Interagency Advisory Board Meeting Agenda, Wednesday, December 5, 2012
1. Opening Remarks
2. The State Identity Credential and Access Management Guidance and Roadmap (SICAM) (Chad Grant, NASCIO)
3. PIV and PIV-I Use in Health IT Relying Party Systems (Mike Magrath, Gemalto)
4. Briefing on Draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices (Andy Regenscheid, NIST)
5. Cloud-Sourcing Public Key Enablement (Steve Howard, Certipath)
6. Closing Remarks
PIV-I in the U.S. Healthcare Market
Michael Magrath, CSCIP
Director, Business Development - Government & Healthcare
Gemalto
Chair – Smart Card Alliance’s Healthcare Council
IAB Meeting December 5, 2012
Gemalto The Leader in Digital Security
It is most likely you have one or more of our products in your possession right now
• The SIM card in your mobile phone
• The bank cards in your wallet or purse (Mag stripe or chip based)
• Your US Passport
• If you are a federal employee – your CAC or PIV card
Agenda – Identity Initiatives Impacting Healthcare
[Diagram labels: Identity Mgt & Authentication; NwHIN; NSTIC; FRAC; Fraud Waste & Abuse; Electronic Prescriptions; PHRs; eGov; myhealthevet; ssa.gov; mymedicare.gov]
Key points
• The US healthcare market is quite fragmented.
• It is very inefficient and is riddled with fraud estimated at over $100 billion annually.
• Large investment in migration from paper records to electronic records
• Migration from handwritten prescriptions to electronic
• The federal government remains technology neutral and is determined to let the market decide when it comes to technological solutions. The government is leery of moving forward with a specific technology only to have it obsolete in a matter of years.
12/10/12
The Highway for Health Information Exchange
• NwHIN is a Network of Networks
• Each network can include multiple organizations and partners with different roles and authorities
• Data exchange can include more than one exchange intermediary
• NwHIN data exchange may be between organizations in a region or between different regions or states
• Trust in Question
HHS Advisory Committees formed via ARRA 2009
• Health IT Policy Committee will make recommendations to the National Coordinator for Health IT on a policy framework for the development and adoption of a nationwide health information infrastructure, including standards for the exchange of patient medical information.
• Health IT Standards Committee is charged with making recommendations to the National Coordinator for Health IT on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information.
“Meaningful Use”
The HITECH portion of the American Recovery and Reinvestment Act (ARRA) of 2009 specifically mandated that incentives should be given to Medicare and Medicaid providers not for EHR adoption but for “meaningful use” of EHRs.
• Stage 1 – Effective Jan. 2012
• Stage 2 – Effective Jan 2014
• Stage 3 – RFC issued by HIT Policy Committee due 1/14/13
  • HITPC recommended that EHRs should be able to accept two factor (or higher) authentication for provider users to remotely access protected health information (PHI).
  • NIST LoA 3 is being recommended. No mention of LoA 4 thus far
DEA’s Interim Final Rule for ePrescribing controlled substances
• Published in The Federal Register, March 31, 2010
  • Two of three factors must be used: a biometric, a knowledge factor (e.g., password), or a hard token
  • The rule does not require the use of a specific form of biometric technology. DEA is establishing standards for biometric systems in conjunction with NIST.
  • DEA has revised this rule to allow the use of a hard token that is separate from the computer being accessed and that meets FIPS 140-2 Security Level 1 security or higher.
    – Proximity cards that are smart cards with cryptographic modules could serve as hard tokens.
  • DEA believes that NIST 800-63-1 Assurance Level 3 as described will meet its security concerns.
NSTIC’s Identity Ecosystem
• Carving niche for high assurance credentials
• Healthcare Committee formed
• Advocating for NIST LoA 3 and LoA 4 credentials in ecosystem
• No grant pilots included smart card technology
• PIV / PIV-I in mobile devices will help in future
Jan 27, 2010
First Responder Authentication Credential
• 800,000 doctors
• 3 million nurses
• 210,000 EMTs
• A multipurpose electronic identity credential
Patient Identity Assurance Reducing Fraud & Medical Identity Theft
Is she whom she claims to be?
