The two major agenda items of the November HIT Standards Committee were the lessons learned from the Implementation Workgroup activities and security testimony from multiple industry experts in four panels - Stability/Reliability, Cybersecurity, Data Theft/Loss/Misuse, and Building Trust.
We began the day with an overview of the 10 major themes from the Implementation Workgroup testimony. We discussed the ways in which these themes could inform our future work in the upcoming months as we review comments on the interim final rule, consider incremental improvements to the standards supporting meaningful use in 2013/2015, and we consider tools/technologies/education to enhance adoption.
Specific action items include:
*Work hard on vocabularies and try to get them open sourced for the entire community of stakeholders.
*Consider adding a simple REST-based transport method for point to point exchanges between organizations. We already have recommended SOAP (as constrained by HITSP Service Collaborations) and REST as approaches to transport. At present there is no specific guidance as to how REST shoud be used from a policy or technology standpoint.
*Work jointly with the HIT Policy Committee to establish a privacy framework that enables us to constrain the number of security standards.
*As we continue our work, try to use the simplest, fewest standards to meet the need.
*Continue to gather feedback on the 2011 exchanges (ePrescribing, Lab, Quality, Administrative) to determine if there are opportunities to enhance testing platforms and implementation guidance that will accelerate adoption.
Interestingly, several people approached me at the meeting to discuss rumors that the HIT Standards Committee would significantly change the existing 2011 recommendations based on the Implementation Workgroup activities. The purpose of the Implementation Workgroup was to gather feedback, create a set of guiding principles, and ensure we have the best process going forward to ensure the most appropriate standards are chosen. The Implementation Workgroup activities including the blogs, the testimony and hours of discussion have raised awareness of all committee members that will support our future decision making, not revision of the work of the past.
The security testimony was extremely valuable. Here are some of the "Gold Star" ideas
* Many existing clinical products do not provide the functionality needed to support security best practices
* Systems with FDA 501k certifications are often managed by vendors and lack updated operating systems and anti-virus software
* The least important systems are often those which are compromised and provide hackers access to more important systems.
*Security is journey and many healthcare organizations are not well resourced to implement security best practices.
*Security awareness among providers is low.
*We should focus on "Evidence-based security policies and practices". Per the testimony, some dogma in security is not supported by evidence i.e.
- Passwords longer than about 5 characters do not reduce risk in any meaningful way
- Encryption of data at rest in databases and other large systems in data centers typically provide little additional security protection
*Portable devices/Wireless are a major vulnerability
*Audit logs from vendor systems may be insufficient to detect misuse of data
*Role-based security is important. Roles vary in institutions, so it will be challenging to create a one size fits all standard.
*Security should be layered to create an in depth defense
*Data integrity is important to protect patient safety (ensure the record is accurate)
*We need baseline policies and standards for Authorization, Authentication (including identity proofing), Access Control, Audit
A great meeting. I look forward to our next steps - reviewing the interim final rule in mid December based on all the testimony and learning we've had to date.