2006 IHE Security geert claeys4

Document Sample
2006 IHE Security geert claeys4 Powered By Docstoc
					                    IHE Security
IHE Europe 2006 - Changing the Way Healthcare Connects
  IHE Presentation at the World of Health IT show, October 2006


                               G. Claeys
                              IHE Europe
                     Agfa Healthcare / CTO Office

         Courtesy of C. Sacchavini, J. Moehrke
             Overview
Security needs
IHE ATNA
IHE DSG
IHE BPPC
Practical example : XDS Security
                  Scope
Defines basic security features for a
system in a healthcare enterprise in order
to guarantee :
 Only authorized persons have access to PHI
  (Protected Health Information)
 Protect PHI against alteration, destruction and
  loss
 Comply existing Privacy & Security regulations
              Security Mechanism
            Authentication (user and device)

ATNA,
EUA/XUA
            Authorization



            Accountability (audit trails)
ATNA


            Confidentiality

ATNA

            Integrity


ATNA, DSG
          Audit Trail and Node
            Authentication


G. Claeys, Agfa Healthcare
(geert.claeys@agfa.com)
              IHE ATNA- Architecture

• Local authentication of user
• Strong authentication of remote node (digital certificates)
• Audit trail that logs privacy&security related operations



Secured System                             Secured System
                       Secure network

  System A                                        System B



                            Central
                           Audit Trail
                           Repository
IHE ATNA – Actor and Transactions

All existing IHE actors need to be grouped with a Secure
Node actor.


                                                            Audit Record
                       Time Server
                                                             Repository




                                   Maintain Time
                                                            Record Audit Event




      Secure Node   Authenticate Node                                             “Any”
                                                   Secure Node
                                                                                 IHE actor
              Secure Node
Local user authentication
 Only needed at “client” node
 Authentication mechanism
   •   User name and password (minimum)
   •   Biometrics, smart card
 Secure nodes maintain list of authorized users :
  local or central (using EUA)
 Security policy of hospital defines the relation
  between user and user id
        Secure Node (cont.)
Mutual device authentication
 Establish a trust relationship between 2 network nodes
 Strong authentication by exchanging X.509 certificates
 Actor must be able to configure certificate list of trusted nodes.

TCP/IP Transport Layer Security Protocol (TLS)
 Used with DICOM/HL7/HTTP messages
 Secure handshake protocol during Association establishment:
 Encryption :
   • Intra-muros (default): no encryption
   • Extra-muros : AES128
Secure node – additional effort

Instrument all applications to detect auditable
events and generate audit messages.
Ensure that all communications connections are
protected (system hardening).
Establish a local security mechanism to protect
all local resources
Establish configuration mechanisms for:
 Time synchronization
 Certificate management
 Network configuration
   Certificate Management
Certificates can be signed by device (self-signing)
or via a CA (e.g. hospital)
 Use self-signed certificates for testing interoperability
 Connectathon has a CA


Support at least direct comparison of certificates
 Import certificate of each trusted peer device
 Compare each received certificate with list of trusted
  certificate


Certificate management white paper
 from NEMA‟s Security&Privacy committee
 www.nema.org/prod/med/security
         Auditing System
Auditing system consists of
 List of events that generate audit messages
 Audit message format
 Transport mechanism


Designed for surveillance rather than
forensic use.
           Audit Events
Audit triggers are defined for every
operation that access PHI (create, delete,
modify, import/export)


IHE TF describes the supported Audit
Trigger per Actor


Audit triggers are grouped on transaction/
study level to minimize overhead
    Audit Message Format
XML encoded message

IHE Radiology Provisional format
 for backward compatibility with radiology

ATNA format
 Preferred format
 Joint effort of IETF/DICOM/HL7/ASTM
 XML schema (rfc3881) :
  www.xml.org/xml/schema/7f0d86bd/healthcare-security-
  audit.xsd

XSLT transformation is provided to convert
“Provisional scheme” to “ATNA” scheme
Audit Transport Mechanism
Reliable Syslog – cooked mode
 RFC 3195
 Connection oriented
 Support certificate based authentication,
  encryption
 But limited industry support


