Tugboat Captains - PowerPoint PPT Presentation


Slides: 49
Provided by: holt157
Learn more at: http://www.internet2.edu
Transcript and Presenter's Notes

Title: Tugboat Captains

Tugboat Captains, Clinicians: Both are in Harm's
  • Presented to
  • Internet2 Conference
  • Atlanta, GA - October 31, 2000
  • W. Holt Anderson, Executive Director
  • NC Healthcare Information and Communications
    Alliance, Inc. (NCHICA)

Structure of Presentation
  • Implementing a Vision
  • HealthKey
  • NC Projects
  • Federal PKI Bridge
  • The Tugboat Captain

Implementing a Vision
  • Paperless, person-centered health records by
  • Adopted by the following organizations in NC
  • Medical Society
  • Nurses Association
  • Hospital Assn.
  • Health Information Management Assn.
  • Assn. of Local Health Directors
  • Assn. of Pharmacists
  • Health Care Facilities Assn.
  • Assn. For Health Care Quality
  • Assn. For Hospice End of Life Care

Definition - Health Record
  • A virtual digital record of an individual's
    health information and all episodes of care
  • This record is maintained by multiple providers
    and shared when necessary for care of that
  • (as allowed by patient consent and/or law)
  • NOT a central master file of information

Enhancing the Quality of Care
  • Preventing medical mishaps related to drug
    interactions, handwriting, allergies,
    transmissible diseases, etc.
  • (Automated delivery of information)
  • Enhancing quality control through access to

Death by Handwriting
  • Texas cardiologist
  • Prescribed 20mg Isordil 4X / day
  • Pharmacist
  • Filled 20mg Plendil 4X / day (80mg / day)
  • Normally Plendil taken max 10mg / day
  • 42-year old patient died of heart attack
  • Jury found MD and Pharmacist responsible and
    awarded $450K to widow and three small children
  • USA Today 10-21-99

Controlling and Reducing Costs
  • Cost of paper records is said to be at least 25%
    of total health care costs.
  • Minimize space requirements
  • Reduce resources for filing, storage and
    retrieval of information
  • Improve access time
  • Less duplication

  • Health Insurance Portability and Accountability Act
    of 1996 (PL 104-191)
  • Administrative Simplification
  • Electronic Transactions and Codes
  • National Identifiers
  • Security and Electronic Signatures
  • Privacy
  • Generally expected to be implemented by end of
  • Civil Monetary and Criminal Penalties

Federal Mandate under HIPAA (in effect since
  • Section 1173(d)(2) of the Act stipulates that
    healthcare organizations (that maintain or
    transmit electronic patient information) shall
    maintain reasonable and appropriate
    administrative, technical, and physical
    safeguards to
  • Ensure the integrity and confidentiality of
    patient information
  • Protect against any reasonably anticipated
    threats or hazards to the security or integrity
    of the information
  • Protect against unauthorized uses or disclosures
    of the information
  • And, ensure the compliance of the officers and
    employees of the organization with this provision.

Proposed Privacy Regulation
  • Covers electronic information (and products of
    and contributors to electronic information)
  • Providers, Health Plans and Clearinghouses
  • Requires contracts with trading partners to
    assure continuity of privacy (also in Security
  • Permits sharing for care, claims, certain
    operations (QA, utilization review,
    credentialing) without patient consent
  • Limited sharing for national priority
  • Requires written fair information practices

Penalties for Non-Compliance
  • Violation of transaction or security standards
  • Not more than $100 per violation, maximum of
  • No aggregate maximum
  • Wrongful disclosures (privacy)
  • Not more than $50,000 per violation
  • Imprisonment for not more than one year

Penalties for Non-Compliance (cont)
  • False Pretenses (privacy)
  • Not more than $100,000 per violation
  • Imprisonment not more than five years
  • Intent to sell, transfer, or use (privacy)
  • Not more than $250,000 per violation
  • Imprisonment for not more than ten years

