CSE5 810
Trust Profiling for Adaptive Trust Negotiation
Eugene Sanzi
[Sanzi-1]

[Sanzi-2] Problem
- Many healthcare stakeholders want easy access to new systems
  - Physicians need to access patient data, no matter where it may be
  - Researchers want access to de-identified data repositories
- Data may be needed quickly
  - Emergency medical situations leave little time to gain proper authorization
- A method is needed to authorize healthcare professionals to access private data, even if the data holder has no previous knowledge of them

[Sanzi-3] Requirements
- Need a way to authorize any physician to access healthcare data located at unknown providers
- Users must possess digital credentials that they can present for authorization
- Provide a method for verifying that presented credentials are legitimate
- Allow systems to automatically allow or deny different levels of access based on the presented credentials

[Sanzi-4] Solution Overview
- A physician gains access to different systems over the course of a career
  - Ex. access to their local hospital's data
  - Access may happen under different roles
- Use the physician's healthcare data access history as a set of credentials
  - Each healthcare system grants a new credential if access is allowed
  - Physicians collect these credentials, called a trust profile, in a digital wallet
- Healthcare systems can see who else has granted access to the physician
  - Past handling of secure data informs future behavior

[Sanzi-5] Background
- Authentication vs. Authorization
  - Authentication: verification of the user's identity
  - Authorization: determining whether a user is allowed to take a specified action (ex. read/write data)
- Trust: the ability of two entities to believe one another
  - Participants must be able to verify credentials
  - Participants must have assurance that each will handle sensitive data safely and correctly
  - Trust may be required before some credentials can be disclosed
- Utilize Trust Negotiation to establish a baseline of trust and exchange credentials

[Sanzi-6] Trust Negotiation
- Method for establishing trust between two participants
  - Past contact not required
  - Exchange sets of credentials until trust is established
- The requestor initiates trust negotiation to gain access to a service or data
- The controller receives the request and uses trust negotiation to decide whether access is granted
  - The controller may decide to modify the data or perform other actions (ex. dispatch auditor notifications)

[Sanzi-7 to Sanzi-13] Trust Negotiation Example
[Figure sequence: seven frames of one negotiation. The Requestor (Physician) starts out holding a Medical License and a Role Affiliation credential; the Controller (HIT System) starts out holding a Medical System Certification and a Security Certification. The Medical License is the first credential disclosed; in the following frames further credentials cross between the two sides, and in the final frame the controller releases Health Data to the requestor.]
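The exchange in the figure sequence above, written out as a runnable model. This is an added example for this page, not code from the slides: each credential carries a release policy (the counterpart credentials that must already have been received before it may be sent), and the two sides take turns disclosing until the controller's policy for Health Data is met. The release policies, the party names and the second, deadlocked scenario are this example's assumptions; the slides show the credentials but do not state the policies.

```go
package main

import "fmt"

// Credential is one disclosable item. Requires lists the counterpart's credentials
// that must already have been received before this one may be sent (its release policy).
type Credential struct {
	Name     string
	Requires []string
}

// Party is a requestor or controller with its credentials and its view of the exchange.
type Party struct {
	Name  string
	Holds []Credential    // in order of preference for disclosure
	seen  map[string]bool // credentials received from the counterpart
	sent  map[string]bool // credentials already disclosed
}

func NewParty(name string, holds ...Credential) *Party {
	return &Party{Name: name, Holds: holds, seen: map[string]bool{}, sent: map[string]bool{}}
}

// next returns the first unsent credential whose release policy is satisfied.
func (p *Party) next() (Credential, bool) {
	for _, c := range p.Holds {
		if p.sent[c.Name] {
			continue
		}
		ok := true
		for _, r := range c.Requires {
			ok = ok && p.seen[r]
		}
		if ok {
			return c, true
		}
	}
	return Credential{}, false
}

// Negotiate alternates disclosures, requestor first, until the controller releases
// resource (success) or a full round passes with nothing disclosed (stalemate).
func Negotiate(requestor, controller *Party, resource string, maxRounds int) ([]string, bool) {
	var transcript []string
	for round := 0; round < maxRounds; round++ {
		progress := false
		for _, turn := range [][2]*Party{{requestor, controller}, {controller, requestor}} {
			from, to := turn[0], turn[1]
			c, ok := from.next()
			if !ok {
				continue
			}
			from.sent[c.Name], to.seen[c.Name] = true, true
			progress = true
			transcript = append(transcript, fmt.Sprintf("%s -> %s: %s", from.Name, to.Name, c.Name))
			if from == controller && c.Name == resource {
				return transcript, true
			}
		}
		if !progress {
			break
		}
	}
	return transcript, false
}

// SlideScenario uses the credentials drawn on the example slides. The release policies
// are this example's assumptions: the slides do not state them.
func SlideScenario() (requestor, controller *Party) {
	requestor = NewParty("Requestor (Physician)",
		Credential{Name: "Medical License"},
		Credential{Name: "Role Affiliation", Requires: []string{"Medical System Certification"}})
	controller = NewParty("Controller (HIT System)",
		Credential{Name: "Health Data", Requires: []string{"Medical License", "Role Affiliation"}},
		Credential{Name: "Medical System Certification", Requires: []string{"Medical License"}},
		Credential{Name: "Security Certification", Requires: []string{"Role Affiliation"}})
	return requestor, controller
}

// DeadlockScenario shows negotiation failing: each side insists on seeing the other's
// credential first, so neither release policy can ever be satisfied.
func DeadlockScenario() (requestor, controller *Party) {
	requestor = NewParty("Requestor (Physician)",
		Credential{Name: "Medical License", Requires: []string{"Security Certification"}})
	controller = NewParty("Controller (HIT System)",
		Credential{Name: "Health Data", Requires: []string{"Medical License"}},
		Credential{Name: "Security Certification", Requires: []string{"Medical License"}})
	return requestor, controller
}

func main() {
	for _, build := range []func() (*Party, *Party){SlideScenario, DeadlockScenario} {
		r, c := build()
		transcript, granted := Negotiate(r, c, "Health Data", 10)
		for _, line := range transcript {
			fmt.Println(line)
		}
		fmt.Println("access granted:", granted)
	}
}
```

With the assumed policies the slide scenario resolves in four disclosures (Medical License, Medical System Certification, Role Affiliation, Health Data) and the controller never has to reveal its Security Certification, which is the point of negotiating rather than dumping every credential up front. The deadlock scenario returns an empty transcript and no access, which is the failure mode a controller must detect and bound (here by the maxRounds limit and the no-progress check) instead of waiting forever.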
[Sanzi-14] Certificates
- Identity certificates are used to establish a user's identity
  - Public key cryptography is used to ensure that you are communicating with the certificate's owner
- Certificates are issued by Certificate Authorities (CAs)
  - Certificate authorities establish a user's identity by other means before issuing a certificate
    - Ex. driver's license, SSN, e-mail sent from an administrator account on a domain
  - You trust any valid certificate issued by a certificate authority that you trust
- Certificate authorities digitally sign the certificates
  - The signature is inspected; a valid signature proves the certificate was issued by that certificate authority

[Sanzi-15] Certificate Hierarchy
[Figure only; no slide text was recovered.]

[Sanzi-16] Attribute Certificates
- A specialized certificate that stores data describing the holder
- Attribute certificates are signed by an attribute authority rather than a certificate authority
- Attribute certificates are attached to one identity certificate
  - An identity certificate may be associated with multiple attribute certificates
- We will use this ability to store information related to user access
  - Save information on user role and access history
- Identity certificates provide the ability for a user to prove ownership of an attribute certificate
  - Identity alone is not useful, since the requestor and controller are unknown to each other

[Sanzi-17] Infrastructure
[Figure: a Root Medical Authority at the top; below it a Local Hospital (Hartford Hospital) Authority and a Local Hospital (St. Francis) Authority; below those, user identities shown as e-mail addresses ([email protected]; the addresses are redacted in this transcript).]

[Sanzi-18] Defining An Access Policy
- Each system defines a security policy that specifies constraints based on:
  - The user role
  - The type of data being requested
  - The presented trust profile
- The user role and type of data being requested influence the requirements imposed on the trust profile
- Other actions may be taken based on the level of trust established
  - Some accesses may result in a notification being dispatched to auditors
  - Some data may be denied to the user while access to other data is allowed

[Sanzi-19] Making a Data Request
- When Dr. Smith wants to obtain access to a new system, he will:
  - Create a secure connection to the system
  - Decide which credentials he will send to gain access
  - Send the relevant identity and attribute certificates along with the request
- If access is granted, Dr. Smith will generate a new public/private key pair and receive a new identity and attribute certificate issued by the controller's certificate and attribute authorities

[Sanzi-20] Example
- Dr. Smith wants to access his patient's electronic health record from Day Kimball Hospital
- He does not have any kind of affiliation with Day Kimball Hospital
- He does have his trust profile proving his successful access to his patient's data

[Sanzi-21] Dr. Smith's Wallet
[Figure: Access History]

[Sanzi-22] Choose Relevant Credentials
[Figure: Access History]

[Sanzi-23] Send Request With Credentials
[Figure: an X.509 Hartford Hospital certificate and an X.509 St. Francis certificate, each marked Physician, sent together as the Trust Profile]

[Sanzi-24] Generate Certificates
[Figure: X.509 Day Kimball certificates marked Physician issued to the physician, alongside the Health Data]

[Sanzi-25] John Smith's New Wallet
[Figure: Access History]

[Sanzi-26] John Smith's New Wallet
- John Smith adds the identity and attribute certificates issued to him to his digital wallet
- He can now use the certificate issued to him by Day Kimball Hospital to gain access to other new systems
- Day Kimball Hospital can now identify him with his new identity certificate
- Over the course of his career, Dr. Smith builds a trust profile consisting of these credentials that can be utilized in attempts at data access
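The hierarchy of slides 15 to 17 and the wallet check a controller such as Day Kimball would run on the request of slides 19 to 23, as an added example written for this page (not code from the slides). It builds a root medical authority, two hospital authorities under it and a physician identity certificate from each with Go's standard crypto/x509, then models the attribute certificate of slide 16 as a signed record bound to one identity certificate by issuer and serial. Assumptions of this example: Ed25519 keys throughout, each hospital signing identity certificates and attribute credentials with the same key, the JSON record standing in for a real RFC 5755 attribute certificate, and a third, tampered wallet entry in which the St. Francis credential is presented with the Hartford identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Authority is a certificate or attribute authority; this example lets a hospital use one key for both.
type Authority struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err) // only an RNG failure or a certificate-template bug can get here
	}
}

// newCert issues an identity certificate for name, signed by parent (nil parent: self-signed root).
// usage carries KeyUsageCertSign for authorities and KeyUsageDigitalSignature for end users.
func newCert(name string, usage x509.KeyUsage, parent *Authority) *Authority {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, KeyUsage: usage,
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Authority{Cert: cert, Key: key}
}

// AttributeCredential stands in for the attribute certificate of slide 16: Holder names exactly one
// identity certificate (issuer/serial) and the signature comes from the granting system's attribute
// authority, not from an identity CA. Identity is the attached certificate and is not signed over.
type AttributeCredential struct {
	Holder    string            `json:"holder"`
	System    string            `json:"system"`
	Role      string            `json:"role"`
	Signature []byte            `json:"signature,omitempty"`
	Identity  *x509.Certificate `json:"-"`
}

func holderID(c *x509.Certificate) string { return c.Issuer.CommonName + "/" + c.SerialNumber.String() }

// signedBytes is what the signature covers: the credential with the signature field cleared.
func (a AttributeCredential) signedBytes() []byte {
	a.Signature = nil
	b, _ := json.Marshal(a) // strings and a nil slice cannot fail to marshal
	return b
}

// Issue is the attribute authority granting role to the holder of identity certificate id.
func (aa *Authority) Issue(id *x509.Certificate, role string) AttributeCredential {
	ac := AttributeCredential{Holder: holderID(id), System: aa.Cert.Subject.CommonName, Role: role, Identity: id}
	ac.Signature = ed25519.Sign(aa.Key, ac.signedBytes())
	return ac
}

// Controller is what the receiving system trusts: the root, the hospital CAs, one attribute key per system.
type Controller struct {
	Roots, Inters *x509.CertPool
	AttrAuth      map[string]ed25519.PublicKey
}

// VerifyGrant checks the identity chain to the root, the binding to that very identity, and the signature.
func (c Controller) VerifyGrant(g AttributeCredential) error {
	if _, err := g.Identity.Verify(x509.VerifyOptions{Roots: c.Roots, Intermediates: c.Inters}); err != nil {
		return fmt.Errorf("identity chain: %w", err)
	}
	if g.Holder != holderID(g.Identity) {
		return fmt.Errorf("credential is bound to %s, not to the presented identity", g.Holder)
	}
	if pub, ok := c.AttrAuth[g.System]; !ok || !ed25519.Verify(pub, g.signedBytes(), g.Signature) {
		return fmt.Errorf("no valid attribute-authority signature for %s", g.System)
	}
	return nil
}

// Scenario builds the slide-17 hierarchy and Dr. Smith's wallet: genuine grants from Hartford Hospital
// and St. Francis, plus a tampered copy of the St. Francis credential presented with the Hartford identity.
func Scenario() (Controller, []AttributeCredential) {
	root := newCert("Root Medical Authority", x509.KeyUsageCertSign, nil)
	ctl := Controller{Roots: x509.NewCertPool(), Inters: x509.NewCertPool(), AttrAuth: map[string]ed25519.PublicKey{}}
	ctl.Roots.AddCert(root.Cert)
	var wallet []AttributeCredential
	for _, h := range []string{"Hartford Hospital", "St. Francis"} {
		hosp := newCert(h, x509.KeyUsageCertSign, root)
		ctl.Inters.AddCert(hosp.Cert)
		ctl.AttrAuth[h] = hosp.Cert.PublicKey.(ed25519.PublicKey)
		wallet = append(wallet, hosp.Issue(newCert("John Smith", x509.KeyUsageDigitalSignature, hosp).Cert, "Physician"))
	}
	tampered := wallet[1]
	tampered.Identity = wallet[0].Identity
	return ctl, append(wallet, tampered)
}

func main() {
	ctl, wallet := Scenario()
	for _, g := range wallet {
		fmt.Printf("%s grant with identity %s: %v\n", g.System, holderID(g.Identity), ctl.VerifyGrant(g))
	}
}
```

The order of the three checks matters: the chain check establishes that the presented identity certificate descends from the root medical authority, the binding check stops a credential from being moved onto a different identity (the tampered third entry fails here even though both its certificate and its signature are individually valid), and the signature check ties the role claim to a hospital the controller actually recognises. Only entries that pass all three should count towards the trust profile that the slide-18 policy evaluates; in the real design the requestor would also prove possession of the identity certificate's private key over the secure connection of slide 19, which this offline check does not cover.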