Subject: RE: NIST 800-63 call for comments


I found one more privacy related recommendation from VA:
TOPIC: Privacy Enhancing Digital Identities

· ISSUE: Existing government-centric privacy legislation and guidance are inadequate to protect individual privacy rights that are encapsulated in government and private sector systems, as witnessed by the EHR breaches and cybersecurity threats. Government-centric legislation includes Federal Information Practice Principles (FIPP) that have become “God and apple pie,” not only for government agencies, but have been widely adopted by the U.S. private sector. Moreover, existing privacy legislation such as the requirement that agencies perform a Privacy Impact Assessment (PIA) is government-focused and largely ineffective in preventing cybersecurity attacks. The existing legislation and solutions are not linked to security of personal identities.

Even in the healthcare industry, which has sector-specific privacy legislation (HIPAA Security and Privacy rule, Accountable Care Act and Population Health), digital identities are not sufficiently safeguarded. Breaches are commonplace, involving the compromise of millions of EHR records, including President Obama’s, e.g., Anthem, and identity theft is rampant.

· NIST ACTION:

NIST needs to provide policy support for the new generation of privacy protections. There is no privacy policy guidance that attempts to safeguard one’s digital identity. Government sponsored PIV, PIV-I, and PIV-Derived Credentials and their associated Levels of Assurance (LOA) are focused on verification and validation of the token, not on the digital identity of the individual.

Privacy here is defined as reasonable assurance of secure access to a person’s Personally Identifiable Information (PII), the possession of a unique digital identity, and the relative sanctity of their Protected Health Information (PHI). An example of a definition of unique digital identity can be found in the draft language available from the NIST/IDESG Healthcare Working Group (HC WG).

The new generation of privacy protections includes frameworks and standards developed and piloted by Health Level 7 International, such as Data Segmentation for Privacy and Fast Healthcare Interoperability Resources (FHIR), a draft standard for the exchange of resources which was recently piloted and demonstrated at the HIMSS15 and RSA meetings in April 2015 as “Privacy on FHIR.”

Diana Proud-Madruga, CISSP, GSEC

Veterans Health Administration, Security Analyst

Engility Corporation

(619) 467-5568 (Office)

dproud-madruga@drc.com

diana.proud-madruga@va.gov

From: pmrm@lists.oasis-open.org [mailto:pmrm@lists.oasis-open.org] On Behalf Of Proud-Madruga, Diana L. (Engility)
Sent: Tuesday, May 12, 2015 7:36 AM
To: John Sabo; pmrm@lists.oasis-open.org
Subject: [pmrm] RE: [EXTERNAL] [pmrm] Draft Agenda - PMRM TC Meeting 12 May 2015

The link to information for this is: http://csrc.nist.gov/groups/ST/eauthentication/sp800-63-2_call-comments.html

Summary from this link:

NIST requests comments on SP 800-63-2,Electronic Authentication Guideline. This document describes the technical requirements necessary to meet the four Levels of Assurance (LOA) that are specified in the Office of Management and Budget (OMB) memorandum M-04-04, E-Authentication Guidance for Federal Agencies. Please send questions and comments by May 22, 2015 to eauth-comment@nist.gov.

These are the comments that VA and the OASIS Trust Elevation group have come up with:

Recommendation: Address privacy risks through user-centric risk assessment

As a consequence of being driven by a system-centric risk assessment, NIST 800-63-2 does not sufficiently address the privacy concerns of users. For the most part the document does not address core privacy principles identified by NSTIC (the TFPAP added some to the FICAM mix), but it also fails to address privacy as it relates to selection of attributes to present to the world, e.g. a persona. For example, Steve operating as a private citizen (G2C) and accessing a government service has different privacy expectations than Steve, acting as an employee of a contracting company and accessing a government system as part of a job assignment. One size does not fit all. Definition of privacy requirements and inclusion in certain profiles will enable identity services that meet a broader range of privacy needs.

Recommendation: Incorporate Privacy Terms

Suggest incorporating the following privacy terms in the updated model:

• anonymity: the property of a service of not disclosing identifying information about users.

• pseudonymity: the property of a service that permits users to identify themselves by aliases and other unverified names.

• reversible pseudonymity: the property of a service that performs identity proofing during registration but permits users to identify themselves by aliases and other unverified names. Identified authorities are permitted to obtain the verified name of the user under controlled circumstances.

• unlinkability: the property of a service that prevents disclosure of multiple accesses of a service or resource by the same user.

Recommendation: Add a privacy component for each of the LOAs.

Diana Proud-Madruga, CISSP, GSEC

Veterans Health Administration, Security Analyst

Engility Corporation

(619) 467-5568 (Office)

dproud-madruga@drc.com

diana.proud-madruga@va.gov

-----Original Message-----
From: pmrm@lists.oasis-open.org [mailto:pmrm@lists.oasis-open.org] On Behalf Of John Sabo
Sent: Monday, May 11, 2015 4:47 PM
To: pmrm@lists.oasis-open.org
Subject: [EXTERNAL] [pmrm] Draft Agenda - PMRM TC Meeting 12 May 2015

PMRM TC Members:

Here is the draft agenda for the TC Meeting of 12 May 2015. Please let me know if you have any additions. Thanks.

Welcome and Introductions

Report on EIC 2015 and privacy/IoT track

Update on OASIS London Conference 8-9 July 2015

Update on Use Case - Gershon Janssen

Discussion: PRIPARE Methodology Draft - John Sabo

Possible Comments on Revision of NIST SP-800-63 - Diana Proud-Madruga

Further Discussion: PMRM Revision (Glossary, Committee Notes, etc.) and Outreach

Member Reports and Other Business

John

John Sabo

Chair, PMRM TC

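The four privacy terms proposed in the quoted message above (anonymity, pseudonymity, reversible pseudonymity and unlinkability) each correspond to a concrete mechanism in an identity service. The Python below is an illustration added to this archive page; it is not code from the message's author, VA, OASIS or NIST. The service, the relying-party names and the sample user are constructed for the example, and it uses HMAC-derived pairwise pseudonyms (one user gets a different, stable identifier at each relying party) as one way to obtain unlinkability; the escrow mapping kept only for identity-proofed users is what makes the pseudonymity reversible for an authorised party.

```python
import hashlib
import hmac
import secrets


class PseudonymService:
    """Toy identity service (constructed for this example) issuing pairwise pseudonyms.

    A pairwise pseudonym is HMAC(master_key, subject_id || relying_party): stable for
    one user at one relying party, different at every other relying party, so two
    relying parties cannot match their records of the same user without the key.
    """

    def __init__(self, master_key=None, authority_token=None):
        self.master_key = master_key or secrets.token_bytes(32)
        # Credential an identified authority must present to reverse a pseudonym.
        self.authority_token = authority_token or secrets.token_bytes(32)
        self._subjects = {}  # subject_id -> {"alias": ..., "verified_name": ... or None}
        self._escrow = {}    # (relying_party, pseudonym) -> subject_id, proofed users only

    def register_pseudonymous(self, alias):
        """Pseudonymity: the user chooses an alias; no identity proofing is performed."""
        subject_id = secrets.token_hex(16)
        self._subjects[subject_id] = {"alias": alias, "verified_name": None}
        return subject_id

    def register_proofed(self, verified_name, alias):
        """Reversible pseudonymity: identity proofed at registration, alias used thereafter."""
        subject_id = secrets.token_hex(16)
        self._subjects[subject_id] = {"alias": alias, "verified_name": verified_name}
        return subject_id

    def pairwise_pseudonym(self, subject_id, relying_party):
        """Unlinkability: a different identifier for the same user at each relying party."""
        msg = f"{subject_id}\x00{relying_party}".encode()
        pseudonym = hmac.new(self.master_key, msg, hashlib.sha256).hexdigest()
        if self._subjects[subject_id]["verified_name"] is not None:
            # Keep the mapping only for proofed users, so it can be reversed on request.
            self._escrow[(relying_party, pseudonym)] = subject_id
        return pseudonym

    def reveal(self, relying_party, pseudonym, authority_token):
        """Return the verified name behind a pseudonym, only to an authorised party.

        Returns None when the pseudonym belongs to a user who was never proofed:
        the service holds no verified name that it could disclose.
        """
        if not hmac.compare_digest(authority_token, self.authority_token):
            raise PermissionError("not an identified authority")
        subject_id = self._escrow.get((relying_party, pseudonym))
        if subject_id is None:
            return None
        return self._subjects[subject_id]["verified_name"]


def anonymous_session_token():
    """Anonymity: a fresh random token per session, with no mapping to any user kept."""
    return secrets.token_urlsafe(16)


def relying_parties_can_link(pseudonym_a, pseudonym_b):
    """All two colluding relying parties can do without the master key is compare the
    identifiers they each hold; pairwise pseudonyms make that comparison fail."""
    return hmac.compare_digest(pseudonym_a, pseudonym_b)


if __name__ == "__main__":
    svc = PseudonymService()
    sid = svc.register_proofed("Jane Q. Veteran", alias="jqv")  # constructed sample user
    at_a = svc.pairwise_pseudonym(sid, "benefits.example")
    at_b = svc.pairwise_pseudonym(sid, "pharmacy.example")
    print("linkable across relying parties:", relying_parties_can_link(at_a, at_b))
    print("revealed to authority:", svc.reveal("benefits.example", at_a, svc.authority_token))
```

The design point worth noting is that unlinkability and reversibility pull in opposite directions: the escrow table is exactly the linkage a relying party cannot build on its own, so the controls around the authority credential (and logging of each reveal) are where the "controlled circumstances" in the reversible-pseudonymity definition have to be enforced.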