• About Us
  • Events
  • Newsletter Sign Up
  • Spotlight Series
  • Webinars
  • WhitePapers
  • Videos
  • Podcasts
    1. Cybersecurity
    2. Frameworks

    TEFCA Governance Structure to Include Cybersecurity Council

    April 25, 2022
    Johnathan Coleman, recently named the recognized coordinating entity’s CISO, will serve as chairperson of the Cybersecurity Council
    Dreamstime Xl 155094584 6266bab915e51

    At its April 19 monthly informational call, the Sequoia Project, serving as the recognized coordinating entity (RCE) for the TEFCA interoperability effort, provided more detail on security requirements and governance, including the establishment of a Cybersecurity Council.

    Qualified Health Information Networks (QHINs) are expected to begin signing TEFCA’s Common Agreement and applying for official designation in the second quarter, according to the RCE’s timeline. The third and fourth quarter will see the onboarding of initial QHINs, the RCE beginning to designate QHINs to share data, and the preparation for TEFCA FHIR exchange pilots.

    As part of its governance framework, TEFCA will establish a Cybersecurity Council, which will evaluate the cybersecurity risks to the activities conducted under the Framework Agreements and advise the RCE on ways to remediate the risks.

    The RCE Chief Information Security Officer (CISO) will serve as the chairperson of the Cybersecurity Council as a voting member. Johnathan Coleman, a principal with Security Risk Solutions Inc., has been named RCE CISO. Coleman has supported the Office of the National Coordinator for Health IT (ONC) as a program manager and subject matter expert for several standards and interoperability projects. He also participates as an elected co-chair for the HL7 Community-Based Collaborative Care (CBCC) Work Group. He supports the Defense Health Agency (DHA) Cybersecurity Division with support for cybersecurity policy, including support for participation in TEFCA.

    The QHIN Caucus will select five CISOs from among the QHINs to serve as voting members of the Cybersecurity Council. The Participant and Subparticipant Caucus also will select five CISOs from among their ranks to serve as non-voting members of the Cybersecurity Council. The Council will meet at the request of the RCE CISO, but no less than on a quarterly basis. It may invite subject-matter experts to participate in meetings to provide input on specific issues.

    The RCE also provided details on security certification efforts. Every QHIN is expected to be certified under a nationally recognized security framework from a list of pre-approved certifications/certifying bodies developed by the RCE.

    The RCE will maintain and publish a list of certifying bodies which meet the RCE’s security certification requirements as outlined in the standard operating procedure (SOP). Any third-party accreditation or certification body that can demonstrate adherence to the requirements listed in the SOP may be considered for inclusion in the RCE’s list of certification bodies.

    As part of a QHIN’s third-party security certification process, the certification body would:
    • Use the NIST Cyber Security Framework (CSF) as the basis for its certification program.
    • Review the QHIN’s HIPAA Security Analysis.
    • Verify Common Agreement requirements for technical audits and assessments are met. This includes making sure they are conducted at least annually, include the necessary scope for security assessments (see below), and include mitigation planning activities.

    As part of its progress report, the RCE noted that it has completed work on the following items:

    • Governing Council
    • Transitional Council
    • Advisory Groups
    • Conflicts of Interest
    • Dispute Resolution
    • QHIN Security of TEFCA Information (TI)
    • Cyber Security Insurance

    Work in progress or to be completed at a later date:
    • QHIN Eligibility & Designation SOP and QHIN Application
    • Foreign Ownership SOP
    • Update Security of TI SOP: Certification Process and Security Certification List
    • IAS Implementation SOP
    • Exchange Purposes SOP
    • Participant Subparticipant Definition SOP
    • Participant Subparticipant Security SOP
    • IAS Provider Privacy and Security Notice SOP
    • Payment and Healthcare Operations Implementation SOP
    • Public Health Implementation SOP
    • Government Benefits Determination Implementation SOP
    • Other Security Incidents and Reportable Events SOP
    • Suspensions Process SOP
    • Successor RCE & Transition SOP

    Continue Reading

    Sponsored Recommendations

    ASK THE EXPERT: ServiceNow’s Erin Smithouser on what C-suite healthcare executives need to know about artificial intelligence

    Generative artificial intelligence, also known as GenAI, learns from vast amounts of existing data and large language models to help healthcare organizations improve hospital ...

    TEST: Ask the Expert: Is Your Patients' Understanding Putting You at Risk?

    Effective health literacy in healthcare is essential for ensuring informed consent, reducing medical malpractice risks, and enhancing patient-provider communication. Unfortunately...

    From Strategy to Action: The Power of Enterprise Value-Based Care

    Ever wonder why your meticulously planned value-based care model hasn't moved beyond the concept stage? You're not alone! Transition from theory to practice with enterprise value...

    State of the Market: Transforming Healthcare; Strategies for Building a Resilient and Adaptive Workforce

    The U.S. healthcare system is facing critical challenges, including workforce shortages, high turnover, and regulatory pressures. This guide highlights the vital role of technology...