Privacy and Security Tiger Team recommends federal PKI cross-certification for all NwHIN participants

In the latest round of security recommendations for the Nationwide Health Information Network (NwHIN), the Privacy and Security Tiger Team (a workgroup of the federal Health IT Policy Committee that advises the National Coordinator for Health IT) offered its proposed approach for issuing digital certificates to NwHIN participants. In a brief presentation given at the Tiger Team’s May 23 meeting, the group recommended that all public key infrastructure certificates used in NwHIN exchanges must comply with Federal Bridge CA standards maintained by the Federal PKI Policy Authority and must be issued only by certificate authorities that have been cross-certified with the Federal PKI framework. The simple rationale for the recommendation offered by Tiger Team members is that any organization, commercial or otherwise, that participates in the NwHIN will presumably need or want to exchange data with federal agencies, and the Department of Veterans Affairs (VA) and other key health agencies have indicated that they will only accept certificates that conform to Federal Bridge CA standards.

Given the leading and central role played by the government in the NwHIN, the Tiger Team’s recommendation seems pretty intuitive. Separate from adhering to standards and expectations maintained by DoD, HHS, VA, and other government health entities, the recommendation — if adopted — would also serve to help realize the vision of getting ONC out of the certificate authority business, and also divest it of some of its governance authority over certificate issuers, who would need to apply directly to FPKIPA to receive cross-certification. Despite the award last summer of a contract to Stanley (now owned by CGI) for infrastructure and operations support that includes managing the digital certificate issuance process, ONC has long made it known that it does not want to operate any long-term infrastructure or own service delivery for the NwHIN. This approach would presumably still leave ONC with the governance responsibility of approving organizations for participation in the NwHIN, so as the NwHIN governance policies and procedures continue to evolve, it will be interesting to see what criteria or evaluation standards may be applied to applicant organizations to determine whether they should be allowed to participate at all. It is also important to remember that, regardless of who issues them, the digital certificates used in the NwHIN bind an organization — not an individual — to the certificate. This means that all employees or contractors of the participating organization who might have authorization to conduct data exchanges with other NwHIN participants are in essence sharing the same identification and authentication credential, putting the onus on the organization to ensure that only authorized individuals can access NwHIN-connected systems and initiate or conduct transactions.