National Cybersecurity Center of Excellence (NCCoE) Secure Exchange of Electronic Health Information Demonstration Project, 2953-2954 [2013-00724]
Federal Register / Vol. 78, No. 10 / Tuesday, January 15, 2013 / Notices
[Federal Register Volume 78, Number 10 (Tuesday, January 15, 2013)]
[Notices]
[Pages 2953-2954]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-00724]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No.: 120823388-2388-01]
National Cybersecurity Center of Excellence (NCCoE) Secure
Exchange of Electronic Health Information Demonstration Project
AGENCY: National Institute of Standards and Technology, Department of
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
invites organizations to provide products and technical expertise to
support and demonstrate security platforms for exchange of electronic
health care information by healthcare providers. This notice is the
initial step for the National Cybersecurity Center of Excellence
(NCCoE) in the Secure Exchange of Electronic Health Information
project. Participation in the project is open to all interested
organizations.
DATES: Interested parties must contact NIST to request a certification
letter. Completed and signed certification letters must be received by
NIST by 5:00 p.m. Eastern time on March 1, 2013.
ADDRESSES: The NCCoE is located at 9600 Gudelsky Drive Rockville, MD
20850. Certification letters must be submitted to Karen Waltermire via
email at NCCoE@nist.gov; or via hardcopy to NCCoE, National Institute
of Standards and Technology; 100 Bureau Drive; MS 2000 Gaithersburg, MD
20899.
FOR FURTHER INFORMATION CONTACT: Karen Waltermire via email at
NCCoE@nist.gov; or telephone 301-975-4500; NCCoE, National Institute of
Standards and Technology; 100 Bureau Drive; MS 2000; Gaithersburg, MD
20899. Additional details about the Secure Exchange of Electronic
Health Information project will be available at: https://nccoe.nist.gov/hit.
SUPPLEMENTARY INFORMATION: Background: The NCCoE, hosted by NIST, is a
public-private collaboration for accelerating the widespread adoption
of integrated cybersecurity tools and technologies. The NCCoE will
bring together experts from industry, government, and academia under
one roof to develop practical, interoperable cybersecurity approaches
that address the real world needs of complex Information Technology
(IT) systems. By accelerating dissemination and use of these integrated
tools and technologies for protecting IT assets, the NCCoE will enhance
trust in U.S. IT communications, data, and storage systems; lower risk
for companies and individuals in the use of IT systems; and encourage
development of innovative, job-creating cybersecurity products and
services. The project is not restricted to organizations required to
comply with the standards and implementation specifications promulgated
under the Health Insurance Portability and Accountability Act (HIPAA)
of 1996 or to organizations using EHR technology that complies with the
standards, implementation specifications, and certification criteria
promulgated under the Health Information Technology for Economic and
Clinical Health (HITECH) Act of 2009. NIST expects that participation
in the project will help participating organizations gain knowledge
that will help them comply with these requirements.
Process: NIST is soliciting responses from all sources of relevant
security capabilities (e.g., vendors, academia, and integrators).
Interested parties should contact NIST using the information provided
in the FOR FURTHER INFORMATION CONTACT section of this notice. Each
interested party will be provided with a certification letter, which
the party must complete and submit to NIST by the date provided in the
DATES section of this notice. The certification letter must be
completed and submitted to NIST by the responding organization. NIST
will contact interested parties if there are questions regarding the
responsiveness of the certification letters to the project objective or
project requirements identified below. NIST will select participants
who have submitted complete certification letters on a first come,
first served basis within each category of product components or
capabilities listed below up to the number of participants in each
category necessary to carry out this project. Selected participants
will be required to enter into a consortium Cooperative Research and
Development Agreement (CRADA) with NIST. NIST published a notice in the
Federal Register on October 19, 2012 (77 FR 64314) inviting U.S.
companies to enter into "National Cybersecurity Excellence
Partnerships" (NCEPs) in furtherance of the NCCoE. For this
demonstration project NCEP partners will not be given priority for
participation.
Project Objective: Healthcare providers increasingly need to
securely exchange electronic health information with each other. The
confidentiality, integrity, and availability of this information must
be protected. Secure exchange of electronic health information is often
particularly challenging for small healthcare providers, who may lack
the security infrastructure or expertise that larger healthcare
providers possess. Other challenges with secure electronic health
information exchange include the variety of client devices (desktops,
laptops, and mobile devices) and the range of healthcare data exchange
standards.