Identity of Patients in Cyberspace Hearing for the HIT Privacy & Security Tiger Team and Privacy & Security Workgroup, 11/29/12
Medicare, Medicaid & CHIP
A Relying Party
"We want to be a relying party. We don't want to be a credential provider for the government." … Federated identity management is the end goal, "where we can accept the level 3 credential, or a level 4 credential, or even a level 2 credential from whoever, federate that and utilize it so a provider will not have to get multiple credentials,"
- Tony Trenkle, CMS’ CIO, 10/18/2012
• CMS is working closely with the NSTIC NPO and HHS
• CMS provides 4 million national provider IDs for the various entities that do business with CMS, he said. It also has 175 applications currently using seven different access management systems. And with the forthcoming health insurance exchange,
• CMS could eventually be handling access and credentials for 30 to 50 million users
Beneficiaries under Centers of Medicare & Medicaid Services
• 91 Million Beneficiaries (Medicare, Medicaid, CHIP) (FY 2010).
  • Medicare = 48 M
  • Medicaid = 35 M
  • Children's Health Insurance Program (CHIP) = 8 M
• 240,000 beneficiaries are added every month
• ACA will add 30 million more individuals to Medicaid bringing the number close to 121M.
• About half the 30 million people gaining coverage under the ACA would do so through Medicaid. Most of the new beneficiaries would be childless adults
  • 2.7 million would be parents with children at home.
  • The federal government would pay the full cost of the first three years of the expansion, gradually phasing down to a 90 percent share.
Medicare Common Access Card Act of 2011
Bipartisan legislation (S. 1551 & H.R 2925)
Would establish a pilot program to develop a secure Medicare card using smart card technology to protect seniors' personal information, prevent fraud and speed payment to doctors and hospitals.
Removes SSN from front of card and stores it on the chip, allowing CMS to continue using the SSN as the claim number
AARP, 60 Plus, American College of Physician Executives, American Academy of Orthopedic Surgeons endorse legislation.
Funded by transferring funds from the Medicare Improvement Fund (MIF), which makes funds available to HHS for the purpose of making improvements under the Medicare Parts A & B programs, including program integrity improvements.
www.upgradethecard.org
Medicare CAC - Current Status
• At the request of Senator Kirk, the Smart Card Alliance commissioned a 3rd party to audit the industry’s estimated cost for the program
• Co-signers in the House and Senate.
• June 2012 - Members of the Senate Finance Committee solicited ideas from interested stakeholders in the health care community regarding effective solutions to improve federal efforts to combat waste, fraud, and abuse in the Medicare and Medicaid programs.
• Nov 15 - Frank Abagnale, world-renowned document security and fraud prevention expert – as well as the subject of the movie Catch Me If You Can, based on his earlier life as a professional forger – testified before a Senate Committee on Aging hearing entitled “America’s Invisible Epidemic: Preventing Elder Financial Abuse.” In advising Congress on how to best protect seniors against identity theft and fraud, Abagnale strongly urged Congress to create an upgraded Medicare smart card as described in The Medicare Common Access Card (CAC) Act, S.1551.
• Nov 28 – The House Energy and Commerce Subcommittee on Health held a hearing on Medicare Fraud Waste and Abuse. Medicare CAC was discussed. On behalf of the Secure ID Coalition, Gemalto’s Neville Pattinson testified.
• 113th Congress begins January. New bills to be introduced.
Identity Initiatives Impacting Healthcare
[Diagram labels: NwHIN; NSTIC; FRAC; Fraud Waste & Abuse; Electronic Prescriptions; PHRs (CIV); eGov; myhealthevet; ssa.gov; mymedicare.gov]
Utopia - Healthcare Identity Management
PIV PIV-I
Commercial Identity Verification (CIV)
Benefits of Smart Cards to Improve Provider and Payer processes
• Quickly and accurately identifying patients, reducing medical identity theft and improving quality of care.
• Streamlining patient registration and patient information access at any points of care, reducing routine paperwork and eliminating errors.
• Supporting audit logging and remote access accountability.
• Enabling secure access to healthcare websites.
• Storing all necessary applications and information on the card, enabling offline access to critical healthcare information using portable readers.
• Additional information on the use of smart cards for healthcare applications can be found on the Smart Card Alliance web site, http://www.smartcardalliance.org/pages/smart-cards-applications-healthcare-identity
Smart Card Centered Healthcare
Thank You
Michael Magrath
Director, Business Development
4401 Wilson Blvd., Suite 210, Arlington, VA 22203
Office: 512-758-8911 Cell: 703-944-1090
http://twitter.com/healthITidmgt
www.gemalto.com & www.justaskgemalto.com