Security in CONNECT

Security

The Nationwide Health Information Network “trust fabric” is established via the combination of operating procedures, the data use and reciprocal sharing agreement (DURSA) and the Nationwide Health Information Network service interface specifications. The DURSA is the legal basis for the trust fabric, the operating procedures encapsulate Nationwide Health Information Network-specific operating policies forming the operational and management basis for trust, and the Nationwide Health Information Network service interface specifications are the technical basis of trust in the Nationwide Health Information Network. CONNECT is the technical implementation of the security and privacy controls defined in the Nationwide Health Information Network services, and when implemented and combined with the Nationwide Health Information Network operating procedures and the DURSA, it allows organizations to participate in the secure exchange of interoperable health information among Nationwide Health Information Network participants.

These controls include the implementation of server based PKI and the Nationwide Health Information Network HIE service registry which define and secure the Nationwide Health Information Network core backbone. The messaging platform and authorization framework implement additional security and privacy controls to address the known threats for Web services implementations of service-oriented-architectures. The audit log query service is designed to meet the requirements for HIPAA disclosure accounting. The consumer preferences profile allows consumers to express their preferences for whether or not to share their information on the Nationwide Health Information Network and for more granular control over access to their private information. The CONNECT policy engine enforces those preferences in the runtime environment to insure that the access policies of the organization and the preferences of the consumer are honored in the decision to release health information in response to a request from the Nationwide Health Information Network.

Federal agencies using CONNECT must adhere to FISMA (Federal Information Security Management Act of 2002) requirements in addition to meeting the HIPAA requirements. CONNECT has been engineered to meet these exacting security requirements and is undergoing the HHS Security Certification and Accreditation (C&A) process. For those implementing CONNECT that are required to undergo a C&A in order to get an authority to operate in their environment, they will be able to leverage the security testing that CONNECT has undergone for the HHS C&A to speed them through their own process. Private sector organizations using CONNECT get the benefit of a solution that is built to meet the stringent requirements that the federal agencies must meet in their operational systems.

CONNECT Security Documents

This section provides selected documents from the library of Certification and Accreditation (C&A) documentation for the CONNECT Reference System (CRS). These documents are provided to assist partners implementing CONNECT into their systems who will undergo a similar C&A process. Since all partner systems are unique and have different operating environments, these documents can be tailored to individual partner needs, and should be considered “For Reference Only” in their existing format. Not all systems will be exactly identical and a separate evaluation of security controls by an independent assessor is recommended for each partner system.

CRSAccessControlPolicyandProcedure.pdf