Major security concerns for secure electronic health information
exchange include, but are not limited to, the following categories:
• Lack of physical security controls (e.g., increased risk
of loss or theft for mobile devices, public proximity to client
devices)
• Use of untrusted client devices (lack of security features
or circumvention of those features)
• Use of untrusted networks (e.g., broadband, WiFi, WiMAX,
cellular networks)
• Interaction with other systems in terms of data
synchronization and storage
Although a number of components are available to address some of
these concerns in some healthcare environments, security platforms that
are composed of available capabilities in a secure, usable, and
affordable manner to provide comprehensive solutions are needed for the
very large number of small healthcare providers. The goal for this
project is to provide a security platform to enable small healthcare
providers to exchange electronic health information in support of the
U.S. federal government and the health IT community.
Requirements: Each organization must complete and execute the
certification letter and certify that it is accurate and complete.
Each organization will be asked to identify which security platform
components or capabilities it is offering. Product components or
capabilities include one or more of the following:
1. Electronic health information entry and display devices,
2. Authentication and authorization mechanisms,
3. Data transfer/communications components,
4. Electronic health information storage and retrieval components,
5. Forms generation capabilities, and
6. Printer devices or interfaces.
Specific requirements of the Secure Exchange of Electronic Health
Information demonstration project are as follows:
1. Compatibility with various electronic health record (EHR)
systems in use by small healthcare providers;
2. Use of, or compatibility with, healthcare data exchange
standards and implementation specifications (e.g., HL7, DICOM, IHE),
including the transport standards adopted by the Department of Health
and Human Services at 45 CFR 170.202;
3. Access by project staff to component interfaces and the
organization's experts necessary to make functional connections among
security platform components;
4. Enterprise security policy enforcement on the client devices
through a hardware root of trust, such as implementing secure
configuration baselines for operating systems and applications;
automatically continuously monitoring, detecting, and reporting policy
violations; and performing system health checks;
5. Support for standardized security automation technologies (e.g.,
SCAP);
6. Strong encryption of data communications and local storage;
7. User authentication, including support of directory services,
multi-factor authentication, and key management;
8. Use of secure infrastructure components (e.g., DNSSEC, IPv4, and
IPv6);
9. Development and demonstration of use cases in NCCoE facilities;
and
10. Development and demonstration activities will be conducted in a
manner consistent with Federal requirements (e.g., FIPS 200, FIPS 201,
SP 800-53, and SP 800-63).
Additional details about the Secure Exchange of Electronic Health
Information Use Case project will be available for organizations to
look at specifics that are relevant to capability and component
identification, at: https://nccoe.nist.gov/hit.
NIST cannot guarantee that all of the products proposed by
respondents will be used in the demonstration. Each prospective
participant will be expected to work collaboratively with NIST staff
and other project participants under the terms of the consortium CRADA
in the development of the Secure Exchange of Electronic Health
Information capability. Prospective participants' contribution to the
collaborative effort will include assistance in establishing the
necessary interface functionality, connection and set-up capabilities
and procedures, demonstration harnesses, environmental and safety
conditions for use, integrated platform user instructions, and
demonstration plans and scripts necessary to demonstrate the desired
capabilities. Each prospective participant will train NIST personnel as
necessary, to operate its product in capability demonstrations to the
healthcare community. Following successful demonstrations, NIST will
publish a description of the security platform and its performance
characteristics sufficient to permit other organizations to develop and
deploy security platforms that meet the security objectives of the
Secure Exchange of Electronic Health Information Demonstration project.
These descriptions will be public information.
Under the terms of the consortium CRADA, NIST will support
development of interfaces among participants' products, including IT
infrastructure, laboratory facilities, office facilities, collaboration
facilities, and staff support to component composition, security
platform documentation, and demonstration activities.
The dates of the demonstration of the Secure Exchange of Electronic
Health Information capability to the healthcare community will be
announced on the NCCoE Web site at least two weeks in advance at:
https://csrc.nist.gov/nccoe. The expected outcome of the demonstration
is to enable healthcare providers to exchange electronic health
information. Participating organizations will gain from the knowledge
that their products are interoperable with other participants'
offerings.
For additional information on the NCCoE governance, business
processes, and NCCoE operational structure, visit the NCCoE Web site
https://csrc.nist.gov/nccoe.
Dated: January 10, 2013.
Willie E. May,
Associate Director for Laboratory Programs.
[FR Doc. 2013-00724 Filed 1-14-13; 8:45 am]
BILLING CODE 3510-13-P