. We hope that this leg of the standardization coming out of OASIS can reference participants later to show that they are meeting policy requirements.

Daniel Bennett: I would like to thank Peter Alterman for the great look at the Step-Up authentication efforts that you’re leading. I think to finish up the rest of the call within the hour, I’ll turn it over to the Chair.

Rick Moore: Thank you, Peter, for your explanation and for bringing your group to us to consider joining, and we hope you participate in our group moving forward.

7. Other Business

Barry Hieb: The Western Health Information Network and GPII as the subcontractor have gotten a grant to do a launch of the universal health identifier project??? We are going to distribute identifiers to one pilot site, then roll that out to Western LA. We represent a private enterprise solution in what we consider to be a major deficiency in health information exchange.

See GPII’s website for more info: www.gpii.info

8. Adjourn

Next Meeting

  • Date: Thursday, June 23, 2011
  • Time: 10 am PDT | 1 pm EDT | 5 pm UTC | 7 pm CEST
  • Dial-In: +1-201-793-9022
  • Code: 4630912