Last winter, the Health and Human Services Health Information Technology Policy Committee gave the following broad charge to the Privacy and Security Tiger Team (Tiger Team).

The charge is as follows: “The Tiger Team is charged with making short-term and long term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that well help build public trust in health information technology and efficiency, particularly as related to the  American Recovery and Reinvestment Act of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Since February 2011, the Tiger Team has conducted a number of public meetings on a variety of issues related to achieving public trust in health IT. The Tiger Team released  the  findings for public comment on April 11, 2011. The Tiger Team presented their finding to the HITPC on April 13, 2011. The complete briefing can be viewed on the www.healthit.hhs.gov/portal.

The following is a summary of the Tiger Team recommendations:

Organizations that are seeking to exchange information as part of the Nationwide Health Information Network (NwHIN) should be required to adopt baseline user authentication policies that require more than just user name and password for remote access. At least two factors should be required .
For more sensitive, higher risk transactions, an additional authentication of greater strength may be required. Similar to the Drug Enforcement Agency policy covering prescribing controlled substances.
The Office of the National Coordinator for Health Information Technology (ONC) should also work to develop and disseminate evidence about the effectiveness of various methods for authentication and reassess NwHIN policies accordingly.
ONC should work with the National Institute of Science and Technology (NIST) to provide guidance to […]