Press Release

OASIS Members Form New Committee to Enable Exchange of Healthcare Security and Privacy Information

IBM, Axiomatics, Cisco, Red Hat, US Department of Veterans Affairs, and Others Collaborate to Meet HITSP Requirements

Boston, MA, USA; 8 October 2008 — OASIS, the international open standards consortium, has formed a new group to standardize the way healthcare providers, hospitals, pharmacies, and insurance companies exchange privacy policies, consent directives, and authorizations within and between healthcare organizations. The OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee will specify healthcare profiles of existing OASIS standards to support reliable, auditable methods of confirming personal identity, official authorization status, and role attributes. This work aligns with security specifications being developed within the U.S. Healthcare Information Technology Standards Panel (HITSP). A cooperative partnership between the public and private sectors, HITSP is a national, volunteer driven, consensus-based organization that is working to ensure the interoperability of electronic health records in the United States. “Electronic Health Records (EHR) systems must be interoperable so that patients, physicians, hospitals, public health agencies and other authorized users can share health related information with adequate security and privacy protection,” explained Johnathan Coleman, facilitator of the HITSP Security, Privacy and Infrastructure Technical Committee. In accomplishing the work of the XSPA Committee, OASIS is focused on addressing the very sensitive issues related to the access of patient information. “While the primary focus of our work will center on the HITSP interoperability specifications, we expect XSPA will have broad applicability to health communities beyond government regulated transactions,” said David Staggs, co-chair of the OASIS XSPA Technical Committee. “We intend to solicit use cases from other instances of cognate data exchanges–particularly in healthcare privacy contexts–to improve our work.” The work of the OASIS XSPA Technical Committee may even extend beyond healthcare to general business models and other industry applications where support for privacy rights is needed, such as finance. “Privacy and authorization are areas of security that need to be addressed for standardization. A standard format for privacy, consent directives, and authorization data exchange will foster interoperability and simplification of complex heterogeneous systems,” said Anil Saldhana of Red Hat, co-chair of the OASIS XSPA Technical Committee. XSPA will be developed at OASIS alongside other core security standards, such as the Security Assertion Markup Language (SAML), Web Services Trust (WS-Trust), and the eXtensible Access Control Markup Language (XACML). The XSPA work will draw on these standards and the expertise behind them, as part of its goal to identify and fill in the gaps. XSPA will be offered for implementation on a royalty-free basis. Participation in the OASIS XSPA Technical Committee remains open to all interested parties. Archives of the work will be accessible to both members and non-members, and OASIS will offer a mechanism for public comment. Support for XSPA IBM “The formation of this technical community represents a major milestone in taking OASIS security technology, such as XACML, WS-Trust, and SAML, to the next step by applying standards to solve specific industry challenges. This effort helps provide the foundation for a concrete standard for much needed interoperability within the healthcare industry,” said Anthony Nadalin, IBM Distinguished Engineer and chief security architect, IBM Tivoli Software. US Department of Veterans Affairs “The work of the OASIS XSPA Technical Committee is a major step towards achieving the goal of international security and privacy interoperability. We are delighted to help lead the creation of these critical healthcare profiles supporting OASIS, HITSP, and the Office of the National Coordinator,” said John (Mike) Davis of the Department of Veterans Affairs. Additional information:

OASIS XSPA Technical Committee XSPA FAQ

About OASIS: OASIS (Organization for the Advancement of Structured Information Standards) drives the development, convergence, and adoption of open standards for the global information society. A not-for-profit consortium, OASIS advances standards for SOA, security, Web services, documents, e-commerce, government and law, localisation, supply chains, XML processing, and other areas of need identified by its members. OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology. The consortium has more than 5,000 participants representing over 600 organizations and individual members in 100 countries. Press contact: Carol Geyer OASIS Director of Communications +1.978.667.5115 x209 (office) +1.941.284.0403 (mobile)