BSD Syslog protocol (RFC 3164)
 Preferred transport mechanism for the time being
Document Digital Signature
         (DSG)




           16
              Purpose
document integrity
non-repudiation
accountability.
                    Document Digital Signature
                             scope
       A Digital Signature is a separate XDS
       document

       Supports
         single / multiple signatures
         nested signatures


       Standard : XAdES (W3C) + X.509 certificates

       Vendor must provide signature mechanism
       for XDS Submissions
September 8, 2005                                18
                    Document Digital Signature
                         Out of scope

            Certificate management and PKI
            concepts

            Focus begins with signing, not
            encryption

            Partial Document Signature




September 8, 2005                                19
          Document Digital Signature
           The Signing Ceremony
            Original                                    Combined to:
           Document                                       Signed
                                                         Document




                                                    Equal




                       HASH function
                                           Asymmetric
                                            algorithm


                        Private Key used
                           for signing




September 8, 2005                                                      20
            Document Digital Sinature
                 Verification
                     Original
                    Document                                    Message HASH


                                                                 EAdfj78oXWq

                                              HASH function




 Signed
                                                                Equal
Document


                                 Public Key
                                  of Signer




                                       Asymmetric Algorithm      EAdfj78oXWq

                     Signature
                                                                Original HASH
                                                              (Signer generated)


September 8, 2005                                                         21
          Document Digital Siganture
          XML Digital Signature Tools
       Apache XML Security project has both Java
       and C++ implementations of XML Digital
       Signature (open source)
       http://xml.apache.org/security/

       JSR 105: Java XML Digital Signature API
       with reference implementations-- final
       release by Sun and IBM June 24, 2005.
       http://jcp.org/aboutJava/communityprocess/final/jsr
       105/index.html




September 8, 2005                                       22
      Document Digital Signature
               Commercial Toolkits
   (not comprehensive list)

      http://jce.iaik.tugraz.at/products/052_XSECT/inde
      x.php

      http://www.infomosaic.net/SecureXMLDetailInfo.h
      tm

      http://www.betrusted.com/products/keytools/xml/i
      ndex.asp

      http://www.phaos.com/products/category/xml.htm
      l

          http://www.verisign.com/products-
          services/security-services/pki/xml-trust-
September services/index.html
          8, 2005                                     23
          Document Digital Signature
                    XDS Sample Code
    <Signature Id="signatureOID" xmlns=http://www.w3.org/2000/09/xmldsig#
        xmlns:xad=”xmlns="http://uri.etsi.org/01903/v1.1.1#"”>
    <SignedInfo>
     <CanonicalizationMethod
     Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-
       20010315#WithComments”/>
     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-
       sha1"/>
     <Reference URI="#IHEManifest"
      Type="http://www.w3.org/2000/09/xmldsig#Manifest">
     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <DigestValue>base64ManifestDigestValue</DigestValue>
     </Reference>
    </SignedInfo>
     <SignatureValue>base64SignatureValue</SignatureValue>
     <KeyInfo>
     <X509Data>
      <X509Certificate>base64X509certificate<X509Certificate>
      </X509Data>
     </KeyInfo>
September 8, 2005                                                           24
          Document Digital Signature
                      XDS Sample Code
        <Object>
         <xad:QualifyingProperties>
          <xad:SignedProperties>
           <xad:SignedSIgnatureProperties>
           <xad:SigningTime> yyyymmddhhmmss</SigningTime>
           <xad:SigningCertificate>
            <xad:Cert> <!-- identifier of signing certificate -->
            <xad:CertDigest>
             <xad:DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              <xad:DigestValue>base64 digest value</DigestValue>
             </CertDigest>
             <xad:IssuerSerial>
              <xad:X509IssuerName>X.509 distinguished name of
            certificate</X509IssuerName>
              <xad:X509SerialNumber>certificate serial
            number</X509SerialNumber>
             </IssuerSerial>
            </Cert>
September 8, 2005                                                   25
       Document Digital Signature
          XDS Sample Code
   <xad:Cert> <!-- identifier of signing certificate’s parent -->
      <xad:CertDigest>
      <xad:DigestMethod
     Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
       <xad:DigestValue>base64 digest value</DigestValue>
       </CertDigest>
       <xad:IssuerSerial>
        <xad:X509IssuerName>X.509 distinguished name of
      parent’s certificate</X509IssuerName>
        <xad:X509SerialNumber>certificate serial number
      </X509SerialNumber>
       </IssuerSerial>
      </Cert>
      </SigningCertificate>

