[BreachExchange] Analysis: Security Elements of 'Trusted Exchange Framework'
audrey at riskbasedsecurity.com
Tue Jan 9 20:23:54 EST 2018
Federal regulators have released a draft of a trusted health data exchange
framework with some detailed security components that go beyond HIPAA
requirements. The goal is to advance secure, interoperable health data
exchange nationally so that clinicians have quicker access to potentially
life-saving information from multiple sources.
The voluntary framework - from the Department of Health and Human Services'
Office of the National Coordinator for Health IT - proposes some security
components that are more specific than what's required by HIPAA,
acknowledging that not all of the participants in networks that adopt the
framework will necessarily be HIPAA-covered entities or business
associates. Those components include, for example, tougher breach
notification requirements as well as detailed authentication requirements.
HHS is soliciting comments on the draft, including the security provisions.
"We want to see if our perceptions are right and to hear from the industry
about their experiences," an ONC spokesman tells Information Security Media
The office is accepting comment on the 48-page draft framework until Feb.
18. Refinements will be made and a final draft released later this year.
"We recognize as we move to nationwide interoperability that more
information has to be able to move, and move in wider circles," the ONC
spokesperson says. The draft proposal includes the proposition that "HHS
should adopt a general policy that identifiable health information should
be afforded some baseline privacy and security protections wherever it is
electronically accessed, maintained, transmitted or exchanged.
"There may be areas of the Trusted Exchange Framework that go beyond what
HIPAA may require in some areas and establishes a minimum set of elements
that not only covered entities and business associates, but entities that
currently are not subject to HIPAA, would be following. And HIPAA is
currently 'silent' about the specificity that ONC feels needs to be
standardized/consistent across entities to improve interoperability."
The draft framework that ONC announced Friday aims to help fulfill a call
for increased health data exchange in the 21st Century Cures Act that was
signed into law in 2016.
The law is aimed at accelerating medical innovation, including easing the
exchange of data among various health information networks to support
timely, appropriate treatment decisions.
The Trusted Exchange Framework addresses network governance, said Don
Rucker, M.D., national coordinator for health IT, during a Jan. 5 media
"This is around the network of networks concept, where these networks are
typically moving very similar sets of information - and how do we get them
connected," he says.
"In the current space, there are regional health information exchange
networks, and networks that include direct participation of vendors, such
as Commonwell [Health Alliance]," he says, referring to a non-profit vendor
association that is made up of a number of health IT services firms.
"The request from Congress ... was that ONC work to provide a common
agreement in these networks. This brings us immediately to what is
potentially challenging with interoperability - a national challenge that
has not been easy. Folks have made some great progress, but obviously
there's a lot of work to be done." One of the approaches ONC is taking to
achieve improved interoperability is the creation of a trusted exchange
framework, he says.
The draft framework proposes policies, procedures and technical standards
necessary to advance the "single on-ramp to interoperability" requested by
Congress in the 21st Century Cures Act, he says.
Although implementation of the framework is voluntary, it will be
facilitated through ONC in collaboration with a single "recognized
coordinating entity, or RCE, which will be selected through a competitive
process," ONC says.
The RCE will use the Trust Exchange Framework policies, procedures,
technical standards, principles and goals to develop a single "common
agreement" that qualified health information networks will voluntarily
adopt, according to ONC.
The draft framework contains several key security-related components, notes
Genevieve Morris, principal deputy national coordinator for health
information technology. Those include:
- Common authentication processes of trusted health information network
- A common set of rules for trusted exchange;
- A minimum core set of organizational and operational policies to enable
the exchange of electronic health information among networks.
Morris says ONC worked closely with the HHS Office for Civil Rights - which
enforces HIPAA - and the National Institute of Standards and Technology in
crafting the security proposals. Some of the security components, however,
appear to be far more specific than what's required by HIPAA.
The framework draft also notes that while ONC worked with OCR "to ensure
that the proposed Trusted Exchange Framework aligns with HIPAA and does not
contradict HIPAA requirements ... we anticipate that many end users may not
be covered entities or business associates as defined by HIPAA, and the
final [framework] must be broad enough to enable them to appropriately and
securely access health information. Therefore, while the proposed Trusted
Exchange Framework aligns with HIPAA requirements, it also specifies terms
and conditions to enable broader exchange of health information."
Morris notes that ONC set "some minimum policy requirements around identity
proofing and authentication levels, using the new National Institute of
Standards and Technology 800-63 publication," referring to NIST's digital
"We know that's a little bit of a shift for the industry to new levels, but
based on the security issues that we face, we thought that was very
important, and we are certainly looking forward to feedback on whether we
hit the right level of security while not inhibiting access," she says.
The ONC's draft framework notes that each participant in a trusted exchange
who is a covered entity or business associate must comply with all
applicable breach notification requirements under HIPAA. Under HIPAA,
covered entities and their business associates have 60 days to report to
HHS and affected individuals major breaches involving 500 or more
In addition, the proposed framework says each participant must notify, in
writing, the health information network much sooner. The participants must
notify the network "without unreasonable delay, but no later than 15
calendar days after discovery of the breach in order to allow other
affected parties to satisfy their reporting obligations," the framework
draft says. "Upon receipt of such notice, the Qualified HIN shall be
responsible for notifying, in writing, other participants affected by the
breach within seven calendar days."
Morris says that in addition to those security components, "there are also
requirements around OAuth 2.0 and using certificate and PKI [public key
infrastructure] structures to ensure the right folks are accessing data. We
realize as we move forward, there are large amounts of data that will be
inherently moving around under the trusted framework and common agreement.
So we made every effort to make sure that what we're putting in place is
secure and safe for patients so that they can be sure that their data is
going to be shared appropriately."
OAuth 2.0 is an authorization framework developed by the Internet
Engineering Task Force OAuth Work Group.
ONC notes that the proposed trusted exchange framework supports a number of
- Giving patients the ability to electronically access their health
- Enabling the exchange of population-level health information between
healthcare providers and payer organizations accountable for the analysis
of population health trends, outcomes and costs; and
- Using an application programming interfaces, or APIs, to encourage
entrepreneurial, user-focused innovation to make health information more
accessible and to improve electronic health record usability.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the BreachExchange