© 2010 Anakam® Inc. 2
Why is Health Information Technology Critical?
Avoidance of medical errors. Up to 98,000 avoidable annual hospital deaths due to medical errors.
Avoidance of healthcare waste. Up to $300B spent annually on treatments with no health yield. We spend 2X per capita as any other industrialized nation. We rank last in population health status.
Acceleration of health knowledge diffusion. Average of 17 years for medical evidence to be integrated into practice.
Reduction of variability in healthcare delivery and access. Access to specialty care is highly dependent on geography.
Why is Health Information Technology Critical?
Promotion of public health and preparedness. Surveillance is fragmented and untimely.
Empowerment of consumer involvement in health management. Patients are currently minimally involved in their own health decisions.
Strengthening of health data privacy and protection. Public fear of identity theft and loss of privacy.
Healthcare Reform cannot do these things without HIT. Paper records cannot solve these problems!
Evolution of Healthcare Paradigm (diagram series, slides 5 to 13; only the figure labels survive)
Exam Room: Patient and Clinician.
Paper Records replaced by an Electronic Health Record System.
Clinical Decision Support System added to the EHR.
Secure HIE Network connecting the exam room to External Electronic Data Sources (Labs, Pharmacies).
AHRQ Best Practice Rules feeding the Clinical Decision Support System.
Public Health.
Quality Reports to Clinicians, Payers, and Public.
Complete the Feedback Loop.
ID ? ID ? (identity question marks added to the final diagram)
Future for Healthcare
Goal: High quality, cost-effective healthcare.
Means: Clinician/Patient interaction with Clinical Decision Support System (CDSS).
Requires: EHR (with CDSS and HIE) and:
o Interoperability with sources of clinical data and sources of computable rules for best clinical practices.
o Incentives to incorporate into healthcare practice.
o Investigations of systemic failures to allow building systems that detect and prevent errors through feedback at the point of decision making.
o Trust through agreement on standards for interoperable security and privacy (including patient consent).
HIE is the Backbone of Reform
Standardized, encoded, interoperable, electronic, clinical HIE saves money*: Net Benefits to Stakeholders of $78B/yr.
o Providers - $34B
o Payers - $22B
o Labs - $13B
o Radiology Centers - $8B
o Pharmacies - $1B
Reduces administrative burden of manual exchange. Decreases unnecessary duplicative tests.
HIE + EHR + CDSS => SAVES LIVES and $! e.g., Kaiser, Geisinger, VA, …
Interoperable HIE is KEY to Meaningful Use of HIT which, in turn, is KEY to health reform!
*Center for Information Technology Leadership, 2004
Trust is the Ligament that Holds It All Together
Loss of perceived control of PHI. Provider not in charge.
Access to large amounts of PHI accumulated by HIE. Increased risk.
Providers must trust the HIE system. Lack of trust = no information exchange.
Patients must trust the HIE system. Lack of trust = no permission to disclose health records.
HIE will fail without access to PHI.
Trust depends on believable privacy and security mechanisms and a clean track record …
Large-Scale, Cost-Effective, Authentication and Identity Management Solutions
Believable Security Requires Identity Assurance
High level of assurance that the person who is sending information is who they say they are. Message non-repudiation.
High level of assurance that the person who is receiving information is who we think they are. Including mechanisms to prevent information from being changed or viewed by anyone else.
High level of assurance that the patient identified in the information is who we think they are. Patient identification accuracy.
These mechanisms are dependent on high assurance identity proofing and multi-factor authentication. NIST defines requirements for high assurance at Level 3.
Identity of Patient
No national standard for how to uniquely identify patients.
Merge records from multiple locations. Matching probability is not 100%.
In-person identity proofing is impractical.
o VA currently requires it for MyHealthyVet.gov.
o Providers don’t want the job.
Electronic access to medical records. Internet access to a patient portal is a requirement of “meaningful use” to fulfill the consumer engagement goal.
Electronic recording of consent directives.
Fraud prevention in public programs, e.g., Medicare and Medicaid.
Identity of Provider
Remote access to patient information (HIPAA)
o Access from home
o Access from wireless devices
o Access from patient home
Access to government held PII
o OMB, FISMA, NIST
Submission of quality information
o Pay for performance programs
o Meaningful Use incentive programs (CMS)
Electronic prescribing
DEA IFR for Controlled eRx
Only a DEA registrant may sign the prescription.
To sign, the registrant must complete a two-factor authentication protocol that meets the requirements of NIST Assurance Level 3 and uses two of the following three factors:
1) Something only the practitioner knows, such as a password or response to a challenge question.
2) Something the practitioner is, biometric data such as a fingerprint or iris scan.
3) Something the practitioner has, a device separate from the computer to which the practitioner is gaining access.
To obtain an authentication credential the registrant must pass identity proofing that meets the requirements of NIST Assurance Level 3.
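A Python model of the two-of-three rule above, added here as an example (it is not code from the presentation or from Anakam): the check rejects two credentials drawn from the same category, and an out-of-band one-time passcode, of the kind the deck describes later, stands in for the “something the practitioner has” factor. The six-digit code, 300-second lifetime and three-attempt limit are assumed values, not requirements of the DEA rule.

```python
# Added example (not from the presentation or Anakam): the DEA IFR two-of-three factor
# rule for signing a controlled-substance eRx, with an out-of-band one-time passcode as
# the HAS factor. Assumed, not from the rule: 6-digit code, 300 s lifetime, 3 attempts.
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    KNOWS = "something the practitioner knows"  # password, challenge-question response
    IS = "something the practitioner is"        # fingerprint, iris scan
    HAS = "something the practitioner has"      # device separate from the computer

@dataclass
class Presented:
    factor: Factor
    verified: bool

def meets_two_of_three(presented: list[Presented]) -> bool:
    """Two verified factors from two *different* categories: a password plus a
    security question is two credentials but one category (KNOWS) and fails."""
    return len({p.factor for p in presented if p.verified}) >= 2

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

@dataclass
class OtpChallenge:
    code: str          # delivered out of band; short-lived and single-use
    issued_at: float
    attempts: int = 0
    spent: bool = False

def issue_otp(now: float) -> OtpChallenge:
    return OtpChallenge(f"{secrets.randbelow(10**6):06d}", now)

def verify_otp(ch: OtpChallenge, submitted: str, now: float) -> bool:
    """Constant-time compare; expired, spent or over-tried challenges always fail."""
    if ch.spent or ch.attempts >= MAX_ATTEMPTS or now - ch.issued_at > OTP_TTL_SECONDS:
        return False
    ch.attempts += 1
    if hmac.compare_digest(ch.code.encode(), submitted.encode()):
        ch.spent = True  # one passcode signs exactly one transaction
        return True
    return False

def may_sign(password_ok: bool, otp_ok: bool) -> bool:
    """Password (KNOWS) plus out-of-band passcode (HAS): a valid DEA pairing."""
    return meets_two_of_three([Presented(Factor.KNOWS, password_ok),
                               Presented(Factor.HAS, otp_ok)])
```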
Identity Issues
Health information is now a target for identity theft.
HIPAA requires security to be a dynamic program responding constantly to new risks.
Risk of breach increases as the amount of information increases.
o HIE aggregates data and risk from many sources.
Single factor authentication is inadequate for remote access to information under federal regulations: Two factor authentication (TFA) is now a requirement under CMS guidance and OMB Memoranda.
o FISMA requirement for all federal information systems.
TFA required for electronic prescribing of controlled substances.
o DEA regulation effective June 1, 2010.
CMS requiring TFA for submission of quality data.
Some HIEs are also adopting strong authentication.
o California and New York policies document a TFA requirement for remote access.
HITECH Addresses Trust
Secretary shall annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the HIPAA security standards.
New federal security breach notification requirements for covered entities, business associates and personal health record providers.
New privacy and security requirements for business associates.
New restrictions on sale of electronic health information and use of health information for marketing and fundraising.
New individual rights to restrict disclosure of health information to health plans and to obtain an accounting of disclosures of health information in electronic health records.
Increased penalties for privacy and security violations.
Improved Enforcement
HIPAA Civil and Criminal Penalties shall apply to a business associate in the same manner as they apply to a covered entity.
Secretary shall formally investigate if a preliminary investigation indicates violation is due to willful neglect.
Tiered penalties increase up to $50,000 (maximum $1,500,000).
An individual who is harmed by an offense may receive a percentage of any civil monetary penalty or monetary settlement.
The Secretary shall provide for periodic audits to ensure that covered entities and business associates comply with requirements.
A State attorney general may bring a civil action in a district court to enjoin further violation or to obtain damages.
Connecticut Attorney General filed a lawsuit 1/13/2010 charging a health plan with violations of the HIPAA privacy and security rules.
Extending Trust under HITECH
New entities are Business Associates:
o Health Information Exchange.
o Regional Health Information Organization.
o ePrescribing Gateway.
o Vendor of personal health record that contracts with a covered entity to allow that covered entity to offer a PHR to patients as part of its EHR.
Implementing NPRM to be published 7/14/2010: “Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act”
It’s Only Logical …
1. Health Reform Expectations Depend on Meaningful Use of HIT
2. Meaningful Use Depends on Functional HIE
3. Functional HIE Depends on Trust in the System
4. Trust Depends on Believable, Consistent and Well Implemented Security Practices
5. Believable Security Depends on High Assurance of Electronic Identities for Patients and Providers
Everything in the Chain of Dependencies Must Work!
Strong Identity Management with Anakam Identity Suite®
Identity Management Lifecycle: Registration, ID Proofing, Credentialing, Authentication, Authorization, Change Management.
Diagram labels: Public Records, Enterprise Records, Electronic Health Records Management, Online Financial Transactions, eCommerce, eGovernment.
Anakam.TFA® Two-Factor Authentication Platform
The most comprehensive range of security vectors in the marketplace
Out-of-Band Challenges
One-time Passcode Text (SMS) to Existing Mobile Phone: existing device in wide use (no Tokens, Fobs or Smartcards).
Synthesized Voice (IVR) Passcode Delivered to Cell Phone or Landline: ubiquitous hardware used for out-of-band challenge to increase security.
Voice Biometric Retrieval of One-time Passcode: true Two-Factor Authentication confirms user’s identity.
Passcode sent to End-User’s Primary Email Account: Verification Link designed to combat Man-in-the-Middle attack scenarios.
IP Geolocation pinpoints location where end-user is logging in: login attempts from high-risk locations can be set up to trigger automatic challenges.
PhishAvert™ Secret Phrase and Security Questions: user verifies site to combat Phishing while random questions verify user identity.
Device ID placed on personal computer helps to confirm user identity.
Enabling Device Authentication combined with unique User ID for flexible access enforcement.
Enable authentication enforcement based on predefined time or frequency of log in.
Provide different authentication parameters for multiple users sharing the same computer system.
Questions?
William R. “Bill” Braithwaite, MD, PhD, FACMI Chief Medical Officer
Anakam Inc.