TEFCA Governance Structure to Include Cybersecurity Council

April 25, 2022
Johnathan Coleman, recently named the recognized coordinating entity’s CISO, will serve as chairperson of the Cybersecurity Council

At its April 19 monthly informational call, the Sequoia Project, serving as the recognized coordinating entity (RCE) for the TEFCA interoperability effort, provided more detail on security requirements and governance, including the establishment of a Cybersecurity Council.

Qualified Health Information Networks (QHINs) are expected to begin signing TEFCA’s Common Agreement and applying for official designation in the second quarter, according to the RCE’s timeline. The third and fourth quarters will see the onboarding of initial QHINs, the RCE’s first designations of QHINs to share data, and preparation for TEFCA FHIR exchange pilots.

As part of its governance framework, TEFCA will establish a Cybersecurity Council, which will evaluate the cybersecurity risks to the activities conducted under the Framework Agreements and advise the RCE on ways to remediate the risks.

The RCE Chief Information Security Officer (CISO) will chair the Cybersecurity Council as a voting member. Johnathan Coleman, a principal with Security Risk Solutions Inc., has been named RCE CISO. Coleman has supported the Office of the National Coordinator for Health IT (ONC) as a program manager and subject matter expert for several standards and interoperability projects. He also serves as an elected co-chair of the HL7 Community-Based Collaborative Care (CBCC) Work Group, and he supports the Defense Health Agency (DHA) Cybersecurity Division on cybersecurity policy, including DHA’s participation in TEFCA.

The QHIN Caucus will select five CISOs from among the QHINs to serve as voting members of the Cybersecurity Council. The Participant and Subparticipant Caucus also will select five CISOs from among their ranks to serve as non-voting members of the Cybersecurity Council. The Council will meet at the request of the RCE CISO, but no less than on a quarterly basis. It may invite subject-matter experts to participate in meetings to provide input on specific issues.

The RCE also provided details on security certification efforts. Every QHIN is expected to be certified under a nationally recognized security framework from a list of pre-approved certifications/certifying bodies developed by the RCE.

The RCE will maintain and publish a list of certifying bodies which meet the RCE’s security certification requirements as outlined in the standard operating procedure (SOP). Any third-party accreditation or certification body that can demonstrate adherence to the requirements listed in the SOP may be considered for inclusion in the RCE’s list of certification bodies.

As part of a QHIN’s third-party security certification process, the certification body would:
• Use the NIST Cybersecurity Framework (CSF) as the basis for its certification program.
• Review the QHIN’s HIPAA Security Analysis.
• Verify that the Common Agreement’s requirements for technical audits and assessments are met: that they are conducted at least annually, cover the required scope for security assessments (see below), and include mitigation planning activities.

As part of its progress report, the RCE noted that it has completed work on the following items:

• Governing Council
• Transitional Council
• Advisory Groups
• Conflicts of Interest
• Dispute Resolution
• QHIN Security of TEFCA Information (TI)
• Cyber Security Insurance

Work in progress or to be completed at a later date:
• QHIN Eligibility & Designation SOP and QHIN Application
• Foreign Ownership SOP
• Update Security of TI SOP: Certification Process and Security Certification List
• IAS Implementation SOP
• Exchange Purposes SOP
• Participant Subparticipant Definition SOP
• Participant Subparticipant Security SOP
• IAS Provider Privacy and Security Notice SOP
• Payment and Healthcare Operations Implementation SOP
• Public Health Implementation SOP
• Government Benefits Determination Implementation SOP
• Other Security Incidents and Reportable Events SOP
• Suspensions Process SOP
• Successor RCE & Transition SOP