I do not know the answer to this question but I am trying to figure it out.
I am an active member of the Security and Trust Workgroup of the NHIN Direct project. We are making a few decisions there regarding “rubber meets the road” security infrastructure decisions. But we are very intentionally trying to “bubble up” security and privacy policy decisions to other policy making organizations. But I have to admit, I am not sure who those people are.
In one sense, every healthcare provider in the US will have to make security and privacy policy decisions on their own. There are already some good laws regarding health information and one might argue that given those laws, specific policy details should be left up to providers.
Of course, HHS has an ARRA-created group called the HITPC (Health Information Technology Policy Committee) that will apparently be playing a central role in general NHIN policy making. Further, there is a sub-committee there called the Privacy & Security Policy Workgroup. Apparently, if there was a single group who my group would “bubble up” issues to… this would be it. Their charter is:
The Privacy & Security Policy Workgroup will address Privacy and Security in the health IT policy context. At a very high level, the new Privacy & Security Policy Workgroup will define and address the policy challenges related to privacy and security; discuss a set of principles around privacy and security; and various methods of ensuring privacy and security.
The term “very high level” is somewhat problematic from my perspective because the kinds of questions I would like to see answered are pretty specific, like “What should NHIN Direct users take into consideration as they choose a provider of X.509 certificates?” That does not sound to me like “very high level”.
However, there are some people in this group who have technical know-how. At least some of them should be able to speak the language that I am trying to use. Some of them I know personally. Others I have never heard of. I decided that I would share with you what little information I was able to glean about this small group…
- Deven McGraw, Chair, Center for Democracy & Technology: Lawyer type.
- Rachel Block, Co-Chair, NYS Department of Health: Really could not find a decent bio on Rachel, but she does have a presentation or two online. She used to work for Howard Dean, so I am going to list her as politician/policy wonk.
- Paul Tang, Palo Alto Medical Foundation: Paul is very well known in the Health Informatics community and I have rubbed shoulders with him several times. I presented to him at the NHCVS hearings on meaningful use. I am pretty sure this guy could manage OpenSSL from a unix prompt.
- Latanya Sweeney, Carnegie Mellon University: Latanya has done some interesting work on re-identification techniques, and recently submitted testimony regarding NHIN Security that I found pretty useless. She is associated with Dr. Peel and the Patient Privacy Rights group. She went to MIT; whatever else I think of her work, she can handle OpenSSL.
- Gayle Harrell, Consumer Representative/Florida Politician.
- Mike Klag, Johns Hopkins University, Public Health
- Judy Faulkner, Epic, Inc.: She runs a proprietary health software company. I will give her the benefit of the doubt.
- Paul Egerman, Consultant: This guy does proprietary speech recognition software. Again I will give him the benefit of the doubt.
- Dixie Baker, SAIC: computer scientist.
- Paul Uhrig, SureScripts: Lawyer. He worked with me to make Surescripts more Open Source compatible. Nice guy.
- Terri Shaw, Children’s Partnership: Policy wonk, but it’s nice to see someone with a child-focus. Health privacy with kids is really hard. They are not the same as short adults.
- John Houston, University of Pittsburgh Medical Center: Lawyer
- Joyce DuBow, AARP: Policy wonk… she gave some testimony
- A. John Blair, MD, Provider: could not be sure who this is
- Peter Basch, MD, Provider: could not be sure who this is
- Justine Handelman, Blue Cross Blue Shield: payer… could not find clear bio information
- Dave Wanser, National Data Infrastructure Improvement Consortium: Psychologist
- Kathleen Connor, Microsoft: I would have guessed techie… but I would be wrong; she is a policy wonk
This is exactly the type of group that should be overseeing high-level security and privacy issues. They have lots of different perspectives and lots of different skills, but they all have a very relevant role to play in the future of healthcare information privacy in the United States. But I do not think this is the group to answer the question: “What should NHIN Direct users take into consideration as they choose a provider of X.509 certificates?”
I am happy that at least some of the members of this group would at least know what I am talking about.
I hope this linked list of names is more helpful to you than the list at HHS, which does not really tell you much.
-FT
This list is very helpful…we’ll add it to our resources.