ITL ADVANCES E-HEALTH
Americans are increasingly concerned about the quality, cost, and
availability of their healthcare. Although it is a major industry in the United
States, the healthcare community has lagged behind other industries in the
application of information technology to improve the delivery of services. In
support of the NIST Healthcare Strategic Focus Area, ITL is working to improve
the quality of healthcare, reduce costs, and provide essential services through
more effective use of information technology.
To receive initial industry input on healthcare requirements, we
conducted two conferences: the Information Technologies for Healthcare:
Barriers to Implementation Workshop and a Pervasive Computing Conference,
which emphasized medical pervasive computing applications. Next we gathered
information from a number of healthcare organizations, including the American
Telemedicine Association, the American Academy of Family Physicians, the ANSI
Health Informatics Standards Board, the Agency for Healthcare Research and
Quality, the Health Level Seven (HL7) Consortium, and others. Among the needs
identified in this process are complete and testable standards for the exchange
of healthcare information, conformance testing and certification, and privacy
and security of electronic health records.
In response to these identified needs, we launched our e-Health initiative. A significant part of this effort involves participation in standards development activities through the ANSI Health Informatics Standards Board, eGOV Consolidated Health Informatics, HL7, Connecting for Health, and others. Online medical information, and simplified, standardized methods of accessing healthcare information and services, are crucial to making healthcare safe and available to all. Appropriate standards for healthcare information and systems are the cornerstone of a healthcare information infrastructure. Our e-Health project advances healthcare information standards that are complete and testable. One example is our telehealth workshop, co-sponsored with the American Telemedicine Association, which focused on diabetic retinopathy standards. This effort will result in a portfolio of industry standards and guidelines for the use of tele-retinal imaging to assess diabetic retinopathy, affecting the millions of Americans facing diabetes.
A related project is our development, in partnership with the HL7 Consortium, of a healthcare standards roadmap, metadata, schema, and initial prototype. The healthcare industry has many factions and groups developing specifications and standards for information technology and information exchange spanning a wide spectrum of healthcare activities, such as patient and record management, medical diagnosis and treatment, and patient monitoring. The standards roadmap framework will provide an infrastructure and set of web services for establishing, populating, searching, maintaining, and administering healthcare standards information. The roadmap will not only support standards development efforts, but will also allow vendors, system developers, and integrators to become more knowledgeable of existing and emerging healthcare standards and their use within healthcare systems and applications.
Our e-Health project also provides the conformance tests,
test tools, and techniques necessary to implement industry standards. The
ANSI-accredited standards organization, HL7, develops the standard for moving
patient information between healthcare applications that is used by 90 percent
of U.S. hospitals. Systems that support the HL7 standard allow clinical data to
be exchanged with other HL7 systems. ITL researchers are collaborating with HL7
members to help ensure that conformance to the HL7 standard can be defined and
measured at an appropriate level. Our development of HL7 V2/V3 conformance
definitions resulted in changes to the HL7 specifications to support
conformance. Another notable project is
our NIST/HL7 Experimental Registry that furthers the correctness of HL7
artifacts and their availability. The registry will serve as a tool to
automatically validate specific HL7 artifacts to relevant parts of the standard
as well as a repository that makes these conformant artifacts accessible for
retrieval and reuse. Conformance tests and tools such as the registry help to
ensure that electronic health records are exchanged correctly and predictably
between healthcare systems, which is a prerequisite for protecting the security
and privacy of those records.
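The kind of check an HL7 conformance tool performs can be illustrated on a single HL7 v2 message. The example below is added here and is not NIST or HL7 code: it parses a constructed ADT^A01 admit message into segments and fields, then applies a handful of MSH-level rules. The REQUIRED_MSH table, the SUPPORTED_VERSIONS set and the PID rule are the author's reading of the v2.x base standard and are assumptions; a real conformance profile, which is what the NIST/HL7 registry is intended to validate artifacts against, supplies the authoritative usage, cardinality and value-set rules.

```python
"""Parse an HL7 v2 message and run a few MSH-level conformance checks.

Added example; this is not NIST or HL7 code.  The REQUIRED_MSH table and the
other rules below are the author's reading of the v2.x MSH segment definition
and should be treated as assumptions: a real conformance profile supplies the
authoritative usage, cardinality and value-set rules.
"""
from __future__ import annotations

from dataclasses import dataclass

SEGMENT_SEP = "\r"  # HL7 v2 terminates every segment with a carriage return


@dataclass
class Segment:
    name: str
    fields: list[str]  # fields[0] holds field 1, so get() is uniform across segments

    def get(self, n: int) -> str:
        """Return field n (1-based HL7 numbering), or '' if the field is absent."""
        return self.fields[n - 1] if 0 < n <= len(self.fields) else ""


def parse_message(raw: str) -> list[Segment]:
    """Split a raw v2 message into segments and fields.

    MSH is special: the character right after 'MSH' *is* MSH-1 (the field
    separator) and the next field is MSH-2 (the encoding characters).  The
    separator is re-inserted as an ordinary field so numbering stays uniform.
    """
    if len(raw) < 4 or not raw.startswith("MSH"):
        raise ValueError("message must begin with an MSH segment")
    field_sep = raw[3]
    segments: list[Segment] = []
    for line in raw.split(SEGMENT_SEP):
        if not line:
            continue
        name, *fields = line.split(field_sep)
        if name == "MSH":
            fields.insert(0, field_sep)
        segments.append(Segment(name, fields))
    return segments


def components(value: str, encoding_chars: str) -> list[str]:
    """Split a field into components with the component separator from MSH-2."""
    return value.split(encoding_chars[0])


# MSH fields whose usage is "R" (required) in the v2.x base standard (assumption).
REQUIRED_MSH = {
    1: "field separator",
    2: "encoding characters",
    7: "date/time of message",
    9: "message type",
    10: "message control ID",
    11: "processing ID",
    12: "version ID",
}
# Versions this hypothetical receiver claims to handle (assumption).
SUPPORTED_VERSIONS = {"2.3", "2.3.1", "2.4", "2.5"}


def check_conformance(segments: list[Segment]) -> list[str]:
    """Return conformance findings; an empty list means every check passed."""
    findings: list[str] = []
    msh = segments[0]
    for n, label in REQUIRED_MSH.items():
        if not msh.get(n):
            findings.append(f"MSH-{n} ({label}) is required but empty")
    enc = msh.get(2)
    if len(enc) != 4 or len(set(enc)) != 4 or msh.get(1) in enc:
        findings.append("MSH-2 must be four distinct encoding characters, none equal to MSH-1")
    mtype = components(msh.get(9), enc) if enc else []
    if len(mtype) < 2 or not (mtype[0] and mtype[1]):
        findings.append("MSH-9 must carry both message code and trigger event, e.g. ADT^A01")
    if msh.get(11) not in {"P", "T", "D"}:
        findings.append("MSH-11 processing ID must be P (production), T (training) or D (debugging)")
    if msh.get(12) not in SUPPORTED_VERSIONS:
        findings.append(f"MSH-12 version {msh.get(12)!r} is not supported by this receiver")
    # Structural rule for the ADT example: an admit message must carry a PID segment.
    if mtype[:1] == ["ADT"] and not any(seg.name == "PID" for seg in segments):
        findings.append("ADT message is missing the required PID segment")
    return findings


# Constructed sample ADT^A01 (admit) message; application, facility and
# patient identifiers are made up.
SAMPLE = (
    "MSH|^~\\&|ADT1|MCM|LABADT|MCM|200401151200||ADT^A01|MSG00001|P|2.5\r"
    "EVN|A01|200401151200\r"
    "PID|1||PATID1234^^^MCM^MR||JONES^WILLIAM^A||19610615|M\r"
)

if __name__ == "__main__":
    msg = parse_message(SAMPLE)
    print("type:", msg[0].get(9), "control id:", msg[0].get(10), "version:", msg[0].get(12))
    print("findings:", check_conformance(msg) or "none")
    broken = parse_message(SAMPLE.replace("|MSG00001|", "||"))
    print("findings with MSH-10 removed:", check_conformance(broken))
```

Two details matter for anyone validating real feeds: the delimiters are taken from the message itself (MSH-1 and MSH-2) rather than hard-coded, because a sender may legitimately use non-default characters, and the checks run before any clinical content is interpreted, so a malformed or hostile message is rejected at the envelope rather than partway through processing.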
In addition to our work with industry consortia, we support the federal government in improving its healthcare information systems. For the Department of Veterans Affairs (VA), we successfully deployed the Enterprise Single Sign-On (ESSO) to all VA hospitals. We demonstrated and documented key principles for integrating ESSO into new system architectures with enhanced security. We created a testbed to build prototypes of emerging VA system architectures. Our efforts improved the quality of the health information systems at all VA hospitals.
By contributing our expertise in standards, conformance testing, and the security and privacy of information systems, ITL is now recognized as a major player in the healthcare arena. The website is http://www.nist.gov/ehealth.
FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ACTIVITIES
Secretary of Commerce Approves FIPS 199
The Secretary of
Commerce recently approved FIPS 199, Standards for Security Categorization of
Federal Information and Information Systems. The Federal Information Security Management
Act (FISMA) of 2002 requires all federal agencies to develop, document, and
implement agency-wide information security programs for the information and
information systems that support the operations and the assets of the agency,
including those provided or managed by another agency, contractor, or other
source.
FIPS 199 addresses
one of the requirements specified in the legislation by providing security
categorization standards for information and information systems. Security
categorization standards provide a common framework and method for expressing
security. They promote the effective management and oversight of information
security programs, including the coordination of information security efforts
throughout the civilian, national security, emergency preparedness, homeland
security, and law enforcement communities. Such standards also enable
consistent reporting to OMB and Congress on the adequacy and effectiveness of
information security policies, procedures, and practices. The website is http://csrc.nist.gov/publications/.
IRS Calls for Mandatory Use of FIPS Encryption by 2005 for all e-file Program Participants
Announced in a Federal
Register notice of December 29, 2003, the IRS will provide the ability for
e-file program participants to use FIPS-approved encryption methods for the
2005 and later filing seasons. The IRS will require the use of a minimum
128-bit FIPS-approved method of encryption for use on trading partner-provided
dedicated line(s). Starting with the 2005 season, the agency will no longer
support non-encrypted options for IRS e-filers. The change to the use of
FIPS-approved encryption methods is expected to enhance and strengthen the
existing security provided by the trading partners’ systems and by the IRS
security zone. The website is http://csrc.nist.gov/cryptval/.
ITL publishes guidance documents, research results, and conference proceedings. The publications listed below are available online:
By Tim Grance, Karen Kent, and Brian Kim
NIST Special Publication 800-61
January 2004
Available at http://csrc.nist.gov/publications/nistpubs/
This guide assists organizations in mitigating the potential business impact of information security incidents by providing practical guidance on responding to a variety of incidents effectively and efficiently. The document discusses establishing a computer security incident response capability, selecting appropriate staff and building and maintaining their skills; emphasizing the importance of incident detection and analysis throughout the organization; maintaining situational awareness during large-scale incidents; and handling incidents from initial preparation through the post-incident lessons learned phase. While technical in nature, all guidance is independent of particular hardware platforms, operating systems, and applications.
By Elizabeth Lennon and Kristi Hawes
NISTIR 7034
December 2003
Available at http://www.itl.nist.gov/FY2003TECHNICALACCOMP.pdf
This report presents the achievements and highlights of NIST’s Information Technology Laboratory during FY 2003. Following the Director’s Foreword and the ITL overview, technical projects in ITL’s research program are described, followed by selected crosscutting themes, industry and international interactions, and staff recognition. For a hardcopy of the report free of charge, e-mail elizabeth.lennon@nist.gov.
UPCOMING TECHNICAL CONFERENCES
Date: February 17, 2004
Place: NIST, Gaithersburg, Maryland
This workshop will focus on various technical issues of e-mail spam. Agenda topics include filtering at the Internet/network and client sides, input from standards bodies on relevant current activities, Internet service providers’ current and future plans to deal with spam, and technical issues regarding the efficacy of proposals to create “do not spam” lists. ITL is also interested in hearing about research challenges in developing and measuring improvements in spam control and reduction technology.
Technical contact: Joan Hash, 301/975-3357, joan.hash@nist.gov
Website: http://csrc.nist.gov/spam
NIST completed the
first draft of NIST Special Publication (SP) 800-60, Guide for Mapping Types
of Information and Information Systems to Security Categories. The purpose
of the draft guideline is to assist federal government agencies in identifying
information types and information systems and assigning impact levels for
confidentiality, integrity, and availability. Impact levels are based on the
security categorization definitions in FIPS 199, Standards for Security
Categorization of Federal Information and Information Systems. The draft SP
800-60 is posted in two volumes. Volume I provides guidelines for identifying
impact levels by type and suggests impact levels for administrative and support
information common to multiple agencies. Volume II includes rationale for
information type and impact level recommendations and examples of
recommendations for agency-specific mission-related information. A goal of the
document is to independently define the impact level, that is, determine the
impact level without considering countermeasures or controls.
(This is one area that we are continuing to address. Comments and suggested
approaches will be welcomed.) NIST requests comments on the draft by
February 20, 2004. Comments should be addressed to 800-60_comments@nist.gov.
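The categorization that FIPS 199 defines and that SP 800-60 maps information types onto can be worked through in a few lines. The example below is added here and is not NIST code. It encodes the FIPS 199 rules: an information type receives an impact level (low, moderate or high) for each of confidentiality, integrity and availability, with "not applicable" permitted only for confidentiality; an information system's category is the highest level assigned to each objective across the information types it handles (the high water mark), with a floor of low for each objective; and the single overall level, the highest of the three, is what SP 800-53 uses to select a control baseline. Consistent with the draft's goal quoted above, the functions take no information about countermeasures or controls. The information types and the levels assigned to them are made up for illustration; real values come from the SP 800-60 volumes.

```python
"""FIPS 199 security categorization with the high water mark.

Added example, not NIST code.  The sample information types and the impact
levels assigned to them are constructed for illustration only.
"""
from __future__ import annotations

from enum import IntEnum
from typing import Dict


class Impact(IntEnum):
    NOT_APPLICABLE = 0  # allowed only for confidentiality of an information type (e.g. public data)
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

SecurityCategory = Dict[str, Impact]  # objective -> impact level


def categorize_information(conf: Impact, integ: Impact, avail: Impact) -> SecurityCategory:
    """Build the FIPS 199 category of an information type, enforcing the N/A rule."""
    if integ == Impact.NOT_APPLICABLE or avail == Impact.NOT_APPLICABLE:
        raise ValueError("'not applicable' is permitted only for confidentiality")
    return {"confidentiality": conf, "integrity": integ, "availability": avail}


def categorize_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """High water mark: per objective, the maximum across every information type.

    FIPS 199 sets a floor of LOW for each objective of an information system,
    so a system that handles only public information still gets confidentiality LOW.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        obj: max(max(cat[obj] for cat in info_types.values()), Impact.LOW)
        for obj in OBJECTIVES
    }


def overall_impact(category: SecurityCategory) -> Impact:
    """Single impact level for the system: the highest of the three objectives.

    This is the value from which an SP 800-53 low/moderate/high baseline is chosen.
    """
    return max(category.values())


def format_category(label: str, category: SecurityCategory) -> str:
    """Render in the FIPS 199 notation, e.g. SC x = {(confidentiality, MODERATE), ...}."""
    body = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {label} = {{{body}}}"


# Constructed example: a hospital admissions system handling three information types.
# The levels are illustrative assumptions, not values taken from SP 800-60.
EXAMPLE_TYPES: Dict[str, SecurityCategory] = {
    "public health advisories": categorize_information(Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
    "patient medical records": categorize_information(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "bed and staffing schedule": categorize_information(Impact.LOW, Impact.LOW, Impact.MODERATE),
}

if __name__ == "__main__":
    for name, cat in EXAMPLE_TYPES.items():
        print(format_category(name, cat))
    system = categorize_system(EXAMPLE_TYPES)
    print(format_category("admissions system", system))
    print("overall impact level:", overall_impact(system).name)
```

The point the example makes is that no single information type in the sample is moderate on all three objectives, yet the system as a whole is moderate on every one of them: the high water mark is applied per objective, not per information type, which is why a system's category can be stricter than any of the records it holds.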
Please e-mail elaine.frye@nist.gov for workshop details and registration information.
Date: March 8, 2004
Place: NIST, Gaithersburg, Maryland
The purpose of this workshop is to discuss the comments received on NIST SP 800-53, Recommended Security Controls for Federal Information Systems, during the public comment period and future plans for modifying and enhancing the security controls document. The target audience includes information security professionals, program managers, information system owners, CIOs, information system security officers, authorizing (accreditation) officials, designated representatives, certification agents, auditors, inspectors general, insurers, security product developers, and systems integrators.
Technical contact: Ron Ross, 301/975-5390, rross@nist.gov
Website: http://csrc.nist.gov/sec-cert
FISSEA Conference: Awareness, Training, and Education,
The Driving Force Behind Information Security
Dates: March 9-11, 2004
Place: University of Maryland University College, Adelphi, Maryland
Sponsors: ITL and the Federal Information Systems Security Educator’s Association (FISSEA)
Audience: Information systems security professionals
Learn how federal agencies are empowering their workforce through IT security awareness, training, and education (ATE). Learn how agency security trainers are responding to the latest technologies, regulations, and threats as they impact on ATE. Bring away products, techniques, and practices to enhance your own program. Share your experiences and network with your counterparts across government, industry, and academia.
Technical contact: Peggy Himes, 301/975-2489, peggy.himes@nist.gov
Website: http://csrc.nist.gov/organizations/fissea/index.html
3rd Annual Public Key Infrastructure (PKI) R&D Workshop
Dates: April 12-14, 2004
Place: NIST, Gaithersburg, Maryland
Sponsors: NIH, NIST, and Internet2
This workshop will consider the full range of public key technology used for
security decisions. PKI supports a variety of functionalities including
authentication, authorization, identity (syndication, federation and
aggregation) and trust.
Website: http://middleware.internet2.edu/pki04/cfp.html
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.