Federated Identity Management in Healthcare: What is Needed and What is Feasible

2006 Spring Member Meeting
April 26, 2006
Holt Anderson – NCHICA Executive Director
William Weems, Univ. of Texas Health Science Center at Houston
Casey Webster, IBM
Session Outline
• Holt Anderson
  – Background of National HIT Initiatives from ONC
• Casey Webster
  – Challenges & Approaches in Developing the Nationwide Health Information Network (NHIN) Architecture
• Bill Weems
  – What is Possible Today!
• Question & Answer Session
Background of National HIT Initiatives from ONC
Holt Anderson
Diagram: ONC framework for Health Information Technology Deployment. Boxes shown: Industry Transformation; Standards Harmonization; Compliance Certification; Nationwide Health Information Network; Privacy / Security; Health IT Adoption; Infrastructure; Technology Industry.
Standards Harmonization Process
• HHS awarded a contract valued at $3.3 million to the American National Standards Institute, a non-profit organization that administers and coordinates the U.S. voluntary standardization activities, to convene the Health Information Technology Standards Panel (HITSP).
• The HITSP will develop, prototype, and evaluate a harmonization process for achieving a widely accepted and useful set of health IT standards that will support interoperability among health care software applications, particularly EHRs.
Compliance Certification Process
• HHS awarded a contract valued at $2.7 million to the Certification Commission for Health Information Technology (CCHIT) to develop criteria and evaluation processes for certifying EHRs and the infrastructure or network components through which they interoperate.
• CCHIT will be required to submit recommendations for ambulatory EHR certification criteria in December 2005, and to develop an evaluation process for ambulatory health records in January 2006.
  – Criteria will include the capabilities of EHRs to protect health information, standards by which EHRs can share health information and clinical features that improve patient outcomes.
Privacy and Security Solutions
• HHS awarded a contract valued at $11.5 million to RTI International, a private, non-profit corporation, to lead the Health Information Security and Privacy Collaboration (HISPC), a collaboration that includes the National Governors Association (NGA), up to 40 state and territorial governments, and a multi-disciplinary team of experts.
• RTI will oversee the HISPC to assess and develop plans to address variations in organization-level business policies and state laws that affect privacy and security practices that may pose challenges to interoperable electronic health information exchange while maintaining privacy protections.
Health Information Technology Adoption Initiative
• HHS awarded a contract valued in excess of $1 million to the George Washington University and Massachusetts General Hospital Harvard Institute for Health Policy to support the Health IT Adoption Initiative.
• The new initiative is aimed at better characterizing and measuring the state of EHR adoption and determining the effectiveness of policies to accelerate adoption of EHRs and interoperability.
• For more information visit: http://www.hitadoption.org/
Nationwide Health Information Network (NHIN)
• Contracts have been awarded by HHS totaling $18.6 million to four consortia of health care and health information technology organizations to develop prototypes for the Nationwide Health Information Network (NHIN) architecture.
  – The contracts were awarded to: Accenture, Computer Sciences Corporation, IBM, and Northrop Grumman, along with their affiliated partners and health care market areas.
• The four consortia will move the nation toward the President's goal of personal electronic health records by creating a uniform architecture for health care information that can follow consumers throughout their lives.
Diagram: ONC framework for Health Information Technology Deployment. Boxes shown: Health Care Industry Breakthroughs (Chronic Care, Electronic Health Records, Consumer Empowerment, Biosurveillance); Industry Transformation; Standards Harmonization; Compliance Certification; Nationwide Health Information Network; Privacy / Security; Health IT Adoption; Infrastructure; Technology Industry; Consumer Value.
Challenges & Approaches in Developing the Nationwide Health Information Network (NHIN) Architecture
Casey Webster
Business Consulting Services
The Nationwide Health Information Network (NHIN)
Architecture Prototype Project
Internet2 Spring Member Meeting
April 26, 2006
© 2006 IBM Corporation
Marketplaces
Fishkill, NY (THINC)
– Taconic Healthcare Information Network Communication
– Hudson Valley: evolving RHIO w/ shared data at HealthVision hub
– 2,300 physicians supporting 700,000 patients
Research Triangle, NC (NCHICA)
– (North Carolina Healthcare Information Communication Affiliates)
– Competitive, high-tech urban environment: UNC, Duke, Wake Forest
Rockingham County, NC and Danville, VA (NCHICA)
– (North Carolina Healthcare Information Communication Affiliates)
– Rural environment with NC and VA patients
– Small, competitive practices and hospitals
Diagram: Research Triangle Marketplace. Participants shown: UNC Hospitals and Health System; Rex Hospital (UNC); Duke Univ. Health System; Durham Regional Hosp (Duke); WakeMed Health System; a Pharmacy; a Lab; Public Health; a Safety Net Provider; and several physician practices (1x and 2x practice sites).
Diagram: Rockingham Co., NC / Danville, VA Marketplace. Participants shown: Annie Penn Hospital (Moses Cone); Morehead Memorial Hospital; Moses Cone Health System; a Pharmacy (unaffiliated); Public Health; a Lab; a Safety Net Provider; and several physician practices (1x and 2x practice sites).
Architecture Guiding Principles
• Community-Centric
  – Document repositories normalize and store clinical data within a community
    • Can be hosted by individual hospitals/practices and/or shared within the community
  – Community hub provides MPI, document locator, security and support services
  – The community hub is the gateway to other communities
• Drive and conform to standards
  – Instantiation of IHE interoperability framework (XDS, PIX/PDQ, ATNA & CT profiles)
  – Clinical events stored as HL7 CDA(r2)-compliant documents
  – Java/J2EE implementation is hardware & software vendor agnostic
  – Proven Internet protocols for authentication, authorization, and security
• Provide security & privacy w/o sacrificing usability or research value
  – Anonymous/pseudonymous data that can be re-identified as needed/permitted
  – Supports other data aggregates (registries, biosurveillance, outcomes analysis)
• Practical
  – Scalable and cost-effective at every level of practice
  – Point-of-care performance is critical to adoption
Architecture
Community Architecture
Diagram. Community Hub: MPI Services (PIX, PDQ); Registry Services (Document Locator, Community XDS); Access Control (Authentication, Authorization, Patient Consent); NHIN Interface (XDR, CAD Search/Retrieval, CAD Policies/Security); Support Services (Admin/Maintenance, QoS, ATNA Logging, CT); Community Services (Biosurveillance, PHR Portal); Security Services. Hospital or Physician Practice Interface: Data Services (Integration Engine or Data Source); HCN Gateway (Xform/Xlate, IHE Adapter); Document Services (Document Storage and Retrieval, XDS).
Architecture
Cross-Community Interaction
• All cross-community interactions are brokered through the NHIN interface, using other community services as needed
• Authentication and authority use a federated model, with trust relationships established at the NHIN level
• Cross-community patient lookup is based on demographic matching
  – Identity is established by matching demographic data between the local and remote PDQ databases, with a conservative threshold
  – IBM research is working on open issues such as patient mobility, multiresident patients ("snowbirds"), directed searches, and undirected bounded searches
• Once a positive patient match is obtained, document search and retrieval is identical to the intra-community model
NHIN Architecture Prototype – Introduction
Acronyms
• IHE (Integrating the Healthcare Enterprise) Profiles
  – XDS – Cross-Enterprise Document Sharing: supports saving, registering, querying and retrieving documents across enterprises but within an administrative domain
  – PIX – Patient Identifier Cross-referencing: supports cross referencing of patient identifiers across domains
  – PDQ – Patient Demographics Query: supports query for patients given a minimal set of demographic criteria (e.g. ID or partial name) returning all the demographics and a patient identifier within a domain
  – ATNA – Audit Trail and Node Authentication: supports auditing and secure communications
  – CT – Consistent Time: supports consistent time across multiple systems
• J2EE – Java 2 Enterprise Edition
  – Sun's Java-based framework for developing and deploying complex, scalable business solutions in a standardized manner, leveraging the following technologies
  – JDBC – Java Database Connectivity: a vendor-neutral means of accessing relational data from within a Java/J2EE application. Note that the data itself does not necessarily have to be stored in a relational database.
  – EJB – Enterprise JavaBeans: JavaBeans are reusable components within the J2EE architecture
  – JMS – Java Messaging Service: a vendor-neutral means of accessing message queuing systems (e.g., MQ Series) from within a Java/J2EE application
What is Possible Today!
Bill Weems
Internet2 Spring Mtg. 2006
University of Texas Health Science Center at Houston
UTHSC-H
• Six Schools
  – Graduate School of Biomedical Sciences
  – Dental School
  – Medical School
  – Nursing School
  – School of Health Information Sciences
  – School of Public Health
• ~ 10,000 Students, Faculty and Staff
Texas Medical Center
www.tmc.edu
• Forty One Institutions on 740 Acres
• Approximately 65,000 Employees
• Seven Large Hospitals
• 6,176 Licensed Beds & 334 Bassinets
• 5.2 Million Patient Visits in 2004
• Baylor College of Medicine
• Rice University
• Texas A&M Institution of Biotechnology
• University of Texas Health Science Center at Houston
• University of Texas M.D. Anderson Cancer Center
Scenario I
• UT-Houston Residency Programs have some attending physicians that are non-university personnel – e.g. M.D. Anderson & Baylor
• Dr. James at M.D. Anderson is to be an attending physician in the UT-Houston Internal Medicine Residency Program.
• On-line Graduate Medical Education Information System (GMEIS) contains confidential and sensitive information – including HIPAA data.
• Dr. James needs access to GMEIS.
• How is Dr. James' identity verified, authenticated and authorized to have access as an attending physician?
• If Dr. James suddenly leaves M.D. Anderson, is his access to the UT-Houston Residency Program immediately abolished?
Scenario I – Problems
• Dr. James has no digital credentials.
• U.T. Houston policy requires that a responsible party at U. T. Houston assume responsibility for Dr. James and sponsor him as a "guest".
• Dr. James must appear before a Local Registration Administration Agent (LRAA) to have his identity verified and be credentialed.
  – Does not verify his status with M.D. Anderson.
• If Dr. James leaves M.D. Anderson, there is no automatic process in place to revoke his access rights.
Ideally, individuals would each like a single digital credential that can be securely used to authenticate his or her identity anytime authentication of identity is required to secure any transaction.
Diagram: Identity Vetting & Credentialing. The Identity Provider (IdP), uth.tmc.edu, obtains the person's physical characteristics, assigns an everlasting identifier that is permanently bound to the person and recorded in the Permanent Identity Database, and issues a digital credential; activation of the digital credential is by the person only.
UTHSC-H: An Identity Provider (IdP)
It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.
Two Categories of Identity
• Physical Identity – Assigned Identifier – Authentication
  – Facial picture,
  – Fingerprints
  – DNA sample
• Identity Attributes – Authorization Attributes
  – Common name,
  – Address,
  – Institutional affiliations – e.g. faculty, student, staff, contractor,
  – Specific group memberships,
  – Roles,
  – Etc.
Diagram: UTHSC-H Identity Management System. Sources of record (HRMS, SIS, GMEIS, UTP, INDIS, Guest MS) feed the Identity Reconciliation & Provisioning Processes and the Person Registry, which populate the Authoritative Enterprise Directories (OAC7); these sync to Secondary Directories (OAC47). User Administration Tools: Authentication Service, Attribute Management, Authorization Service, Change Password.
Source of Authority (SOA) Responsibilities
An organizational entity officially responsible for identifying individuals having explicitly defined affiliations with the university constitutes a "source of authority" (SOA). The SOA is responsible for
• Identifying an individual,
• Maintaining the appropriate records that define a person's affiliation,
• Providing others with information about the specifics of an affiliation and,
• Determining if an affiliation is currently active or inactive – i.e. can a person be credentialed
Person Registry
• Identity Reconciliation
  – Unique Identifiers Generated by Source of Record
    • SSN – If Available (HRMS, GMEIS, UTP, Guest, SIS)
    • Student ID,
    • Employee Number – HRMS
  – Full Name
    • First, Middle, Last
  – Birth Information
    • Date of Birth,
    • City of Birth,
    • Country of Birth
  – Gender
• UUID – An everlasting unique identifier
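The person-registry reconciliation above and the cross-community patient lookup in the IBM section (demographic matching "with a conservative threshold") are the same operation: decide whether a record arriving from one source is a person already on file, without ever merging two different people. The Go program below is an added example written for this page; it is not code from UTHSC-H, IBM or the NHIN prototype. The record layout, the 0-100 scale and field weights, the rule that an SSN present on both sides is decisive, and the fictitious sample people are all assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// SourceRecord is what a source of record (HRMS, SIS, GMEIS, UTP, Guest) hands to the registry; the fields follow the slide.
type SourceRecord struct {
	Source, LocalID         string // e.g. "HRMS" + employee number, "SIS" + student ID
	SSN                     string // empty when the source does not hold it
	First, Middle, Last     string
	DOB                     string // YYYY-MM-DD
	BirthCity, BirthCountry string
	Gender                  string
}

// Person is one registry entry: the everlasting UUID plus every source-local identifier linked to it.
type Person struct {
	UUID        string
	Identifiers map[string]string // source name -> that source's identifier
	Canonical   SourceRecord      // the attributes the registry holds for the person
}

// Registry links records to persons; Threshold is the minimum score (0-100) accepted without review.
type Registry struct {
	Threshold int
	People    []*Person
}

func norm(s string) string { return strings.ToUpper(strings.TrimSpace(s)) }

func weight(equal bool, w int) int {
	if equal {
		return w
	}
	return 0
}

// newUUID mints a random version-4 UUID: never derived from an SSN or a source's number, so it outlives them.
func newUUID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6], b[8] = (b[6]&0x0f)|0x40, (b[8]&0x3f)|0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// DemographicScore compares two records on a 0-100 scale: an SSN on both sides is decisive either way.
func DemographicScore(a, b SourceRecord) int {
	if a.SSN != "" && b.SSN != "" {
		if a.SSN == b.SSN {
			return 100
		}
		return 0 // conflicting SSNs are never merged, whatever else agrees
	}
	return weight(norm(a.Last) == norm(b.Last), 30) +
		weight(norm(a.First) == norm(b.First), 25) +
		weight(a.DOB == b.DOB, 25) +
		weight(norm(a.BirthCity) == norm(b.BirthCity) && norm(a.BirthCountry) == norm(b.BirthCountry), 15) +
		weight(norm(a.Gender) == norm(b.Gender), 5)
}

// Reconcile links rec to the one person at or above the threshold, creates a person when none is, and errors (manual review) when several are.
func (r *Registry) Reconcile(rec SourceRecord) (string, bool, error) {
	var hits []*Person
	for _, p := range r.People {
		if DemographicScore(p.Canonical, rec) >= r.Threshold {
			hits = append(hits, p)
		}
	}
	switch len(hits) {
	case 0:
		p := &Person{UUID: newUUID(), Identifiers: map[string]string{rec.Source: rec.LocalID}, Canonical: rec}
		r.People = append(r.People, p)
		return p.UUID, true, nil
	case 1:
		hits[0].Identifiers[rec.Source] = rec.LocalID
		return hits[0].UUID, false, nil
	default:
		return "", false, fmt.Errorf("%s %s matches %d persons; route to manual review", rec.Source, rec.LocalID, len(hits))
	}
}

func main() {
	// Constructed, fictitious records: one woman as HRMS and SIS see her, then a different Mary Jones born elsewhere.
	records := []SourceRecord{
		{Source: "HRMS", LocalID: "E10001", SSN: "123-45-6789", First: "Mary", Middle: "Ann", Last: "Jones", DOB: "1970-03-14", BirthCity: "Houston", BirthCountry: "USA", Gender: "F"},
		{Source: "SIS", LocalID: "S2048", First: "MARY", Last: "JONES", DOB: "1970-03-14", BirthCity: "Houston", BirthCountry: "USA", Gender: "F"},
		{Source: "GMEIS", LocalID: "G77", First: "Mary", Last: "Jones", DOB: "1970-03-14", BirthCity: "Dallas", BirthCountry: "USA", Gender: "F"},
	}
	r := &Registry{Threshold: 90} // conservative; at 80 the Dallas-born record would be merged as well
	for _, rec := range records {
		uuid, created, err := r.Reconcile(rec)
		fmt.Printf("%-5s %-6s -> %s created=%v err=%v\n", rec.Source, rec.LocalID, uuid, created, err)
	}
}
```

With the threshold at 90 the SIS record (no SSN, name in upper case) links to the HRMS person because every demographic field agrees, while the second Mary Jones scores 85 and gets her own UUID; lowering the threshold to 80 merges her into the first person, which is the false positive a conservative threshold exists to prevent. Two persons that differ only by SSN make a later SSN-less record ambiguous, and the registry refuses to pick one.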
Issuing a Digital Credential
• Individual appears before an Identity Provider (IdP) which accepts the responsibility to
  – positively determine and catalog a person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample),
  – assign a unique, everlasting digital identifier to each person identified,
  – issue each identified person a digital credential that can only be used by that person to authenticate his or her identity,
  – maintain a defined affiliation with each individual whereby the validity of the digital credential is renewed at specified intervals.
Diagram: Identity Vetting & Credentialing – UTHSC-H Two Factor Authentication. Same flow as the diagram above (the IdP uth.tmc.edu assigns an everlasting identifier permanently bound to the person, obtains physical characteristics, records them in the Permanent Identity Database and issues a digital credential activated by the person only), with the credential issuance and activation steps marked "?".
Diagram: Identity Vetting & Credentialing – UTHSC-H Username/Password Authentication. Same flow as above, with the physical-characteristics and credential issuance steps marked "?" and activation of the digital credential shown as "Using Network Username Password".
Federal E-Authentication Initiative
http://www.cio.gov/eauthentication/
• Levels of assurance (Different Requirements)
  – Level 1 – e.g. no identity vetting
  – Level 2 – e.g. specific identity vetting requirements
  – Level 3 – e.g. cryptographic tokens required
  – Level 4 – e.g. cryptographic hard tokens required
• Credential Assessment Framework Suite (CAF)
UTHSC-H Strategic Authentication Goals
• Two authentication mechanisms.
  – Single university ID (UID) and password
  – Public Key Digital ID on Token (two-factor authentication)
• Digital Signatures
  – Authenticates senders
  – Guarantees messages are unaltered, i.e. message integrity
  – Provides for non-repudiation
  – Legal signature
• Encryption of email and other documents
• Highly Secure Access Control
• Potential for inherent global trust
Diagram: Mass Mailing of Signed & Encrypted E-mail. The Automated Mailer takes a Message and a Mailing List ([email protected], [email protected], [email protected]), requests each recipient's Digital Cert. from the LDAP Directory Service, and delivers the message Signed & Encrypted to each recipient ([email protected], [email protected], [email protected]).
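The automated mailer above does three things per recipient: find the recipient's key in the directory, sign the message so the recipient can authenticate the sender and detect alteration (the "Digital Signatures" goals on the previous slide), and encrypt it so only that recipient can read it. The Go program below is an added example written for this page, not code from UTHSC-H or its mailer. Assumptions: the LDAP directory service is an in-memory map from address to RSA public key (certificates are taken as already validated when the key was stored); the signature is RSA-PSS over SHA-256; encryption is a per-message AES-256-GCM key wrapped with RSA-OAEP for the recipient, the same sign-then-encrypt shape as S/MIME but without its CMS encoding; the keys, addresses and message are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Directory stands in for the LDAP directory service: address -> already validated public key (assumption).
type Directory map[string]*rsa.PublicKey

// Envelope is one message, signed by the sender and encrypted for one recipient.
type Envelope struct {
	To         string
	WrappedKey []byte // per-message AES-256 key, RSA-OAEP wrapped to the recipient
	Nonce      []byte
	Body       []byte // AES-GCM over signature||message, bound to the To address
}

// NewKey generates a 2048-bit RSA key; in practice keys come from the institution's PKI.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SendAll signs msg once (RSA-PSS over SHA-256) and encrypts it separately for every recipient; it fails closed on an address with no key.
func SendAll(sender *rsa.PrivateKey, dir Directory, list []string, msg []byte) ([]Envelope, error) {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, h[:], nil) // always sender.Size() bytes
	if err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, sig...), msg...)
	var out []Envelope
	for _, addr := range list {
		pub, ok := dir[addr]
		if !ok {
			return nil, fmt.Errorf("no certificate in the directory for %s; batch not sent", addr)
		}
		buf := make([]byte, 44) // fresh 32-byte content key and 12-byte nonce for this envelope
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		cek, nonce := buf[:32], buf[32:]
		gcm, _ := newGCM(cek) // cannot fail for a 32-byte key
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return nil, err
		}
		out = append(out, Envelope{addr, wrapped, nonce, gcm.Seal(nil, nonce, payload, []byte(addr))})
	}
	return out, nil
}

// Open is the recipient side: unwrap the content key, decrypt and authenticate the body, then accept the message only if the sender's signature verifies.
func Open(recipient *rsa.PrivateKey, senderPub *rsa.PublicKey, env Envelope) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not encrypted for this key: %w", err)
	}
	gcm, err := newGCM(cek) // a wrong-length key from a forged envelope is rejected here, not panicked on
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Body, []byte(env.To))
	if err != nil {
		return nil, fmt.Errorf("ciphertext altered or re-addressed: %w", err)
	}
	n := senderPub.Size()
	if len(payload) < n {
		return nil, fmt.Errorf("payload too short for a signature")
	}
	h := sha256.Sum256(payload[n:])
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], payload[:n], nil); err != nil {
		return nil, fmt.Errorf("sender signature invalid: %w", err)
	}
	return payload[n:], nil
}

func main() {
	sender, alice := NewKey(), NewKey() // constructed keys and addresses
	envs, err := SendAll(sender, Directory{"alice@example.org": &alice.PublicKey}, []string{"alice@example.org"}, []byte("Residency schedule attached"))
	msg, openErr := Open(alice, &sender.PublicKey, envs[0])
	fmt.Printf("send err=%v; alice reads %q (err=%v)\n", err, msg, openErr)
}
```

The recipient address is passed to GCM as associated data, so an envelope re-addressed to someone else fails before any signature check, and the signature is verified only after the body has been authenticated and decrypted, so nothing about the plaintext is exposed to a party that cannot decrypt. The sender refuses the whole batch when an address has no key in the directory rather than quietly sending that copy in clear; a mailer that prefers partial delivery should report such addresses explicitly.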
The University of Texas System
STRATEGIC LEADERSHIP COUNCIL
Statement of Direction
Identity Management
April 27, 2004
• LDAP (Lightweight Directory Access Protocol) compliant directory services,
• eduperson schema as promulgated by EDUCAUSE and Internet2,
• utperson schema (to be developed)
• inter-institutional access control utilizing Internet2 Shibboleth, and
• consistent institutional definitions and identity management trust policies for students, faculty, and staff as well as sponsored affiliates.
Diagram: Federated Services – Identity (IdP) & Service Providers (SP). Identity Providers: uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu. Service Providers: Public Key Resource Provider library.tmc.edu, GMEIS (uth.tmc.edu), Blackboard (uth.tmc.edu). Federation infrastructure: InCommon WAYF Service.
Diagram: Shibboleth components. Home Organization (IdP): Authentication System (ISO/SSO/Cert), Handle Service, Attribute Authority with attributes determined by ARP, RBAC Authorization System – LDAP (eduperson). Service Provider (SP): Browser, SHIRE, SHAR, Resource Manager, Web Site. Federation (InCommon): WAYF Service. A legend marks which components are Shib Software.
How Does Shibboleth Work?
Diagram: sequence between your Browser, the Resource Provider / SP (SHIRE, SHAR, Resource Manager, Web Site), the Federation WAYF Service (InCommon) and your Home Organization / IdP (Handle Service, Authentication System (ISO/SSO/Cert), Attribute Authority, LDAP (eduperson)). The eleven numbered steps and their captions:
1. Browser: request to the Web Site at the Resource Provider (SP).
2. SHIRE: "Who are you and where do you come from?" Your request is redirected to the WAYF.
3. WAYF: "What is your Organization?"
4. Your request is forwarded to your Home Organization (Handle Service).
5. Handle Service to Authentication System: "Can you login?"
6. Handle Service: "Now I know who you are." Your request and handle are redirected to the Target (SHIRE).
7. SHIRE hands the handle to the SHAR.
8. SHAR to Attribute Authority: "I know who you are. What are the attributes for this user?"
9. Attribute Authority to LDAP (eduperson): "What are your user attributes?"
10. Attributes determined by ARP; your attributes are returned to the Target.
11. Resource Manager: "I am satisfied with the attributes. You are allowed access."
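To make the sequence concrete, and to show why it answers the Dr. James question from Scenario I, the Go program below is an added example written for this page; it is not Shibboleth code and does not use Shibboleth's actual message formats. It simulates the Home Organization (Handle Service, Authentication System and Attribute Authority with an ARP) and the Service Provider (SHIRE/SHAR plus resource manager) as in-memory structs, so the opaque handle, the per-SP attribute release and the authorization on eduPersonAffiliation can be run end to end. The user, password, attributes and the single-use handle are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is the eduPerson-style record the home organization keeps for one user (field set assumed).
type Entry struct {
	Password string
	Attrs    map[string]string // e.g. eduPersonAffiliation, mail
}

// IdP is the Home Organization: Handle Service, Authentication System and Attribute Authority in one struct.
type IdP struct {
	Name      string
	Directory map[string]Entry    // uid -> entry; stands in for LDAP (eduperson)
	ARP       map[string][]string // attribute release policy: SP name -> attributes it may receive
	handles   map[string]string   // opaque handle -> uid it was issued for
}

// Login is the Handle Service asking the Authentication System "can you login?" and minting an opaque handle.
func (i *IdP) Login(uid, password string) (string, error) {
	e, ok := i.Directory[uid]
	if !ok || e.Password != password {
		return "", errors.New("authentication failed")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	h := hex.EncodeToString(b)
	i.handles[h] = uid
	return h, nil
}

// Attributes is the Attribute Authority: resolve the handle, read the directory as it is now, and
// release only what the ARP allows for the asking SP. Handles are single use here (a deployment also expires them).
func (i *IdP) Attributes(handle, sp string) (map[string]string, error) {
	uid, ok := i.handles[handle]
	if !ok {
		return nil, errors.New("unknown or already used handle")
	}
	delete(i.handles, handle)
	out := map[string]string{}
	for _, a := range i.ARP[sp] {
		if v, ok := i.Directory[uid].Attrs[a]; ok {
			out[a] = v
		}
	}
	return out, nil
}
// SP is the Service Provider: SHIRE/SHAR plus the Resource Manager's rule.
type SP struct {
	Name     string
	Trusted  map[string]*IdP   // federation metadata: IdPs whose handles are accepted
	Required map[string]string // resource manager policy: attribute -> required value
}

// Access accepts a handle only from a federation IdP, fetches the attributes and authorizes on them; the SP never sees a uid or password.
func (s *SP) Access(idpName, handle string) (bool, error) {
	idp, ok := s.Trusted[idpName]
	if !ok {
		return false, fmt.Errorf("%s is not in the federation", idpName)
	}
	attrs, err := idp.Attributes(handle, s.Name)
	if err != nil {
		return false, err
	}
	for k, v := range s.Required {
		if attrs[k] != v {
			return false, nil
		}
	}
	return true, nil
}

// Setup builds the constructed scenario: Dr. James at the mdanderson.org IdP, GMEIS at uth.tmc.edu admitting faculty only.
func Setup() (*IdP, *SP) {
	mda := &IdP{
		Name:      "mdanderson.org",
		Directory: map[string]Entry{"james": {Password: "correct-horse", Attrs: map[string]string{"eduPersonAffiliation": "faculty", "mail": "james@mdanderson.org"}}},
		ARP:       map[string][]string{"GMEIS": {"eduPersonAffiliation"}}, // mail is never released to GMEIS
		handles:   map[string]string{},
	}
	gmeis := &SP{Name: "GMEIS", Trusted: map[string]*IdP{mda.Name: mda}, Required: map[string]string{"eduPersonAffiliation": "faculty"}}
	return mda, gmeis
}

func main() {
	mda, gmeis := Setup()
	h, _ := mda.Login("james", "correct-horse")
	ok, err := gmeis.Access(mda.Name, h)
	fmt.Println("while at M.D. Anderson:", ok, err)
	delete(mda.Directory["james"].Attrs, "eduPersonAffiliation") // Dr. James leaves; UT-Houston changes nothing
	h, _ = mda.Login("james", "correct-horse")
	ok, err = gmeis.Access(mda.Name, h)
	fmt.Println("after leaving:", ok, err)
}
```

Run it and the second access attempt is refused without UT-Houston having touched anything: the attribute authority reads M.D. Anderson's directory at request time, so the affiliation disappears from the next assertion the moment the source of authority removes it. That is the property the guest-sponsorship process in Scenario I lacked. The ARP keeps GMEIS from ever receiving the mail attribute, and the SP rejects a handle from any IdP outside its federation metadata before asking for attributes.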
Lessons Learned
The focus of planning should be on how Identity Management makes life great for people in cyberspace!!! Don't focus on underlying theory, arcane concepts and minute implementation details. If basic infrastructure is in place along with user applications, people will use it and demand more.
What Is Needed To Reach Critical Mass?
• Develop a core group that operationally believes in & understands Identity Management!
• Identity Management basic policies and procedures.
• Identity reconciliation & provisioning systems
• Operational LDAP directory service.
• As many "real" applications as possible!
  – Solutions that use signing & encryption.
  – Cherished resources PKI and Shibboleth enabled for access.
Thank You
Questions ?