Thursday, November 19, 2009

HIT Standards Meeting 11-19

The HIT Standards Committee met on Thursday, November 19, 2009. The meeting distilled much of their work and there were some great presentations from the committee, workgroups and stakeholders. The meeting materials from the ONC website and the rough draft transcript of the meeting are below. Also be sure to check out the FACA blog and join the conversation to help "pull adoption forward" and bring our healthcare system into the 21st century.

John Halamka, co-chairman of the committee, gave the following list of guiding principles for standards recommendations which were polished at the meeting:
  • Keep it simple; think big, but start small; recommend standards as minimal as possible to support the business goal and then build as you go
  • Don’t let “perfect” be the enemy of “good enough”; go for the 80% that everyone can agree on; get everyone to send the basics (medications, problem list, allergies, labs) before focusing on the more obscure
  • Keep the implementation cost as low as possible; eliminate any royalties or other expenses associated with the use of standards
  • Design for the little guy so that all participants can adopt the standard and not just the best resourced
  • Do not try to create a one size fits all standard, it will be too heavy for the simple use cases
  • Separate content standards from transmission standards; i.e., if CCD is the html, what is the https?
  • Create publicly available controlled vocabularies & code sets that are easily accessible / downloadable
  • Leverage the web for transport whenever possible to decrease complexity & the implementers’ learning curve (“health internet”)
  • Position quality measures so that they will encourage adoption of standards
  • Create Implementation Guides that are human readable, have working examples, and include testing tools

  • Meeting Materials


  • Rough Draft Transcript:



    Thank you. And welcome to the seventh meeting of the HIT standards committees because this is the Federal Advisory Committee and the operated in public. We have an audience in the room, telephone and the Web. The public will have an opportunity to make comments the end of the meeting. Committee Members, if you could remember to identify yourself or get attribution. Let's start by introducing intersection of the committee. I will begin with DJ.

    I am sitting in and am from the National Institute of Standards and Technology.

    I am Wess and have no conflict of interest.

    I am Judy Murphy from Aurora healthcare with no complex.

    [ Audio/Speaker not clear].

    This is David, a HIT vendor.

    Kevin Hutcheson, no complex.

    .net Perez, --

    Jamie Ferguson--

    Harvard Medical School. I serve on the board of Aviva Health. I am David Lowenthal.

    Good morning, John. Item on the board of national health collectives with no complex.

    I am Anish, the Chief Technology Officer.

    I am Dixie Baker from Science applications International. [ indiscernible ] does work in Healthcare, systems integration for a variety of clients, mostly in the federal government.

    I am Chris from the Mayo Clinic with no conflicts.

    I am Walter, a new member to the standards committee and did not have any complex. I am with Kaiser .

    Martin Harris, Cleveland Clinic, no conflicts.

    [ Audio/Speaker not clear].

    Nelson sitting in for Linda, representing VA.

    Jody dental, Office of the National Coordinator.

    On the phone we have a number of members.

    Done Knapp, are you there?

    This is John and I have no conflicts.

    Anyone else from the committee?

    This is Chris Cross and I have no conflicts.

    Anyone else? With that, I will turn it over to Dr. Bloom and Paul. I am temporarily blinded. Well, another day another standards committee meeting. I do not know if you have day jobs, but we are certainly glad that your employer's are loaning you to the extent that they are to our cause. Your work, I assure you, will not go unrewarded. We are turning through the federal process with respect to the regulations that you have been advising us on, the standard certification rule that has to be issued by the end of the year by law and to which-for which your work is foundational and as the Jodie Daniel can tell you, we have been very much hard at work on that regulation with many colleagues in the federal government. Similarly, the notice of proposed will making for meaningful use is also very much a matter of active discussion right now and is still our plan to have those out for public comment in the very near future, certainly before the end of the year. The end of the year used to see a long way away. Now, it is just six weeks, as hard as that is to believe. Not only what was your work important in laying the groundwork for shows, but it will be important in helping us interpret the comments we received, and who we are already, with your help, looking forward to the next set of rules that will follow and just as the end of the year used to seem a long way away when we began our work, 2011 and 2012 now seem a long way away, but before we know it, we will be engaged in modifying the interim-Well, the final rule that will reflect your work and will have to begin that very soon. I think some of the agenda that we will hear about today with respect to the implementation workgroup and experience in the field will be very, very important to those subsequent modifications. I also think the latter part of this day discussion of cybersecurity will be very, very important both to the national coordinator office and to the field, because security, as is privacy, very much on our mind and during much a priority for our office. This is a better under an area where better information and technology will be critical and we will be talking publicly, I hope, soon, about plans that we have in the security area going forward. Thank you for the here and thank you to the two John's for their continuing leadership and I will now stop using up time and turn it back to the two Johns to take us from here.

    Thank you, David. I thank you not only Dr. Blumenthal but the entire staff of Office of the National Coordinator who is doing heroic work with moving things forward. We directly see their labor but I want all of the people in the web cast and audience to understand that this group is so dedicated. My experience with government [ indiscernible ] is more dedicated to the mission of this, these meetings at 6:00 a.m. and lots of hard work over the weekend. I would like to ignore it all of those people. On quantity for all of the people to back the committee and public who have been such a vital part of the Federal Advisory Committee process. I dialogue with them and it allows us to frame ideas with as much effectiveness as is not only possible but demonstrated. I want to make sure-we have heard some comments from the people that during the broadcast that I will make a point of identifying people by name. You have addressed as to reiterate who is speaking. I will do that throughout. I want to welcome a New member of the committee is because you have heard Walter identify himself, a New member of the committee. He comes to us from his day job as the director of Health IT strategy at Kaiser Permanente and has previously been President and CEO of the Health IT Education Research--President of public health consortium and has a the background in the technical aspects as well as consumer interest and privacy. I appreciate the skills and dedication and you will find out quickly that this is your new day job. Welcome and I appreciate the understanding of your employer. Did not an overstatement to say that the bulk of the work goes on not at the committee meetings between the committee meetings, and I do not believe there has been a period between committee meetings where it has been quiet. Between our meetings there were meetings of the implementation of workgroup and privacy and security workgroup. And not lot of terrific dialogue and discussion be done and I'd like to thank you crisscross, Judy Murphy and [ indiscernible ] for their work. The privacy and security, also. All of the discussions will come to additional debt they will help eliminate our future direction. It was fascinating going through the testimony to the privacy and security and was revealing to me that there are certain things that are very consistent. Perfection is the enemy of the good came through in the sense that there is not balance between satisfy requirements of for security allowing usability to all interest. This is not theme that will emerge today is because this was one of the areas of consistency. How did you get to a appropriate level of privacy and security? It is interesting to me. Identifying the homogeneity of the Environment, greater facility, if you will of locking things down. Conversely, another test of fire offered--There is learning and opportunity. I suspect that we all have ideas about how one achieves that satisfying private and secure environment. In terms of overall direction, as mentioned last time, we had some immediate and urgent work and that was to put forward not set of standards that responded to the meaningful use schedule of activities, meaningful use subgroup of policy committee provided to us. That was a her role of effort. A number of people have asked, how does this get further refinement or clarity? Think of this as a roadmap. It tells us where the future destinations are and where the cities are and where we can stop for gas. It might not identify where every 7-11 is an to the degree that that is under discussion, we will learn from the implementation and working group is what sort of things has facilitators and what things are barriers. This is work that allows all of our constituencies that this group brings together to really understand and take cues as to what lies ahead, to take comfort and make investment decisions and take comfort in making strategic decisions because doctor about just indicated, this process-I have the old republic seal of approval. If it's published under the final rules and comments come. I will ask Dr. John Glasser later to describe the process from the perspective of the Office of the National Coordinator. It is and a wrote back that provide an M.A. degree of roadside content and an insight into future directions. To the extent that we have identified the most usable and used standards, we will look forward to further refinement of our understanding the nuances of implementation and what is helpful as guidance and what is helpful in terms of identifying and surmounting potential barriers. The process to the continuing public [ indiscernible ] will be subject to those changes of nuance but of the direction that is so many have commented is quite helpful. Let me stop there and let me turn to my co-chair, John Halamka for introductory comments and that we will hear from Dr. John Glasser for some degree of discretion over the next set of work, areas that we will need to put more efforts to back over the next few months. Good morning.

    Good morning to everybody and thank you for being here. We have a complete set of the HIT Standards Committee members. We have two important works since today. The first is the implementation workgroup. During the feedback from the greater Group of stakeholders, we have listened to the big guys and little guys and government, industry, and what we have come up with is not set of guiding principles, as you have said, as we refined as roadmap, what are some of the notions that will guide us? I think is not so much that we have heard what we are going to do, but how we are going to do it as we refine the 2011, 2013, 2015 we're going forward. I thought it was an extraordinarily rich discussion and look forward to presenting along with some of those lessons learned that we can come back and have to reflect on the 2013 revisions to the interim final role, how might we ensure everything that we are issuing from this committee can be implemented and we are reducing barriers, where possible? That will be greater clarity and implementation guidance and sometimes it will be tools. Sometimes it might be suggestions to license things so that we make them more accessible to all of the stakeholders. That whole line of work, how do we accelerate? How do we reduce barriers? How do we ensure that the 2013 and 2015 standards chosen are those most lamentable so that we can get meaningful use and achieve your policy goals? We will hear some important testimony on the security side and one challenge that the [ indiscernible ] group has had is what is the balance between policy and technology? In the total absence of policy, you could come up with an enormous technology stock to cover all possible variations, but as policy gets more and more defined and constrain, then technology can be constrained. I hope today up the testimony helps us informed where there is more policy guidance needed, where the technology can be constrained and simplified. Certainly, we want to keep these records private and secure. Confidentiality is the foundation to all that we do and this balance, as you have heard me say before between ease of use and perfect security, it might be that the most perfect library is one that never checked out books, but that might not have the utility that people might want from the library is because the policies and securities that are appropriate and good enough, I look forward to hearing from many Workgroups on helping us that that balance because it should be a very Good day and I look forward to all of your comments and feedback and as you will here in the next presentation, the blog has been very active. I think it was Wes that coined the term blogrolling. To go through and just living by e-mail and Twitter, the rumor mill about our deliberations has been extraordinary. This is a great exchange of ideas and we will never sacrifice process. Clearly, we want to make sure that as we use Social media, people are free to express all of their ideas, but all of those ideas will get this bill to lessons learned and bought back to you through formal processes and be used to change. Whatever rammers you have heard, some might be true and some might be false. People are telling me new rumors today that I have never heard before. And exchange of ideas is what is all about and you will be the alternate adjudicator is to give the path for root.

    Thank you, John. I was reminded by my 11 -year-old daughter was giving me the virtues of social networking site and said before you get a second wife, get a first wife.

    [ LAUGHING ].

    So, we are here today to concentrate on our first wife. Hopefully, that can help with some alignment between the second life in the blog world with us. I also wanted the for the individuals that testified to the testimonies between meetings and our here today is because of it to the business of the meeting. I hope everyone has had not chance to review the minutes from the last meeting when asked if there were any amendments or changes? Okay. We will proceed with those as accepted. Thank you to the staff for capturing of the work and we will move to our first activity, which is the update from the implementation workgroup and look to Aneesh, Judy Murphy and Cris.

    We will come to the front so we can engage in conversation.

    Thank you for the opportunity to present to you the findings of what I thought was a very robust and exciting one month. What I will do this morning is provide the background and process that our group had undertaken. I will then turn to Judy and Cris to walk through some summary findings and we will end with observations from John Halamka at the tail end of this presentation. Let me begin by, of course, as John Perlin had done to thank you members of this working group. It was a month ago the last hearing that we convened this body and several conference calls, a public hearing with a significant number of people attending, an online forum with hundreds of posts and thousands of votes up and down on posts and hits to the site, we are here today Richard for the dialogue that has taken place. Our target was barely straightforward, how we can accelerate the adoption of our standards to deliver on the promise, Health IT and the context of meaningful use we have had a very, very rich process. The beginning thank yous come to Vernette who led us on a very rich debate at a public. Two weeks ago and that public hearing and Bob four Key components and we heard from experts from those that serve in industries outside of healthcare. We have a panel of providers all the way from physicians, solo practitioners or small groups to reap larger, integrated delivery networks and heard from vendors, those that provide the capabilities that are the foundation of the great work we are talking about. Those are the ones that have to adopt the standards. Finally, we heard from a panel of experts on quality because we understand that the ultimate purpose here, is to improve quality and efficiency in our healthcare system. Judy will provide an overview of the lessons learned from that session. The conversation began through an online forum, that very same day. We had several formal presentations online. They included opening remarks, if you will from my post, John Halamka summarize the work of this committee to by those to comment on what we have done today. Market did not make tremendous job of framing his experiences and, today, I believe it has been posted, we have had the ultimate Post, which is the reporting, both by Clay and Dr. [ indiscernible ] from HL7 to comment on what this has meant to them and their prospective going forward. We have continued the online form through Dec. first allowing for got more structured dialogue across seven key areas as I alluded to in the initial blog posting so we can continue what we have been hearing. I will give one final comment. We have had a wonderful network of online forms. Our posts have, essentially, led to conversations that have taken place many of you on this panel have taken these conversations to your domains and the broader Health IT community has been active and robust and I have had a great time of reviewing the broader set of conversations that have taken place. I would like to begin with having Judy Walker is refining from that first hearing and we will have Cris by phone described his experiences on the blog and then you go to the phone. Judy Murphy?

    Of the blood to start by adding my thanks board and people would join us on the panel. For those of you that were able to participate I would just mention the top of the paper apart and leave it at that. We distilled the ideas down to read the Top 10 recommendations. It was not easy. I would like to thank other implementation worker members of for that, as well. Getting it down to a be as simple principles was not easy is because we thought that was better than having a very lengthy, comprehensive document. The purpose was to keep it simple. Think that, but start small. Recommend standards as minimal as required to support necessary policy, objective or business need, and then billed as you go. We heard this loud and clear from the non healthcare industry people in particular and those were the ones that talked about their adoption of standards and how they got things to start and finish, or get to the business at in. The simplicity came through loud and clear, not just from them, but also from our providers, as well. The second recommendation, it did not let perfect be the enemy of good enough. Data them brought that up related to the privacy and security and we use that as a team as well with the implementation work group. The idea is to go for the person that everyone can agree on and send the basics, things like elegies and laps before focusing on the more obscure. Again, it echoes back to the keep it simple, but start with the kind of things that people can adopt more easily and then work into the more complex. Do not try to boil the ocean. Do not try to call and then cross the street with the helicopter kind of thing. Focus on the stuff that is simple and that we know we can adopt and can do and that the providers are looking for. The third recommendation is to keep the implementation cost as low as possible speed of this came through loud and clear. Minimize the costs associated with implementation of standards, particularly eliminating Welty's, licensing fees and other expenses. Open the NIST certification testing process is. That came from Wes and we'll have more discussion on that later. The idea was to get into the space to not to have to pay to be using the standards that have them being adopted at no cost. The fourth principle is to design for the little guy. Make sure they are as broadly as mental as possible so participants can adopt it and not only the one with the best resources. This had not been lot of discussion around the small provider and their ability to enter into this practice, the idea that whatever we are designing for can be implemented through open source type of things and through the types of systems and processes that are going to be used by the little guys. The fifth one, do not try to create one-size, fits, all standard. You're seeing now make common theme in all of these and that is to really try to keep things as basic as possible. Okay, the sixth, separate content and transmission standards. In other words, you are two separate content standards from transmission standards. Of the example prawn out several times during the day, we have lot of discussion about the CCD content standard. That is the HTML relating to the Internet and what is the HTTPS? It is getting confusing when standards are in multiples spaces. Separate the network layer and avoid linking changes between senders and receivers. The idea here is if we are able to have the sender adopt and to adopt the standard at a different time from the receiver, rather than having everyone tried to be synchronized so that if we were changing something for the center, the receiver has to change, as well as. Of the seventh principle is to create publicly available vocabulary's and code sets and ensure they are easily accessible and can be downloaded to update or upgrade. Not something that, necessarily, you would have to go and copy off of the a website, but you would be able to easily download and use it. The eighth is leverage the Web for Transport. The term that was used a couple of times during the day was the health Internet. Use what already works with transporting information's securely on the Internet and decrees complexity as much as possible to shorten the learning curve of the people implementing. Standing on the shoulders, if you will, of what has gone before rather than recreating the wheel and starting from scratch, leveraging standards we know already work on the Internet. The night is to position quality measures so that they motivate standard adoptions. The idea here is to strive for their quality reporting to be an automated byproduct of using certified technology and standards, thereby lowering the administrative burden of reporting to the lowest extent possible. If we begin to incorporate these standards into the way we are looking to receive the quality measures, that would, again, push the adoption of the standards. Last but not least is support the implementers. Facilitate the implementers' use of implementation Guide with the effective national communication plans and publish open source reference implementations. We are giving examples and having tools so that the implementation of the standards are simplified, going right back to that first guideline that we talked about.

    Thank you, very much. What I would like to do if it is okay, get Cris' comments and then have dialogue before we ask John to wrap up. Cris, are you still with us on the phone?

    I am.

    We have the slide of the references the eight Health IT blog. The slide is up for get you to begin your discussion.

    Thank you. I will try to summarize some of the comments on the FACA blog as well as some of the private blogs given below. I could have listed them lot of them but focused on two from people that testified at the committee meeting from Sean and there is free-wheeling commentary and a couple of other ones listed. Let me try to do this to McNamee systematic way as possible. Let's start by going to the FACA post. As of this morning, the initial post from Aneesh Chopra Group 110 responses, many from physicians with the viewpoint on the EHR. [ indiscernible ] generated 39 replies an a lot of Twitter activity we saw on the FACA and off of it is because the last post that went up today was on the topic, but will make the difference in getting standards right for the broadest meaningful use? That is not very provocative post. There is an attempt to get the four themes and got one question, if we can switch to the next slide, please.

    While I am waiting for that, the four themes, let me start with the first, which is, I think we saw throughout all of the posts that one, there is substantial concern about the state of the EHR. There was some positive reports but also a significant of people responding that negative about the ability of the EHR to improve the economics [ indiscernible ]. These are more than anecdotes. The review of current literature would draw similar conclusions that the EHR adoption challenge remains. It is critical that we get this feedback is cents it is meaningful use and technology by efficient, satisfied health professionals. We are not building on a from legacy of consensus on Aneesh as. We are looking for a new pathway for success or extending our current pathway. That should influence our thinking about whether we stay the course or try some alternative or parallel pathway. The second comment to follow much of the comment that Judy just made is the idea of linking been the starting small and adapting fast. This was principally initiated by Mark's subtitles' of goodie of standards and good enough tools. Many of the people posting on the blog argue for taxable focus, evolving standards to adopt the adoption of the meaningful use. There was some corresponding concern that the work that have gone into complex are highly articulated standards would be lost or undercut. For example on November 9 there was a post by Peter in response to Mark's blog that said it would be a big mistake to go backwards and move away from [ indiscernible ] and HL7 standards. This received the most up/down votes, at least Betts of this morning with a type which suggests there Raleigh is divided opinion on these kind of questions. In the same area that was a opposed to that is often referred to as the father of the Internet to Wanda's about over articulate and specifications and wrote that this time to take a careful look that the implications of the present design for ease of implementation, potential for evolution, accommodation for that competition and likelihood of interoperability. The concern is that physicians are not overwhelmingly satisfied with the available products and innovation is important and if the innovation is inhibited we might lose the generation of products [ indiscernible ]. That is the risk we take it. The point of one of the off-the FACA areas of comment, Adam posted his October 29th testimony on his personal blog, and that elicited 92 responses, many of them around the merits of heavyweight versus light weight standards. This dialogue, too, is worth reading by our committee and the ONC stats. The third conclusion is to separate content from Transport and has already been discussed. Sean posted on his blog, was that does a HIT standard breakthrough, quoting several people on the concept of, I think a quote where we need to get the SDOs out of the business of creating HTTP. Finally, the fourth was combined the best of the Internet and informatics thinking. Again, Wes posted about the Internet crowd and the healthcare informatics crowd suggesting there is married and learning from but. Dr.Halamka posted on his personal post about [ indiscernible ] I could not help but post out a couple of excerpts. We need a glidepath that embraces the healthcare informatics crowd and Internet crowd with the best thinking of both and you can read his comments that-and instances where rest might make sense because he concluded that the standards evolved and we can revisit this as long as further [ indiscernible ] does not exceed innovation. It is my hope that for--We can balance standardization and implementation and innovation. There was a quote last week from Dr. David [ indiscernible ] that summarized and inappropriate divide. He wrote on his response, the CCR standard versus the speed of-touch complementaries systems of care. The first is representing the broad use of the Internet and the World wide Web for health data exchange principally concerned with Hamas, chronic disease management. The second is representing the institutional and enterprise sentence for the complex and critical care provided the couple of these environments florist with regards to health data and information exchanges but neither ought to be able to impose the requisite informational Exchange Commission on the other because it would not be in the public interest.

    These points of General conversion then leave a question, which is our complex solutions the best answer to complex questions? This is highlighted in this morning's blog and we hope the public will offer their comments. To tie this back to what we heard in the testimony, there are a couple of things to consider. First, are there examples elsewhere of complex solutions involving complex problems and it was suggested that awful simplicity [ indiscernible ] in property-casualty and insurance industries and automobile supply chain. Second, we have to consider the question that some complexity might be caused by the absence of technology and the need to create work around and some of those issues were Pleasant in many of the comments we saw on the blog. Finally, there is not a strong argument that light weight standards prohibit further elaboration of heavyweight standards, and I think that is what The Post from John Halamka, it in his public and private blog indicate where there can be appropriate separation of domain. To conclude, the blog will be open until December first and there is much more to be learned and we look forward to read further public comment to the recommendations of the Office of the National Coordinator as regulations are drafted.

    Thank you, Cris, both you and Judy did not make great job summarizing. Before we get to read John we will engage with some dialogue with the committee and turn it over to John Perlin to help us point and click to who should go first.

    Thank you, Aneesh. Thank you for [ indiscernible ], the death that came through in Cris' summary. Let's start with [ indiscernible ].

    Thank you. I think like many others I am greatly appreciative of the thought and effort that went into this and I think the conclusions are self-evident to some extent and helpful in the dialog. I want to remind us of a perspective that might bear on this question. In my personal appeal, it is not a question of complexity versus non complexity. the end of the day if we want interoperability and if we believe it in that, then the whole notion is whether we have consistency in what we are entering operating under interoprating with--Rather than complex specification and that begs the question of what is complete as? As many of you know, I am a vocabulary guy and believe that all problems can be solved with vocabulary, at least I did and have come to recognize, much to my horror that vocabulary is not sufficient. It often requires a context. If you put things into a context, you go down the slippery slope of information models and inter relationships. And that is where completeness rears it head. How do we specified of the information that is compatible and consistent in of the way that we have enough specification so that there is not confusion or ambiguity or missing information when we need? This really gets the question of whether interoperability is for people or machines? It is quite simple to make all kinds of assumptions if we are trying to exchange a document so someone can read it. The complete as corruption and the question becomes different if we are trying to exchange information so that clinical decision support and garments, Electronic health Records, best evidence triggering can make use of that information in a their way. Of the question in my mind is can we have a complete specification or ball in a way that involves the complete specification in a with the compatibility and specificity is preserved and the notion we can have one set of standards for prevention and wellness and a different set of standards for institutional or sub specialty care violates this notion of comparability and consistency in my mind and for the more introduces difficulty with [ indiscernible ].

    Great comments.

    Let's ask if anyone on the panel wants to respond, the response is directed them. Among those of you, anything directly responsive? Let's go to Wes Rishel and then when Deb.

    I wanted thank you Cris for eloquently stating the point of view of the informatics crowd.

    [ LAUGHING ].

    I also want to point out to all of us that we can recognize the [ indiscernible ] members by their fresh haircuts.

    [ LAUGHING ].

    The concern I have is not that we do not need that elaborate exploration of all clinical data and how to make it. The concern I have is when you solve those problems, you end up with abstractions that are hard to understand by anyone who does not take them few months and work through them. We have a set of solutions based on those that we are trying to push to implement yours who have not done that, will not do that. They understand the data of their IT system pretty well because somewhere else where in the organization designed it. They do not understand the obstruction that we use to describe it. I have always believed that there was a way to wrap those abstractions in a more simple explanation and get to widespread implementation that way. I am increasingly convinced that we have failed at finding those simple ways and that we need to look at semantic interoperability on a very case by case basis because there is a well established semantic interoperability for Lab data as the goods is not perfect and does not have microbiology real well and things like that, but is well established. There was a little problem to solve the--That has been addressed. For other kinds of data problems, we cannot get three physicians in one organization on the problems, much less have an abstraction that is smart enough to deal with all of those different concepts and communicate it well. They can communicate the diagnosis pretty well. What we need is a series of fairly simplistic and fairly specific sets of standards. If there is someone in the back room making sure they are consistent among themselves, so much the better. We can not Expos the entire industry of enthusiastic Web developers, of intermediate level programmers and vendor organizations, of people in start up operations to that same level of complexity we are using in the back room to make sure we are consistent.

    Let's go to read David.