Scope of Compliance
  • More than just technology
  • Policies
  • Operational Procedures
  • Physical Security
  • Business Partner Agreements
  • Personnel
  • Management Supervision
  • Training

Security Standard
  • Defined
  • Set of requirements with implementation features
    that providers, health plans, and clearinghouses
    must include in their operations to assure that
    individual health information remains secure.
  • Scalable: applies to all size organizations;
    larger organizations may be held to a higher

Security Requirements by Category
  • Certification; Chain of Trust Agreements;
    Contingency Plan; Formal Mechanisms Records;
    Info Access Control; Internal Audit; Personnel
    Security; Security Configuration; Security
    Incident Procedures; Security Mgmt. Process;
    Termination Procedures; Training
  • Physical Safeguards: Assigned Security
    Responsibility; Media Controls; Physical Access
    Controls; Policy - Workstation Use; Secure
    Workstation Location; Security Awareness Training
  • Technical Security Mechanisms:
    Communications/Network Controls; Integrity
    Controls; Message Authentication
  • Implementation Features Under Each Requirement

Technical Security Mechanisms
  • Objective: Ensure processes are in place to guard
    against unauthorized access to data that is
    transmitted over a communications network
    (intercept and interpret), and to protect systems
    from external access.

Communications--Open Network
  • Where the network is open (e.g., shared data
    line, Internet, switched WAN), then the following
    must be in place
  • Alarm (sense abnormal conditions)
  • Audit Trail
  • Entity Authentication
  • Event Reporting
  • Encryption is stated as "should be employed"

If You Use Electronic Signatures
  • Must have
  • message integrity
  • non-repudiation
  • user authentication
  • May have
  • ability to add attributes
  • continuity of signature capability
  • countersignature capability
  • independent verifiability
  • interoperability
  • multiple signatures
  • transportability

HealthKey Secure E-Health Solutions
A Program funded by The Robert Wood Johnson

HealthKey Origins
  • Funded by $2.5 million Robert Wood Johnson
    Foundation grant - Fall 1999
  • Collaboration to advance the development of
    health information infrastructure
  • Market-driven, community-based approach
  • Coordinated pilot efforts in 5 states

HealthKey Participants
  • Massachusetts Health Data Consortium (MHDC)
  • Minnesota Health Data Institute (MHDI)
  • North Carolina Healthcare Information and
    Communications Alliance (NCHICA)
  • Utah Health Information Network (UHIN)
  • Community Health Information Technology Alliance
    (CHITA) -- WA

HealthKey Strategy
  • Identify interoperable, standards-based solutions
    to real business problems
  • Showcase pilot participants as leaders in
    testing evolving health information
  • Identify approaches to achieve HIPAA compliance

$64,000 Question
  • Is PKI a valid infrastructure for the
    health industry?
  • If so, what is the likely architectural model?

MN and NC to pilot Bridge CA
  • Developed by Mitretek for the Federal Dept of
  • Allows validation of digital certificates from
    multiple CAs
  • Aggressive timeframe - demo by Spring 2000
  • Additional states/projects can tie in after pilot

  • NCHICA PKI Projects
  • Remote access to immunization registry
  • Shared access to clinical info for Medicaid
    high-maintenance patients
  • Remote primary care provider access to
    neonatal/perinatal patient info
  • Remote primary care provider access to patient
    info for children with special needs
  • Access to emergency dept. database
  • Possible pharmacy application

  • MHDI PKI Projects
  • Access to Immunization data
  • Transmit newborn screening results from MN Dept
    of Health
  • Provide secure access to Central Query Service
    for eligibility inquiries
  • Other States
  • Additional projects underway

Provider Access to Immunization Registry Securely
What is PAiRS?
  • Combines immunization records from both public
    and private sources in a common database
  • Widely accessible, inexpensive and secure inquiry
    only access to immunization records via the
  • Reliably identifies relevant records for an
    individual in the absence of a unique identifier

