Interagency Advisory Board Meeting Agenda, Wednesday, December 5, 2012

Transcription

1 Interagency Advisory Board Meeting Agenda, Wednesday, December 5, Opening Remarks 2. The State Identity Credential and Access Management Guidance and Roadmap (SICAM) (Chad Grant, NASCIO) 3. PIV and PIV-I Use in Health IT Relying Party Systems (Mike Magrath, Gemalto) 4. Briefing on Draft NIST SP , Guidelines on Hardware-Rooted Security in Mobile Devices (Andy Regenscheid, NIST) 5. Cloud-Sourcing Public Key Enablement (Steve Howard, Certipath) 6. Closing Remarks

2 PIV-I in the U.S. Healthcare Market Michael Magrath, CSCIP Director, Business Development - Government & Healthcare Gemalto Chair Smart Card Alliance s Healthcare Council IAB Meeting December 5, 2012

3 Gemalto The Leader in Digital Security It is most likely you have one or more of our products in your possession right now!!!! The SIM card in your mobile phone The bank cards in your wallet or purse (Mag stripe or chip based) Your US Passport If you are a federal employee your CAC or PIV card 30

4 Agenda Identity Initiatives Impacting Healthcare egov NwHIN myhealthevet ssa.gov mymedicare.gov NSTIC Identity Mgt & Authentication PHRs FRAC Electronic Prescriptions Fraud Waste & Abuse 31

5 Key points! The US healthcare market is quite fragmented.! It is very inefficient and is riddled with fraud estimated at over $100 billion annually.! Large investment in migration from paper records to electronic records! Migration from handwritten prescriptions to electronic! The federal government remains technology neutral and is determined to let the market decide when it comes to technological solutions. The government is leery of moving forward with a specific technology only to have it obsolete in a matter of years. 12/10/12 32

6 The Highway for Health Information Exchange NwHIN is a Network of Networks Each network can include multiple organizations and partners with different roles and authorities Data exchange can include more than one exchange intermediary NwHIN data exchange may be between organizations in a region or between different regions or states Trust in Question 33

7 HHS Advisory Committees formed via ARRA 2009! Health IT Policy Committee will make recommendations to the National Coordinator for Health IT on a policy framework for the development and adoption of a nationwide health information infrastructure, including standards for the exchange of patient medical information.! Health IT Standards Committee is charged with making recommendations to the National Coordinator for Health IT on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information. 34

8 Meaningful Use The HITECH portion of the American Recovery and Reinvestment Act (ARRA) of 2009 specifically mandated that incentives should be given to Medicare and Medicaid providers not for EHR adoption but for meaningful use of EHRs.! Stage 1 Effective Jan. 2012! Stage 2 Effective Jan 2014! Stage 3 RFC issued by HIT Policy Committee due 1/14/13 HITPC recommended that EHRs should be able to accept two factor (or higher) authentication for provider users to remotely access protected health information (PHI). NIST LoA 3 is being recommended. No mention of LoA 4 thus far 35

9 DEA s Interim Final Rule for eprescribing controlled substances! Published in The Federal Register, March 31, 2010 Two of three factors must be used: a biometric, a knowledge factor (e.g., password), or a hard token The rule does not require the use of a specific form of biometric technology. DEA is establishing standards for biometric systems in conjunction with NIST. DEA has revised this rule to allow the use of a hard token that is separate from the computer being accessed and that meets FIPS Security Level 1 security or higher. Proximity cards that are smart cards with cryptographic modules could serve as hard tokens. DEA believes that NIST Assurance Level 3 as described will meet its security concerns. 36

10 NSTIC s Identity Ecosystem! Carving niche for high assurance credentials! Healthcare Committee formed! Advocating for NIST LoA 3 and LoA 4 credentials in ecosystem! No grant pilots included smart card technology! PIV / PIV-I in mobile devices will help in future 12/10/12Jan 27,

11 First Responder Authentication Credential! 800,000 doctors! 3 million nurses! 210,000 EMTs! A multipurpose electronic identity credential 38

12 Patient Identity Assurance Reducing Fraud & Medical Identity Theft Identity of Patients in Cyberspace Hearing for the HIT Privacy & Security Tiger Team and Privacy & Security Workgroup, 11/29/12 39