    Yes, this is David. Cris, I agreed with your eloquent summary of problems that we should seek to avoid, which is creating Koses of information, the acute care complex class and the [ indiscernible ] symbol class and think in the long run that is postponing the inevitable because they will intersect at the physician's desk and EHRs, as we heard are already pushing complexity limits on to physicians in ways that might not be acceptable. We should try to keep things as coordinated and simple as possible. Maybe this leverages what Wes was saying, a middle ground between the CCR world and CDA world and possibly simplifying the CDA world instead of a top down complex hierarchy that exists, as Wes said as describing everything in one model, you break it into chunks or pieces that can operate independently where we understand things really well and problems, how to communicate them, once we figure out what the physician wanted to communicate, we can do that well but do not require that it is a complete and contiguous singles game is because some of the work done by the H data Group approaches the problem by taking what we already have the in terms of the Deep thought around the individual components that need to move around but splitting it up so we can involve those components. Maybe there is a middle ground that leverages the best of both of those worlds without forcing everyone to implement them to separate incompatible world's at the same time. That will lead to more trouble.

    Let's go to Kevin Hutcheson.

    This is a? For the applaud for the committee is because this is not lot of work and the process you use for their giving the people the public involved and to come up with is David Letterman top-10 list of how we should be looking back these recommendations-maybe that is not the best analogy, but as I look the top 10 recommendations for implementation I think we should consider whether these are recommendations on implementation or whether they should be considered guiding principles of for the decisions which we have to make as a standard committee and my comment is more a process comment as if we look these as guiding principles for this committee and the decisions we need to make, how will we ensure the decisions and recommendations we are making our in line with these guiding principles? I think this is an excellent way of crafting what could be a very complex topic.

    I will take a sentence on that comment John. Dr.Blumenthal laid the foundation really well in that 2013 is not that far away. We will be getting to work on 2013 very quickly. This conversation and dialogue, I hope, will be to a set of guiding principles, a methodology, process, that will help us get to the next round of ongoing activity and will making. That is, again, part of the conversation we will have to the. Do we agree with these 10? Ofreasonable? Are they helpful to us by which our committee operates? We are simply is summarizing what these voices have said to this group from the outside and, really, this body is going to deliberate the merits of that. This is really about the goal forward process on 2013, is my humble recommendation.

    Good morning. This is Nancy. I think these principles are excellent in a lot of ways. One of the things I have been discussing with different members in the military health system community are the impacts of these on the actual patients and I were charged to have a virtual lifetime health record. One of the challenges we have all thought about, I think, is if you are charged with having to keep 70 years or 80 years of an individual's information, will I still be able to read it and have it understood as I age and get older? I think these principles, particularly, as caregivers are trying to help their parents, or as their children, the simplicity issue is, can I get information about my loved one quickly to the next caregiver so that they are not compromised in the immediate care that is being-or the choices or solutions that are coming up for Pam? That has been a frustration of many in the American healthcare community and for our caregivers of our wounded soldiers and so forth. How can I explain to the new physician have quickly what are my loved one's problems? I think that-I think what we are also looking that here is that each patient and American consumer will also be charged with-well learn every mother, every caregiver, will understand very quickly what are the important information pieces on themselves that have to be communicated, that have to be available to read every physician that they go to? Not only on implementation for be able to communicate between the providers, but that each individual will understand, after a well, what is the important affirmation they must have or need to communicate between caregivers? It is not just that it will be between institutions, each individual will soon be able to understand what is that is important about themselves that the need to communicate quickly. I think these principles are very good for that aspect, as well, in terms of consumer education, our wounded warrior education.

    If I could that one, to inform the committee, we had testimony from a physician-I was pleased that we had not meant Virginia family doctor testify who literally it said that a patient of mine is moving to Arizona and asked if I could send a copy of her summary, her medical and the medical records of retreat a caregiver in Arizona? Chronically two caregivers had the same software to run their practice. They are few doctors that have adopted this system and were asking the simple question, how do I get this to you? He testified and said I opened up my e-mail and attached a copy of the summary record and send it, obviously with the patient consent. Www.a Standard for. That is the charge of our committee. How does this work, answer the question. I did not know exactly how it went. Your point, Nancy, when you listen to the testimony, brings around, here is a patient that wanted her records and, a physician that was willing to send it had a colleague will to accept it, all of the pieces were there, it was like, it does the plumbing work let's can we get this from year to there? It was interesting testimony.

    If I could just add, one of the key things is having been a caregiver for a parent, would you get them call on midnight on Friday and find your parent has been admitted to the emergency room, how do you get information quickly to help the person in need? That is another piece that's that is the Keep It simple. How can you say that I kappas and will send right to you? I think that is extremely important. Many of us in healthcare fight that once you get the healthcare machinery going, it is very difficult to stop or intervene from a distance and help out. I think that has been an issue for some of our parents of our wounded soldiers. When you find someone in trouble, how did you help them and get the right information so they are helped the right why? Thanks.

    There is a great exchange between Nancy and Aneesh Chopra. The ability through the use of articulation of Standards and appropriate privacy and security contact, to get to and Environment demos as from the personal-computer revolution to the Internet revolution so it is about connecting us to meet the needs of the soldiers, parents or your parent, for at for, with information that is appropriately transmited and toward that end, and Dixie Baker?

    As John knows I am not big advocate of simplicity and think that complexity Brigid's security problems. I believe in keeping things simple but would also say that simplicity is in the eye of the beholder and do not think we should translate simplicity into the lap of complex standards. We need to consider the obstruction can hike complexity. To site Aneesh's example of the doctored/patient exchange, the simplicity needs to be in the eye of the doctor and patient. When they make that exchange they say I know exactly what I need to do here, type it and filed it office because they do not need to know that HTTPS is underneath or [ indiscernible ] is used to encrypt it or that [ indiscernible ] is used to protect the integrity of. But we do need those standards to protect the confidentiality of the information's. We need standards to protect the integrity of the information and to ensure the identity of the endpoints, but the doctor and patient do not need to see that. The simplicity needs to be in the end user's eyes, not, necessarily, in the lack of standards and plumbing.

    Thanks. Well said. Liz Johnson.

    I want to play on what Kevin said and the discussion we had in the implementation work group. And one thing that occurs to me over and over is we clearly have no mission around defecting care and getting the information there but has struck me over and over in the blog and discussions that we kept hearing the word "simple "back that says our communication says very hard, very hard to do this and very complex. That is what we talked about in the work group and we should go back and talk about the lens with which we work--They are critical to get information to move the way you want it to, Nancy and the way we communicate to our public and I know many of us have been out there talking and they felt overwhelmed when we talk about the standard. I look to this as being a way to communicate that is doable and we talked about this during our workgroup, it is very, very important and we must accomplish that. We can do it and need to make sure that the people [ indiscernible ] in us many work in large organizations and we are talking to those organizations about how we are going to get this done and change our language in a way that it feels undoable. Is it does that is not principle which is communications.

    Thank you. Well said. Let's go to Mark.

    Thank you. Just reflecting on the whole series of comments being made, I struggle because I do not know what the right action to take out that this point is, what would I do? As Dixie said, there is a level of complexity that is often required and I think that one of the things that I struggle with when we talk about the program are out of high school that we are trying to get to work on something or whatever or the ones that we hire that have 15 years of experience that we are trying to get to work on things, healthcare is complex for a lot of reasons. We have been successful back fighting the complexity in a lot of Internet Technology. How many would have thought we would have had to disassemble our document into a thousand 24 byte tong's aunt through different routes throughout the Internet with redundancy and loss of riding out that the other and to get our Word document, yet that is what we do this because we did that because the complexity was required. Wes was talking about the challenge over the years about how do we deal with that complexity? How do we-paraphrasing any technology appears by metrics. We need metrics and have not figured out how to do that yet. Part of that is because not the technological complexity, necessarily, but the subjects doming complexity that we often have to deal with and is hard to know where to set that dial. For example, in the HL7 version three, the infamous [ indiscernible ] causes no end of trouble to the people. It was put in please for a very good reason and particular to address some of the issues that Chris raised and articulated with people early and how we strike that balance, how do we-Is there a way to simplify that further to allow it to be adopted versus giving up on the complexity that we have to have? Like I said I am not sure what I would do if I were king, but it does seem that having many ways to get something done is often a way to run into challenges to in the marketplace. When we are trying to simplify, it might actually complexities begun to make good example is the software design. If you have three different ways for the user to accomplish the task, it is often a challenge for the user to adopt and use the software's the goods is not always good to have three ways to do it even though one might be simple and one complex. I am torn about how to reconcile the complexity of the healthcare and domain and, not so much the technology.

    I think this is the subtext that we have not acknowledged. I think every clinician in the room and on down has been participating in this dialog and realizing there are more situations where there is ambiguity rather than diagnostic certainty. That translates to having a Digital representation. A Digital representation is affected by the complexity of the world that is attempting to be encoded. Jamie?

    Thank you. This is Jamie from Kaiser Permanente. What I heard from the testimony and implementation work group and public comments and here in the room today is not couple of themes. One is there are relatively light weight requirements for simple standards for gas consumers and human readability but also complex requirements for the tools of modern medicine. So, understanding that there might be different implementations that might result from these different uses, one of the things that we need to be aware of and seek to avoid is the possible creation of new disparities and in Care. This could occur, I believe, where records that do not need the more complex information requirements are not available for sum patients and so, those patients would not be able to get the benefits of the modern, evidence-based tools and information tools that are available in a variety of care settings. I want to make sure that we are aware that a possibility in Reading a potential 2-track system here.

    I appreciate that definition. We do not want to exacerbate additional [ indiscernible ].

    Thank you, very much. This is Anne Castro. You'll get the last word, anyway, Wes.

    [ LAUGHING ].

    I would just like to balance what everybody is talking about with what we think our consumers, the people out there whose records of information that we are talking about being secure, what they would want done. It here a lot about simple, complex and goes across the board. What it comes down it is it will not work if people do not trust where their data is stored spigots' is not about the vendor is having an easier time of it, only speak is not about the hospital systems that are already established not to have to change to hook up with this only. It is not about the insurance companies who have an interesting that clinical medical record data for decision support only. It is not any of those. I think there is probably a higher weight, a have your weight of influence on the consumer and their interest in making sure the data is secure.

    Such an important point and Dixie might want to comment on this because I have been interested with your work group deliberations because the fighting that has been so educational for me has not been privacy and security as a barrier but has not made fundamental underpinning develop in the trust that allows-not in health yet but to make the Internet purchase, to be available such there is a Trust. The want to comment on that?

    Yeah. I say this the beginning. It is and it essential blur to what we do. If the consumer cannot trust that their information is being protected, if the doctor cannot trust that changes are not being made to the information or can not trust that services will be available when they need them, the EHR will not happen.

    Wes?

    I could never just take my turn. I do not want to disagree with something Dixie said, but I do want to amplify it. Steve said that we do not need-the doctor does not need to know what the standard is behind what they do speak we does have to have the standards there. I think we need to amplify that by paying a lot of attention, because what we do is we, by definition almost, take away some of the ability of the free market to make the decision between complexity and simplicity. We mandate something and it becomes a requirement for certification. Therefore, we have an obligation to be careful to consider the ability of the industry to absorber that which we mandate. Absorption of a standard, whether it and Information Standards for health data set or security standard is done by a lot of people. Thousands, millions, that are not experts in what they do. Physician offices will have when systems of different versions of Windows maintained by the Geek Squad from Best Buy or someone in the office to have been pretty good with computers and the maintenance has fallen to that person. When we get to a debate that we had internally about Shaw I versus Shaw II, which has been resolved, even knowing the people that need to put that recommendation into action know how about going to get on the Windows operating system or Linux or whatever it is is something we need to consider very carefully. Life would be an a lot easier if we knew that all physicians depended on 30 major vendors to provide all of their IT, because then you could make an expectation on those vendors that is higher. We are committed to a market where there is an opportunity for vendors to rival that do not start out big and committed-we do not ever expect physicians to buy all of their IT capability from their EHR vendor. They have some integration jobs in a small office. Fundamentally, I think has the look at mandating something, we have to carefully analyze where is the industry now with respect to that? What is a likely way that we can communicate it to all of those physicians that are implementing, and how fast is it reasonable to expect there to be a FAQ from the supporting from this Windows administration level, what effort is that takes it to be observed into technology. Thanks.

    John, if we can use this the time to bring the rancor in the end with final observations, if you do not mind?

    That would be perfect. Let me provide a? Send the says. This dialog was so helpful in terms of the group's consideration and the discussion of complete specification rather than complex specification was very articulate and an elegant way of helping us get the concept of whether abstraction contents of the city does-that is complexity that is inherent to the subject domain that complicates this. Compatibility, moving from compatibility--and the for privacy and security and coming back to a couple of other points, one that Jamie made, the Digital divide for multiple paths was a good reminder to us of the social good air and, finally, I think this dialogue that Anne, Dixie and Wes initiated, not only does 30 to the a Foundation that allows trust based on the complexity that might be headed, to Wes' point that everyone is to be cognizant of the state of the field that's terrific and what can input. For the last word we will turn to John Halamka. Maybesaid.

    Your comments, turning the testimony into action. How do we use this implementation workgroup to guide our work for Lord? You can imagine the works since we have to back the next couple of months and there will be comments on the final role and we will want to review those comments. There could be a if you. There is going to be, right back around the corridor and into corner the need to polish the 2013 recommendations based on the lessons learned and a need for the 2011 recommendations we have made as far to ensure all the implementation tools are there to reduce barriers. You can imagine using these principles, they might be refined further, as a rubric for this work going forward. HITSBY 14 they have the list, a rubric of what you would judge standard against. Is it available? Are the implementation Guide? Is it done in and open and transparent process? When you heard the account are three standards we could use and there are two guys in no arrived and a group them by thoughtful people and open and transparent, it sounds like this is a good one. You could use what we articulated as the 10 principles to just reflect, as we go through the selection process, as we think about the most simple set of standards, and I should say the least complex, because it could be complex but the right level of complexity, have we follow those 10 guiding principles with whatever we have suggested? So common that couple of concrete thoughts. One of the things I heard in all of the NIST dialogue and the many, many mills are received from you and everybody else in the public, there is not common agreement for the need for the vocabulary. Chris, you will love this. Almost no controversy that having vocabulary can enable many exchanges of information because it builds the [ indiscernible ] between organizations and some people were concerned about vocabulary in inside the organization, do I need to change, rap and replace what I have already done? But we have said in our 2011 guidance is over the wire between organizations that you want to make sure that both categories are used. Whether it is the simple, complex or Internet crowd or healthcare informatics Krupp, everyone said having edged to edge communication of information in a vocabulary way is good and the kind of vocabulary we have all talked about, SNOWMED CT LOINK codes, maybe instead of the whole set their economic constraint said. When I connected lap to a hospital or information exchange that there is a compendium that I can use as opposed to completing my own and RX Norm is across LA for these medications because there might be others, the ICD 9 and 10 and make sure that the mappings aren't available. Meeting to SNOWMED CT might be hard as - - making sure it that whatever people need to take existing legacy systems and proprietary vocabulary's and map them out the edge of the standards, the tools are available and to the extent that they can be free, just as we have had the licensure of SNOWMED CT if there are proprietary vocabulary's or tools that people need, making sure they are universally available to recall stakeholders. We will have a workgroup with Jamie on the vocabulary side to make sure we will have these vocabulary's and meet the needs of all constituents. That is the keep it low cost and keep it simple and make sure vocabulary's are available thes. I have heard from many people, and this might sound like a echy, geeky approach, a restful approach is something that many people think is helpful. This is not just the Internet crowd. I hear it from the informatics crowd, as well. Remember that when we, together, made our 2011 recommendations, back me up, Dixie, it actually says for transmission, here are a complete set of guidance, or rest is accessible speak to something we have already said. There is now revisiting things in the past. It is already there. I do REST Communication with Microsoft, Google, and both are different. No lot of what they have done, instead of putting into the standards of conduct or protocol, they have done it the application of. Expense and question, is there additional guidance we want to provide? Some of it by the policy guidance and some could be implementation so that we do not end up with thousands of REST approaches and each organization doing it to an entirely different way. Keeping it simple and making sure we listened to the little guy. How do we provide guidance without getting a bells and wild flowers blooming. The Dixie has done with her committee is coming up with constructs that represent the needed aspects of authentication--Auditing to support meaningful use, but as policy is further developed, might you might imagine that we can constrain some of those security technologies to make them earn it tad easier to implement, streamlined set of suggestions and implementation guidance. As David was suggesting, I imagine there will be additional policy work in the HIT policy committee to inform us and was collaboration between the standards and Policy committees to make sure as we go forward with 2013 and beyond, we have the rights to the standards, whether complex or not, but there is a right said that supports the policies. Policies can enable us to constrain all of the technology. It is a Great guiding principle and have heard it from everybody today that as we adopt, let's make sure it is the most simple standard to meet the business need. It is the most simple it can be to meet the business need. I always have a hard time with defining what is the fewest and those simple and most parsimonious approach. Sure, as we have heard around the table today, adding that one is from an implementation standpoint easiest for the vendors. Anytime you say or/and, it implies I have to do many. We have also heard the statement, did you take the helicopter across the street? How do we, together, figure out that balance? We keep it as the guiding principle and that discussion as we debate 2013 and beyond and, hopefully, together, but the consensus view with what is most simple for the business needs ahead.

    Let's make sure we continue to gather feedback, making sure the implementation guidance,

    That it's good enough to get this job done. And when HITSP was greeted with the challenge, we had to do what I call interaction. We do not have open license to the property for NCDP and we say here is the guidance and a Web site so suddenly what you have the 17 documents on your desk all pointing to each other and if there was, for example, a common licensure of intellectual property as needed to implement our recommendations the rub the country you might imagine there would be an implementation Guide with everything that you need to get done. So that on the web I could take a joke and push it to a website or whips a fiche -- take a chunk and push it back to a website to make sure that open source information is available. You have heard this in your testimony about making sure those tools are there so I imagine, David, we could end by see where appropriate investments might be made to accelerate the adoption and implementation. Those are some immediate action steps and I think going forward all of the work that has been done over the last month will color our debate so I think of this has a journey, redefining the map and we have guidance to make that refinement.

    I think we're hitting our time, making it happen.

    Dr. B?

    This is terrific. The transmission to action will be most welcome so we look forward with interest and anticipation to the learning that you will bring to west and also the comments on the interim final rule. One thing is that the question if the standard set is complete or whether there's a rule for further standard development. Simple standard development but for their standard development and I think the advice on that issue would, I think, also be welcome it. I do not know if that is something that the committee expects to evolve organically out of the refinements of existing standards or whether there class's the existing standards that a missing in the portfolio and that may not evolve spontaneously.

    Thank you and as you well know the 2013/2015 there is a greater ambiguity and there is greater work to do there but there are things that we understand that need further development in the more immediate freeing as well. John, do you want to offer at any comments?

    I imagine that our call to action will be, the December sometime there will be the notice of proposed rulemaking and the interim of final rules that comes out and a comic period of 60 or 90 days so that, but our next meeting in January, I would think we as a committee would react to those comments and then actually say. Based on all of these comments, is there a gap such that a standard needs to be commissioned? Is there additional guidance because we have been too vague or is there a place that we have been to specific. We, of course, are a federal advisory committee in a. By see what should be in the -- as to what should be in the interim final rule and I am not sure what will be in there but I am sure it will be wise [ laughter ] I cannot predict based on these tend principals what the January meeting will bring but I look forward to the process. This is very much taking the best and brightest and input from all sources in coming up with what we think is the best path forward. That is charging rework and we will continue the work streams that started for the 2011 meeting please criteria it said work on categories and this and this -- -- meaningful use criteria and are working groups and committees will go for with that and the 2013 activities so I see the work streams and the translation into action and I look forward to that interim final rule.

    Thank you.

    Let me think perhaps the entire group, the implementation work group, Judy Murphy, John Halamka and Kris Ross and as we just discussed we will help in the immediate longer-term needs and as we transition to privacy and security I am also reminded of the comment that not that it's easy but that it's doable in the clarity of the road map gets increasingly precise. This is something that I know is valued in to hear that is pretty important and I appreciate it. We heard in the last discussion privacy and security are enablers to make this all possible, the foundation for trust and trusted interaction, a trusted Information. Right now we are going to switch to Dixie Baker who has assembled a terrific panel with held IT issues -- health IT issues and Dixie, thank you for your leadership.

    Okay. Go to the next slide, please. The foundational to the meaningful use electronic health records is ensuring that each individual's privacy is protected and the sensitive and see the critical health information is protected from unauthorized access, use, corruption and lost. The national coordinator is responsible for corporate standards for protecting health information and help information technology standards committee provides advice and recommendations appeared the purpose of this hearing is to solicit input from invited domain experts and health practitioners on potential issues, challenges, breads and solutions on the protection of health information and maintaining trust. Now that our recommendations for 2011 has been submitted we now return to 2013 and beyond. Specifically the testimony discussion from this hearing will be used as input to the privacy and security workgroup deliberation for standard radiation recommendations -- go back to the other one please, thank you. In 2013 beyond. Today we will hear from four panels each addressing a critical element of the overall trust ecosystem within which electronic information can securely and safely be collected, stored, Exchange, and used to provide quality care and improve the health of the U.S. population grew last week Dr. Blumenthal sent out a message about the HITECH Foundation and he cited two preconditions for reaping the benefits of health information exchange. First that Americans must be assured that the most advanced technology and proven business practices will be employed to secure the privacy and security of their personal health information both within and across electronic systems. Second, that persons and organizations who hold personal health data are trustworthy custodians of that information. The panelists that you here today will address these two preconditions, technology and business practices for securing health information and Number two, establishing the trust worthiness of these custodians.

    Our first panel will address challenges related to maintaining the stability and reliability of electronic health records in the face of natural and technological threats. As health-care enterprises become increasingly dependent on electronic exchanges, the potential impact of an interruption in the availability of electronic health and information software applications and network connectivity becomes critical. Indeed, even life-threatening. The panelist will relate their own experience with dealing with service interruptions and system outages. The second panel will address passages related to the trustworthiness of EHRs and health information exchanges in the face of cyber threats such as denial of service, malicious software, and failures of the Internet infrastructure. Who among us here today has not experienced buyers is, we're coming e-mail scam and security updates -- virus, spyware and email spam and this will involve information technology and Security professionals from health care provider organizations across the U.S.. Next slide, please.

    The third paddle moderated by Ann Castro will addressed challenges regarding the accidental loss of data including extortion, at times, and other criminal activities also known as vectors. You may recall earlier this year in which some criminals cleaned to take a new patient records and 35 million prescriptions and tried to blackmail this date by threatening to sell the data if they did not receive $10 million. And last month a British Broadcasting station showed a black market in India that offered information by some of that can be broken down into these categories by request. I am looking at what our panelists have to say about being the latest target.

    The final panel will come to the chase, how to build and maintain trust. In a 2009 survey 1,000 consumers were asked how competent they were that medical records and personal health information's stored electronically in shared through the internet would remain confidential and 51% said that they were not at all confident. Providers have trust issues as well. Can a provider organization trust a health information exchange to provide adequate reliability, for security and data protection against the kinds of threats we will talk about in today's testimony.

    Each of our panelists have been offer an opportunity to provide written testimony which has been made available to you today. We have asked them to describe their organizations and the approaches they are taking to securing health information and to building trust. We have asked them to provide examples of issues they face and other organizations have addressed these issues. We asked about trade talks that they have had to make between security and usability and in consideration of other operations. We asked them about standards, the security standards the using and the challenges they face in implementing the standards, the rule in value of interoperable Standards and the gaps that they perceive and we asked them to give any heads up that they see on the horizon.

    For each of our four panels the moderator will introduce the panelists after which each panelist will be given the opportunity to speak for five minutes pre when all panelists have presented their testimony is the moderator will entertain questions. At the end of the allotted time, the moderator will briefly summarize the testimony and as with all of our meetings, 15 minutes had been reserved at the end of the day for public comments. I would like to thank all of the panelists that are here today for giving us the benefit of your wisdom, and also for taking the time to provide a written and oral testimony. I would also like to thank each of our moderator's for agreeing to moderate the panel.

    So with that, Walter?

    Thank you. I will start by inviting the four panelists to the table. Roger Baker, Steven Warren [ Indiscernible ]

    I wanted to draw a parallel between two areas that I worked on in the past 20 years or so. I think the information security is very much like public health. In many respects we build systems to prevent and to have things that happen to us in our environment. To prevent events from happening. We also in both areas Monterey very closely to identify early threats -- to monitor very closely and implement mechanisms to protect the rest of the environment and to correct those things that are happening. So in great respect, Information Security is something that is very much a work of building systems to prevent events from happening and monitoring and proactive the Acting when such things happen just like what we do in public health. It is interesting that through the testimony that you will probably hear examples from public health situations that created threats and circumstances that are very applicable to information security. So we are. Fortunate to have our first four panelists that will be talking about assistance, stability and reliability you know, security is all about doing three major things. Ensuring, and shall be, availability, and integrity -- confidentiality, availability, and integrity. And those three critical aspects in information security. Let me briefly introduce are four panelists, there bios as Dixie mentioned are included in your packets so I will just mention their current position and affiliation. We will hear first from Roger Baker and Stephen Warren. Roger is the chief information officer with the Department of Veterans Affairs and Steve in is eight Assistant Secretary -- is an assistant secretary with the Department of Veterans affairs. Then we will hear from Ryan Smith who is the assistant vice president for intermountain Health Care and we will also hear from Paul Connelly who is the chief information security officer for the hospital in Corporation of America. And lastly we were here from Lee Olson who is the Mayo Clinic chief information officer based in Rochester Minnesota. So with that, I will turn it to our first panelist. I believe that we have about five minutes for each of their testimonies and we will be taking questions from the committee members at the end of the four presentations. Thank you.

