HIMSIG20082208
Liberty Alliance Project
SIG Health Identity Management
August 22, 2008
11:00am-12:00pm EDT
Conference Call
Meeting Notes
Authors: Kurt Kolok
Attendance:
Pete Palmer, Wells Fargo
Dave Weitzel, Mitre
Rick Moore, eHealth Ohio
Greg???
Brett McDowell, Liberty Staff
Eric Tiffany, Liberty Staff
Kurt Kolok, Liberty Staff
Agenda:
Discussion of the HITSP collaboration with Rick Moore, President of eHealth Ohio speaking on the call.
There are 2 main paths: the current work that HITSP was given (emergency response scenario) and a couple of new constructs. There are eight different constructs being considered (directory structure). We have been focusing on international structure (specific schema geared to patients and healthcare professionals). Tier 2 ranking came out as the preferred standard (in white papers) and T64 (identity communications recipient service). There is a nice process to define the structures when we do end up not knowing all of the details for the decision process. Comment periods will allow us to arrive at standards we can all work with. The other path is to avoid or minimize the risk for Aetna and federated networks they are looking at.
Security Privacy and Infrastructure Committee did an analysis on the importance of security schemas (C19 and T20). The technical committee might begin discussing assurance levels again. They have a series of webinars to inform the healthcare community regarding what HITSP is doing. They held a security and privacy infrastructure technical committee call with high-level constructs, etc. ANSI, HIMSS and other individual organizations came together to start up HITSP when they won the contract from ONC. The webinar was very good; Rick sent an email listing the details for these events.
The HIMSS group meets on the third Thursday of every month (topics range from general outreach to business meetings with just the HIMSS RHIO chapter).
Are the IHE white pages in T64 associated with XUA? No…it is a branching off of LDAP and part of the structure they need for XUA. The standards they were referencing have become clearer.
Are vendors going to implement these things? Currently we do not see the vendor representation. Within IHE there are a number of vendors working on becoming compliant. If there is a major question that cannot be answered then the group will attempt to find experts to help resolve the questions.
Are HL7 members in the loop with what we are doing in LAP? How do we get HL7 involved?
Action: Rick and Pete will speak with John Murke to find out where things are and align the different organizations (HL7 and LAP).
HL7 considers it a policy situation to set assurance levels, and they believe they should set standards for technology. Mark Cordera from Aetna will help bring the scenario forward to AHIC. Making a level of assurance of 3 necessary is not something they have agreed upon. We could have a list from LAP soon of valuable documents to assist with this conversation.
The published LAP documentation addresses the requirements of IDP, what RPs need to do, etc. The accreditation program is behind schedule but we now have committed resources and it should be done by the end of the year. That will allow us to run a program to allow us to run assessors. We will have a compliance program online to prove interoperability. We hope to have at least one major auditor approved by end of the year. We are working on mapping with GSA to make sure IAF meets their needs.
Through X.EAA we have a specific agreement on how we are going to work with ITU (International Telecommunication Union). They are going to push through LAP work as their own and will be co-published. ISO has joint working group with ITU. It will be a LAP, ITU and ISO standard when it is done. They justified the creation of X.EAA by recognizing the gaps.
LAP will be coming out with a list of examples in IAF. There are abstracts in IAF and they each have examples from different industries. Each use case would recommend a specific level of assurance. For example, in the case of first responders: map X in an ambulance identifies a hurricane perimeter and the abstract would walk through the case in which they would need an assurance level 3. We could also identify what other groups/organizations have identified required levels of assurance for particular industry-specific use cases (guidelines).
Action: Pete will work to put together a working group to look at the above (levels of assurance in different orgs for different use cases).
Is there anything from actual federal agencies? Yes. GSA members have that information.
Have they had any further demonstration projects since Chicago? Yes, on the West Coast US.
Deliverable: tie assurance to framework and provide examples that will feed that and credentials that will be issued under those programs. Richard Trefora is leading the Read-Me document work.
Eric: GSA is working on eAuthn profile. When you initiate an SSO in responding you can indicate the sort of authentication that was done. There has been confusion re: authentication context.
Update on IAEG (Identity Assurance Expert Group)—Pete Palmer
This topic will be addressed on a future call.
We will have an open discussion on the next call regarding additional collaboration opportunities, and would like everyone to be prepared to discuss what they are working on in this space.
Action: Dave W. will forward info re: the regularly scheduled HL7(?) call to the mail list.
Action: Brett will send an email to the HIM SIG mail list with a recommendation outlining three parallel solutions from a Liberty perspective.
Action: Rick and Helen will work together to send out an invitation to the list for the HIMSS roundtable session featuring HITSP on Aug. 21.
Action: Rick will send out call details for HITSP meetings/calls.
Meeting Adjourned

