Archive for September, 2009

Michael Howe, former CEO MinuteClinic, joins MEDNETWorld Board of Directors

Tuesday, September 22nd, 2009

MEDNETWorld.com (MEDNET), a leader in Nationwide Health Information Network (NHIN) connectivity and Health Information Exchange (HIE) technologies today announced the appointment of Michael Howe, former CEO of MinuteClinic and Arby’s, Inc., to its board of directors. Mr. Howe brings extensive health care and operational expertise to MEDNET from his experience at MinuteClinic.

The impact of Inter/Intra HIE and NHIN Connectivity

Tuesday, September 15th, 2009

By Chris Smith

As communities and healthcare organizations form Health Information Exchanges, or HIEs, much of the discussion is focused on internal communication and internal interoperability, within the HIE itself. The concept of connectivity to other HIEs, as well as NHIN, for interoperable data exchange is a much needed consideration in the planning of an HIE from day one.

The impact of not planning for the implementation of standards based connectivity, both for internal and external communication, can be significant. In some cases, to upgrade the connectivity infrastructure of a ‘closed’ HIE (for HIE to HIE and HIE to NHIN connectivity, for example) can be as costly as the original investment in the HIE internal infrastructure. A comprehensive planning approach, with interoperable connectivity on the roadmap, is critical to the success of a Health Information Exchange and healthcare community.

If, for example, an HIE focuses on local and regional connectivity only, and thus implements custom connectivity standards, the HIE’s growth, sustainability, and overall business model could be at risk. This ‘locked’ approach limits the HIE’s ability to add connectivity, services, and trading partners. Would other HIEs implement a custom connectivity solution each time they needed to interface with each and every HIE and healthcare community across the nation? Overall, this ‘closed’ or ‘locked’ model does not scale and does not lead to interoperability on a national (or global) scale.

HIEs and healthcare communities need to plan for interoperable data exchange and connectivity (including connectivity to a national, standards-based infrastructure like NHIN) to ensure future growth and connectivity. The future lies in additional connections, services, and trading partners in an interconnected healthcare world.

Security and Federated Identity Management

Tuesday, September 15th, 2009

By Jesse Erdmann

Previous newsletter articles have briefly mentioned FIM, but have not fully described the term. This month, Jesse Erdmann, CISSP, explains what Federated Identity Management (FIM) is, how usage of the technology is growing, and what it can mean for health care.

Put simply, FIM is a method of allowing one organization to trust the credentials of a user provided by another organization.  For example, if a user has a Facebook account and wants to use a service from Google it would be nice for the user to only have to remember one user name and password.  With FIM, Google can accept the credentials provided by Facebook and associate those credentials with an account on their service.  Essentially, FIM is Single Sign On for a cluster of services that all agree to trust the authentication of each other and share credentials in a secure manner.

On 9/9/09 the White House announced an initiative to encourage users of federal agency websites to sign up for an OpenID account (http://www.openid.net). When a user first connects to a website supporting OpenID and uses their OpenID credentials, the service creates an account within the service based on the credentials provided. Each service is then able to determine the rights and privileges for that account.

Additionally, once a user has authenticated to multiple services with the same credential, the user can allow the services to update each other on behalf of the user.  For instance, when a user plans a trip using one application and the user has allowed the trip planner the appropriate access to the user’s calendar, the trip planner could then add the trip automatically to the user’s calendar.  This is how Facebook applications are able to update a user’s status on their wall when the user performs an action within the Facebook application.

In a health care setting, the security of the authentication is very important. A site would not want to provide access to an account wherein the user provided an easily guessable username and password combination like ‘jsmith/jsmith1’. Everything in a health care FIM system will need to rely on Public Key Infrastructure (PKI). Users will need certificates to authenticate at their home organization. The credentials will need to have PKI-based digital signatures to be trusted amongst organizations. These credentials also will include information about how secure the user’s authentication method is, for example whether they used a username and password or provided a certificate.
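As an added illustration (not code from the newsletter or from MEDNET), here is a constructed relying-party check in Go that follows the mechanism the paragraph describes: the user's home organization signs a credential that records how the user authenticated, and the receiving service verifies the signature against a known issuer key, rejects expired or altered credentials, and refuses a password-only login where certificate-strength authentication is required. The issuer names, JSON field names and the two-level strength ranking are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Assertion is the constructed credential a user's home organization issues;
// AuthMethod records how the user proved identity there (an assumed field).
type Assertion struct {
	Issuer     string `json:"iss"`
	Subject    string `json:"sub"`
	AuthMethod string `json:"amr"` // "password" or "certificate"
	Expires    int64  `json:"exp"` // Unix seconds
}

// strength ranks the two authentication methods the article names.
var strength = map[string]int{"password": 1, "certificate": 2}

// Sign JSON-encodes the assertion and signs it with the issuer's private key:
// the PKI signature that partner organizations check before trusting it.
func Sign(a Assertion, key ed25519.PrivateKey) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(key, payload), nil
}

// Accept is the relying party's check: known issuer, intact signature, not
// expired, and an authentication method at least as strong as minMethod.
func Accept(payload, sig []byte, trusted map[string]ed25519.PublicKey,
	minMethod string, now int64) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return a, err
	}
	// An unknown issuer has no key to verify against; a forged or altered
	// payload fails verification even when the issuer is known.
	if pub, ok := trusted[a.Issuer]; !ok || !ed25519.Verify(pub, payload, sig) {
		return a, errors.New("untrusted issuer or invalid signature")
	}
	if now >= a.Expires {
		return a, errors.New("assertion expired")
	}
	if strength[a.AuthMethod] < strength[minMethod] {
		return a, errors.New("authentication method too weak for this data")
	}
	return a, nil
}
```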

Once a FIM system is in place, many applications can be enabled that were not possible previously. Users from an HIE in Florida can use information from the driver’s license of a patient injured while on vacation to look up the patient’s health record using a service in the patient’s home state. A general practitioner can schedule a patient at a specialist’s office when they make a referral, using the specialist’s scheduling service. A specialist can update a patient’s record at the patient’s general practitioner’s office while updating their own records. It is easy to imagine many things that could be accomplished automatically using a secure, standards-based approach to defining services and encapsulating the secure exchange of user credentials.

Thanks for reading this introduction to Federated Identity Management, why it’s growing and how it can be used in a health care setting.  Next month, the newsletter will feature an article describing how FIM works under the covers and why it can be trusted with patient data.

Cloud Computing and Security – Part II

Tuesday, September 15th, 2009

By Seonho Kim

In spite of the various promising features that make the forecast for cloud computing in healthcare “sunny”, security and patient privacy are the most obvious hurdles to overcome when adopting cloud computing broadly.

Since an individual’s protected health information (PHI) can be transmitted from one organization to another over the Internet, cloud computing based services are required to meet the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), especially the Privacy Rule and the Security Rule. These include, to name a few: 1) secure transmission of PHI over the Internet (encrypted data transmission), 2) fine-grained control of access to PHI to preserve privacy, 3) storing PHI securely (encrypted data store), and 4) ensuring that PHI is accessible only by trusted entities (strong identity vetting, role-based access control, security auditing).

Many cloud computing service vendors including Amazon.com are making great efforts to ensure their services (SaaS, PaaS, and IaaS) are HIPAA compliant. Readers might find this article by Amazon very interesting as well.

In our previous newsletters, we discussed security and privacy related issues in Health Information Exchanges (HIE), and public key infrastructure (PKI) based solutions to the 4A topics (Authorization, Authentication, Access Control and Auditing). Many solutions have adopted industry-proven technologies such as PKI to ensure data security and integrity by encrypting each and every message, and to ensure authenticity and non-repudiation of data by digitally signing each and every message. Utilizing a Federated Identity Management solution along with a role-based access control (RBAC) framework, private information and data can now be shared across wide area security domains.

I believe that more and more of the healthcare industry will move into the clouds, and many healthcare clouds will be interconnected to a bigger cloud through initiatives and technologies addressing interoperability (for example, the Nationwide Health Information Network, or NHIN). However, I also believe security and privacy on the cloud still need to be practiced very carefully, even with this strong security infrastructure. Security will always remain a hot topic for decision makers, and they need to clearly understand and know how to make the right choices on security and privacy policies. With strong security and privacy features, I believe the forecast for cloud computing in healthcare is very sunny.