    Thank you, on behalf of Secretary Baker -- I don't know, is it time for me to leave [ laughter ] Game over. Assistant Secretary Baker could not make it so apologies on his behalf. I will speak up, how is that? Is that better? I will be effectively cover what is in the written testimony and leave time for questions at the end the VA in terms of the IT component can be centralized into a single organization and we provide support on the health side to over 14 points of care and there is approximately 700 IT professionals at the VA with in the single organization and about 450 of them are officers out at these facilities. They focus on the Information Protection side, if you will. So large focused and a lot of individuals involved. We talked a little bit about Hurrican Katrina we lost the ability to take care of patients at that location and the scattered. Fortunately we had a warehouse capability and Web capability such that quickly we were able to provide the health information for those individuals who used to be in New Orleans. So the ability to bring that information up and the fact that we are 100% electronic health records for all of the second place million of our patients allowed us to be able to pivot, if you will. It was an electronic image. We had to do some paper capture because it was a visual presentation but since that time we brought on the ability to do the changes to the records at any location to a patient the matter where they were. So with the snowbirds for example if they normally get care in the Northeast and are in Florida for the winter we can access their data and update it. So a key point. It is all done in a secure fashion. There is a trade-off, the most secure system is the one that you never turn on, so how did you find that balance between the two? So from there to try to go to challenges. Building up reliable, steaming and as you go to networks where you are more than one location, you need to have more than a single com connection and when you lose that Telco it becomes problematic. The thing that we are starting to wrestle with and is more at the micro level is dealing with the biomedical devices themselves. We have a very active program in place to put virtual LANs in place so that they are isolated from rest of the desktop computers but we see that there are some challenges would how would you update the systems? The normal mode is for the technician is to come in with a U.S. piece drive and plug it in but that is used for many things -- a USB drive and that is used for many things and delivery of viruses is one of them so how do you handle that and as part of maintaining the system you are making sure that the update process by the simple point entry is not compromising itself. So training the staff on how deeply in place and ongoing reviews and make sure that you do not have new things coming on board outside the protected zone. We are working with a partner to set up a hosted patch system. Right now out every single one of your provider's wants to send a patch setting up a secure posted patch server and they come into West and we clean it and we sent it out on the sequence basis. Also one of the next pieces, how do you scan medical devices? The industry recommendation that you don't so how do you figure out when you can and how you can? We are working with one of our providers to figure out how can use can safely? How to you know if the procedure is or is that under way when you do it? A lot of effort in that area. We see it as something that is very important to us because they're really two questions out there. If a medical device is infected, is it still in medical device? Can you so you sit? The second piece is might iPhone and it has what folks described as a triquarter it has sound on it, if I hold it to my chest can it be the cheap EKG, but I use it as my phone, I play games on it and how do I use that? How do you fit it in to the standards standpoint? It is the multiple use device speed when is it in when isn't it? When can I use it and when can I not use it and how can they make sure when I am getting is real versus a virus or something and I look forward to question.

    My name is Ryan Smith and I am with Intermountain Health care and I leave our IT operations for the company and I appreciate the opportunity to be able to address this committee on a few of the point in examples that we are doing to health address some of the Security concerns about the macron system availability and reliability. Let me start by taking a moment by a looking at our corporate department. At this point as a team to about 14 people and they are all certified security professionals. We have had that program in place for the better part of 15 years, it has grown over the years about one per year paid and that group really has responsibility for ensuring compliance with the numbers of regulatory legislative mandates for helping to put together a system level enterprise program and consolidated system level tools for access, authorization, etc. and also helping to mitigate. So let me show you what we have to insure the reliability of our core chemical systems. First of all, we have a design process in place for many years where we design and or architect our systems to run across two geographically separated data centers and I personally would like to see more vendors step up to. And what that really afford does is the ability to update our system so that we can have half of our systems down while we're doing updates while the other half is taking user requests. And clearly helps with a about of the natural threats indigenous to our region which for example, the primary Data Center directly for the Salt Lake International Airport, major storms, etc. let me start off with the lesser common when we're is replicated to geographic data centers by directional. That we users can literally be load balanced some of the system level, infrastructure level, or a full one facility level event occurs we still have capability of the other data center. The other case is an active/passive mode we direct all of our conditions to one datacenter for their needs, get in the other data center we have a hot standby where data is being replicated one way near realtime full application infrastructure is that the other data center and an application vendor or even that will facility has issue and we can swing users over to the other data center. And that helps us with natural parents in the area but more commonly it's not an earthquake or a plane hitting our data center it's absolutely have been did for related or technological faulted one of the other data centers. So that has been a huge comfort to our clinicians that at least in our company we demand a high degree of of time with these systems. If we have a two to three hour scheduled outage so we try to have continuous availability of the system's.

    Also we take a lot of measures with in each data center locations to architect application level redundancy. Each of these core chemical systems would be either in a single system or in a cluster of systems within a single geographic datacenter and that protection against hardware/software faults. And we describe even with that type of plan. Even with some of grades we ended up with a loose 1 inch washer that brought the entire Data Center down and whether it happened during implementation on-site came loose and started to move

    The second example was prior to that time. When the facility was relatively new and the old campus where our IT Operations and health plans it, we had routine annual Fire Department test of our suppression systems and we had some wiring logic errorsability there and due to the sequence of the test put in there of power down command went to the data center even though we were not testing the data center, another complete outed. It is incumbent for healthcare companies to make sure they have good, solid DR plans to mitigate against these type of things. We also have a number of security technologies that we put into place beyond the routine, this day and age, firewall, patch management, password changes, things like that, we take extensive measures to log all activities happening. To date we have about 45 million records today that blow in through our audit repository that we actively mined and do real time reporting on looking for get appropriate access, etc.. That has been on big help from a compliance perspective and let me quickly say in closing like Stephen had mentioned, with the advent of a lot of the smart devices, Web conferencing, crowd computing come up social networking and the like, the days of the tightly managed network are really long gone. It is incumbent upon companies to really educate their end-users on secure computing techniques, as well as ensuring that they have a multi-layered defense strategy for their security processes, and we have found that to be very helpful and, yet, it is always a challenge. Thank you.

    Thank you.

    Paul?

    Yes, I am Paul Connelly and the chief information security officer for get the hospital corporation of America based in Tennessee. I did provide detailed responses to the eight questions and the a rookie I did not get them into your packets by the Judy help me distribute them and we'll get those posted the end of the day. Dixie mentioned the panels would be made above the main experts and practitioners. I am definitely n ot practitioner, not an expert. I think my comments will indicate that I have left-I tend to leave the deeper thinking to the deeper thinking people like yourself and tell me what needs to be done and when and I will focus in on the House and get that done. I appreciate what you are doing and the opportunity to participate today. HCA operates 063 hospitals across the country and [ indiscernible ] outpatient centers and we clearly experience the patients going between the facilities, physicians going between the facilities, and nurses going between the facilities and, therefore, patient data going between the facilities. We have experience, albeit internal, that is easier of exchanging health information between entities. We have several lessons learned. One is that information security plays a key role in the stability and reliability of these systems. And as mentioned, many times already today, there has to be a balance between security and usability or the ability of delivering patient Karen. Another lesson learned is there is no silver bullet. Ryan just said it takes multiple layers of defenses and multiple layers of activity to ensure the stability and reliability that we seek. We have approached this as a risk-based management approach, race-based decisionmaking in each case. Establishing standards, implementation, time lines and certification criteria in each of the key areas you have identified will help us all know that what needs to be accomplished and when, as I have said before. A few key areas that I would like to touch on in more detailed testimony is the need for clear and detailed implementation guidance. I really appreciated all of the discussion about complexity versus completeness and understand this is a upon consideration of the committee. In my view you could have them to hospitals across the street from each other and interpret the HIPPA security role differently and implement it differently and if we ever reach a point for those two hospitals can exchange data in a reliable, stable and trusting fashion, we have to get them built onto the same page on what the implementation Guide need to be. Another area that I would like to bring up is, how do we baked security into clinical IT products? We are five years pass the implementation of the HIPPA security rule and still have vendors of IT Systems, Healthcare IT products selling the systems to our hospitals today without basic security measures built into them. In my more detailed notes, I use the example of the Configer worm good morning that hit earlier this year. We have the devices on our network that had 1700 infected with the Configer worm. Of that 1700, one was a System managed by HCA. I think that indicates the threat to reliability and stability from not baking security into the system. The third point that I wanted to bring out was helpless dealing with new risks. Economic conditions and the stimulus are likely to drive more organizations to use technologies that are managed and supported by third parties. I also mention the use of social media and healthcare and the increasing mobility of devices and users has been brought up already. The threat of organized cyber crime focusing on healthcare. These and provide opportunities and risks that any direction and guidance you can provide to the practitioners would be very helpful. In summary, I think we have a perfect storm scenario, an important goal to see, entities like my colleagues here and many others across the country who are dedicated and committed to doing the right thing and incentives to get it done and the support of other organizations who are committed to providing us tools and support to make that happen. The more clear the guidance you can provide the more meaningful use of the EHR in a stable and reliable way and benefit and protect the patients Research. Thank you.

    Thank you. I am Lee Olson with the Mayo Clinic. Thank you for the opportunity to be here. Similarly to the other testimony, the Mayo clinic employs a Security [ indiscernible ] approach where the business needs to drive the strategy. I thought I would highlight one success story that we found and it has overtones in Some of the recommendations from the implementation where group. It is a eight-point Network Security strategy that supports the defense and that the principal. First is knowing what is on the network. This was a tough nut to? , but every two hours, we know precisely what is on our network in terms of operating systems, Version numbers, patch levels and anti virus, devices that are not up to snuff received those countermeasures in real-time. That has proven to be very effective for us. Establishing configurations and Standards for what connects to the network is driven by information security and we specify configuration standards and use those as criteria for connection. Controlling what connects to the network, devices are either allowed or disallowed, particularly from our remote access direction where if devices do not meet standards, they are put into a protected space where there is assistant and countermeasures available. Articulating and communicating expectations has a very close parallel. We heard about the 80/20 rule where we do not let the perfect the enemy of good enough. Talk intensities of the many outweigh the needs of the few, just to borrow a phrase from Star Trek. This was a major philosophy changed from Mayo. Many of our clinicians and researchers provide them great deal of customization but in the name of consistency, reliability and availability we have gravitated more and more towards standard configurations to the point where we have some more in the neighborhood of 15 or 18,000 devices that are fairly heavy on the client but maintained centrally. It presents unauthorized changes and loss of availability in that respect. We have created protected architectures to isolate high-risk devices and through the risk assessment process we identified three different classes of devices on our network. There are high risk but well-managed. These would be high risk Microsoft devices, well-managed through a centrally determined configuration. Low-risk but generally acceptable or other devices such as McIntosh [ indiscernible ] where there is not, necessarily, a clear and present threat, are okay. When we monitor that situation where we see threats evolving, we do respond to those. Finally, as we heard before, high risk and unmanageable include devices that are provided an armed sometimes supported by vendors. We have all heard of the FDA requirements, the CCR that has been used as an excuse not to maintain the security patch levels and anti virus. We are still hearing about that and I think the FDA put that to rest about five or six years ago. Another strategy point is developing [ indiscernible ] capability to quickly isolate segments will problems might come up and, again, adopting a more homogenous environment where this is really a velocity change, too we have enacted a policy that prompts us to use only a short list of recent, currently supported devices and move the old stuff off of the network. About three years ago we had an incident with the NT server warm that affected a view of our smaller Mayo sites and have broad impact across our on as department that was using [ indiscernible ] pharmaceutical dispensing machines all linked and coordinated through the NT server. On the one hand, some people were slow to adopt the door technology and on the other hand there that was not conscious decision from the May financial standpoint not to replace the equipment that was working just fine until the worm hit, at least. Finally, centralized management which is a little bit alien in and academic/Medical Center environment. It has reaped rewards for us from a stability and reliability standpoint. I see that my time is up. I will end it here.

    Things move pretty quickly. I did not see the clock year. That is great. Thank you, everyone, for terrific testimony and submitting in much more detailed your written testimony. I think there is now lot of the richness in be written responses and detail. I appreciate, on behalf of the committee, I appreciate that level of detail. I think we have enough time here for a lot of questions. We will start going on around the table, perhaps. I see it Judy and Wes. Let's start with Wes.

    No.

    We are going to go Broglie's/girl.

    I am sure we will come back to you, Wes.

    So, it has been interesting to hear how some of the biggest and finest organizations in Healthcare duets. I am thinking about four other clauses of organizations, those that have 40 hospitals, those that have one, those that have 100 physicians and those that have one physician, just as points along the spectrum. implicitly, I was thinking of the three purposes that we could put to the device here. One is that we have to make recommendations on how to certify the a product to be installed and got some good advice about the lack of certain characteristics and vendor products that matter. For those places that sell to develop, we need guidance on how to certify and implementation of a product and, finally, Ali thank Paul, very much, for of the notion of creating the right level of trust to enable information exchange between two organizations. I wonder, what any of the speakers like to say how they would recommend creating trust across these levels of capabilities of organizations or, for that matter, to find an organization. Thanks.

    Effective as a questioned in response, there are almost three different functions, and on the Electronic health site. There is the personal health record that can be transported and accessible. [Audio interference] is an institutional health record that is something that the institution needs that have other things besides what is in the Personal health record and the hospital information system that allows the information to be generated. Which three are you thinking about?

    In the limited-all three. In the limited time I would be happy if you commented on anything, pick anything and comment on it protective of it with this point of your in mind that we have to be responsive to the different organizations and how we organize our work.

    I would say, probably, the easiest one is personal health record because that is the owners saying that, yes not, someone else can use it and making sure you use some of the technologies to allow that access. I should be able to go into my physician and say that I have this record and am willing to give you access and of the ability to do it. Turn on your computer and I will put the code in.

    That is consent. Used spoke mostly about security. How would we translate what you told us into what we should require for Communication three Personal health records? Security is not tough nut to? Because of the organizational difference and trying to get the people who have thought about it the most-this is the, not my job game on a radio show where they are asking you to look that other organizations and how we would think about prescribing for them.

    Again, you have consent, but the foundation for that consent is the security issues. Who is it that I claim I am and who is it that you claim you are and how do I check to make sure you are and then make the connection so that you can [ indiscernible ].

    You have stated a problem. I do not want to be labor this point. You talked about-you all talked about a set of measures to put in plays that were very rigorous. I think you mentioned 450 security information officers throughout your organization. What should we expect of other organizations? What level of security should a one Hospital organization have other a one physician organization have been active the same on that piece. We are saying the patient information is as important as the patient health and the standard should not make a difference between one physician or [ indiscernible ]. There are basic things that are immune to. This because you are big, does not mean you make it harder. As you get bigger, it makes it harder, which is part of the bureaucracy that comes into it. There is not fundamental building block that should not get more complex because the technology might get more complex, but the underpinnings of it should be the same whether it is 100 or one or 1,000. One thing I would add to that is that either we standards are important in is wrong whether you are a small hospital, get large. I know firsthand that security got us thinking about the lot of things and even though I do not agree with all of the standards it help to move along in the it Security process Program. I think that is still important. Smaller facilities will have their IT all source Morris because that is not necessarily the case but there is a small propensity for one, two, three doctor practices. I was going to talk-Steven brought up the issue around PHRs. We are into it where the patients helpful, read only access to their electronic medical record and can securely message with our employed Medical Group physicians and given that we have a health plan as well, they have access to [ indiscernible ] including employee status, etc.. one thing we have found that is difficult for of the patient as we have taken on pretty conservative approach to setting up that initial authentication, the credentials the you have to show up if you're going to message with your physician, you have to be invited by the physician and show up in person to do a in person registration, if you will, but on the insurance side, given that we have annual processes through employer groups, etc., that established the trusted relationship, we allowed an immediate gratification online registration process and how those two dovetail depend on which door you came into to get access to the other services. We take it from there. One concern we have going forward is over the last number of years it has been read only access by Dick 15s and [ indiscernible ] coming in to access the records. We are into some early pilot plots similar to some other healthcare systems where you are allowing the patient contribution to that medical records. One thing I think of committee like this can help with and also the meaningful use Committee on the committee around 56 pieces is how to put some standards in placed in terms of what the expectation is for patient-contributed content in their medical records. FORTRAN of Bob right now is if it is actionable by our clinician, it will probably go through some type of workflow adoption process and be adopted into the medical record. It is more akin to the traditional, non tethered PHR but we are housing the data, we will probably start the data separately and only the patient would have access to the data. Those are the type of standards that I would consider having us think about. In addition to that, as soon as we have external entities pitching records into the EHR within the hospital or even the clinics, there is lot of assumed liability on that and secure software development life cycle practices become very important so that targeted tax, etc., things like fecal injection or cross side scripting, etc., we do not want that to cravat and the corrupt databases are cause access to those records now that there is the main contribution model in place because those are a few thoughts.

    I think you honed in on one of the biggest and toughest questions in this will area. I do think the committee is on the right path and hearing the guiding principles that were discussed by the prior panel, I think there is nonrecognition that there can be a that one size fits all but think there is an opportunity to set standards that say what we want to accomplish and when and allow the entities to figure out how they are going to get to that standard and I think there are not lot of organizations security product vendors and so forth that are ready to jump in with solutions that can work for the big hospital or small physician practice and help them all, at least, get to the point where we are confident that the hospital across the street might not and cannot be doing it the same exact way as we are but working towards the same standards we can have the degree of trust between us.

    Thank you. Let's go to [ indiscernible ].

    That was migrate the in. Thank you for all of your comments. I was particularly intrigued when you call yourself a practitioner because that is exactly-that is what we were asking you to represent on this panel. I appreciate that, as well. I was intrigued by your, and you said it twice, once your testimony and not about to figure out the when and how. We are asking for your advice and began to turn around and give advice and in the context of this simple 80/20 kind of thing, what it does, indeed all of you can quickly comment on this comity that the area of stability and reliability, what advice would you give us on the what and how, so that we can look that implementation guidance? I know that is a hard question.

    Go ahead.

    Can I give this a shot?

    Yeah.

    One thought and we have considered this from a regulatory compliance standpoint, nationally among academic medical centers is when it comes to these smaller and midsize organizations, having something almost like a turbo Tax of security were you have it package somehow we're all of the major points are covered, the confidentiality, integrity, availability, security of information at rest, in motion, perimeter controls, communication between systems, hardening of individual systems and applications, but it kind of covers the whole spectrum, not so much a checklist, but more of a the white, but also some options for doing that.

    Good idea.

    Turn to the credit-card industry. If you look that what it takes to be certified to be able to translate identity and move identity, they have not made very clean set of standards on what you need to me to be able to do that. It is a very good model that many organizations use that have to do electronic transactions and move identity. It really encapsulates it very cleanly, what is it that you need to do to ensure you are doing it in a secure Way?

    I would definitely agree with what Lee and Steven were saying, having a checklist type certification approach to the interoperability Security Standards as well as how small and larger systems think about their information security would be really helpful and it needs to be scalable. There needs to be more burden on the larger systems that are accepting greater risk, etc.. No the less, I could easily perceive for smaller clinics or smaller hospitals would have to providers, service providers that come in and help with the certification process. It is a cookie cutter process to establish those standards and see that as being very, very helpful. There is enough left to the imagination and depending on the creativity of your team, clients and IT Security professionals, it is interesting to see the pendulum on how the company's approach things to be a very patient-center business to ultraconservative and everything in between. It does not lend itself well to moving the ball forward in this area.

    I would just add that I agree with what all three of my colleagues said and what Lee said in the beginning, identifying the specific areas, that is what I had in mind. For example, tell us that you want them to factor authentication. Great. There is a lot of ways that you can? That night and a small hospital might do it--if we are going to exchange information with the hospital, we can feel confident they are the same standard we are at.

    Very helpful. Thank you.

    Thank you. David?

    I want to take that lead, Paul, and ask you, as a Group, if you have thoughts on that issue, precisely, of authentication? It seems to me that the weakest link argument is if we do not know who is out that terminal or device, everything else is a move point and we can have an incredibly secure perimeter but if you do not know who is connected to you and if they say who they say of, the security is pointless because you represent large organizations that have experimented, I am sure, through the years of the brunt of the indication standard. What would you recommend and what have you learned as we build a--Should there be a formal minimum, for example? Is it higher than what we are used to, and when you bring on consumers, would you insist on a higher standard and simple to add passwords for access to this data? I opened it up for your thoughts on authentication.

    If I could start off-that is definitely an area that you run into the challenge or the balance between security and usability of. We definitely have had an issue in the past with our hospitals when authentication was too rigorous and too many passwords and we did not make study done couple of years ago where we followed any more deceit physician through his day and he was spending 20-25 minutes just logging into the system. The ease of use is critical and is also an area where the risk-based decision making comes into play. The environment of an emergency department where there is not lot of people around, you will notice something being out of place immediately and is different than a private office, someplace. Where am I going with this? I think there is the opportunity to create a standard that everybody works towards. Not to digress, but this ties into the issue with vendors' systems, because there are a lot of systems on the market today that does not have basic authentication built into them and it becomes very complex to be standards in this area, things like identity [ indiscernible ] and finding ways we can certify users have called identities so it can be accepted by multiple entities. I think if we can create a standard that we all work toward in those areas, then we get the consistency and trust that we all feel is necessary.

    I am particularly interested in the trade offs. That is a great example. If any of you have comments about how you made those decisions and what the right trade talks might be?

    I mentioned really quickly-I divide into the three bucket, interim organization authentication and also the business partners and who we work with and the consumer, the patient-member Community. In terms of the inter organizations, we have 23--I am sure that there are others that we do not. With that, many of those, obviously, require authentication. Got one thing that is important with the inter with an organization is to have Master use user directory that is the single source that flows from the HR systems. Within the coming as many applications, hopefully the [ indiscernible ] principle applies whereby those applications delegate their authentication at a minimum to the single source of credentials, that is key because we can get through terminations, transfers, new hires, those processes really quickly. The second issue as front-line managers never under any to take them very strong-willed in identity and access Management. No way can make corporate security team by putting out policies and rules will ensure that the right users and the end of the day are the ones getting access to the Systems. There needs to be a tight linkage between those managers out in the field that have accountability for those employees, alternately where for an urgent and generous as, agencies and having a centralized security program that goes through all of that common and very strong leadership and tensing of leadership's support that supports that. As I alluded to having a standard management set of tools across as many of the applications as you can get integrated for requesting provision rights, giving people the right levels, etc.. We see the front line people, and nursing managers, they will say, just set up the access like my access, because it is quick and easy to instead of taking the least privileged approached. There should be thought put round this notion of least privileged the ability to get access in the system and do not the fault creep higher level people that are proving that access to say to set it up like me because I know that will work, for sure. Finally, on the extra organization relationships, that is where I think really tightly managed standards would be very helpful. We have weight too many interoperability standards and is making it very difficult for organizations of all sizes to work electronically in a meaningful may without requiring them lot of staff, attention and support to deal with things. Bob, on the patient side we know if we err on the side of the way the attorneys would like to approach it where we administer those credentials and a. Tight process put in plays, the patient will not use the system. There is balanced and virtually every other industry segment that offers online services, you, in effect, it to figure credentials, your user password and ID. There might be some minimum standards about the prospered but no the less the more it you put that back into the patients and members hands the better security and the packing and get more use out of the system.

    A couple of thoughts, if I could and do not mix of experimentation with ideas we are toying with. Let me talk internal in terms of the practitioners. There our pilots under way with the single sign on, how did you build the different tools together some of the practitioner does not have to log into system after system after system and we have at least two of those taking place, that one of which takes the idea of two things. Your address and cell phone. How do I use my cell phone that is registered to me as my identity? Looking at proximity as having a badge that would logia in so you did not have to touch the keyboard, and more simple things such as teaching the timeout, and knowing what you need to do. On the outside in terms of the patient side where there are no lot of miles you can draw upon, and we are looking up some of them, it gets into the question of how much risk, reliability are you willing to take? an example, about two years ago, we could make the case with our legal department properly, a knowledge-based authentication was fine for the particular application because it really got into recovery of cost. What is the legal side needed from [ indiscernible ] to recover? Based upon that, these three unique things would allow us to say, yes, that is the person. That was not in prison, but remote. We are planning in person is the best one to do first. You can do the chat, card and check to see that that is the person and the top back mechanism such that in, did you get an e-mail saying you just changed your password. Did you, the person who set it up, did you change the password, or the e-mail address was just change, back to the original e-mail address. Argued the person who meant to do that, and is that where you are trying to do? Think about doing that from an auditing standpoint. The record was accessed on this day and this day and the state, did you really do that? The ability to check that, not necessarily the organization auditing, which we have to do, anyway, but allow the patient, if you will, to do their own auditing. It was accessed is under an externally, and was that you? That is your first indication that something is happening. You can also allow levels, do you want to pay $25 for a token, versus does want to do a password and user name. The ability to allow the individual to self select to see what level of insurance they want-there is a whole host of things, externally, the cell phone as one of the known things, your cellphone number is the thing you also go back to the other it is a text for Russian and the correction or did you mean to do this, as well as the e-mail address, did you do this, did you access this, is this really you collapse if you are really concerned, do do this by letter to say that the following thing has changed, is that really you? Did you mean to do that? Again, a whole host of ideas on how to do that. I do not know if the standard is necessary if to say that you will do this and this and this. There on the direction the a range and the minimum acceptable and it becomes a decision on the organizations might as well as individual site to see the option of where you want to take it.