Current Project Status
  • Approximately 1.5 million children (0-18) and an
    associated 12 million vaccine doses
  • 28 pilot sites, 172 users
  • Over $1 million in in-kind contributions

Challenges to Successful Implementation of PAiRS
  • Initiation of use
  • Recognition of PAiRS value
  • Accessibility of computers
  • Computer skills of nurses and physicians
  • Busy practices with established service delivery
  • Security Interoperability

Where do we go from here?
  • PAiRS participation expansion
  • PKI for user authentication and security
  • Regional PAiRS project - demonstration project to
    facilitate inter-state exchange of immunization

NCEDD Project Description
  • 3 goals (putting down a railroad track)
  • select a standard data format (DEEDS)
  • demonstrate secure data exchange
  • statewide ED database for injury surveillance,
    EMS outcomes, best practice (NCEDD)

Use of NCEDD Data
  • Public Health Surveillance
  • Disasters, bioterrorism, reportable conditions
  • Research using hospital discharge dataset
  • Injury surveillance, Trends/impact of new
    facilities, HMO penetration, substance abuse
  • Linkages- outcomes, episode of care
  • EMS
  • Trauma Registry
  • Hospital Database
  • Aggregate format
  • Oversight Committee of participating hospitals

NCEDD Security
Security/Access Concerns
  • Confidential data over Internet
  • Patient
  • Facility
  • Provider
  • Authentication of users - multiple organizations
  • Public health staff - SCHS, Epidemiology
  • STEER staff - Chapel Hill, Wilmington
  • Participant hospitals ?

Federal PKI Approach (with thanks to Richard A.
Guida, Chair, Federal PKI Steering Committee)
  • Establish Federal PKI Policy Authority
  • Develop/deploy Bridge CA using COTS
  • Four levels of assurance (emulate Canada)
  • Prototype early 2000, production mid 2000
  • Deal with directory issues in parallel
  • Border directory concept White Pages
  • Use ACES (Access Certs for Electronic Services)
    for public transactions

FBCA Overview
  • Non-hierarchical hub for interagency
  • Ability to map levels of assurance in disparate
    certificate policies
  • Ultimate bridge to CAs external to Federal
  • Directory contains only FBCA-issued certificates

FBCA PKI Architecture
US Federal
Potential Architectures
  • Multiple CAs within membrane, with single signing
  • Single CA
  • Multiple CAs within membrane, cross-certified
    among themselves

Multiple CAs, Cross-certified
  • In essence, the quark model
  • Certificate path length may be 1
  • Adding CAs within membrane should be
    straightforward albeit not necessarily easy
  • Requires solving inter-product interoperability
    issues within membrane rather than outside -
    which is good

Current Status
  • Decision: cross-certified CAs within membrane
  • Multiple vendor products: initially Entrust and
    GTE for prototype FBCA
  • Migration from prototype to production FBCA will
    entail adding other CAs inside the membrane
  • GSA/FTS has responsibility to execute

PKI Use and Implementation Issues
  • Misunderstanding what it can and can't do
  • Requiring legacy fixes to implement
  • Waiting for standards to stabilize
  • High cost - a yellow herring
  • Interoperability woes - a red herring
  • Legal trepidation - the brightest red herring

The Tugboat Captain
  • TJ Hooper v. Northern Barge Company 60 F.2d 737
    (2d Cir. 1932)
  • Long Island Sound - storm comes up and tug loses
  • Plaintiff was barge owner
  • Plaintiff found negligent because Captain had no
    weather radio
  • Rationale: to avoid negligence, keep up with
    technological innovations - they set the standard
    of care in the industry

The price of good navigation is eternal vigilance
  • W. Holt Anderson, Executive Director
  • NC Healthcare Information and Communications
    Alliance, Inc. www.nchica.org

Thank you!
  • www.nchica.org