13 Medicare, Medicaid & CHIP

14 A Relying Party "We want to be a relying party. We don't want to be a credential provider for the government. Federated identity management is the end goal, "where we can accept the level 3 credential, or a level 4 credential, or even a level 2 credential from whoever, federate that and utilize it so a provider will not have to get multiple credentials," - Tony Trenkle, CMS CIO, 10/18/2012! CMS is working closely with the NSTIC NPO and HHS! CMS provides 4 million national provider IDs for the various entities that do business with CMS, he said. It also has 175 applications currently using seven different access management systems. And with the forthcoming health insurance exchange,! CMS could eventually be handling access and credentials for 30 to 50 million users 41

15 Beneficiaries under Centers of Medicare & Medicaid Services! 91 Million Beneficiaries (Medicare, Medicaid, CHIP) (FY 2010). Medicare = 48 M Medicaid = 35 M Children's Health Insurance Program (CHIP) = 8 M! 240,000 beneficiaries are added every month! ACA will add 30 million more individuals to Medicaid bringing the number close to 121M.! About half the 30 million people gaining coverage under the ACA would do so through Medicaid. Most of the new beneficiaries would be childless adults 2.7 million would be parents with children at home. The federal government would pay the full cost of the first three years of the expansion, gradually phasing down to a 90 percent share. 12/10/12 42

16 Medicare Common Access Card Act of 2011 Bipartisan legislation (S & H.R 2925) Would establish a pilot program to develop a secure Medicare card using smart card technology to protect seniors personal information, prevent fraud and speed payment to doctors and hospitals. Removes SSN from front of card and stores in on the chip allowing CMS to continue using the SSN as the claim number AARP, 60 Plus, American College of Physician Executives. American Academy of Orthopedic Surgeons endorse legislation. Funded by transferring funds from the Medicare Improvement Fund (MIF) which makes funds available to HHS for the purpose of making improvements under the Medicare Parts A & B programs including program integrity improvements. 43

17 Medicare Common Access Card Act of 2011 PIN 44

18 Medicare CAC - Current Status! At request for Senator Kirk, the Smart Card Alliance commissioned a 3 rd party to audit the industry s estimated cost for the program! Co-signers in the House and Senate.! June Members of the Senate Finance Committee solicited ideas from interested stakeholders in the health care community regarding effective solutions to improve federal efforts to combat waste, fraud, and abuse in the Medicare and Medicaid programs.! Nov 15 - Frank Abangale, world renown document security and fraud prevention expert as well as the subject of the movie Catch Me If You Can, based on his earlier life as a professional forger testified before a Senate Committee on Aging hearing entitled America s Invisible Epidemic: Preventing Elder Financial Abuse. In advising Congress on how to best protect seniors against identity theft and fraud, Abangale strongly urged Congress to create an upgraded Medicare smart card as described in The Medicare Common Access Card (CAC) Act, S.1551.! Nov 28 The House Energy and Commerce Subcommittee on Health held hearing on Medicare Fraud Waste and Abuse. Medicare CAC was discussed. On behalf of the Secure ID Coalition, Gemalto s Neville Pattinson testified.! 113 th Congress begins January. New bills to be introduced. 12/10/12 45

19 Identity Initiatives Impacting Healthcare NwHIN egov myhealthevet ssa.gov mymedicare.gov NSTIC PHRs (CIV) FRAC Electronic Prescriptions Fraud Waste & Abuse 46

20 Utopia - Healthcare Identity Management PIV PIV-I Commercial Identity Verification (CIV) 47

21 Benefits of Smart Cards to Improve Provider and Payer processes! Quickly and accurately identifying patients, reducing medical identity theft and improving quality of care.! Streamlining patient registration and patient information access at any points of care, reducing routine paperwork and eliminating errors.! Supporting audit logging and remote access accountability.! Enabling secure access to healthcare websites.! Storing all necessary applications and information on the card, enabling offline access to critical healthcare information using portable readers.! Additional information on the use of smart cards for healthcare applications can be found on the Smart Card Alliance web site, 48

22 Smart Card Centered Healthcare

23 Thank You Michael Magrath Director, Business Development 4401 Wilson Blvd., Suite 210 Arlington, VA Office: Cell: &