    Great. Thank you. I would agree, Steve, just with the cell phone is an expensive hardware token that a remarkably high percentage of people possess and makes them lot of sense to leverage that. Just for be brought authentication.

    Just real quickly, it is important to understand what these countermeasures' actually counter. Two factor authentication, essentially, protect against credentialed capture, nothing else. Many of our remote connections between organizations or even remote access by individuals in is day in Age employ some four of virtual, private network and technology where the channel, itself, is corrected where the credentials are protected from point A to point B. If we are thinking about developing standard format the sources of communication we will want to keep the rest in nine for with the countermeasure does for us and what other method of security or technology might provide instead.

    Thank you.

    We are going to have to move faster to get to everybody's questions. Carol? Do you want to continue?

    Sure. Mine will be quick. Of want to just clarify the terminology that you are using when you each use the word "standard." What I hear you talking about in many cases and in your last comments, Paul and Ryan, you said today was what and when and we will figure out how. You did not necessarily mean that when you say there needs to be a security standard, what I hear you saying if, and I want to clarify this, what we require is not common security threshold. In other words, tell us what the bar is and in the context, at least for Some things, in the context of the environment we are in and technologies we are using, we know we need to hit the bar, but it might not be in a way that this committee uses the word "standard core to use the specific technical specifications. In other words, this is the single standard that your application has to write to as opposed to this is the common security threshold that you have to meet. Is that their quest of? Is the correct?

    I use standards anonymously with how you use it versus fighting principles or policy-related things and standards being the how. In my example of St. Extra net connectivity with partners, there is a need for very prescriptive Sanders for how those Federated identities are transferred.

    For something like authentication, what I hear you to be staying on to say is tell us what the bar is, the goal standard what we need to begin it is. We might meet it different ways in context.

    Let me say I can undo it if I can say that what I think this is what you said.

    What is the condition that needs to be mad?

    Yes.

    Normally, when you write a standard you have the technology in my. That is not what we are asking for. What is the condition.

    Barack.

    Otherwise we are solving tomorrow's problem with today of technology and we never get there.

    That is what I was trying to clarify. Thank you.

    Thank you.

    Kevin?

    This is Kevin Hutcheson. One Quick question and you touched on the lot on this so you did not have to go into great detail, but I am curious about the specific environment, small to medium-size physician practices affiliated with your organization. You mention one, Ryan, tightly controlled networks are not thing of the past and we are looking more not be distributed networks and you mention, Lee about VPN Technology. They are expensive and not as affordable to it without the IT stuff. Have you experienced with all of this discussion about remote access, is there anything unique that you should share with the committee around those small-to medium-sized practices that are affiliated with the organizations that would be any different than what we have been discussing today?

    Does not clarification on my part, the affiliated practices, and we have about a thousand that affiliate with us and about 3600 providers, while we have done is provide, basically, the virtual [ indiscernible ] VPN connectivity in those clinics where we trust the site, if you will, and pretty credential process they gain access to our systems. Outside of that, we do not trust the users, unless they have a third factor, secure token to come into to which they are only distributed to the physicians. Other staff are not able to get off site access into that system.

    I would say that we have not figured it out yet. We have done lot of the technology places in place because the VPN and tested Internet connection, we are down to 4 Gateways--We are looking not speak ill of this technology things are happening, but we know it is a Bergen right now on the small organization. Trying to understand how you do that, it is a mind-set change we are going through, not lot of this discussion is we would set up the trust relationship and what I am trying to get the people to understand is we are setting up a does trust relationship, what is the minimal level of distrust I am willing to accept in the exchange.

    [ Audio/Speaker not clear].

    Not proved to be, but you will look that information, but what I need from you is lower than what I need from you if you are going to change information or the type of information you look at. We are all on I have to have absolute perfect trust to give you access point. I can build the most expensive solution possible. I am the at. I am in IT. We build expensive things and it takes them lot of time. The focus should be on the minimum you need and based on what needs to happen. That is not change of in thinking with single solutions to complex things and getting people to start slicing it down and figure out how to escalate or elevate the trust level during the interaction. Not do you do that? Cannot think there are good technology solutions today that allow you to bring it up and down based on what you are doing and what. I did not think we have not right yet. There is not lot of effort of controlling and bring it down and talking and and wrestling with how you make and it just enough for the action that needs to take place, not making it less secure but making it just enough for what you need to do and that is difficult and we still do not have the right answer.

    To David?

    Dixie?

    Getting back to the topic of stability and reliability, the HIPAA security role has been made standard that you need to identify your critical assets and the most sensitive information, etc.. It does not have an a standard-the security role does not contain a standard that says what you do with that. I was wondering whether you use that information-number one, whether you use it all and number two, you each applied an implied you have not continuity application team that plays an and wondering if that is the major input and if not, what is? Of the you come up with a, and the continuity of Operation Plan?

    Just briefly, we have about 2400 applications. We do not have every one of those --Out of absolute operational necessity if we how something like naval on datacenter failure, we have System administrators, DBAs, today's teens, people like that that would not know which of the 1400 physical servers to start bringing back up first. They need manual intervention when you have a hard-core Internet and hunted type of situations because we have developed the criticality of matrix that maps each of those top several hundred critical systems with the business owners and worked out with the business, clinical systems versus Financial administrative systems, etc., within the constituent realms to help us prioritize on the clinical front which to come up first, the lab system? The HIS? Y? Y bring the HIS of First if there are no maps to feed into get? But I'm not lot of chicken and egg discussions and we have made it through those and have a [ indiscernible ] priority listing within the clinical versus administrative, financial realm of how to recover the system that takes immense pressure off of those teams that need to recover those systems, if and when the call comes.

    I would add that what Ryan just described is similar to our situation. I would not say that we have a complete inventory of systems, and no across the entire spectrum of the criticality of all of them is that an unidentified in the patient care area and the systems which we would give the highest criticality ratings to tie that into our continuity of Operation Plan and also recently have begun to find that information into other areas of instant response so that, for example, going back to the Confiker worm example, when we had that on our network and identifying the systems critical and identifying the scarce resources we can focus on identifying, we are starting with the most critical systems.

    Other standards that you use in putting together the plan?

    I am sort of, say that again.

    Other standards that you have with putting together the continuity Plan?

    Yes. I am trying to think what our approaches. Standards are, of course, the key to consistency across the company. That is the approach that we have used. The plans are consistent across the entire company.

    Okay.

    Argued thinking about NIST?

    Whether Baby ISO or NIST, there is not gap with identifying these critical resources and what HIPAA does is says economic recovery plan but does not have not yet know your critical assets, and we want you to do a continuity of Operation Plan. There is no-there is no, what do you do with this information? I was curious to what you do with that information and-obviously you have continuity of operations plan.

    You sort of asking the question, do we need a Standard? Do you use the standard? Do you need another rule to follow to make sure you do your business?

    Is there a Standard? Back to the comment about where there are gaps, maybe there is a standard that we do not know about.

    If my business is based on the information that is held and I cannot do my business unless I have the information available, is the incentive to bring it back up on the right order, I am losing [ indiscernible ] because I am not commercial entity because I need to recoup the pay or cannot do my job, which is the patient ^.

    I would say the same thing about security, we have security standard.

    It needs to be forced discipline. much to have been with a full on outage, you might not have had to think about that. May be someone external mes to help you think about that and maybe evolution. If there were to be any standard in Place, at least from our perspective we would want to see some very strong mapping to the framework and IT Service Management and is it is that are going on so those things can merge together. Other than that I prefer to see guiding principles and criteria that are set. It helps set the watermark.

    A lot of those things exist. Yes, Health IT might be more new, but many of these systems and keeping them up and meeting standards and service levels, that is a body of practice that has evolved. Drop on what is there. When you scratch away the health piece, it is truly how you build and run complex system.

    Right scan in any industry.

    Right. Draw upon that course is not coming up with another one. In the data center you look the convicted person asking do I go with the standard or the standard or the standard? Lawsuit, let me do all three. You get into the light is so hard to do something? I have all of the standards I need to meet and is not clear, so I do them all.

    Let's make it real clear. Today we are not talking about health specific security standards. We are trying to figure out what is being used out there, what is the minimum message but where are their needs for more standards? Not health specific. Today is release security and integrity.

    It probably makes sense to look that the evolution taking place team the government on the business side. If you see how involved you have to do this and this and this and someone said what they wanted to do from a Technologies Standard and brought them bit standard so you would implement the specific technological solution and we are spending lot of money to do reports and plans and studies versus what is the outcome we want? What is the end need to be and whether those guidelines in place so that you can get there without [ indiscernible ] saying it is this one and this and this. Technology changes on a nine month cycle. It takes that long to write. Figure out how to do it so you are not solving tomorrow's problem with yesterday's solution in.

    Lets go with Rick.

    Since we are talking about the debt being used access anywhere, any time by anyone and the amount of data you have on your systems that people can access, do you have standards for those that look up to your system, download data about how they maintain the integrity of that data should they lose it on there and? Www.a lot of cases today-you talk about credit cards in terms of how that is managed. The data is going to get out. Other standards to put in place for the others the Senior Systems and if so, what are those?

    We use an external standards because the external or same as internal. There is now differentiation.

    Anyone who looks up to your system has full data encryption and all requirements are you do not allow them access and you can verify that?

    It is an expensive and onerous process and, as I said, Alberta affiliate's of challenges with that and that is one of the things we wrestle with, how do you do that while ensuring the information is protected. The identity information for a veteran is as important as [ indiscernible ]. You cannot differentiate and say I am doing health, the data is something else. It is hard. Some of the earlier comments, how do you design the technology? That you make sure it is part of what is there. What is owners is a on and was not a part of the thinking. We are adding this. How do you bring and back to it is part of what you put out.

    Verification still remains a major issue?

    And acceptance of the standards is critical.

    On the flip side we are very much not like that is because we do not control the end points by and large with the many partners that we share data with, including patients and members of the goods is by agreement, through the 14 service agreements with our actual affiliated partners were there is not make clearly defined point and after we have done that and handed it off, it is your responsibility, which, unfortunately, the way that liability shifted, this can happen and public perception, we would still be likely to get at least someone of a black i.e. if there was compromising update.

    It goes back to Dixie's point early on that that is not gap that we need to fill.

    Very similar to as we try to manage those risks through contracting business associate agreements with securities schedules that are fairly specific as to what the controls are. Our ability to validate those controls at the end point is virtually impossible.

    Thank you.

    Jodie?

    I have two questions. The first is-You made an a comment that the products, the technology does not always have the capabilities you need to meet the HIPAA security requirements and was wondering if you could elaborate on that or give examples of where you feel the technology does not support your compliance with the existing law?

    I guess there is not broad category of systems that we refer to as vendor products and in a lot of pot and pieces of the Day are FDA-certified. We did not manage but they are on our network and it is very common-we go into every new contract and development implementation effort with our checklist of the things that we need from a security perspective. It is a security to find any product. I am not talking about mom-and-pop vendors, but the biggest clinical IT products out there. They do complex passwords that we talked about before, user authentication, logging, ability to audit, ability to catch, implementation of anti virus, all of those things result, in our case, of close to read and% of the devices on our network that any given time we did not have confidence that they could withstand the latest form that is in the wild. As a result we end up doing things like segmentation and other work arounds that create complexity and I think Dixie said earlier that complexity usually opens the door for additional risk, whether stability and reliability or other security threats.

    These are, basically, the device Software as opposed to the information-I am trying to understand?

    Yes, it is both. To give a example, a [ indiscernible ] system we cannot patch or running on Windows NT and patches are not available, things of that nature, to be more specific.

    Maybe another example at the information level, and I included this in my testimony is that we are deploying [ indiscernible ] among many of our sites and some of our smaller sites have individuals serving more than one wall and we employable based access control and the application does not have the capability of the switching from one will to another. We have had to develop an efficient work arounds where we issue multiple identifiers to the individual so that they can log in Jane Smith has now Mainers here and J. Smith --Jane Smith as a coder.

    This is for you, Lee. You made comment about a FDA regulation. I was wondering if you could comment on what you're referencing of what the issue is?

    I am sorry that I did not go into detail. 21 Port 11 specifies information security controls for devices used in FDA-regulated programs. Too a Long story short, there is a requirement that you need to maintain the integrity of those devices and not make certain changes. The vendors have interpreted that as they are out or do not need to support their devices for operating system patches, anti virus, and so forth. There is a financial incentive there, too. If you do not need to provide for the changes, let you save money. The argument we have heard from the vendors is that our devices are fine, but if your network or security would not have a problems. Then, we get into the security and depth discussion where we have a collective responsibility for security, including the device vendors.

    I had written that down the start of the panel as my top issue, as well, the same FDA-related issues because we were sick and tired of hearing five years after that the regulations have been updated and they really do have a responsibility as device manufacturers to stay up with patch management to let us run virus protection, etc., on those but there is a start deportation where the vendors supports those devices whether that is--for some medical pomp or something like that's because no the less we have come lot of challenges having those upgraded, especially based on any commercial operating system, big problem.

    Thank you.

    David, please.

    I heard loud and clear the message, tell us what we need to do and let us figure are allowed to do it. I am wondering from a practical standpoint how that translates into a it set up requirements? What it sounds like you are saying is to tell us how secure you want our systems to be and then we will work to get there. House sitter should system speed? How do you define that security and how do you know when you have got it? What would be a metric that you would want to use if you were trying to establish whether a performance level had been met? We are struggling with this on the clinical side of healthcare performance and now you have opened up a whole new domain of performance measurements, which could be privacy and security. What level of breach, how frequently it is tolerable, is that a standard? How hard should it be to access for and emergency room physician, is that a standard? And how hard should it be for a patient to access? Does the field think in these terms? If you want it to be driven by performance, those are the kinds of questions you will have to start answering.

    My personal feeling is that, first of all, we should benchmark against other industries and have an honest, open discussion on how important, in relative terms, is patient Information versus other categories of information, financial information, etc.. What do people say about that? Today want to protect their corporate records, bank records or personal health Information? That would help establish if we should be of here with the PCI compliance with the financial industry or something less than that? For the physician access, etc., it is important to continue to support a. The class kind of model where providers can get access to that data and ensure that we have good audit tools put into place that after the fact we can look the appropriateness of that as long as we understand that is the physician accessing the record. That is a very different standard than patients. They do not want patients to break the glass on our systems until they have really proven who they are and what level of access we want them to have. There are some challenges, but I think we did that conversation to understand the relative importance of this data and putting the appropriate level of access controls around that.

    What he said.

    [ LAUGHING ].

    I heard a the reconstructive-house secure do they want systems to be. Of the idea of what the metric is, how many bridges purred year is okay with you, and does your system attain that level of breach security? I do think if we are going to be performance-based, which is perfectly sensible, we then open up this entire domain of performance measurement and performance measurement against some standard. What is the minimum that is sufficient to enable trust, and type of trust that enables the business to work. That might be an important gap for this committee to be thinking about. It is analogous to clinical quality measurement will in an ideal world you would measure outcomes and forget about process and structure and pay based on what your mortality rate is for [ indiscernible ]. What is your complication rate for laparoscopic [ indiscernible ]. A Broadway if you can pull it off. What I hear is the request board an analogous outcome-based measurement system for Security. You do the a standard to measure against.

    Part of that-there or two domain place is because there was the patient domain and benchmark it against the type of information in the Electronic health record is already covered in different industries. Thereko is the financial industry. Those already exist and the question is for the patient in that the main on domain, the different domain is the healthcare provider within and the standards should be different between the two. How do you make sure you do not do one standard that covers all of those things? There might be a different one for the insurance provider. What do you set as the user of the information who is not a healthcare provider? Where do you draw those lines? Draw the lines and setting the domain and what control to put into the domain is almost as important as what the controls are. Was to segment it, it is very easy to manage it within those domains.

    Call, you have not make quick--

    Provided the maker of fine example.

    This is fascinating and always a challenge to talk about security and try to constrain the questions and comments round of particular act of security. We have seen an array of questions and some of them are very directly related to System reliability and stability and some more into other areas of security that we will go back into the other panels, later today. We will have a panel at the and of the day on just around cyberspace and authentication will come back. I wanted thank you for your participation the a to record way to start our session. It will open on whole host of other questions for our next set of Pallas. Thank you and thank you for submitting your comments and testimony in writing. I am sure we will be working with you into the future as we pursue all of these other areas that you are suggesting. I want to make two simple summary comments specific to System stability and reliability. The first is that system stability and reliability is something that concerns everybody, regardless of the size and complexity of the system. Everybody should be aware of that and be able to address. Maybe we use the words too EE in terms of system stability and reliability and too complex for smaller organizations, perhaps, to consider air and it is my belief that is a big issue that needs them lot of people to work on. We heard, also, suggestions in terms of what can be done establishing some tool kits, perhaps, that can be disseminated and this is something that the extension centers that are going to be created can use to support the topic and provide technical assistance on how to do these kind of things with smaller organizations that do not have the level of technical expertise or resources to help with this can benefit from. The other thing I heard is the in order to really handle system stability and reliability, you need to understand your resources and dependency with key providers and you need to understand where your resources are, application resources, and what you're into dependency is with telecommunication providers is. - - those resources are dependence because you need to build contingency plans and contingencies to the contingency plans and be redundant in those respects. There and a number of areas that we heard that would be very good for us to begin to work on and rather than repeating them here, will turn that to John and thank our panelists for a terrific way to get started.

    Thank you. Thank you very much, Walter and I want to 83 Stephen [ indiscernible ] each of you, it thank you, for your participation. I agree with your summary that this keyed up a number of topics that after lunch, and much needed break, that this group will take, we will come back and have discussion on that loss and cyber securities because those resonated throughout the interface with other equipment that might not be proprietary to the institute that is operating the need, as you mentioned with the a system stability and redundancy, even knowing what is on the network, making the security into the devices with an. That the woman Paul offered on terrific closing set of questions that relate teased up a bit of work that dovetails with what Carol Diamond offered, which is, really, what is the differentiation with standards for technical specifications versus specification that need to be met? They can be specified standards, which ever of the two there is likely an outcome measure that determines whether that condition need has been met. That gets into a number of the threads of the other conversation perhaps the to do with Paul one establishes levels of security and the concept of minimum level of distrust that was used. It is very helpful in terms of, not only this dialogue, but believe the dialogue that will be throughout the rest of the afternoon. With that we are at about 12:10. Let's come back, not 12:50 Eastern time as the company to fight to the presenters and members and people will --Who asked questions.

    [Conference on lunch break until 12:50p ET].

    [CAPTIONERS TRANSITIONING].

    Will be starting the meeting in about two minutes, Thank you.

    Good afternoon. We are going to reconvene shortly. Momentarily. I asked people to take a seat and we will get started. Thank you, everybody for getting back together and convening timely. I appreciate that patient a terrific discussion this morning getting a discussion on security. We are addressing - sustainability and system reliability and we are moving now to Cybersecurity. They want to offer any discussion are comments?

    Let's go to Aneesh.

    Thank you Aneesh Chopra for appropriately introduced and we have people joined and Aneesh Chopra is the White house chief technology officer, but he has been wearing another hat, chairing the implementation workgroup to facilitate the discussion here. Welcome and we appreciate your leadership.

    Thank you. But I would like to do is bring the panel to the committee's attention. Just a word before we get to the panel. This is happen to be the president's popularity, the president held a speech in May of letting our commitment to a collaborative model with a private sector to ensure a more robust Cyber security framework. This discussion today in the health sector is a key component of that outreach effort. We have assembled through Dixie's terrific outreach will talented folks to join as across the wide range of stakeholders to share their views on this particular topic. I suppose we can go in order of testimony, however you would like to go to go and the site might provide that introduction for your remarks and the frame work is to get some preliminary baseline data for the group.

    Thank you. I want to thank the Committee for having me here today to provide testimony. My name is Lisa Gallager, Senior Direct director at HIMSS. HIMSS is the membership organization focused on providing leadership for the optimal use of healthcare information technology and management system for the betterment of healthcare. HIMSS represents 24,000 members. 46 regional chapters nationwide HIMSS seat 60 shape industry practices through educational professional development and government relations initiatives designed to promote information contribution to quality patient care. I was invited today to talk about HIMSS and will Security Survey. Now in its second year, it reports the opinions of information technology and security professionals from healthcare provider organizations across the United States. The study collected information on multiple topics including tools and policy organization is currently have have in place to secure data and if those respondents perceptions of their maturity of their security it implementation has changed of the past year by in finally we added cautions that reviewed the organizations perfect preparedness and approach for meeting requirements contained in ARRA. There's a lot of data and you each have a copy in your package. The survey report summarizes the results as well as the report has an appendix that contains charts of all blood survey data. I have not included the charts in my presentation today, but instead summarized million data in my remarks. We are available to answer any of your questions that you might have in the survey and survey report. Let's talk about the survey methodology. We conducted for the second year a web-based survey during the summer months beginning in August and actually going to beginning of October, we focused primarily on accessing individuals with titles that indicated that direct involvement and/or responsibility for the security function at their organization. 196 respondents this year. Titles included Chief Information officers, vice president of IT or YS, director, chief security, chief private talks up officers. Over year over year comparison in the survey Incorporated the respondents - - 155 respondents in order to get through the presentation and the 10 minutes that I have this morning, this afternoon, I have focused on what are the headlines coming out of the survey. Results from this year's survey indicate that despite changes to the security and policy landscape required - - and increasing risk, healthcare organizations have made little change since last year's survey in the number of multiple areas in the security environment. On the slide, I have a couple of salient data points that are important for us this afternoon. Approximately 60% of the respondents reported that their organization spends less than 3% or 3% of left or less of their IT budget on information security. Fewer than half indicate that they have a formally designated Chief Security Officer or Chief Information Security Officer we asked them this year in the question to rate the maturity of their organization Security practice on a scale of one to seven where one is low and seven is high and they become in the mid range of 4.27.

    Clarify your words, the people who responded having a designated CICS Oak flat year-over-year?

    And the number was flat year-over-year also.

    Thank you.

    Moving on to risk analysis and a couple of important finding, the assessment even at this days is not universal. Three-quarters of organization conducts a formal risk analysis. One-quarter of them do not. I think, there is a lot of data in the report regarding the various components of the risk analysis that is being done, how they were able to use the report test results and how it long it took three need it findings. The cetera. For those who see the details and the report, but one more thing I want to bring out is of the organizations that the conduct a risk assessment, three-quarters of them have gone through the risk assessment patient data at risk in their own organization due to inadequate security controls and/or policies and procedures. That indicates that they're finding it to be a useful activity when it comes to protecting health information.

    Sorry. On that same point, this was meant that they would have said that last year, but had no change in investments or leadership?

    Right.

    Thank you.

    Going back to that slide again. I think the budget number is significant as well. 60% spending less than 3% of their IT budget. Okay. Of the responding organizations that conduct ask risk assessment, most of them or 83% said they use the information generated and the risk assessment to determine which occurred controls to be used in their organization percent are also pretty good in monitoring the success of those controls. 85% say they will monitor them pennant 2/3 reported they do some kind of measurement as to how well the security controls are working and in the reporting will find a lot of details, the kinds of measurements they are using. Respondents were asked to identify the types of security controls that are in place in their organization, these are technical controls. And their plans of technology purchases and deployments in the future. You can see from the site that are types of acknowledges that reached a fair amount of saturation in the market including file will use and user access control. We did probed about the satisfaction that they have with the tools that they have in place and generally, that is pretty high. There were a couple of interesting areas with regard as Technology deployment, encryption is used by 67% of responding organizations to secure data and pure than half or 44% encrypt stored data. We talked in the last panel about two factor authentication and we probe for that and the response rate was 33% currently using to factor authentication. When we ask about future deployment of Security Technologies, email encryption, a single sign on a most frequently identified by respondents as not presently installed but planned for future acquisitions and the same two that came out and the top last the year. The survey this year of also assess aspects of organization readiness to comply with the new privacy structure and the ARRA and regulation from HHS. For example, ARRA organizations are required to provide bashed for the patient and protected health information upon request for the patient. Survey address some of the tools that an organization might use to gather the data necessary to provide the information to the patient such as audit logs. The results showed that audit logs are what widely used among healthcare organizations responding to the survey. Data from firewalls application logs and server logs are common sources of information retained in the audit log. At this time only one quarter respondents - - done entirely electronically. Most organizations are doing manual means at this time. Respondents were asked to identify the types of events are a lot. Most frequently identified was security critical events only followed by clinician access to data on patient access to data. Approximately three-quarters of respondents reported that their organization actively uses audit log information for intrusion detection. Another 2/3 uses audit - - with their own corporate policy. Respondents this year least likely to report that they use information from the audit logs to provide the accounting of disclosures to patients. Few were reported that this was used for audit data. Flipping back around, - - providing disclosures to patients, only 46% reported that the audit log is the primary source of this information.

    We asked organization about their current and future plans for exchanging data with external entities. Currently, organizations report that the widely share information with external organizations. 91% said that they do in some form or another. The most frequent external entity in which with which they exchange information state government entities 73% reporting that the exchange that data. 19% currently say the participate in some health information exchange, but 60% said they plan to participate in an HIT or facilitated data exchange in the future healthcare organizations also anticipate increasingly allowing patients and suricates to access information. Next slide. Most organizations do not currently have a plan in place to deal with security breach of so once they have a breach, they attend often to figure out what the cause of the breach was spent half of the Organization report that they do not currently have a plan in place responding to incidents of regarding to related to secure a breeze. They are planning to put a plan in place and 6% say they do not have a plan to put in place. We asked - at zero go over this quickly. We had a question in the survey about medical identity theft. Faster, 23% of organization reported one known incident and this year it was 32%. There was a significant increase.

