Attendees (bold attended):
· Sean Nolan – Microsoft
· Gary Christensen – RIQI
· Greg Chittim – RIQI
· John Feikema – VisionShare
· Brett Peterson – VisionShare
· Don Jorgenson – Inpriva
· Pat Pyette – Inpriva
· Ardi Kazarian – Verizon
· Steven Archer – Verizon
· Peter Tippett – Verizon
· Paul Donfried – Verizon
· Guy Tallent (sp?) - Verizon
· John Moehrke – GE
· Arien Malec – ONC (for portions)
· Ryan Shayto - White House, Director, Cybersecurity Policy at the National Security Staff Cybersecurity Office

Action Items
· Draft a recommendation of trust criteria for CAs
· Schedule a follow-up meeting
o Get more representation from Sec & Trust WG next time – will enhance future conversations
o Need to get more focused for the next meeting – set agenda with specific questions in advance

· Don – what we feel comfortable with is something in between. Not *more* assurance – but appropriate. Declaration that allows a CA to say “this entity is subject to HIPAA regulation, is a covered entity, etc…”
· Brett – in reading thread and on CAB, the expense that the CA would have to pass on for identity and organizational verification, might turn into a catch-22. Especially if we go to an individual verification model.
· Greg – not just cost, but also the operational difficulties of how do you know when new entities that must be trusted (or not) come into the marketplace
· John – some parts of CAB that require you to attest to (like bank accounts) are less necessary when there are additional requirements like BAAs.
· Arien – range of what we could do: no recommendation, set of principles, specific recommendations
o Here are things that you should consider when looking at a CA
o Here is a list of root CAs
· ?? – CAB policy wants to help you both trust the CA, and the entity to which they’ve issues a certificate
· Pat – Cert policy – if this identify is used to transmit health information, and you are covered under HIPAA legislation. How does an individual CA determine which other CAs to trust?
o Criteria for trust
o How do you know when other CAs come into the marketplace?
· Guy – could we look into Bridges? Federal bridges? Other bridges?
· ?? – Cross certified certificates happen by querying the OID. Don’t reinvent the wheel.
· Pat – Not suggesting the federal bridge is not workable. There might just need to be some changes to make it workable for Healthcare exchange.
· ?? – are the needs and cost covering requirements of the federal entities in line with rural doctor capabilities?
· ?? – there are plenty of commercial CAs that are cross certified with the bridge.
· Pat – hoops that have to be jumped through to get a cert are there to mitigate risk inherent in transmitting PHI. Risk profile doesn’t change (but volume does) if you’re a single doctor vs. a large hospital
· Don – question for Verizon – how would you extend the cert to know if it was for a covered entity
· ?? – HIPAA HITECH needs NIST level 3 assurance. Strong multifactor authentication of the human subject.
· ?? – certs generally issued with 1 year lifetime. That’s too long for hospitals – too much latency.
· ?? – need approach for Trust Anchors. Recommendation would be to leverage existing systems like the Federal Bridge. Separate topic of authorization vs. identity.
· Brett – Are we predicating this discussion on the fact that individuals might want to contact individuals that don’t already have a relationship
o Maybe the right way is to handle this out of band
o Our charge should be to make recommendations about how to decide if you should trust someone
· ?? – is Direct an island on its own for trust?