April 21, 2011
Attendees (phone and in-person):
- Ira Thompson, Infinite Systems Support
- Dr. Arnold Widen, Office of the Attorney General
- Vince Keenan, Illinois Academy of Family Physicians
- Jay McCutcheon, Lincoln Land HIE (LLHIE)
- David Nicol, Information Trust Institute – University of Illinois
- Mary Ring, Illinois Critical Access Hospital Network
- Crystal VanDeventer, LLHIE
- Mark Chudzinski, Office of Health Information Technology (OHIT)
- Ivan Handler, OHIT
- Krysta Heaney, OHIT
Introductions: Chairman Ira Thompson opened the meeting at 2 p.m. The meeting was hosted by OHIT at the James R. Thompson Center, with a telephone conference call-in number provided for participants unable to attend in person. Roll call was taken.
Minutes Review: No changes noted; the minutes from March 24, 2011, were unanimously approved.
ILHIE Update: Mark Chudzinski presented a draft ILHIE privacy and security compliance strategy to the Work Group (presentation distributed to Work Group members prior to the meeting). The pillars of the strategy consist of securing provider and patient trust in the ILHIE. An overview of the following was provided:
- Provider confidence in the availability of a complete and reliable data environment
- Public confidence that protected health information (PHI) is adequately secured and protected from unauthorized disclosure or use
- Implementation of HIE system design and rules for data privacy and security at the point of care, at the point(s) of access and use, and the point(s) of storage and transmission
- Privacy and security rules investigation and enforcement
- Privacy and security standards and rules for ILHIE system participants
- Stakeholder buy-in and participation
- Control objectives for assessment and application audits
Ivan Handler raised two concepts concerning access and authentication: 1) 'transitive' security, and 2) real-time monitoring. Transitive security refers to the creation and application, for example through the use of security tokens, of standardized rules for consent across all HIEs within Illinois. Real-time monitoring may include the development and implementation of standardized audit trails and procedures to maintain and regularly review records of ILHIE system activity and use.
To increase security for the ILHIE, the Authority will need to move beyond penetration testing to implementation of real-time or near-real-time monitoring.
Several Work Group members raised questions regarding the implementation and applicability of the various security procedures discussed.
Ira Thompson asked how interoperability and the verification of tokens would be achieved across states and HIEs. Ivan Handler explained that Illinois will engage in conversations with neighbor states to discuss interoperability of security standards.
David Nicol asked whether the ILHIE audit functions would require systems to run specified audit processes and/or allow for external audits/auditors to access their system. Ivan Handler clarified that the ILHIE will be responsible for executing audits.
Jay McCutcheon proposed that the Work Group develop use cases for the various HIE audit functions discussed, suggesting this would provide clarity for HIE implementers. Ivan Handler suggested determining a minimum set of standards to be applied globally and that the Work Group could work on creating use cases around consent management and flesh out several scenarios for implementation.
Jay McCutcheon asked at what level the forensic audits would occur and with what frequency. Ira Thompson explained that the audits will need to be maintained over time to ensure maintained security.
Audit Sub-Committee Update: Ira Thompson summarized the recent Audit Sub-Committee recommendations for compliance with the HIPAA audit control standard – 164.312(b). The summary recommendations will be distributed to the Work Group following the meeting. Ira Thompson also stressed the importance of encouraging vendors to incorporate specific audit functions available within their software solutions.
Jay McCutcheon recommended that the Work Group closely monitor the activities of the Privacy and Security Work Group of the Office of the National Coordinator's Health Information Technology Standards Committee. Mark Chudzinski said that OHIT continues to make progress regarding privacy and security and continues to align with what it anticipates will be the guidance provided at the federal level. Mark Chudzinski also recommended ongoing communications with representatives from the Strategic Health IT Advanced Research Projects (SHARP) Program at the University of Illinois.
Next Steps: The next meeting of the ILHIE Privacy & Security Work Group was scheduled for May 19, 2011, at 2 p.m.
Meeting Adjourned: 2:45 p.m.