    Last year was 20%, this year 32%.

    With us and a question this year as to whether the organization has seen consequences resulting from identity theft. We know patients consequences and and the report that to the healthcare entity and we want to know if any - - only 11% saw any consequences, but we ask them for any examples and that included out additional fines, citations, loss of revenue, additional audits from organizations like The Joint Commission. In summary, there is a couple of things that we have observed from the data that we saw this year and a year-over-year. Organizations are facing increasing challenges with regard to the edge up adoption of electronic health records. It is more complex and legal environment and the threat environment is changing and the level and amount of resources that they are applying are able to apply in this environment to are fairly flat therefore require them to do a lot with a little. I think this is an area I would also serve where we especially with the small size organization are still very much in an educational awareness phase . Especially with regard to the new statutory and regulatory work requirements were very often I find organizations are not well informed about the requirements. Again education and awareness I stress. There is a huge issue around budget resources and knowledgeable staff to help them accomplish these goals. With that I will conclude, thank you very much.

    Thank you very much, Lisa. Next we have Dr. Tippett coming from Verizon. With you please introduce yourself, Peter and begin your remarks?

    I am Peter Tippett, I am the chief medical officer at the rise and. My life - - I started my life as a physician, 23 and I started my life practicing as medicine. I was born a physician. I know you did not have it that locket. Some of you have to go to school and everything. I think the whole thing is going to go this way [ LAUGHTER ] anyway, Verizon has a very large Information Security practice. For is an acquired Cybertrust 2.5 years ago which is the largest services company in the world. Cybertrust division of Verizon provides identity for example to the citizens of 25 countries so that is Paul time hundred million people. We provide security services for multi thousand corporations. Verizon is the parent organization of the independent ICSA lab which is the under - lab function for information and privacy which itself has four or 500 corporations, the vendors who make security it and other - about what we care and security. [ There will be a brief pause for a change of captioner. ]

    In bringing a new exchange to help bring their data into the electronic health records in a secure Way. One thing that is probably not known very much is that 20 years ago we invented Security Standards and applied them to Computer Security products. ICSA, this week, but his a study of the last 20 years of security testing of products, and I could give you the data, but I do not have the time. It is reference 10 in the testimony and is publicly available and you can download it. I would be happy to go with that under an attack over the informational few. Companies that want to make their products secure, they are in the business, over 90% of the time have major problems with their products with regards to the big errors in Security. Even people who care. It takes almost an average of three passes to get their products certified to entry-level standards. We do a lot of studies, probably because I was born a physician and also have a Ph.D. that has too much science to be involved with our organization, we believe in during a lot of studies and bring science to this problem of information security the problem of information security is really in the infancy, like aviation was in the 30's and '40's with 5,000 less likely that you will die on an airline going from Washington to New York and turns out that 500 of that 5,000 fold improvement came from process, not from technology. The engines are more reliable now, and that got you the tenfold improvement, but the other five hundredfold came from the feedback loop, the National Transportation Safety Board investigating every accident or someone died. Be deployed a study, our first three references in my testimony our status call the data breech investigation reports, the studies over the worst cases of computer crime across the world and turns out that Verizon's Computer Crime Investigation team does about 90% of all of the large computer crime cases ever published. It is a huge percentage of the data. Since most of these cases are required to be private by legislation or by restraint orders on the people that know about them, it is hard to get the date of how these things go. We publish a study in the third iteration called the data breech investigation report that looks only the cases where the company was attacked and the attack was successful and the data was breeched. A third of them had nothing to do with packing. I just thought that I'd like to point a couple of the interesting points there. It is easy to go in places where we believe is the right way, but it turns out that we believe leeches would cure tuberculosis. My daughter came from and summer camp 10 10 this summer that same beaches cure broken bones as they go about a third of the things we use for Information Security do nothing to reduce rest. It turns out that password [ indiscernible ] longer than five characters do not have any measurable improvement over past was with five characters. Encryption of data at rest is not measurably valuable. Let me say that again. It turns out encryption of data at rest on large systems is not valuable to reduce mal code or hacking. These are the two categories we care about. Acted and directed toward that is very, very little utility. It turns out the agreement will benefit of patches is faster, almost everyone wants to act quickly and we are told to do it faster and faster. It has no particular benefit. Pating is important but every countermeasure will get better and better until it does not get better any more. It will have diminishing returns some point and you can measure the place where these things have diminishing returns and when we got people to the place where we turn the corner, which turns out to be cheaper and more efficient, it turns up the end user devices are almost never devised involved with losses of the data says the good morning one in 10,000 records lost over the last two and 85 million records lost anything to do an end user devices, does not correlate that to the use headlines, please.

    I am showing you the real data and the use headlines hyper flee the nonsense. That is the problem. I think we should figure out, just like what we have done, we call it and it's based medicine, which is the evidence-based security and make our standards operate around evidence and where it does not exist, we need to make them understand the evidence will come and we should be able to dynamically change our standard. That is my call for today, make sure that we do 93-part mechanism of doing this, the first is to make our standards Expo said only where we really understand that the explicitness is true and, honestly, most of the stuff we believe is dogma. It is hard to imagine this dogma and some is not true, but it turns out that a lot of it is surprisingly so. That is what I gave the examples. The second is we need to require and installed a mechanism to collect and share that information. That is not to say that we need to require that people publish their sensitive to information and get embarrassed by it but a way to share privately and analyze so we can feed back and the National Transportation Safety Board equivalent, otherwise we will never figure out what the right things to do are and get our are thousandfold improvement that we did in Aviation. The final thing is what ever we to for our standard and I recommend we do something very simple, much more simple than the discussion we heard this morning, whatever the first up is, we need to make sure that the feedback is designed into the standard, so that when data is learned, that the standard will adjust, accordingly. Unfortunately, almost all standards of just by adding more, not removing. So, I bet you I will be able to prove with dozens of studies that the encryption of data that at arrest does not do anything for hacking or anything all but it will not come autumn of standards of but it seems to be got one of the most expensive things you can ask. Finally, the standard needs to have a risk-based just like HIPAA does. It is out --It is the single thing that makes the debt and that come up with small and large. If you can prove that this does not apply to me, or that the threat is not relevant to this organization, or that the vulnerability does not make sense or I am doing something else that gets to the same problem as that thing that you explicitly what me to do, and you can check the box with that analysis, you must do that. That has to happen. I apologize because my time is up.

    My time is up.

    I am not passionate about this.

    Not at all.

    Which are set of items on healthcare pregnancy-related issues?

    The study?

    Yeah.

    That is the 25 or 26 study we have done. It has not made significant number of health organizations in it, in the order of 100 organizations, but we run a certification program for organizations, not just for vendors, called the risk-management or security management program and it has over 90,000 organizations with almost 200 healthcare organizations, and lot of data about how healthcare organizations became in the real world.

    Thank you.

    Next we will have David joining us from Vermont. Thank you for the testimony today.

    Thank you, very much an for inviting me to participate because I am the CEO of Vermont to Information Technology leaders [ indiscernible ] state legislative entity that oversees health information exchange for the State of Vermont as well as supporting physicians in the deployment of electronic health records. I would say having heard the panel before luncheon that we are primarily operating with the practice community at the other end of the spectrum. 2-thirds of our positions practice with the 23 and over half of them are independent and as such we are working with them as individual practices connecting to our information exchange, of which is managed as a of Ann spoke model. That is the perspective I will bring this big we happen in the health information exchange business since 2007 sharing Laboratory Information, sharing prescription information, largely by way of direct transactions. We have also been supporting our statewide patient-centered medical home and visited through the exchange of CCDs. We have been at that for about the last 18 months, as well. I want to touch on two or three areas, our approach to [ indiscernible ] to. The second, I want to talk about some of the special problems we see in the small practices and, third, New England is not region with them lot of states and small geography of want to touch on the challenges as states execute different security requirements across the state lines and how those of us because we have taken the same approach to security. We recognize that there there are challenges to it basically balancing security and access and our approach has largely been to take a [ indiscernible ] approach to the security and have the systems better manage the authentication and management processes. the place out we have actually had to struggle with issues that we have talked about today. One was 2-factor authentication and we had discussions about expanding the use of 2-factor authentication beyond what takes place outside the hub to the institutions that connect and recognized the smaller hospitals as well as for the small physician offices that, today, that is the only way to go, not something that is going to build up the use that we want to see, and, thereby, get some of the benefits. Second, and I am delighted to hear that it turns out it might not matter but we have had explicit discussions of [ indiscernible ] [ indiscernible ] encryption and in that some of the institutions on our network can do obligate REST encryption within their organizations because we do not as a to participating on the exchange and one of the challenges we see going forward is that some of the institutions that require it have challenges with exchanging with any institution that does not do it. Some harmonization of those institutional policies the state level is certainly a challenge for us. In terms of the small doctor's offices there are three areas are part to highlight and one is simply knowing that security is an issue. If we look at Insurance as something you never pay attention to until you need it, with some of the small Dr. Offices, frankly, security is in the same vote. We heard of a place with 14 the security - - we deal with by people in the organization, the office manager who is simply the office manager is responsible for all of the technology that takes place in Office. We have seen them fair amount of attention to the use of evaluation of electronic health record vendors but want to see much more of the network established in a way that is secure, and established and managed in a we that is secure and we have requirements to get those that use our organization for deployment to contract with a hardware vendor to establish that that work to remotely manage that network, not only start off with the right design but manage overtime. PC too many examples of deployment and they are not paying enough attention. Cost is an issue. Their economic ways that security can be executed on and the cost issues can be a challenged for the small institutions for picking up the tab. We are looking for ways to do that cost effectively and what looked for organizations like this one to help with some guidance in but the educational side as well as some of the stages that reflect the fact that data that comes out of the small doctor offices, it is every bit as damaging to the patient as something that comes out of many multi-hospital system of the tools to address that have to be very different. I am out of time so will briefly mention that we see the complexity of managing inter-state security policies as adding to some of the risks. Massachusetts, for example, as of next year gap will be required [ indiscernible ] risk encryption. As the exchange information with Massachusetts, does the most severe, most stringent policy apply? Boardthose entities that are not predicted good at it, how does that play out?

    Thank you.

    That is a good one for John Halamka. Our final testimony here is from Professor Masson. This is from the Johns Hopkins be pleasure to have you here.

    My name is Gerry Masson. When you come to John Hawkins added to the first letter of that, you can pronounce it Alice [ indiscernible ]. If you go there and ask for Jucy, you will find me.

    [ LAUGHING ].

    We are an academic, educational and research center and author and Master of Science degree in Security informatics and we have about any one time 20 to 25 faculty members distributed around the University in the computer science area but also in the school of health and School of Business and and they are all doing research and/or teaching in biology and information security assurance. Week of a teaching agenda where Hunter which requires that all students work on projects and are expected by the end of their degree experience to help reduce a deliverable, defended it and we teach people how to attack systems. My opinion is if you cannot break it, you can probably not make it. So, the students are provided with systems technologies of different types and the explorer techniques for attempting to do what those systems were not, necessarily, designed to do. We have been in the business since about 2004 and graduated about 250 students and bet one of the interesting aspects of this is that not significant number of our students have to get a security clearance in order to take their jobs. So, we bed into our educational experience internships that also involve getting a and security clearance because there is an interesting opportunity for does organization that I think could be discussed and have some advantages. There are-So, the majority of students that get our degree go work at federal agencies. NSA, FBI, CIA, the whole alphabet soup of intelligence agencies and get funding to get their degrees under programs referred to as scholarship for Service. It College of for service programs mean that you get a stipend, you get a tuition scholarship and then at the completion of the degree experience you are expected to fulfill the a service obligation lasting about as long as it took you to get your degree. That is a really good deal. We get exceedingly strong students applying for this program. Of our 100 plus students that have received that kind of funding, only one has ever [ indiscernible ] their service the contract obligation in health. That is because DOD has these programs that exist. This organization should consider looking into developing the scholarship for service programs. You attract exceedingly strong students. They work for you for a reasonable period of Time. They become involved in what you do and with a success rate of about 75%, when they complete their service obligation, they stay with that organization. This would be, I think, an area where you could interact with Universities. There are about 50 programs, University programs referred to as DOD Centers for academic excellence and to do that you have to have your educational experience that satisfies-addresses certain field areas. You could do that in health. You would not, necessarily, have, sometimes problematic issues about the security point. So, although I did not provide you much information about the Jucy Research, certainly areas like network security, database security, areas that you would expect we work in, but also areas like our FID technology are all being worked on experimentally. If anyone would want to follow up on mess and visit us in Baltimore, not that far away, we could give you a tour and you could meet some of the students, and they will sell the program to you. You will be able, potentially, to start trying to find ways, perhaps, have a similar health-oriented scholars ----

    Through other aspects of the federal government have stimulus initiative we are working on a number of work force-related activities, and they're being a great area of interest, as it is cybersecurity. I would like to turn it to my colleagues for questions, comments or concerns. David, before I get it in there, I have one for Lisa.

    I have on the phone, too. And Lisa, help me understand or interpret what you shared if the actions of concerns around cybersecurity might be investments in personnel and/or investments in money and in of the examples they are showing the [ indiscernible ] year over year while medical identity theft or medical theft, however you want to identify it has doubled if I did you're welcome right, up 67%, help me understand how to interpret that so I get a understanding. Threats are rising but responses are muted or flat stick to what is the response of the industry on how they are looking not the issue?

    The types of organizations reserve it, most of them were standalone hospitals. There were some ambulatory practices because the issue is one of resources, whether the budget assigned to the function or support. We are surveying people that have some level of responsibility for Security no quarter of them cannot accomplish a risk assessment. To me that means there is an issue of support, as well within the management structure for that is the a useful, productive activity related to the business risk. That has been o n trend, phenomenon that we have seen since the beginning when HIPAA came out and the that they are not applying more resources, people associate that with things like lack of enforcement, etc.. In my mind, I think the sector relapse a focus on security, expertise in Security and does not get off rationalized at the individual organization level in a mature way. To me, if we are having a discussion about meaningful use and putting money or dollars into the sector that we really should think about how we can get some of that funneled to the security function, whether it's his money or education, other kinds of resources that we can make available to the organization so that they can get educated on the disciplines, educated on the requirements and have some sort of tool kit to use to implement.

    Thank you for. Let's go with David than the phone, Martin and then Karen.

    It is David. Peter my, my question to start with you, although anyone should feel free to comment, unlike analog to evidence-based medicine. If we were going to do them clinical trial we have no hypophysis to start the trial and we tested see if we can prove it or disprove it. What would you say about healthcare security be modeled closely after, after financial system security. How would we be doing?

    I like it. I was on this committee with Dr. Lowenthal several years ago and at the time we thought that healthcare was 10 years behind Finance in terms of the IT function certainly not in terms of innovation. If might be more than that, frankly. The document that I wrote for get the testimony suggest we think about this in terms of how PCI things about it. They have the problems of risk basis and [ indiscernible ]. PCI, we measured it. Networks. Remeasured it across thousands of organizations, and it works. A standard that Cyber Trust wrote has been tested on over 1,000 organization and works with a 40 fulled of reduction of risk compared to be batch control companies. It is not hard to do things that are simple and effective. We really have trouble because we tend to want to do things that are hard and keep piling on controls. This logic, I think, because we do not know what works and what does not, so we tried everything and tend to require everything of everybody. And I put in another challenge here. I am doctor and to care about privacy and security, but I do wonder-and I think the answer to Lisa's question is that they have not experienced any losses. It does not happen that offer. Dr.Blumenthal asked before he left that we might measure these things and should we allow them certain amount of breeches a year? That is the right answer, we should. If you have one breech for 100 years and you have 10,000 companies, over the community you have a problems. Over the individual you do not. You have to treat this like community medicine and is the same thought process and we need to figure out what controls are rarely work. There are many that we understand quite well and make sure that those are in please because we can measure how well they reduce the risk to the individual and community. I am bidding circular here. Go ahead.

    I wanted to add something to read David's original question about can we learn from the financial industry? Previous to the in Healthcare I did some consulting in financial and banking and would say that aside from the amount of investment they put into security, which if you look their budget allocation would be in the double digits, they look on to do things as an industry that we do not do and have tried to do but do not happen. They share information about threats and vulnerabilities and come together and require their business partners to meet a standards set of requirements the goods is driven by the industry and necessity to put in please controls over the losses and fraud case. So, I think that is not lot that industry can do modeled after what we see number of successful industry doing elsewhere. Some of the attributes that are talked about are already in place because we can see them and measure them and model femme.

    Let's go to the phone.

    This is Stan. Following on what David said, I was impressed with the idea of evidence-based policies and practices. It certainly has been my impression, as well, that we have a lot of dogma and Best practices that are enforced by inspecting agencies and things that there is very little science or data behind. A specific question-my interest was piqued by the password. What is known about optimal password change time?

    Every two weeks, it feels like.

    We are probably overdoing. Thereko is not meant lot of data but no of the two ways to answer questions. And one is with Einstein, the thought experiment and the other is by measuring [ indiscernible ]. We have lots of ways to do the first with password change requirements. The fact is that from almost everything we do-I will generalize because almost everything we do in Security we do it will be on the point of diminishing returns, almost everything. Everything has a curve and gets better and better until liquids getting much better and the more and more we spend on it. Because we are all perfectionists we push things beyond their point of diminishing returns and change time and passwords is classic. If you look at PINs for ATM machines the average person changes their password 36 tinners 17 years. We laughed that because that's-It puts their financial bottom line. It turns out it is not a problem and, therefore, they do not fix it and no one has been able to show that is worth fixing. So, password changes help against people who have learned your password, directly and that same person is attacking your system. They help against almost nothing else and we change them away too asp.

    Thank you.

    Dr. Harris?

    Does not make quick f ollow-up. In your Survey there were not small ambulatory practices, by and large.

    Is year we had 7% of the people responding were ambulatory practices.

    Or the release more like 5 to 10 physician groups or hundreds?

    There was a MX. We made an effort-the are hard to get to participate. We are going to continue to try so that we get them in the max.

    It really would be critical as you think about your survey. It seems to me this is where the challenge is where we think about bringing on 800,000 physicians and the vast majority of them practiced in groups that are in the 5 to 10 range and the entire organization is less than 15 people. A staff of six or seven as security is never going to happen. Peter, it really brings me to the idea of trying to understand what meaningful use will be for that kind of office practice? My question to you is, have you had enough experience to see a best practice--

    For the small?

    For the small one. I was going to start with David-too a small practice have you seen a set of best practices? Can you speculate on that speculate about where do you think we would have to enforce security if we wanted it to be uniformly, consistent the deployed? I am thinking about certification, and Judy Murphy for Security versus the idea we make it a meaningful use the standard?

    In terms of the best practices, unfortunately we have seen more examples in the other direction to date. The approach that we have taken has been to identify some network and hardware contractor perhaps that will help do the deployment so that we can then managed them, so there is enough scale at that level. Certification we think would be a terrific step forward, but for next or perhaps as a hold so that there is the assessment and efforts to assess where the week points are and what we should be doing about them, but also so that we can combine them with educational programs to actually help people get to a Common-base level recognizing that the risk for the individual patient is the same whether it is a small practice or large institution. The risk for mask data extraction is very different. There are the different parameters. We would see a little bit more stick being useful here so that the education will include not only the technology but the practices in those practices where just within large Institution the big challenges are the practices of the individuals as much as the technology.

    I think we will go to Karen then Wes then backed Dixie.

    My question relates to the HIPAA Security.

    And Walter.

    The HIPAA Security Standards, when they were adopted, initially, they were deliberately very scalable and technology-neutral and, essentially, because of that they sat a floor and do you think the floor is still in the right place and are there any things that are not currently address in the HIPAA security roles that you think the changing environment would dictate we address?

    In General, I think the HIPAA security role does the a Good job in the area of scale ability and has a risk-based polkas and does do risk analysis and assessment and base your control selection balance between technology and policy and procedure based on that risk assessment. I think that is still the way to go, especially if you want a scalable solution for the smaller practices. The area we need to work on is guidance and best practices. So, in the area of authentication we talked about one after versus two factor and as we move to read an environment where a best practice might be emerging, it needs to come out to back the form of guidance and even in the audit process done by whoever does it and this is what we expect today is the goods is very well laid out in the guidance or implementation Guide that come out associated with that but still meets the spirit of HIPAA. You might not need any statutory changes but rarely to reach out and get information into the implementers hand and what we are looking for today and what we might be looking for in the future and that is based on data about what works, what is affordable, tracking the budgets, resources and making sure they match.

    I think HIPAA, basically, is enough, as well. It turns out that identity is probably the closest thing to a silver bullet. We have never been able to accomplish broad identity that is to strengthen the identity-to know better who is logging on and who is not and who is getting access to the information and who is not. I think that will change over the next four or five years and Microsoft has made big push on the identity. The r starting to come together for and understanding that these other technologies are running out of steam, special in the extended enterprises. The problem I see with HIPAA and everything else is that by the time it is a few years old, a bunch of the organizations have made them huge check was that they believe what it means. By the time it gets to some smaller organization, it is daunting and the checklist is the person between that has created it, not the guidance. They are doing that to make their job easier because they can send out college graduates to do assessments. This is required, when people are doing assessments you have to make it more simple for get them to do their job. It would be very helpful if whatever we do and since we have the great opportunity to do it 2.0, to make sure that we have the undo command in there, not just the do command. It is so easy to add and so hard to remove. We need to build it in requirement.

    Wes, is that the title of your next blog, the undo command?

    I am almost afraid to ask Peter a question. Another one of my myths might be shattered. Let me ask you now m ake question.

    [ LAUGHING ].

    Did you profile your responses by organizational size, Lisa?

    Yes. In this year, 49% or standalone hospital.

    For a specific response?

    We can cross tap it. Does not in the summary report, but I can however you would like. If you ask the question I will get the data for you.

    Great. Thank you.

    Peter, taking them chance and asking them question, how would you go about closing the [ indiscernible ], specifically, what are the mechanisms of for creating a consensus group to ask the question, review the answers and put it into practice?

    We are repast and made-I do not know it is made law yet, the requirements for notification. I think that is a perfect starting place. I do think that embarrassment is not a great way to move forward so I think the private notification is a perfect place. One of the things that Verizon will do within the next month to month is release a standard format to categorize various events. It will be an open standard and usable by anybody the same standard we have used for years in the different studies we have done. If someone loses a laptop and someone uses someone, one will call it user abuse, theft or a loss. You cannot even get together and talk about how much things undone things are costing let alone talk about them. I would take the reporting requirements and make sure they have got some meet behind them, not for the public flogging but turned up the private reporting requirements and allow it to be private as much as possible, because it does not help move the ball forward. In aviation-I love aviation as a model, when pilots make mistakes, they carry a Pat in the cockpit, the next loss of form and if you make them mistake and fill it out and send it off to assets within 10 days and get called for that same mistake, you cannot be prosecuted on must you cause an accident or they prove you did it intentionally. It is a very, very good model for reporting and allows NASA to collect information and to all of the cross correlation of it all of the near misses and problems that might be issues. We have reduced the risk some of it in Aviation we cannot wait until accidence to figure out how to fix things any more. We have not made great start with that data. Doing the analytics you can charter someone to do it, whatever. That is relatively inexpensive ones you get the data.

    I am thinking in terms of who gets to decide what should be studied, what is important and how to react to get?

    It is a long discussion and I will not make it one long one here. --diminishing returns and all that. It is okay to make a standard that says whatever we require will be better than the last one. It will be better. You do not have to say it is equivalence. We could find ways to say that we will turn off this thing, maybe the encryption, because these other things were better. As long as you do those other things, you are good to go. Now you have no Magis in the go forward. It is not a best thing to require that Res continually go down and the standard is simple enough, whatever we do in version 2.0 will reduce risk more than version 1.0 By a Good analytic.

    Thanks.

    That was useful. Walter then Dixie.

    Thank you. A couple of quick questions. It was nice to see some of the findings. People are still struggling to designate a privacy or security office offical when it is a common requirement under SP one or a risk assessment to be done, which is an a standard requirement under HIPAA, still and people continue to respond in some of the surveys that they are not doing this or have not designated that's because of his fascinating to see. The first question is, really, do we need to have a much larger picture of what is happening around the country? 196 responses, while it is wonderful to have that perspective, it creates more questions. That is my first question.

    I do think-The reason I did the survey starting last year that is I thought I could not find this data set. A lot of our members say to me, what I would like to have this data from my peers about what they are doing. I did not want to hear from the vendors. I want to hear what my peers are doing and what technology they put in plays and the problem they were there to solve and how they are working and what are they looking not doing as time goes by, etc.. I tried to make sure we were asking the right people. It is not a what open circuit where you get a but I do not know the answers. I think we need the data set about what to implementation is. I will be looking over the next year to partner with other organizations to try to get the sample size larger. Personally, I think we're talking to our members before when I was not security consultant, this does not surprise me all, especially the medium to smaller organizations and what you have here is not person answering the question honestly because their hope is they get more recesses' applied so they can do some of this stuff and there is one our two people in the organization that understand what should be done and there is not enough support to be done. It is a small sample size that is the right people that are responsible or have some management responsibility for this and is important that we stick with the population. I think we need to base our decisions and standards on what is doable in some kind of road map and the only way to do that is by gathering real data on it. I hope that answers your questions.

    Thank you.

    Your new. You can have as many questions as you want.

