CSE 5810
Trust Profiling for Adaptive Trust Negotiation
Eugene Sanzi
Sanzi-1
Problem
Many healthcare stakeholders want easy access to new systems
Physicians need to access patient data, no matter where it may be
Researchers want access to de-identified data repositories
Data may be needed quickly
Emergency medical situations leave little time to gain proper authorization
A method is needed to authorize healthcare professionals to access private data, even if the data holder has no previous knowledge of them
Sanzi-2
Requirements
Need a way to authorize any physician to access healthcare data located at unknown providers
Users must possess digital credentials that they can present for authorization
Provide a method for verifying that presented credentials are legitimate
Allow systems to automatically allow or deny different levels of access based on the presented credentials
Sanzi-3
Solution Overview
A physician gains access to different systems over the course of a career
Ex. - Access to their local hospital's data
Access may happen under different roles
Use the physician's healthcare data access history as a set of credentials
Each healthcare system grants a new credential if access is allowed
Physicians collect these credentials, called a trust profile, in a digital wallet
Healthcare systems can see who else has granted access to the physician
Past handling of secure data informs expectations about future behavior
Sanzi-4
Background
Authentication vs. Authorization
Authentication – verification of the user’s identity
Authorization – determining whether a user is allowed to take a specified action (ex. read/write data)
Trust – the ability of two entities to believe one another
Participants must be able to verify credentials
Participants must have assurance that each will handle sensitive data safely and correctly
Trust may be required before some credentials can be disclosed
Utilize Trust Negotiation to establish a baseline of trust and exchange credentials
Sanzi-5
Trust Negotiation
Method for establishing trust between two participants
Past contact not required
Exchange sets of credentials until trust is established
The requestor initiates trust negotiation to gain access to a service or data
The controller receives the request and uses trust negotiation to decide whether access is granted
The controller may decide to modify the data or perform other actions (ex. dispatch auditor notifications)
Sanzi-6
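The exchange this slide describes, as an added example that is not part of the deck: each party holds credentials, some of which carry a release policy (the other side must have disclosed certain credentials first), and the two sides alternate disclosures, requestor first, until the controller's policy for the requested resource is met or nobody can disclose anything more. The credential names are the ones drawn on the example slides; the release policies, the controller's policy for the Health Data, and the round limit are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Credential is one item a party can disclose. Requires lists the credential
// names the other party must already have disclosed before this one is
// released ("trust may be required before some credentials can be disclosed").
type Credential struct {
	Name     string
	Requires []string
}

// Party is one side of the negotiation; it tracks what it has sent and received.
type Party struct {
	Name     string
	Holds    []Credential
	Sent     map[string]bool
	Received map[string]bool
}

func NewParty(name string, creds ...Credential) *Party {
	return &Party{Name: name, Holds: creds, Sent: map[string]bool{}, Received: map[string]bool{}}
}

// satisfied reports whether every name in need is present in have.
func satisfied(have map[string]bool, need []string) bool {
	for _, n := range need {
		if !have[n] {
			return false
		}
	}
	return true
}

// step releases every not-yet-sent credential whose release policy is met by
// what this party has received so far, and returns the names released.
func (p *Party) step(peer *Party) []string {
	var sent []string
	for _, c := range p.Holds {
		if p.Sent[c.Name] || !satisfied(p.Received, c.Requires) {
			continue
		}
		p.Sent[c.Name] = true
		peer.Received[c.Name] = true
		sent = append(sent, c.Name)
	}
	sort.Strings(sent)
	return sent
}

// Negotiate alternates turns, requestor first, until the controller's policy for
// the resource is met (access granted) or a full round passes with no new
// disclosure (negotiation fails). It returns the decision and a message trace.
func Negotiate(requestor, controller *Party, resourcePolicy []string, maxRounds int) (bool, []string) {
	var trace []string
	for round := 1; round <= maxRounds; round++ {
		progress := false
		for _, t := range [][2]*Party{{requestor, controller}, {controller, requestor}} {
			if sent := t[0].step(t[1]); len(sent) > 0 {
				progress = true
				trace = append(trace, fmt.Sprintf("round %d: %s -> %s: %v", round, t[0].Name, t[1].Name, sent))
			}
			if satisfied(controller.Received, resourcePolicy) {
				trace = append(trace, fmt.Sprintf("round %d: %s releases Health Data", round, controller.Name))
				return true, trace
			}
		}
		if !progress {
			break
		}
	}
	trace = append(trace, "negotiation failed: no further credentials can be disclosed")
	return false, trace
}

// Scenario uses the credential names from the example slides with release
// policies constructed for this example (assumed, not taken from the deck).
func Scenario() (bool, []string) {
	physician := NewParty("Physician",
		Credential{Name: "Medical License"},
		Credential{Name: "Role Affiliation", Requires: []string{"Security Certification"}})
	hit := NewParty("HIT System",
		Credential{Name: "Medical System Certification"},
		Credential{Name: "Security Certification", Requires: []string{"Medical License"}})
	return Negotiate(physician, hit, []string{"Medical License", "Role Affiliation"}, 5)
}

func main() {
	granted, trace := Scenario()
	for _, line := range trace {
		fmt.Println(line)
	}
	fmt.Println("access granted:", granted)
}
```

With these assumed policies the physician discloses the Medical License first, the HIT System answers with both of its certifications, the Security Certification unlocks the Role Affiliation, and the controller's policy is met in round two. If a release policy can never be met by what the other side is willing to show, the loop detects a round with no progress and reports failure rather than spinning.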
Trust Negotiation Example
(Diagram, slides 7 to 13: the Requestor (Physician) holds a Medical License and a Role Affiliation; the Controller (HIT System) holds a Medical System Certification and a Security Certification. The slides step through the exchange of these credentials between the two parties, ending with the controller releasing the Health Data.)
Sanzi-7 to Sanzi-13
Certificates
Identity certificates are used to establish a user's identity
Public key cryptography is used to ensure that you are communicating with the certificate's owner
Certificates are issued by Certificate Authorities (CAs)
Certificate authorities establish a user's identity by other means before issuing a certificate
Ex. Driver's license, SSN, email sent from an administrator account on a domain
You trust any valid certificate issued by a certificate authority that you trust
Certificate authorities digitally sign the certificates
The signature is inspected; a valid signature proves the certificate was issued by the certificate authority
Sanzi-14
Certificate Hierarchy
Sanzi-15
Attribute Certificates
A specialized certificate that stores data describing the holder
Attribute certificates are signed by an attribute authority rather than a certificate authority
Each attribute certificate is attached to one identity certificate
An identity certificate may be associated with multiple attribute certificates
We will use this ability to store information related to user access
Save information on user role and access history
Identity certificates provide the ability for a user to prove ownership of an attribute certificate
Identity itself is not useful since the requestor and controller are unknown to each other
Sanzi-16
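The controller-side checks implied by the two certificate slides, as an added example written for this page (not the deck's own code): a hospital certificate authority issues Dr. Smith an identity certificate, an attribute authority signs an attribute credential bound to that certificate by issuer and serial number, and the controller verifies the chain to an authority it trusts, the binding, and the attribute authority's signature using Go's standard crypto/x509. The attribute credential layout, the authority names, the attribute values and the two failure modes are assumptions; a real X.509 attribute certificate uses the RFC 5755 encoding. Proof that the presenter actually holds the identity certificate's private key is left to the secure connection (TLS client authentication) mentioned on the data-request slide, so it is not repeated here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AttributeCredential stands in for an X.509 attribute certificate: bound to one
// identity certificate (issuer + serial), signed by an attribute authority. Constructed layout.
type AttributeCredential struct {
	HolderIssuer, HolderSerial string
	Attributes                 map[string]string
	Sig                        []byte
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	return k
}

// issueCert signs a certificate for subject's public key; parent == nil yields a self-signed authority.
func issueCert(cn string, serial int64, subject ed25519.PrivateKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subject.Public(), signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// content is the signed part of a credential (all fields but Sig); fmt prints map keys sorted, so it is deterministic.
func (a *AttributeCredential) content() []byte {
	return []byte(a.HolderIssuer + "|" + a.HolderSerial + "|" + fmt.Sprint(a.Attributes))
}

// IssueAttribute binds attrs to the holder's identity certificate and signs them with attribute authority key aa.
func IssueAttribute(holder *x509.Certificate, attrs map[string]string, aa ed25519.PrivateKey) *AttributeCredential {
	ac := &AttributeCredential{HolderIssuer: holder.Issuer.String(), HolderSerial: holder.SerialNumber.String(), Attributes: attrs}
	ac.Sig = ed25519.Sign(aa, ac.content())
	return ac
}

// VerifyPresentation is the controller's check: the identity certificate must chain to an
// authority the controller trusts, and the credential must be bound to it with a valid AA signature.
func VerifyPresentation(id *x509.Certificate, ac *AttributeCredential, roots *x509.CertPool, aaPub ed25519.PublicKey) error {
	if _, err := id.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if ac.HolderIssuer != id.Issuer.String() || ac.HolderSerial != id.SerialNumber.String() {
		return fmt.Errorf("attribute credential not bound to this identity certificate")
	}
	if !ed25519.Verify(aaPub, ac.content(), ac.Sig) {
		return fmt.Errorf("attribute authority signature does not verify")
	}
	return nil
}

// Scenario: Hartford Hospital's authority issues Dr. Smith an identity certificate, its
// attribute authority issues the matching credential, and a controller verifies both.
// mode "valid"; "foreign-root": controller trusts another authority; "tampered": attributes altered after signing.
func Scenario(mode string) error {
	caKey, aaKey, drKey := newKey(), newKey(), newKey()
	ca := issueCert("Hartford Hospital Authority", 1, caKey, nil, caKey)
	dr := issueCert("Dr. Smith", 2, drKey, ca, caKey)
	ac := IssueAttribute(dr, map[string]string{"role": "physician", "access": "granted"}, aaKey)
	switch mode {
	case "foreign-root":
		k := newKey()
		ca = issueCert("Other Authority", 9, k, nil, k)
	case "tampered":
		ac.Attributes["role"] = "administrator"
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return VerifyPresentation(dr, ac, roots, aaKey.Public().(ed25519.PublicKey))
}

func main() {
	fmt.Println(Scenario("valid"), Scenario("foreign-root"), Scenario("tampered"))
}
```

The "foreign-root" case is the slide's rule that you trust only certificates issued by an authority you trust: the same well-formed certificate is rejected once the controller's trust store holds a different authority. The "tampered" case shows why the attribute authority's signature covers the binding and the attributes together: changing a role after issuance invalidates the credential.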
Infrastructure
(Diagram: a Root Medical Authority sits above two local hospital authorities, Local Hospital (Hartford Hospital) Authority and Local Hospital (St. Francis) Authority, each of which issues certificates to individual users identified by e-mail address.)
Sanzi-17
Defining An Access Policy
Each system defines a security policy that specifies constraints based on:
The user role
The type of data being requested
The presented trust profile
The user role and the type of data being requested influence the requirements imposed on the trust profile
Other actions may be taken based on the level of trust established
Some accesses may result in a notification being dispatched to auditors
Some data may be denied to the user while access to other data is allowed
Sanzi-18
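A policy evaluator covering the three constraints on this slide (role, data type, presented trust profile) and both graded outcomes it lists (auditor notification; some data withheld while the rest is released), as an added example and not the deck's own policy. The trust profile is modelled as the list of systems that previously granted the user access and the role each granted; the thresholds, the data-type names and the constructed Day Kimball policy are assumptions for this example.

```go
package main

import "fmt"

// Grant is one entry of a trust profile: a system that previously granted the
// user access, and the role under which it did so.
type Grant struct{ Issuer, Role string }

// Request carries what the policy constrains: the user's role, the type of data
// requested, and the presented trust profile.
type Request struct {
	Role, DataType string
	Profile        []Grant
}

// Decision is the outcome: full access; access with an auditor notification and
// some sections withheld; or denial. Reason explains the decision for the audit log.
type Decision struct {
	Allow    bool
	Audit    bool
	Withheld []string
	Reason   string
}

// Rule is one line of a system's security policy (thresholds assumed for this
// example). n = distinct systems that previously granted access in this role.
// n < Minimum: deny. Minimum <= n < Required: allow, withhold Restricted
// sections, notify auditors. n >= Required: unrestricted access.
type Rule struct {
	Role, DataType    string
	Minimum, Required int
	Restricted        []string
}

// Policy is a controller's rule set; the first rule matching (role, data type) applies.
type Policy []Rule

// distinctIssuers counts the systems in the profile that granted access under role.
func distinctIssuers(profile []Grant, role string) int {
	seen := map[string]bool{}
	for _, g := range profile {
		if g.Role == role {
			seen[g.Issuer] = true
		}
	}
	return len(seen)
}

// Evaluate applies the policy to a request. Requests with no matching rule are denied.
func (p Policy) Evaluate(req Request) Decision {
	for _, r := range p {
		if r.Role != req.Role || r.DataType != req.DataType {
			continue
		}
		n := distinctIssuers(req.Profile, req.Role)
		switch {
		case n < r.Minimum:
			return Decision{Reason: fmt.Sprintf("trust profile shows %d prior grant(s) as %s, policy needs %d", n, req.Role, r.Minimum)}
		case n < r.Required:
			return Decision{Allow: true, Audit: true, Withheld: r.Restricted,
				Reason: fmt.Sprintf("%d of %d prior grants: limited access, auditors notified", n, r.Required)}
		default:
			return Decision{Allow: true, Reason: "trust profile satisfies policy"}
		}
	}
	return Decision{Reason: "no rule permits this role to request this data type"}
}

// DayKimballPolicy is a constructed policy for the example hospital.
var DayKimballPolicy = Policy{
	{Role: "physician", DataType: "ehr", Minimum: 1, Required: 2,
		Restricted: []string{"psychiatric-notes", "substance-use-history"}},
	{Role: "researcher", DataType: "de-identified", Minimum: 1, Required: 1},
}

func main() {
	smith := []Grant{{"Hartford Hospital", "physician"}, {"St. Francis", "physician"}}
	for _, req := range []Request{
		{"physician", "ehr", smith},
		{"physician", "ehr", smith[:1]},
		{"physician", "ehr", nil},
		{"researcher", "ehr", smith},
	} {
		fmt.Printf("%-10s %-5s %+v\n", req.Role, req.DataType, DayKimballPolicy.Evaluate(req))
	}
}
```

Counting distinct issuers rather than raw grants matters: two credentials from the same hospital say less about a physician's history than one each from two unrelated systems, so a profile padded with repeat grants from one issuer stays at the audited, partial-access level.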
Making a Data Request
When Dr. Smith wants to obtain access to a new system, he will:
Create a secure connection to the system
Decide which credentials he will send to gain access
Send the relevant identity and attribute certificates along with the request
If access is granted, Dr. Smith will generate a new public/private key pair and receive a new identity certificate and attribute certificate issued by the controller's certificate and attribute authorities
Sanzi-19
Example
Dr. Smith wants to access his patient’s electronic health record from Day Kimball Hospital
He does not have any kind of affiliation with Day Kimball Hospital
He does have his trust profile proving his successful access to his patient’s data
Sanzi-20
Dr. Smith's Wallet
(Diagram: the wallet's Access History.)
Sanzi-21
Choose Relevant Credentials
(Diagram: the credentials in the Access History that are relevant to the request are selected.)
Sanzi-22
Send Request With Credentials
(Diagram: the request carries a Trust Profile made up of an X.509 certificate from Hartford Hospital and an X.509 certificate from St. Francis, each with a Physician attribute.)
Sanzi-23
Generate Certificates
(Diagram: Day Kimball issues a new X.509 identity certificate and an attribute certificate carrying the Physician attribute, and the Health Data is released.)
Sanzi-24
John Smith's New Wallet
(Diagram: the updated Access History.)
Sanzi-25
John Smith's New Wallet
John Smith adds the identity and attribute certificates issued to him to his digital wallet
He can now use the certificate issued to him by Day Kimball Hospital to gain access to other new systems
Day Kimball Hospital can now identify him with his new identity certificate
Over the course of his career, Dr. Smith builds a trust profile consisting of these credentials that can be used in attempts at data access
Sanzi-26