    Is fascinating, the testimony with Peter and I want to take it one step farther. David brought up the concept of performance measurements on security standards and you took it back one step higher to evidence-based measurements. Earlier this year we got a new pledge for something even higher, which is comparative effectiveness to try to assess not just what evidence shows, but what is more effective when you compare two Technologies or two whatever to delivery approaches, treatments or modes of intervention to see which one is more effective. I wonder if in your research, maybe you could also comment, Gerry, on the research side, has there been any direction towards identifying what the - -Comparatively what is the most effective way to make this work, to secure authentication or use encryption for protection of the integrity of the data and things like that?

    Countermeasure effectiveness is our word in the security world and can be measured, especially if you have a big enough sample size and there are plenty of examples sizes. People do not think about it well enough to apply it to a whole standard but is absolutely applicable. In medicine, the outcome is, God help [ indiscernible ] or didn't die. There are relatively few outcomes that you are measuring your effectiveness against. In security you have to talk about the countermeasure effectiveness versus the particular threat. Firewalls have no effectiveness against environmental threats like hurricanes, but have about 90% effectiveness against hacking. It is more tricky because you have to make a matrix to answer the question that can be answered.

    [ Audio/Speaker not clear].

    I respond to that by saying that one of the things we do half Jucy is set ourselves up as a target and make ourselves look like we are now made valuable Target. What always interests me is that the attacks are elegant. They are smart. They are not hacking. They are doing very, very clever things and, so, the extent to which you can defend yourself against really smart malware is not clear to me. One of the things that I think saves us is that we are not always a big enough Target. There is, looming el there some 9/11 type of event, probably Financial. Given what we see, it scares me, especially when I think it might be our students that are doing.

    [ LAUGHING ].

    Walter, if you do not mind I would like to answer it. You asked about effectiveness measures, comparative effectiveness and also mentioned what Dr. Blumenthal mentioned earlier, the performance measurement. I would say I agree with everything that Peters said you have to measure, countermeasure effectiveness against the related effects and caution that we need to be careful we do not measure the wrong things. One thing mentioned earlier is the number of breeches. Based on the statutory requirements, something has to happen when to detect the breech. There is no incentive to detect it in the first place and organizations do not know how to do that. We do not know how many breeches happen that we do not know about. We have to be very careful with what we use as a measurement until we get more sophisticated with our practices.

    We only have about three or four minutes left, maybe if you could go next, Jodie and then Dixie and David, can we get you on the next panel? Thank you, David. Jodie?

    I just wanted to follow up on the make conversation between Wes and Peter and talking about getting data about breeches that occur and the new breech notification requirement so, there is a requirement to report to HHS on the speed of thought and particularly large breeches. My question is, do you have advice to us as far as some key pieces of information that we should be requested on and routine basis as part of that reporting requirement to better understand these trends and that's we have been thinking about this, I would like your idea on that.

    The quick answer is we will let it give you lots of time to figure that out. The short-term answer is the standard we will publish and Scott a nice, simple format and requires the basics of those things. The most simple thing you can do is require an investigation. Is among those in there with a template but they said they need to get, you will get the real answer. If you trust the press, they are only taught-the person who was not constraint is the person who talks to the press and they are the ones that do not know what happened is because we get the data from all the wrong places in the world today and if you only get notified that there was a breech, you need to get under the covers and what the root causes were and that requires an investigation.

    Let me wrap it up with Dixie with the final question for the group.

    I have no specific and general. The specific to Peter is, you said here that encryption of data and other large systems typically provide no value versus the large majority hacking Press scenarios and two lines later you say that database are several orders of magnitude more important targets than the user devices. Those two statements seem exactly opposite to meet.

    I did not say encryption-The question is whether encryption is a good countermeasure for hacking? The answer is it is not. If someone who is bidding gets into some system with an administrator password, if you go to any system with the right user name you get the data whether it is incorrect or not. If you log into the system as you and ask the bank to give your address they give you your old address.

    You are talking about full risk encryption, not encryption of tables in the database?

    Either one.

    Is not true of his individual encryption.

    We can talk about this. There are forms of encryption that are very useful. You have to be careful where you use it and do not. Encryption is very good at physical theft but if you lose something and find it and try to restart it and try to get at it, that's-big databases are already bolted to the for in the server room and are ready very heavy and all kinds of countermeasures that keep physical that from happening to the big databases. We can let the engage you on which forms of encryption are actually useful, but the vast majority of the way we use them in large databases and waits we require them does absolutely nothing.

    Let me ask my more general and something I am more interested in. You talked about, Peter, the effectiveness of mechanisms and we in the security world talk about the effectiveness on mechanism and strength of the implementation. I know that Gerry knows all about the strength of the implementation and resistance to attack and making the systems do what they are not intended to do and that kind of thing that. Was of our standards have really addressed mechanisms, security mechanisms and really have not addressed levels of insurance of implementation against penetration. Do you think that this standard panel should address the strength of implementation, as well as the security mechanisms? I would be interested in what all of you have to say about that.

    Lisa?

    Yes.

    I will say yes, also. One is the product and the other is the enterprise. The Enterprise cannot-You cannot take them lousy product and implement it well is because that is why the last panel said we have to do all of these work arounds to make these products that do not have the right characteristics-we have to isolate them and all of that. the the product to reach the baseline, the software, applications, all of those things. Almost all attack ups that are successful, and no are multi-step and like any accident sequence, like anything else, to stop the attack you need to stop in one Place. it is three or four steps and stop-gap one of them, you have succeeded. You cannot be present everywhere or make them perfect system or make an airplane that runs into a Mountain and everyone gets off in California and said we spelled out or oranges back there. We know we cannot make a safe airplane. Instead we make countermeasures' work together that make it more say this because that is the implementation peas that needs to be part of the problem.

    You would specify that allows that's the only two standards I know that relate to that are the common criteria assurance levels and the NIST assurance levels of authentication. What would you use? Which you just described the resistance to attack, or what?

    But of those are product-oriented standards, the way they are written. The standard, like HIPAA is enterprise oriented. The attack is not against the product or encryption where some little thing to. The attack is to get to the data and get it out and do something with. One of the things I suggest here is that non-critical systems are way more important than people believe because that is how the bad guy gets into the organization and once they are in they do other things to get to the Place. It turns out a light weight control over all the stuff is stronger than heavyweight controls over some of the things in and organization.

    I think we have gone over the time but what I will say is thank you to the panel. You bought and then brought some very impressive statistics and very useful dialogue for our ongoing work. Thank you for your time.

    Thank you, very much, [ indiscernible ] Peter from Verizon, dated from vital and Gerry Masson from Jucy, John Hopkins, very provocative and the provocative. Resisted the temptation to summarize, but lots of information informative to our standard setting and let me turn back to Dixie Baker to introduce the next session on data that, loss and misuse.

    I did before the panelists that just finished. We are getting exactly the kind of input we were hoping to get from this testimony. Thank you. Our next panel is on data theft, lost and is used. Anne Castro is the moderator. Thank you, everybody for this section of. We have had them made positive [ indiscernible ] all day and will continue that's because we have done lot of testimony on security challenges stability and reliability and security challenges related to cyber threat--I did before the people from --we have known for great palace year today and would like to start with Michael Mellor with your five minutes, if you will proceed.

    Good morning. I will try to keep it lead five minutes because I am Michael Mellor and the deputy chief information security offers for epicenters for Medicare and Medicaid services. I came out of the scholarship for service program and appreciate the mentioned blog. I am living proof that once I'm done that once people bread with the state in the program. I wanted to go into talking about what CMS is and give you background for some of my comments. It is a very large insurance provider that in 2008 it was roughly 21% of the overall federal budget with about $270 billion speech is an enormous insurance provider. A couple of little statistics here, fun facts to know and share about CMS. 15billion eligibility requests per Week come in. That is when you going to the doctor and give the entrance information and they do a query of seeing if you are in Medicare. Began 15 billion of those come in every week. Every year there is over $1.2 billion Medicare claims with over $1 billion power structure of the prescription drug claims. Between Medicare and Medicaid represents $0.34 of every dollar that is spent in the United States on healthcare, and substantial amount there. Along with that we have an incredible amount of sensitive information that we have to process, store and Exchange with are different partners to that do business with us and on our behalf. There is also something that is very unique to Healthcare data. If I went around the room and ask people to raise your hand if you have gotten the five letters from your bank that something happened and we lost your data-do we really care about that? You got them new credit card, you use it and do not care that someone stole your old credit-card information. If someone has that it is called the bank and tell them that it was not meet and they reimburse use the common people have gotten information from the doctor's office that we have lost your sensitive information and you need to get a knew the identity? It is pretty hard to get any kind of diagnostic information or sensitive information-you will not be able to do that, obviously. With the sensitive impression we have we take special care to protect that and also consideration is the sensitive population we care for, the over 65 and other vulnerable populations of the United States. The over 65 people are not going out and buying the Tories and things that require loans that are affecting their credits because the credit was compromised or identity compromised. There can be done long black there then someone in a different demographic might experience because some of the security issues related data loss, the majority of incidents we see our relative to the physical laws, someone loses a laptop, a drive, they are losing things. There is also a portion of anything else you can imagine from outside government perhaps trying to break into our system plead identity theft rings and all kinds of crazy things that go on. Some of the trade ofs relative to technology is that-1 that is particularly interesting, going back to the population we serve as, the over 65 and vulnerable populations of the United States, if you think of authentication when users come into our system, how we want to identify and authenticate them, there is all this great technology of there, multi factor, we talked about earlier, it is difficult to use for some of these older populations. That is something we have to consider as part of our system design is, how can we secure that data air and make it so that the people who need to get into the system can get in and is meaningful for em. Some of the security standards, HIPAA and the subsequent [ indiscernible ] publication, some of the challenges that we see is there one of the big ones is the boundaries--As we share data with other entities, if you take the letter of the law, the entities should be [ indiscernible ] compliant, going back to these doctor services that are exciting people that the doctor's office, it is very difficult for them to be compliant. There is not substantial of substantial amount of [ indiscernible ] sharing your information with those entities because we need to find it and take recant your information and also the security can be robust enough for refill comfortable sharing that with them. Another challenge that we see with some of these standards is the lack of verification of going in there and verifying that the entities are compliant with what they say they are compliant with. Part of the [ indiscernible ] compliance--What we see oftentimes we go in there and take them look the organization they are not compliant and there are holes that easily allow for militias individuals to hack in. My time is out. Some of the emerging issues we see is sharing the sensitive information we have with other entities because there is all kinds of great reasons why we share information with other entities including looking for broad abuse and healthcare research and better ways to take care of our beneficiaries. There are great reasons because we want to share information and make sure when we do that the entities we are sharing it with, they have the appropriate security in place and can trust that information with them. Of the court to answer any questions you might have.

    Thank you, Michael. Joanne?

    Thank you. My name is Joanne Conroy and I am an anesthesiologist's. I am the chief healthcare officer with the Association of American Medical colleges in Washington and in that what I represent the interest of over 400 major teaching hospitals and health systems across the U.S.. I am here to talk about the abuse of teaching hospitals and health systems as they face the challenges and threats related to data theft, loss misuse. We have large, complex institutions for a variety of reasons. Many of them are very familiar to the people in the room. Of the number of patients that we serve and the variety, the number of sites at which we deliver service, the number of students and broad range of clinical research that is performed institutions, while there is no teaching typical hospital member, I can tell you that many have between 10 and 20,000 employees and have between 1,002,000 physicians, many of whom are not employed by the system but are voluntary physicians that teach. Out of the [ indiscernible ] for medical education we have hundreds of students and medical students, nursing students, residence and untold numbers of visitors that enter our institution. Iran and large teaching hospital in northern New Jersey and 20,000 people walked through my doors every day. several of our members noted, the diverse nature of our academic medical campuses require that we develop collaborative Security Plans and mitigation strategies that usually involves our IT department and legal compliance officers and to support the efforts, certainly continue to employee education is essential but also ensuring that everyone trained from Stevens Creek residence treat all allied health professionals have the appropriate training and is the titular the challenging given the large number of individuals and number of institutions at which they might deliver some care during their training. Among the approaches that we use our strong security policies, standards and education programs and we do teach our employees to encrypt sensitive data and report suspicious activity, provides secure e-mail to employees. We require them to factor authentication for remote access to the network and many of our non-employee physicians, they have remote access to our data speak local exception of laptops, logging, date of use by authorized users and termination of employment for misuse. That is played out in the public press in several specific instances. One of our biggest challenges, of course, is the use of portable devices, laptops, PDA and thumb drives. It is hoped that the continuing education of this group of our healthcare providers feel the need to provide--Will ultimately ease this problem. Faculty also rotate three different hospitals and often need access to data at Hospital A while working that hospital and at Hospital B. We all take steps to make sure it will not happen--we routinely offer credit monitoring for a year individuals whose information is stolen and many institutions are using the to full does encryption-to try to mitigate the risk, but as you know, most people that what in and out of our institutions to carry on corrected thumb drives. If we had a celebrity patient in any of our institutions there is an additional level of security to ensure that an authorized users were not accessing the data set. Our biggest challenges in the area of clinical research. The research is ongoing and can be identified and once completed there are often reasons why we have to keep the patient data [ indiscernible ]. The emerging issues include the use of social networking and personal devices in our institutions, and ensuring the security of information and our memory sticks and health information exchanges. Our members are aware of the advantages of electronic data but also realize that such data represents many opportunities for pas theft, loss and misuse.--Thank you. I look forward to the discussion of the panel.

    Thank you, Joanne. Hi, thank you for having meet. I am the information security officer for get the New York Presbyterian Hospital. You have to sympathize with me because it is associated with an 2I believe medical schools and each one are independent and have independent employment, employees, students, residence, etc.. I am also the information security officer for the Columbia side of things and coordinate with Cornell. I have dual roles regarding the information security. What I want to do today is this on to talk specifically about data and an audit laws and data theft. In 1996 the Yankees are playing the roles and one of the Yankee players shows up our hospitals because we take care of the present and next thing we know more than 100 people are talking about their issues. That was the start of our audit laws and that proved that students were very callous about it and that's I can tell you that they have not been sense. The dean took care of the problems starting at point. I will do not make the score to lead to the House and. The Presbyterian hospital is working with the New York Hospital. We have 75 Systems. Data is everywhere. Registration system is separate from the clinical system in February of 2008 [ indiscernible ] from Brooklyn sat and started printing from our registration system and handing it over to a friend for Sans a copied. We were contacted. How come you did not know about it? We did not know about it because in the original system we have threshold of 100 Sengupta the registration system we had a threshold of 300. There were two too many--And vendor's audit logs where it substantially that. That is the way I can say. How is that? It put medical record numbers in some records and put the Internal record number in other places so that we could not put the accounts properly, so to speak. It was hard to understand. You must have something that can be easily read and it was not easy to read. We have problems. So, looking that and going back and looking market, could we have been triggered? Yes, if we were doing right. We can get the audit log Standard and in a proper way, you have to get all of the vendors follow the standards because it is not difficult to do. This mender's still does not-not few things we learned from that episode and have added those things, one of the things is if you saw somebody looking 50 medical record numbers, as the question, why are they looking at? It does not happen, only a nefarious person sitting out there and try to keep track of how many he has done would do such a thing. An example we do now is look all of the registers across and see how may be accessed on average and if someone is really an outsider we ask the question, why is that? Another thing we do is based on their past practices if you have been looking at 5360 patients, what are you suddenly working mec 300 today? Any of those would have caught it. I will give unanimous couple of examples because researchers look of Social Security numbers. What would they do that? The reason is because part of the trials they have to make the 15 that was to go to the [ indiscernible ] to find out if they are alive or dead. A Clark changes address of a did fiting, address and name of a patient before cutting a tech and putting it back the way it was because the question is, do not have the [ indiscernible ] so that we can look for something like that? I want to get that message, against. We can talk about other things, but the challenges we have today, one is [ indiscernible ] they are big enough [ indiscernible ] there will be one or two or three. We lost over 5,000 posts and bought thousand [ indiscernible ] on the firewall. That is not enough. This requires national effort. Everybody is talking about biomedical devices and I would add to that waterless. The state of wireless security today is the same level 10 or 15 years ago. It is a disaster waiting to happen in terms of the security or crush of the entire system. 1. I want to make it cost and budget. We can not be seen as financial. Financial spent 10% of their budget on the 14th. Healthcare institutions spend three or 4% [ indiscernible ] we have to make sure that whenever we talk about, more controls [ indiscernible ]. Finally, I will say that one of our colleagues son had ambulatory surgery and we ask the question how many users look that record in trying to take care of the patient? We are supposed to tell them that these are the people who've looked the record. There or 54 people within two days that looked that record whether care, nursing, billing, follow-up, social work. The number of people that looked not the record is very, very large in or institution. Explaining that to patients will be a big problem. The audit logs tell us that and we need to understand how better they can help us manage. Thank you.

    Thank you, Soumitra for. Rodney?

    Thank you.

    I would like to First thank you the HIT Standards Committee for inviting me to participate this afternoon. I am the chief information officer for Healthbridge which is the nation's oldest and largest operational [ indiscernible ]. I would like to offer some of our real world experiences and how we balance usability with the need to defend our data set against the rare but [ indiscernible ] events of theft, loss and misuse. Let me give you might run on Healthbridge. River founded in 1997 with the original goal of enhancing the ability to share clinical information electronically in the Greater Cincinnati tristate area and today we have grown and connect 24 hospitals, about 700 physician practices, 17 local health departments and dozens of other healthcare entities including commercial labs, diagnostic centers, nursing homes, etc.. In our metropolitan area that is about two Point one people, and it has grown in our master patient and next week [ indiscernible ] we have been able to achieve very high adoption rates in our community with roughly 90% of the physicians in our service area are participating in the exchange. From my experience, the setting that presents the greatest challenges of in combining the desire for an ease of use and the need for debt security is the physician practice, itself. We have seen firsthand the complicated and cumbersome process is for access zero will hurt the adoption rates in what are already busy practices. This is compounded by the fact that depending on the size they also tend to be less sophisticated in larger organization with regard to Security and IT in general. Most of our physicians do not want another password to remember and would like to spend their time treating patients. The situation presents a difficult challenge and we have to work hard to strike the balance between usability and Security. To this and we have developed and variety of strategies with theft, loss and misuse is still allow easy access to read all of our systems. One is the full and excessive use--Impose greater controls and burden on the users that have the most privileged access. Users to access with clinical information, they are prompted more would challenge questions and log off sooner than those with more limited administrative access only. But not employ a 1-That's all solution across our community, we are able to raise awareness about security and the practices and provide further protection of our data and not create barriers so that the system ultimately does not get used. This would seem to be a pretty obvious conclusion, but in our experience, many of the software applications currently available do not have the flexibility to support the multi-led security roles and hierarchies required by health Information Exchange, which is unique in that is much connect across across multiple independent organizations, not just a single Enterprise. Often, there is the need to support multiple roles for single individuals, a physician that has a private practice but who also sees the 15s in a nursing Home in the evening. There is still work that needs to be done in this area. We found one important tool that would partner in managing security is the [ indiscernible ] Administrator. We provide tools and processes and a System in maintaining the security and access to the data sets. Powered systems force them to review and acknowledge [ indiscernible ] on of recurring basis and the log and audit all of those changes and get approved by the HIE. Another strategy is the maintaining of a Community directory of healthcare workers so that the system can recognize when an account for a user is requested in New location or organizations because we can verify if the user it authorized in the new location and then act appropriately and can practically disable accounts if not used or that some period of Time. When we get into emerging areas of concern around the tug loss, the increased use of portable devices and the need for controls on things like Web browser caching and cut and paste capabilities out of the systems is an area of concern. For our staff, we have already employed full disk encryption, technologies, we put password encryption is on the PDAs and so forth and additional policies have been put in Place. For Some of the clinical applications that we provide access, there is currently no ability to disable a user from-as was mentioned by one of the other panelists, doing a screen print or doing a cut and paste, there are some mechanisms to minimize this rest, but still is not made big gap that we think will need to be addressed in the future. If we truly want to provide an end to end solution. Over the last decade, we view the collaborative activity as the core function of our HIE. We are running out of time. One last point is that in the rapid changing environment that we have today, we see other HIEs as not having the luxury of many years to develop their own strategies and Best practices like we have. That is that one reason why we have gone down the path over the last few years back lots of establishing an a network of health information exchange to recall the collaborative communities and has allowed us to assist with the rapid establishment of new operational health information exchanges and in the model we share the technology infrastructure, best practices and give new exchange is the ability from day that want to have the tools and robust infrastructure to protect the clinical information without the big star of cost, big resource expenditures. We found having the template is-and exchange, to use it ensures they have what they need from the beginning and facilitate rapid implementation and best practice option. They have the technology in place to verify who is sending it, insure the transports securely and of the user is authorized to see it. In this way we know the standards are very, very powerful.

    Record that your testimony we are past hour time. His time to open for questions from the panel. Elizabeth Johnson was so fast up, she can go first.

    From the last several panels we have heard about role-based security and I think I heard you say, Rodney, that we should make it more robust about the physician's entry into the system because they might have more secure data. Joanne, I would wonder from your perspective as we try to set those threshold as a physician-we have not real dichotomy going on. One says [ indiscernible ]. One says the physician will not use it if it is are to get to. What do you think?

    In our institutions we do have role-based security levels, but when you get to the care of the patient and the multiple use of consultantses, it becomes more problematic as well as the role of the President and medical student the learner and what level do you restrict access not only for patient care but for the educational experience? That is a challenge for as.

    Rodney is that, if I understood you correctly, that you have a system where you require more robust security to get into certain data and because [ indiscernible ] and as I think about Dixie and other settings for that standard, how do you get both?

    What we have tried to do is set the barrier higher when there is greater access. The point that I was trying to get across is we do not want to distance sent people to use the system. We have gone down the path of if Dr. Smith can gain access, he has access to these five systems. We are going to set the bar a lot higher. That requires a system that has that flexibility, is essentially. That has not been our experience with most of the systems we try to integrate into the HIE. We said as a HIE in a unique place in the middle. I think it will become increasingly important to address that gap around specifically access methods that will work across independent, often times competing organizations, right?

    HIPAA says minimum necessary [ indiscernible ]. Doctors get access to everything. We need more work on our end to say that audit logs are going to tell us what the patterns of access are and if a pattern of access is substantially away from other groups of people, we need to investigate. That might be the only control available that addresses authorization that we normally and appropriately [ indiscernible ].

    I will open it to John Halamka.

    One of the challenges we have is what to do with policy and what to do with technology. Let's take some of the examples you elected. I have 26 different roles and in my system. Why? It was invented in 1977 and all we had was space as in one byte field. Should we develop a standard that says we will define a vocabulary-controlled list of roles and you must implement those into your system in the following way. Should we have a policy that says the minimum need to know and the rules might be different by institution? Or audit trails gets you describing for audit trails. To be prescribed an audit trail would be identical for every single application, or if not the application, do you feel like at the application but upon request submitted from your borders, or is it a policy that says on request you must be able to produce and produce a until an audit trail of some type that says to, what, why, where or when?

    [CAPTIONERS TRANSITIONING]. Audit logs can be highly prescriptive. Explicitly to the degree that we can then figure out what is going on because it does not cost anything, it is back to the controls. If you put the authorization that is strict and then it is a friend and problem. That is my opinion.

    A lot of times when you use technology encryption, role based access, these things are great ideas, but you can to implement them at wrong and the not better off by and I think it is important as the gentleman said to have both of those from the policy side in have a high level, this is what we want you to do and this is the goal of what ever technology to use the get this and result, but this is where we want you to be.

    To clarify on this audit trail discussion, I have no idea what the proposed rulemaking may say which regard to certification process but did mention, do you certify that a product must have an audit trail of a very precise nature or decertify a project that have ever come by huge number of applications in your institutions that the institution has an organization and its projects come on meaningful use can produce an audit trail with certain data characteristics?

    We cannot produce audit trail if the vendor it does not [ audio not understandable ] as simple as that. We beg.

    This is a little directly opposite from the feedback from the fenders. [ LAUGHTER ] we have to find the truth.

    The standards are what drive the vendors, if you make the sender's this is what we have to do than the entities when the call-up by product to implement those standards, but if the standards exist, the market will drive.

    Very helpful Wes.



    I did not Hill a conflict. Between with the vendor still does and what the panel told us. In a sense that the vendors objected to a very specific mechanism for creating audit logs and I think it is a [ audio not understandable ] as it is called. We said, maybe specify what they need the give us and if they need to give - to do some PO's processing to do it to us to give to us that is okay. I would say that we are - Well maybe there are vendors that it to say there is not an audit I think I see a path to that apparent conflict Rodney, you are operating in HIE that has both a portal and its systems that exchange data, right? Talk about rule-based access, I was not clear whether DOW was for the portal or for all of the systems? Be made in a comment extenders for all the rules for the edge of systems and require them to follow That standards? Is that how you roll - apply your access SPACE-BAR will ?

    It is a little bit unique in remote access by physicians even when accessing position that said one of our partnering organizations, one hospital for example. We have essentially become a single front door essentially into those systems across a variety of different institutions. The rolebased axis is primarily a round that portal. There are multiple layers beyond that so we are still, it is up to the individual institutions to ensure the security of their own data. It can be open or as restricted and that is up to them. We are part of the process, we have folks that thought and interact directly and we facilitate physicians getting access. We sit in the middle of the process which is another opportunity for education.

    The point I am trying to drive towards is there is a level of rolebased access control that is incumbent on anyone who provides clinical system to users whether it is HR or portal that users and there is a level of rule-based access control that is part of the bookkeeping, the overhead that you operate when you are exchanging data between systems. It is in the background. In order to be able to exchange rolebased information about the users, we have to have a standard for what those rules are. That standard has to have been rolled out and implemented in all the systems that conform to the standard. I think that is a really big challenge. I am very happy to see that Healthbridge has roles and rule-based access control I would hate to say that the Veterans Administration Hospital in Cincinnati and several other hospitals with have this use the SAML definition in order to exchangedata.

    This is Deena Pressman, I have a couple of questions along the lines of John's questions varying process policy standard around monitoring usage. What are your thoughts about monitoring usage with brick glass versus not break glass and is there that level going on within your organization?

    In our case, doctors have access to all data. It did not have the great glass. And our HIE there is a break class functionality. And our HIE, we work with HIE bidirectional. Anybody who looks at our patient will need to know and what ever our people are looking at we need to know, we need to note the class and read letters from. I think that is what you would find in other places also.

    My second question is around intrusion detection and in terms of minimum standards around intrusion detection, do you have any thoughts?

    You have heard from my practitioners here that we all do security in depth. We put multiple controls around. For instance if you put multiple controls, but we take that apart and looking at best practice. Does that help for this committee to say thou shalt not have firewall, but thou shalt have a and IDPS and IPS, I don't know. I did not know if you want to go to the network level that is changing every day. I think the standard around healthcare data specifically is very useful because it is at that place where fast and other words I am not following day [ audio not understandable ] issue, somebody from outside and from your perspective, but you are addressing the issue of internal thread. When we look at what exactly is being stolen today, from our experience of what ever the breach that we see, we see celebrity, whether George Clooney or Britney spears. Or it is a local celebrity that means you don't know about them, but it could be - or somebody else. Or love time goals which are on the rise [ LAUGHTER ] and it is a subsidiary unfortunate aspect of that is [ Audio is unclear or faint. ] there is other [ audio not understandable ] related to your relatives and your employees, the people that you know. To address the [ audio not understandable ] is not something that you do buy audit log. You have to know has [ audio not understandable ] so we do not go there as much, but we want to be able to see if there is - we want to know from the locks, with sufficient details that if the access - this and there is deviation, and we want to [ audio not understandable ]. If that catches the people then that is good.

    How do you define this pattern?

    We defined based upon statistically and research in this area. You take of the registrar's and take their - here is an example. You take the Daily number of access and do a box plots on it and if you do a box plots and sort them out and look at this way anybody going on that site that is an anomaly.

    We do set up surveillance around certain patients. Track that and it is an on the educational opportunity when we identify the people that should not have access the record so they tend not to do it again.

    Walter?

    Thank you. A couple of quick comments and questions I guess with security, there is always a challenge of to what extent the extent we are looking at standards for interoperable communication between organizations and looking at standards that apply inside the firewall the organization. There is much more interconnection and interrelationships between the standards inside the organization and interoperable standards when communicating externally insecurity than some other areas. That is always a challenge and in a lot of the things that I heard today, I heard recommendation about standards that apply both internally to an organization or how we internally define our things as well as standards that apply to exchanges between organizations throughout HIE or other. The question, we talked about our back and some of the areas around that and indeed we have - international standards for identifying roles I so developed one and it is pretty well defined a standard my question is not about the who, it is the what. A couple of you have mentioned the importance with respect to Data theft, sensitive help affirmation. You use the word that sensitive a couple of times. There is a big challenge that we have is to extend and in what ways can there be a description, definition, classification of health information that allows entities to implement policies that are much more stringent for protecting such data versus other data as yet what is your perspective and experience categorizing and classified internally information into that is more sensitive?

    Social Security number is the number 1 problem. The reason health care data after the event we had to go to the district attorney's office in a long wooden table and had to explain what health care data is all about. There were surprised to find Healthbridge data. It had mother's name, Father's name, address, Social Security number and plenty of other things. All that is very desirable from the entity theft perspective. If you could move the social to carry I know it is impossible, but if you could remove a whole set of people that will be interested in the data aspect of data itself. Every other sensitivity about clinical data, difference upon that [ audio not understandable ] if it is a celebrity who has a problem with the hand than the I looking at the data flows associated with hand part. The inference is the specification, generic looking for something sensitivity is entirely - dependent upon the content.

    What kind of mechanisms have you been implemented to fly data and do you have a categorization of bad data, for example behavioral health data or - bust?

    It is in a lock and key someplace. We do not have higher than the other high police. We simply say if it is there, it is there. Sometimes people will make cash will mistake, this is not where I wanted to be I type of medical record ROM. There is a pattern associated with how quickly went in and went away. If I am looking at somebody and they're looking at one category of data across 10 patients, 15 patients now which is a pattern that any to ask the question why it would be. Is there a legitimate question or nefarious reason? Not whether it is sensitive, but how about how [ audio not understandable ].

    Rick ?

    A couple comments by the Social Security number is up and people worry. One of the people lost the laptop and - - it is in one place and people now have other numbers and I am not sure what why health care this not do that. That eliminates the high risk side and still be able to get the work done. The question is a high level one and goes back to John's question earlier, to understand how we put in place the right standards in regulatory requirements in place? From your perspective, is it better to have standards which some industries are involved with or being in the hotly classified the ODS side in the black world or regular regulated oversight and a couple range of compliance the we have? There is Association the pull together and make it mandatory for Health IT that organization that must be part - there is a huge amount of learning that occurs. Where do you think we ought to be in this spectrum? I late regulated oversight audits, all the way down to have the standards or somewhere in between the help make sure we are meeting our Standards requirement?

    I think somewhere in between is where we will end up. The problem that we see is we have probably 100 hundreds of entity every year that come to us, the it has stores and say everything is secure and we're good to go and we put all your standards and to go in there and we have the people look at things and break into the system, they almost always find the opposite, there is gaping hole and - without doubt on the piece and there without the verification of someone going in there and verifying that the security is as it's supposed to be as it is you will always have a huge hole. Somewhere in the middle is the problem for a lot of the bigger organizations, for the small doctor office, and people that work there, that is going to because restrictive where they will not able to hire someone. It is a give-and-take somewhere in the middle that will end up.

    To drill-down more, one last time on this policy versus technology question. Let's talk about the business case for having standards around defined roles, I will mark over how you are listening in the meeting just emailed me that the - defined roles because there was a need and business need to said that I want to declare rolls across the organization to begin the exchange. There's two ways. You could do that, but I wonder as a patient, do I consent tour will to look at my data or do I can set to an access level? Let's say the record is segmented to demographic, standard care, HIV, mental health and substance abuse and you the institution decide how many will see how and map those rules to the segment the clinical access level. I am curious upon your experience, advising us what is going to be the greatest help to defining segmentation of the record, doing a technology solution on will based access control, a set of policies for which then you can implement as you choose? How can we implement policy, but we can be a part of the policy implementation exercise?

    I will take a stab. Sadly, for which solution you choose it is going to depend on the institution year talking about. For a small community HIE, a physician office, they need more prescriptive standard. What to implement, how to implement, because they do not have the resources and Chile to decide on their own frankly. When you get into larger institution then there is a desire and need, the ability, Resources spokesman for specifically. What basically you decide how to implement it at that .1 thing I tried to touch on is I think the smaller organization, they need the tool kit frankly.

    Patients the not consent that way today. I do not want them to consent that way. It will affect the care and some level. The there thing about rule-based access control is that there is always two or three people within that will who do much more than that role. Sometimes they're doing it because there temporary filling in for somebody else or they are just superstars. We do not want to pull superstars down. We want to make them do what they do and if they get the default will and we add additional privileges to them a call just because there superstars. I think we want to be careful in the very prescriptive nature of this thing, when I think you're saying goes across HIE, when the physician is related to the two hospitals and they need to get the two hospitals data and not any other hospital data which is different from internal to the hospital where we get to decide in terms of our operational functions what makes more sense, but the month. Spinet when more policy question following up on REXX comment. When I think of PC and compliance, it turns out I have one server for harbored for which it acquired passes. It is not at least that I implemented PCI compliant. Set of standards that require that have very specific policy that I had to choose vendor products that may not be quite variable that achieve a certain level of security characteristics.

    There is audited ETC. As, here is a set of function and functionality that you must achieve and we will audit you in go out what you'd do what you feel like. So this is the balance and can come up with the matrix that is a prescriptive on the technology standard and it is self and forcing or it has been there on the technology stack, but within the policy is quite prescriptive. So PCA has this easy solution which is due not - that just pass it through.

    Health care, on the other hand, data Wednesday and needs to be shared. We do not have that luxury to be just the sort prescriptive and WebServer to that and we are done. We right definition share data and the way health care - we chair too much data with to many systems. We just have to many systems. We can't acknowledge that here today. Each of those have to be managed. Their perspective on do this, do this, do this. I think within six months to one year, you have to come back to tell us again because technology is [ audio not understandable ] that becomes a very hard target to follow we all are doing a risk Management Environment Pepco it is the same story. Hospitals are not supposed to kill patients, but patients died and sometimes we don't kill patients, I did not say that. Similarly, we intend to do the right thing by Security, but incidents to [ audio not understandable ] and there will occur because the system is no benefit to it Packard them period . - - . That is not good - [ LAUGHTER ] and they did the right thing by us. They gave the dollar that we need to have. That is a risk trust mechanism. The larger organization not really the smaller really must have this different set of rules, but there's no way they can do this. Larger organizations can afford the rules and that helps manage the problem.

    When other variable we have not talked about is that trend for people to be practicing at the top of their license which we are not currently doing and I think roles and responsibilities are going to start changing. Nurses will have a wider scope of practice. Small physician's office, there are a lot of bottle washers that do everything. I thank you get into dangerous areas when you start to restrict around rules because there will change as soon as the ink is dry on that recommendation.

    We only have a few minutes left. Wes and David, if you can take them both were quick. Wes go head.

    At no disrespect to the panel I need to respond to something Walter said. [ audio not understandable ] has Senate for real names and - has standard for roles.

    I so. There are standards for low road names and the four heard one thing this morning that we pick out in this meeting and take every time we discuss this topic it is to think about the impact of applying that standard and organizations and all I'm saying about standards for rules is that the impact of applying it to to a couple hundred thousand physician practices is really substantial and we should really not take it on unless there is an absolute mandate to do so.

    David.

    Equip, and on the notion of segmented data this is for the whole group just an opinion. I think any static partitioning of sensitivity is the tend to to fail because it is always contextual and if we bylaw have certain static required segmentation's, but we should seek to minimize those I would rather see us change things so that the data can't hurt you some sensitivity is compromised and Gina, the genetic information nondiscrimination Act is a step to that direction and I would like the market that all medical data is genetic data so it all to be protected and if it is to disclose we should not hurt you. Rather than trying to par sell it and a static boundaries which is would not be sufficient.

    I would like to think the panel for your testimony to doubt it today and I'll turn it back over to one of the Johns.

    You get me to introduce the break [ LAUGHTER ] we will take a 15 minute break and return at 3:30 p.m. and will have the last bundle on building trust and as usual will have time for public comment at the end. That has been a rumor that the FAA computers or down. I understand that has the effect of that land and the Southeast and they are backed up. The fact that [ audio not understandable ] is so, that all the computer systems are safe. See you in 15 minutes.

    (The HIT Standards Commitee meeting is on a 15 minute recess. The session will reconvene at 3:30 p.m. Eastern Standard Time. Captioner on stand by. ).

    Can you take Jersey to please. I think we are ready to begin.

    Okay well, we are reconvened for our next panel on building trust. Very robust discussion and Dixie and I were just talking about it and we have raised so many interesting ideas today. A quick call on the upcoming days, Monday and Tuesday next week, to put folks in our committee to reflect well it is fresh on our minds. On the Building Trust Panel, will hear from Alain Sheer, from Chad Skidmore from the Inland Northwwest Health Services, and from J. Brent Williams from Anakam Inc. And from John - from MIT. Elaine, what don't you start as of.

    Thank you very much, I appreciate the opportunity that we learned from the commission.

    Put the mic a little bit closer.

    Thank you for the opportunity about the lessons we learned about the information security program. Before I start, my remarks and comments are my own and not necessarily those of any commission or commission itself. Through the information security program that the commission is operating, we brought 26 cases under statutes and rules that require companies to have that information appropriate information security. The six cards roles about - and the Pratt that looked a commission and. The save cards or rolled refers to - - and requires them to use reasonable and appropriate measures to protect set of information. The FTC Act prohibits - deceptive acts and practices. What I am going to describe today as well as in and electronic security cases including the faces of electronics breach and the need to practice defense in depth. What we have seen seems to be relevant to the security practices involving health information for a number of different reasons. When is that the same basic electronic technology and network structures are widely used across in the industry's including the health-care industry and the industry's in the respondents in the number of our cases. It is likely that some of those things that we have seen in our cases will show up in the - side. There has been various reasons that raised concern about the discovery of Health Information. Articles and other things describing how health information has been found floating around on peer-to-peer networks and other sorts of indications that security problems. A couple of our cases have involved health. Permission directly. Lastly, the reason why things might be relevant or experience might be relevant is that the commission is in forcing roles HHS and forces that require firms to adopt reasonable and appropriate administrative physical and technical state cards and as you can see from the commission's website and some of the things I will talk about today, we have had a very active as security for practice enforcing these roles and statutes. In our cases, they involve a variety of industries, a variety of types of information and various kinds of security problems. For example, our respondents include credit-card processor, security software vendor, mortgage brokers and lenders, data brokers like toys point and Lexus nexus at, many Thatcher like Eli Lilly, pharmacy chain like PBM XDS Care mark and retail margins of various sizes sizes including Vijay and TJX and others. The types of information that we have been addressing in these cases are information about consumers and employees and they include things like financial information such as credit card information, but account information, matters that involve employment information and records, help information such as prescription information, a number of cases in which Social Security numbers and driver's license and other types of Barry sensitive information were disclosed. The types of problems that we have seen in these cases are pretty widespread. That is the said there is a big range of them, but they include electronic security problems, such as inadequate wireless security, they include kind of low-tech security problems such as improper disposal of paper documents and electronic devices like hard drives. Some of the cases showed that respondents were alleged to have dropped in and secure public late at accessible dumpsters, sensitive information about employees and consumers. Hard drive containing very sensitive information was not cleaned before it was sold on some market. So we see all of these things and we also see that some of our respondents simply did not have an adequate security plan or all of the above. Electronic, improper disposal, poor Security Plan all-in-one Case. The case is the we have are based on the idea, the company must make reasonable and appropriate must take reasonable inappropriate measure to protect sensible information. What is reasonable and approach it depends on the circumstances. Depends on the size and complexity of the firm, the nature and scope of its activities and the sensitivity of the information collected. The approach is flexible, scalable and recognizes the notion that one size does not fit all echo the standard is not perfect security, it is security that is reasonable and appropriate under the circumstances the basis up basic observation that invariably the respondents did not practice defense in depth, that is to say didn't did not have a series of coded its QMS shares in place, what we find is that Barry important practice to have in place, for a lot of different reasons, one simply is that security matures might not perform as expected. That my simply because people make mistakes, a network administrators have been known to miss configure devices, sometimes they forget the patch and update things back of sometimes they just missed security issues that are present. Another reason for defense in depth and why a particular measure may not perform as intended or expected is that the equipment and devices are down and they fail. They become outmoded and the third reason is that new vulnerabilities are discovered after that equipment or devices are applications have been put in service and so there is not and nine opportunity to correct before things start. Defense in depth simply means that an intruder faces different security measures at different phases of the breach. It makes it less likely than an intruder will be able to find one whole in any network and get in find information and from there. Let me tell you a bit about the way we have characterized the breaches that we have seen. A stylized cat to characterization, I am not a security professional, but if this is what pops out as an Intel is interested layperson. What we have is a first phase is entry. This is what it sounds like, and interference and an two-point on a network, in our cases this might involve finding a wireless connection that is not properly configured. With security in mind. So that intruder can sit in a food court and turn on a laptop with wireless capability, listen in on communications within a merchants, and personate the wireless device that the merchant is using and jump into the network, we have seen that in a number of cases. It could be simply be a simple as not having secure user credentials. That is to say allowing the users to use passwords and IDs that are easy to guess. If that happens and the intruder is able to guess them, that into there's going to be able to do whatever the legitimate user could do and access any of the information that the legitimate user can access. The second phase is an exploration. That is the instance where the intruders on the network, is running around the network to try to find out what it its parameters are part in this is a way of for exploring the network and find sensitive information is and keeping out with other kinds of networks can be connected to and this might involve looking for a database server and checking to see if the default password on the server has been changed, it has not been changed and the default password is available online, as often is the case, and triggers going to be able to inspect the information on that database server and perhaps even use it and the course of the interaction. Another way to explore might simply be to send requests from a website to a back end database to see the kind of information can be obtained from that database. May be the database was set up so that it contains both product information and transaction information. The firm wants or the owner and once visitors of the website to be able to see the product information but maybe they did not separate the information in an effective way so by taking advantage of weaknesses in the website and application, the intruder is not just able to see the product information, they are also able to see the transaction Information. The third phase that we find this this is the phase of installing tools to further the instruction. Maybe that involves using tools that are already on the network or maybe involves installing note new tools and what we have seen in our case, the kinds of tools and get it installed in these networks are the so-called go home programs which basically initiates and outbound communication from inside the network to remote computer controlled by the intruder. It might be a program to find password files. It might be a sniffer program to captures sensitive information in transit in the network Pepco it might be a program to use it and compress files so that they can be exported and not detected. Maybe a program that allows the intruder to store files containing sensitive information on the network so they can send it out later. It might be program that allows that intruder to schedule jobs on the network such as by certain top kinds of information, stored in files and every other day, week and month every regular basis and export that information out to a remote source or computer under the intruders control. Fourth stage is what you would imagine, there on, there have explored and they have noted tools and make use of tools and already on the network and they have the information and there are going to export it. Once you get to the point where they have and they are on the network and that the information and appropriate tools to use, the information is gone. What we find also in these cases is that the faces of the breach are usually couple of missed opportunities to detect or respond to an intrusion. There are a lot of ways this happens. Maybe it is that an anti virus are intrusion detection or other system is not being used. There is it not a method for warning about institutions or block into options. It may be that the firm actually has anti virus a intrusion detection to protect and respond, but they are not configured correctly or they are not patched and updated and as a consequence they will not recognizing the kind of attack. It may be that the firm turns off that intrusion detection system for certain parts of its network let the website and Web applications and as a consequence, they are not protected. It may be that they're not locking, not logging traffic on its network. It has no real way to find traces of the intrusions. It cannot follow the steps to figure out what information was obtained, when it was sent, what was done with it or where it went. In effect by not logging, the respondent is basically blind. Maybe they enabled locking which often is the case, but they do it in a way that is ineffective. Such as by not talking enough information, or not regularly reviewing the logs, in some of our case is what happens is the company is collecting information but not enough to follow the trail. Or it is collecting a lot of information but not reviewing it in a systematic way and it does not discover that there has been a problem until it is too late. Last but not least, among these other circumstances and missed opportunities, the idea that some of these companies and our respondents are restoring storing information in clear readable text or Ballmer book format and that creates a risk that is often exploited by intruders. The point of all this is really to show that the defense in depth is really a necessary thing. It is a necessary practice so that if one of the defense's fails, there is a backup and something to stop this intuition from going further and you might understand more forcefully why this is so important to considering this hypothetical - suppose an application on the network automatically increase and decrease information, so it automatically increase it and it is stored and automatically be creeks so the user can use it. Suppose also the user credentials for someone who has the authority to use that application are weak if that happens, an intruder is able to guess what the credentials of that user are then the intruder will be able to impersonate that an intruder to use the application to decrypt that information and even those encrypted, it is not protected were supposed alternatively, that the key is used to encrypt and decrypt and that key management practices of the firm are pour. In fact what they do is they keep the keys in a file on the network. Intruder is on the network to - discovers the file with the key Senate and use the keys to decrypt information and exported out. It is detected in a sense that it is in corrupted, but it is still vulnerable because all the other practices are inadequate. Finally, suppose that the controls on entry and exit are not very good, maybe there is a wireless or password weakness, maybe there's a website and Web application vulnerability, but there is a critical unpatched vulnerability and if public facing server or the server is holding the sensitive information and a separated adequately from the REST of the network, maybe there's no filter on outbound traffic to traffic and go to an unknown IP addresses. Intruders on this network finds the encrypted file, it cannot decrypt but exports it anyway. Now time is on his side. The intruder has information off the network, can work at decrypting it without having to worry about being detected, bidding on the network and being detected. Processing power at least I am told doubles every 18 to 24 months which means the intruder over time will be able to bring greater computing power to bear to break the file. They can work at it at their leisure as I say, and if the information does not have a short like to spawn, there's pretty good chance that that information will be decrypted and we will be able to use in a way that it should not. To get to the end of our cases, what we find it is in these cases is that the company typically fail to address multiple attack and they miss opportunities to prevent detect and respond to an introduction. The security problem that we found often are well known, easy to fix, and can actually be fixed in a fairly straightforward way. What our complaint complaints allege is that the respondents engage in a number of practices that taken together fail to provide reasonable and appropriate security under the circumstances. Lastly and this is all and I will and after this, let me tell you a bit about the orders that we get in these cases and the kinds of remedies that are imposed and all of the 26 cases I mentioned, settlements or entered into and they are all very similar. Typically what they're required is the respondent has to implement a comprehensive information security plan, they require the respondents to obtain third-party assessments of the effectiveness of their security plans or up to 20 years. And the invoice monitoring and compliance provision as well. The plan that we included in these orders are the requirement, the requirements of the compressed of information security plan that is imposed under these orders those goes back to what we started with and it has to be reasonable and appropriate under the circumstances, but it has to have some kind of administrative, physical and technical safeguards. This include having someone who is designated as responsible for the program, assessing risk on a regular basis, installing safeguards that address the risk in a timely kind of way, using care to to service providers with whom information will be shared to make sure that the service providers are capable of protecting the information adequately Pepco lastly, they require adjusting safeguards as circumstances change as of this kind of a built-in continual review and assessment to see what whether circumstances have changed and a requirement that if they do change, safeguards that are intimate implemented must change as well. Thank you very much.

    Thanks a lot Alain. I would note that the FTC statement in the book is a good survey of what the FTC is up to in this area and four years is very comprehensive. Brent.

    My name is Brent Williams I am the CTO of a company named Anakam Inc. For the health-care government, education and banking industry. I can today with a series of prepared remarks, but having listened to a lot of the remarks of the day and the advantage of having it being the last person I chose to speak a little bit extra uproariously about the issues that had arisen about the dialog to today. The remarks that I have provided stand at the same time I would like to focus more on the key elements of that dialogue and some issues that you have been wrestling with as Alain mentioned, the fundamental concept of network and application and security is already understood. They are well communicated, date we have assessment programs around the was so what is trust. How does a trust established. A were fundamental ways on the ultra grip balls are on the role of the identity within the network wouldn't that infrastructure. The challenge becomes the paper-based Healthcare Information moves away from paper and into the IT environment, the relationship between the patient and the data and a practitioner of the data that we provided is the keys trust relationship that we need to control. In order to control the, the technology are available today that allow you to be able to know, risk adjusted as Alain mentioned, be sure that the person you are dealing with is the right person is has the right access and a rolebased system and at the same time to protect and permission from people not having access. The key fundamental concept is that the capability exists independent of application in the network in the system based infrastructure that exist. That capability for identity protection and data protection exist independent of the technological direction that you are trying to establish standards and policies going forward. Whether the health-care industry determines from and health care of point of view, you want to set a technological direction and standard based direction that cloud based data is the preferred storage mechanism. There's plenty of challenges that at the prevention of that at the same time it is throughout and it accretion it is the data at REST point or data stored within the application whatever the source of the direction the industry takes, the key capability that needs to be ascertained is whether another person accessing the data is a person entitled to do that Pirko you spent a lot of time today discussing rolebased controls. The access is rolebased rolebased control is excellent and defining the roles and understanding of the people are. The real understanding is who is the person who is assigned to that role and is the person presenting themselves each and every time. We look at identity as a life cycle. The lifecycle of identity begins with the concept of registration and identity proofing. And the type of thing is selling that the person you are dealing with is the person you are intending to deal with and a social to carbon based life form that is presenting themselves with the electron bit like form that can be done face-to-face, you like that one, working with a lot of Star Trek fans with that one. [ LAUGHTER ] NEW-LINE to make sure whether it is face-to-face transaction which supports the situations which might be highest risk or at a remote transaction which we might do some knowledge based authentication of the individual of that transaction or preferential where I as the parent might say that this is my son and this is the email address give him a log in and you have no way of knowing that is my tab, but that is a reference of action. Those are all different level of identity proofing. That identity proofing transaction is bound to eight credentialing transaction. I am not talking about the electronic I am talking about professional. We as a patient trying to get professional credentials of my patient list, I did not have to assert that level, but as practitioner, we have to assert some level of credential when we establish credential. As we ascertain the identity of the individual via remote identity proofing or face-to-face, VSOs HIPAA was professional credentials. After that, we provide a mechanism to authenticate that authenticate again to go back to an issue that we talk about a lot today that authentication mechanism me to be RISC-based. You might is proximity cards, cards, tokens, you might use SMS one-time password devices, user name passwords, the goal is to understand the risks presented and that did that turn to the data to it. That interesting is about identity is there are two is% the. When is the security of the identity and access that you will are going to be providing an the other is the non repudiation. It is important to separate those two risks. When is that security. If I am a base and providing information to the PHR, I am sells supplying that information, my so concerned is not our repudiation it is only that I a private information that I want to govern access to and what the control glass access to it. Alternatively, we talked earlier about the whole concept of audit logs. Who actually went in and got access to that system and started printing of screenshots. Of the system or who did that electronic prescribing transaction. That is not a repudiation. Ability to say that was not me. Right now we all know within the ePrescribing have been out of the petitioners potentially give out their credentials to other people in office and they accept the liability of that. Transformation is occur in the business process and Operations within the medical practice itself that allow the practitioner to be held responsible for the park transaction as well as people in office for example, we have such a practice are that the data, we do not have a the two the specific of the different people within the practice.

    [ There will be a brief pause for a change of captioner. ]

    The last piece of it is understanding what role a person has an. The interesting link we have come across as people do not understand that the patient and the doctor can be the same person. We are in multiple instances of basing the circumstances where the practitioner who is practicing on Long Island, practicing in Manhattan and Rochester might also be a patient in Manhattan and needing to log into those systems and the fact is we need to be able to understand their role is not defined for the person, also based upon the context of what they are performing in the system as an egotistical and then getting access to reap large bolts of informations. I wanted to summarize that as an end to end view of identity practice and understanding there is a Live cycle and if you just focus on individual components of that life cycle you lose the ability to control the process. Does looking not the thought of having--And arrest and authentication and identity proving all go hand in and with the process and understanding how they are bound together through your business processes and logic are critical to that. Thank you for your time. Any questions, I will be happy to answer. Chad?

    First of all, thank you. I am with the inland Northwest health Services. We are an interesting organization in which we are one of the oldest HIE too the country and get one of the very few that are self sustaining which we think is somewhat notable. I like to think that means that it is mostly working most days and get one of the interesting things about our environment is we provide the court system to shy of 40 hospitals today through the night pretty good-sized geographic region and the hospitals range from 25 bed critical access, relatively world type facility to be major metropolitan area, 700 plus bed type of facility. We have not made fairly diverse customer base within our customer practice. On our physician practice site, it is roughly about 700 different physicians Today the we provide physician practice management systems to and hosted outsource model. Goes also range from fairly large multi-specialty, multi provider technical environments down to the very small, 1-2 provider the immense. We also have a fairly diverse customer base and manage our own wholly-owned rehab hospital service and other things that we think puts us into more of an owner/operator type model. one of the other no working under noteworthy things is all of those things compete against each other. We are in an interesting position where they all have to trust us to at least some degree and, frankly I look any of them and do not trust any of them, at least, not completely, because I think is foolish if we just every gap one of them, completely. For them to do business with us and do good about that we have to maintain a trusted partner status and help them understand that we are not aligning ourselves with the competing hospital down the street. Literally, in some of our areas we have four hospitals, all of which we are 100% the IT organization and they all competing against each other. It has come lot of trust issues in that environment. When we start to look that trust, we talked about reliability and stability earlier today and those are, frankly, pretty easy, comparatively speaking and within our environment it gets into economies of scale but we can do things one 25 dead critical the hospital that they could not do themselves. Security is a whole different ball game and got one of the things that in is year in particular I started to spend number lot more time on the defense security issues, personally, and one of the things I have seen is that most people think that is someone else's problem and that is where the problem starts. Got one of the things I found myself talking to people about is the 12th step programs because you have to admit your a problem first and I have gone so far-I have a sticker on my laptop that says I am a liability and have gotten some raised eyebrows from that. That is the first thing is to realize I am the liability to the security and integrity of the data within the organization. That changes the mindset of little bit. They need to take some amount of ownership's because it is not just a IT problem. One of the other things I thought as I have gone through the day today-I threw out everything was going to say and have changes based on what I heard-1 of the things I thought was interesting is when people are talking about security, the only thing I have heard is the loss of the data, patient identity and have not heard about loss of life. We are doing risk assessment work earlier this year we really up our came from security standpoint. We use to the chat to chat pod security stuff that most people do and this year and we started doing our core penetration testing with no scope. We are some people and say within Ms. Period of time, compromise Oz. Do not tell us when you are going to do it. You have this window and just make it happen. It is interesting the things you will learn when you go down that road and that one of the risk elements we talked about was, what is the most important thing to use the "people thought the patient data is the most important thing and we were thinking in terms of context of loss of that data set. We thought that was not the most important thing. The most important thing is if someone wanted to do me harm? By me, I mean my business or the facility or in as day and age the battlefields are changing and it sounds and little bit far out there, but the end of the day we have nation states that are investing them tremendous amount of dollars in cyber warfare and the best way to do that is to destabilize the population. I heard it mentioned earlier today that there is this prediction that we might see the impact like the financial system and if you added to that the massive impact on the healthcare system that now says that 30% of all of the patient plots, and I made him about 4,000 discrete patients within my systems, what it did to 25% of those and said 25% of the people that were allergic to penicillin are not anymore and I start killing patients "what if they start to manipulate material Management. I think I have drugs or blood and those kind of things and I do not any more and start to manipulate that date? That is the stuff that keeps me up night and fairly scared and when we start to think about legislative action, we have heard the healthcare to 14 is relatively poor despite the quality of the panelists you have seen today. The underspend dramatically by 50% to 2/'3 compared to other security sectors with even a smaller portion of that. Healthcare has had an opportunity to self select and up their game and have elected not to. I am generally opposed to it legislating where people can self select to improve their environment but do think we need legislative action to improve that and it comes by way of certification. I heard that earlier but did not hear with the recertification. the certification of an implementation, not a product, and ongoing recertification of that is back one way to start to change that. I see my time is up. Thank you.

    Thanks, Tom.

    Tom?

    My name is Thomas Hardjono. I am with the MIT consortium based in Cambridge, Massachusetts. I'd like to thank you the tiers, Dr. Baker and the HIT members board the opportunity to address the community on that committee. [ indiscernible ] is that one of the most successful protocols. It was invented over 20 years ago MIT and is the foundation for authentication in different enterprises because tens of millions of authentication events occur using Kerberos--Kerberos is the core of security subsystems within the Microsoft active directory--In the open source project, Kerberos is the defacto authentication protocol Japan in platforms would. This wide acceptance is largely due to the fact that Kerberos is an extremely well study protocol and that the MIT code base has been available, open source it under the licensing since the inception in the late 1980's. The licensing model is more lucid than the [ indiscernible ].

    That basically means you take the code and do whatever you want, which is a more loose model. The MIT Kerberos consortium was established about 18 months ago as a formalized and for the development of new Kerberos features--The membership today consists of over two dozen organizations and vendors including MIT, Microsoft, Apple NASA, Google and other higher education systems. If it is and a Community common and very vibrant community of all the answers communicators [ indiscernible ] developers nationwide. It represents MIT's continued commitment read excellence and excellence in Technology transfer from Research to industry and also indicates the IT's continued support of this building block within the enterprise. Kerberos is standard base and only use algorithms that have been standardized. The Kerberos protocol was standardize that in the Mint and the mid-1990s within the Internet [ indiscernible ] taskforce. All new features of Kerberos continued to be standardized. The consortium itself is not member of a number of standardization bodies and different security standards already include Kerberos support. We talked about [ indiscernible ] and Web services, the Web Services Standard already has built in support for Kerberos since 2005. In Oasis that is the open standard that works in it Tamil standards, it does work that is underway to provide needed support within the 2.0 Standard and within [ indiscernible ] environment. And it is the foundation for a number of the main-specific profiles bobs and architectures including, most recently, the healthcare across Enterprise Security and privacy authorization profile. Some of you might be aware of this work. It is complete standardization and will be published by Oasis at the end of this month. Additionally, a number of activities and initiatives are underway to bring Kerberos into new field of development that include mobile environments, web authentication and single sign in, usage with trusted hardware such as [ indiscernible ] and the trusted platform module script that is present in most, if not all laptops and desktops. Has the concerns some a considerable amount of resources is devoted to the improvements that address the new security issues, blubs attendants that are reported from the broad security community and from government organizations, such as NIST. Members of the MIT consortium are active in these different bodies that include Oasis . ITF and others and I serve as the co-chair of the Oasis security Services Technical Committee that is the home of the 2.0 Standard and in the past I have served for five years of the chair of the trust computing and the structure working--On the board of directors. I have served three different ITF groups of the past decade and [ indiscernible ] I would like to take record this opportunity to address the the HIT Standards Committee. The MIT Kerberos committee looks bored to sharing our thoughts and for supporting your work security three.

    Thank you, very much. I appreciate your comments to us, today. We will open it up to questions and hope we can keep them [ indiscernible ] even though the day is fading and we are all getting a little tired. Questions? David?

    Yes, anyone should feel free to respond. This is David. The focus, if you would, for a second on broad rollout to consumers for access to something that exposes them lot of new kind of health data set, called it the health internet or consumer facing, however that evolves, what is-what would your thoughts be about a cost effective way to create the right balance between identity management and free-flowing consumer access and management of the health data? Where I am headed with this is all around the cost side because a few dollars per head in an institution where you are paying employees in some cases hundreds of thousands of dollars a salary each year is not a large Costa in a consumer rollout over millions, potentially tens of hundreds of millions of patients, it is a huge cost. We have heard some suggestions that the banking model, the financial industry, banking portals is a good model to set has something to follow. What are your thoughts about what is cost effective? Is that not cost-effective way to role out to the large numbers of consumer population and are the tradeoffs opprobrious?

    Fantastic custom. I will prepare an intimate couple of pieces speak first of all we have work effectively in the banking industry and what is very fascinating is over the past by years there has been maturation of banking industry because of the asset you are protecting. As a company, what we have refocused on is, what is the asset we are protecting? In the banking industry the asset you are protecting is money and it has recently shifted because of the privacy implications and identity implications but three to five years ago it was largely money was the asset you were protecting. If money is taken away from you, you can restore money and make a risk-adjusted decision to restore that money. However, in Healthcare, government and areas where there is sensitive, private information, that is not [ indiscernible ]. What's your behavioral health records are released, you cannot put the toothpaste back in interoperability. We have been very cautious to approach those industries distinctly and separately. At the same time, we recognize their debt is a testing the for usability and ease and cost and with how we do that and we're one normally things of 2-factor authentication solutions, which are the defined solution, if you look that the NIST special publications standards that are the generally accepted standards across many of the healthcare organizations, if you look the level three standard that is a card-based solution, the interesting piece is that nowadays Technology access that allow those deployments to the [ indiscernible ] has opposed to $ a user. I will not seamlessly go into how that is done. Of the free to check our Web sites to see how that is done this because the technical capability exists to do it over massive scale audiences. That does exist. At the same time, but I think it's important is understanding the risk-based adjustment on this and allow a patient to control what they want to see. If you look some of the dust cloud based data providers now, having the patient have the ability to say that four directors simplicities sake I want to accept the risk that I will use the user name and password to get into the system and what we heard earlier that a five character password is safe enough, you can buy those user names and passwords on the Web for about $50 while they say that the date on the backside of the systems is anonymous, the date on the backside is anonymous but I am going to target your data I will have your user name and password so I know you aren't. I have to make, as a patient I have to make America's adjusted decision of our will allow it into the system or of the for something just pennies more. Allowing the patient to make the decision on how their information is protected up for it flexibility in the Industry. Of the technological capability exists to do so for a very, very cost-effective solution.

    Would comment on the use of cell phones had an identity token?

    Came up earlier in the discussion and with the trees to know what you think.

    That is what my company does. I put the right on the table. What we do is the concept of the multi factor authentication. Cell phones provide a capability to perform 2-Director of vindications because not everybody has a cell phone. Had the use a cell phone to conduct those transactions? You enter your password and name 2--At the same time there is something you have. What is past the NIST level three capabilities is the registration of a cell phone registration address has been done is that add and second factor. The something you have is your cell phone. If it falls out of your hand and some of the Pasco, as they do not know the user name and password. If they know the user name and password but did not have the cell phone, you are walking down the street and get notification to enter this number into the website and were not asking for it, you know your kids aren't the computer buying and sailboat or something. The whole idea is 100% valid and there are some key documents within the federal government that such find it and and that it has to be two separate devices and NIST defined that it has to be two separate devices the captives, and it does not end with the cell phone. We have been numerous studies for good as people that did not have the cell phone, the ability to deliver that passed the three telephone is critical, being able to deliver through voice, whether to section that's being able to receive it through voice and received in different languages. It is Key that is not just a telephone call that you answer the phone and up. You not to receive the code and enter into the website so you are confirming not that you can pick up the phone but a human interacting with the telephone and entering from the one channel into another and the West is to achieve that through biometrics speak we can do that from any phone and did not speak to develop system that has the ability to handle ubiquity but at the same time has the capability of mass scale identity proving, as well as.

    Tom?

    I think there is a broader issue. It is also the consent on the part of the user as to which pieces of data is being released to which service provider. To answer your question about cost, if we have not made standard that does that, and I think we are getting to 1 called and folk art, and that is shipped on most if not all platforms, then I think that eases the deployment headed and reduce the cost of deployment because it's built into machines, by default.

    If I might, I want to make clear on Info Card, all of the standards are great standards for detecting authentication between machines and systems, but the challenge becomes, what do you use to confirm your identity to the machine such that the Info Card is released? That is the key piece of that, whether second or first actor or whatever you might choose to do.

    That was the gist of my question. I appreciate the answer to.

    Walter?

    My question is about-the role of this committee, which is the findings and recommended standards and in this case, the standards on security, and it has been mentioned already the difference, the balance we have to make between standards that are used for exchanges of information between organizations and then how much or how many auric in which instances those type of standards need to be considered by the organizations themselves, internally. We are the map that stays in security of trying to identify which types of standards are rarely and two and type of Standards. Dutch-access control and audit, which one or all of them, which entered would you say are truly things that need to be defined in terms of standards, end to end rather than firewall to firewall?

    I am more than happy to take a Staff at. If you look each of these you have to look not them differently. If you define them standard around each of them, each need a standard and will benefit from a policy surrounding them. We have done as you look across the organizations we are interacting with is associating a standard with a certain type of minimum data requirement or minimum type of functionality is the best thing to establish a floor. There is a for that sets the behavioral norms, a floor and on the audit logs, authentication, access control, establish that for an established before if you are accessing your own personal information to do it this way and multiple people, you are accessing it this way, accessing special protected health information might behavioral health Information HIV market you need an additional level of authentication or consent, as Thomas said. Once you establish that is up to the enterprise dealing with the issues that they face, particularly, to an address above and beyond that. Upon the risk-based concern's that Alain mentioned, but in would ever products you want to annex the date and time again we want to but having minimum floor that says-when they talked about that curve today, there is not very clear curve when things become private or sensitive and you want to pretend that it's because of the policy for and standards for at the bottom and let people do what they need to be on that.

    I would say it is definitely multiple standards, not just one that define the discrete elements, taken together that apply to the end to end set of transactions.

    Out of the I would go for audit. One of the requirements is secure locks because if laws are not somehow made tamper resistant or tamper evident, that is pretty much useless. I do not think there is a World wide adopted standard just to deal with logs and audit.

    Thanks. Dixie?

    I wanted thank--Protecting treatment guidelines. I showed that anybody could have gotten the treatment on that site and changed any of those treatment guidelines. The audit log would have been wrong. Let's put it that way. This was not very large, integrated delivery network, not like Joe's local clinic. It was very large and got me thinking about all of our conversations, they have to do with PHI. I did not access any PHI but did show you could have changed any of the treatment guidelines they were using. I am wondering if we are approaching this wrong. Too single focus on privacy and confidentiality and not enough on the patient safety issues. I would be interested in during our thoughts about that.

    I would agree. Perhaps it is too focused on PHI and that was one of the most notable things I heard today. You have to start someplace. We are really talking about taking healthcare security from past in some cases not even meeting what is required. People are not compliant, even today, and we are looking to catapult them well past what current compliance is. We really need to focus on a smaller piece of the problem, and not the widespread problem. I would agree that you need to address the patient safety. We argued proponents of evidence-based medicine and integrate that into many of our systems and that is one of the things we have talked about. They do not have to access the PHI to manipulate the health and God outcomes, if I so choose. You could argue that the clinician is responsible for making the final decision in regards to the treatment plan and effect and outcome, but at the end of the day, over time, as people get accustomed to utilizing these systems, they will question it less and less. That makes it a wonderful attack the vector.

    If I could add that one thing, as you are looking that the standards of this, what I have heard very concisely from the panel is the adoption of international standards, understand that all of these international standards are written on a from Merck the stock and bond integrity, confidentiality--what we talked about openly about confidentiality, the protection for debt confidentiality, which is the audit logs and fire walls and all those network and application securities, they are providing the fundamental interest and an investor Report that the integrity piece of this, too which goes directly to the patient safety. Do not feel it is not addressed when you are looking that the standards of how to protect whether it is the certification and accreditation programs or the international standards with NIST without protective systems, it is will be fined.

    It might go back to John's comment on policy versus security and policy versus the standards, and it might be when we get into the policy arena, which to make sure that we are not only addressing PHI but also addressing safety-critical information.

    Absolutely and continue to make the point that compliance does not equal security. You will see that that is the case. The PCI industry is an example. Will define and and credit-card companies, if you look out the audits, the past but were breached. That does not translate the a secure environment. The heading down the road is PHI now and assuming that many of those same practices are going to have the benefit to patient safety is not reasonable and safe assumption and Disney's to be an iterative process. It is not done once the first ever comes out. Your number lot about evidence-based medicine and this needs to be continually evolving-type process where the investigation of breech thoughts and it's loss as we learn some things and now apply that on a going forward basis become make no mistake, this is information warfare, which is done and whether it is the miscreant looking for financial [ indiscernible ] they are well funded and more technically astute than the IT system they are talking and will win some point if you are complacent and meet the requirements today and walk off. It needs to be a iterative process and encourage you as you and credit standards and associated legislation to ensure that that is a component of whatever you protist.

    Thanks. Wes?

    Thanks. I have not make quick question for Thomas an a couple of questions for Chad. You told us about a standard called Info Card and plans to be adopted.

    It might be in the next release. I cannot mention names.

    That is fine. Really, what I want to understand is the process by which that event translates into-let's not say ubiquitous coverage, but let's say [ indiscernible ] coverage, 80% of the systems that would be used, even in small businesses would be protected by the Info Card.

    I think what will happen is this technology would be tested or deployed first with non value-carrying transactions, just ordered the service providers to gain experience and scale and managing scale. We are talking hundreds of millions of hits per day. Once you a prison scenario like that, you could add features to the basic protocol and start looking not different environments such as banking and healthcare where you do have valuable data.

    So, what I am understanding is-I am really making a point about adoption of standards in general, not trying to pick on you. What I understand is we have this great idea and spend a lot of time developing it and understand that the first implementations will the trial of some sort. There might need to be operations that are specific to Industries. At Some point we will have a baseline of experience and have the elaboration and baseline experience with the elaboration and then is it a matter of bringing up a new release of the operating system? Will become of in major batches? That whole process, are we talking five years, tenures, a year a ...?

    I am putting the next couple of years.

    Within three years, say, we would have 80% of the computers putting the in small businesses that have Info Card operational?

    Yeah.

    the moment, just to back the last two weeks there have been some alignment of the stars, so to speak in this phase and some agreements reached and understand that they can argue only so long about which Technology. The [ indiscernible ] is moving forward so they have to decide.

    That is great. It is card for me to understand-unless they role out as patches to the operating system, I do not see how it could be out in three years. Thank you. Chad, just to confirm what I think I understand about Inland, you provide a computer-based record system and a practice system to-you dominate the market where you are, is that right?

    Yes.

    Are those remotely hosted, locally hosted?

    We centralize those, but the physician and the court system and several hundred ancillary systems that go along with it.

    At a bit of an actor and an exaggeration, one could argue for your area, the particular measures-you were recommending, effectively, confirmed compliance, as opposed to checklists and so forth, if you did it, then your area would be covered?

    To a large degree, yes. For the locations where we are what% of the IT organization--

    I am going to assume that you do that.

    We do have hybrids where we do not do all of the IT, we might do some attend the HIS Sea step on the system and some ancillary applications.

    In General, in terms of what we look at in terms of a committee, remotely hosted provision of IT services, always under and it always offers and faster path to achieving any level of accomplishment for the practices that locally hosted.

    Yes.

    I know these are rough numbers, there art 10,000 hospital-like organizations in the country and 150,000 businesses that do healthcare in terms of Dr. Offices and things like that, do you see it a way to get to that level of observed compliance or verify compliance for these small businesses, or should we really be focusing on an environment where you have to be remotely hosted to survive?

    I think is viable. I think there are other ways, other examples of that. I would say that someone mentioned earlier and I was thinking of it hat the time, a patient life, single physician practice is exactly the same as but one of the 150 physician practices, the value of that life, the data does not change.

    To talk about the need and I am talking about the mechanism to accomplish it.

    You are not trying to, necessarily, all of these problems but put a framer together to allow people to step up and solve the problem would be my assumption is because I think there are ways to do that that would apply across all of them with different degrees of criteria based on the size, type of practice in some cases the code you would not want to apply all of the same requirements to lead an ophthalmologist that you would to a pulmonary specialist. There will be different criteria for some of those people.

    So, let's say that there is a lower set of standards, meaning less details, or something, that applies to the physicians that practice in very small groups. How would you go about confirming that? Had someone visit each office? What would be the mechanism?

    To the airline industry, or the FAA analogy's earlier were interesting. You have general aviation pilots that the a certain set of criteria and there is a testing process for and mechanisms to do that and is different for [ indiscernible ], which is not commercial operator. While they are not exactly the same, they are somewhat analogous and the way that you do that validation and testing, you can draw lessons learned from those kinds of environments.

    Thanks.

    Any further questions from the panel members? Any further comments from you, spontaneously? Very much.

    Thank you, very much, for contributing today. I do not think I will attempt to, this final hour, summarize this panel. I think it was a challenge to get to the building trust part when we talked about setting this up. That was always going to be a challenged. Perhaps we can talk about another way of getting at that, although mentioned all throughout the day, and we know what the issues are. I think we do not know how to do. You provided some valuable input into that in concert. I will turn it back to the two Johns and turn to the public comment period.

    Thank you, very much to the four of you. It was very helpful. So, let us turn to the public comment. We have three minutes each for the public, perhaps and for people on the fund, do you have instructions?

    We do have a microphone in the room in.

    We have three minutes each for dead people in the room and telephone and we have the phone number now. Dawdle 1-877-705-6006. If you are already connected, please press *1 to speak. To have anyone in the room that would care to make a comments? Go ahead.

    I want to bring you back to the conversation this morning about the implementation would rub. U.S. division is to share their EHR implementation experience is so that you can learn what works and what does not speak so they told you and from the summary this morning it was clear that you listened intently to what they said. I will share of the Chinese spotlight--Technology and the level of dissatisfaction amounts physicians. We are not building on a legacy of success here. According to the recent article in The New York Times, this technology is unproven--physician plots are not overly satisfied with the technology. Is - - have not an alarming rate even intended cent of the penalties--specifically related to the implementation experience on the blog document painful and costly installations or explain the reasons why physicians did not even try to implement this type of technology. The problems cited in the comments are the - - this thes will not purchase productivity decreasing Software. Recipients of the EHR notes said they were of little value. Required data entry detracts from the physician's ability to spend with the patient and find the primary care focus of the software that does not relevant for there needs. You talk about complexity this morning. It is not just the complexity of standards that is the problem, the complexity of the EHRs. It is no reason to expect the adoption experience to be different if you did not address the structural problems. If we address the standards and corporate and into the same does-we are not seeing the forest through the trees. You recognize the need for innovation. As described by physicians with great detail--physician thought are adopting them of the men with great success and reducing cost. These people was an innovative and great way to give public experience because we encourage you to incorporate what you have learned upon whose participation of the program and their success depends.

    Thank you.

    Any other comments in the room? A okay. Neighbor the wonderful day and have taken copious notes and tried to put the Internet may few ideas and what we will be having over the next month are multiple calls, multiple work group activities, continuing the blog activities were we will gather those posted today and more commentary lessons learned and have our next meeting in December 18th through the phone and avoid travel in the middle of winter and, of course, it is around the holiday season and between now and then I am sure that much of the testimony we have heard about today will be distilled into some further action items to refine our work and see the publication and this is proposal making and will lead us to read a body of 14 and January. I felt that today was extraordinary and learned quite numbing great deal and think that, the Keating, court challenge is to turn all of the Security testimony into a matrix of action that will empower all of our stakeholders. Jonathan?

    I want to thank you Jonathan for the summary comments and I think that there has been a tremendous amount of work and was that. It might not show every 7-11 but increasing clarity as to where to get gas along the way. That is fuel, not digestion.

    [ LAUGHING ].

    Toward that end, we have more work and as John just mentioned, the publication of the final role comes up and their debt is not made public comment. Mack and we will be in the position of advising in response to that. There is work ahead. Remember the open boxes in 2013 and 2015 call out for the clarity and as discussion occurred earlier there are areas that need some implication in terms of current work and I look for writ to the continuing dialogue but the in the blog as well as right year on implementation guidance. I am sure there will be some carry forward work that comes to us. Of Fundy the 16 and Policy Committee I want to add my teapot for an extraordinary day. People have been very generous with their time and I think you saw the people that came to the committee to present but not great deal of effort into the operation and what the materials are useful to all be on this committee, specifically has tremendous resources and think a great deal of insight from today's because it has been on long day, very productive and thanks to all the members of the committee and, especially, to the public that participate but virtually no of those of you that came year Today. We stand adjourned.