      <xad:SignaturePolicyIdentifier>id</SignaturePolicyIdentifier
      >
       </SignedSIgnatureProperties>
      </SignedProperties>
      </QualifyingProperties>
September 8, 2005                                                   26
          Document Digital Signature
             XDS Sample Code
      <SignatureProperties>
       <SignatureProperty Id="purposeOfSignature" target=”signatureOID” >
         code</SignatureProperty>
       </SignatureProperties>
       <Manifest Id="IHEManifest">
       <Reference URI=”ihexds:registry:xxxx-xxxx….”> <!-- document A-->
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>base64DigestValue</DigestValue>
       </Reference>
       <Reference URI=”ihexds:registry:xxxx-xxxx….”> <!—XML document B-->
       <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
       </Transforms>
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
       <DigestValue>base64DigestValue</DigestValue> </Reference>
       <Reference URI=”ihexds:registry:xxxx-xxxx….”> <!--DICOM document (or
        object) C-->
       <Transforms>
        <Transform Algorithm="urn:oid:1.2.840.10008.1.2.1"/>
       </Transforms>
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <DigestValue>base64DigestValue</DigestValue>
       </DigestMethod
       </Reference>
      </Manifest>
     </Object>
     </Signature>
September 8, 2005                                                                               27
          Basic Patient Privacy
               Consents


IHE Vendors Workshop 2006
IHE IT Infrastructure Education
John Moehrke
Basic Patient Privacy Consents

Small number of pre-coordinated Affinity
Domain Privacy Consent
 Patient can choose which ones to agree to
Data is classified as published under the
authority of a specific Privacy Consent
Data is used in conformance with original
Privacy Consent
Applicable for XD* transport mechanism
 Capturing the Patient Consent act
One of the Affinity Domain Consent policies are used
CDA document captures the act of signing
 Effective time (Start and Sunset)
 XDS-SD – Capture of wet signature from paper
 DSIG – Digital Signature (Patient, Guardian, Clerk, System)
XDS Metadata
 templateId – BPPC document
 eventCodeList – the list of the identifiers of the AF policies
 confidentialityCode – could mark this document as sensitive
   Marking all XDS Documents
 Use XDS Metadata – confidentialityCode
   List of appropriate consents
 Consents enumerated at Affinity Domain (OID)
 Rules are programmed into each system
 participating in Affinity Domain XDS
 Registry rejects non-conformant
 confidentialityCodes


Now have a well formed vocabulary
           Using documents
XDS Query
 *** Consumer requests specific values
 Result includes confidentiality codes
XDS Consumer
 Knows the user, patient, setting, intention, urgency, etc.
 Enforces Access Controls (RBAC) according to
  confidentiality codes
 No access given to documents marked with unknown
  confidentiality codes
Example : XDS and Security
         XDS Security Use-Cases
Supported Today
   Prevent Indiscriminate attacks (worms)
   Normal Patient that accepts XDS participation
   Patient asks for Accounting of Disclosures
   Protect against malicious neighbor doctor
   Patient that retracts consent to publish
   Provider Privacy
   Malicious Data Mining
Not directly supported with IHE technology (applications
can provide this functionality in their feature e.g. Portals)
   Access to Emergency data set      all XDS open, or no access
   VIP                               Don‟t publish, or use special domain
   Domestic violence patient         Don‟t publish any
   Daughter with sensitive tests     Don‟t publish, or use special domain
   Sensitive topics                  Don‟t publish, or use special domain
   Legal Guardian (cooperative)      Local enforcement
   Care Giver (assists w/ care)      Local enforcement
      Current XDS Security Profiles
Affinity Domain Policy (singular)
 All „actors‟ that participate must agree to enforce these policies
XDS
 Patient Centric Queries  Queries result in ONE patient exposed
ATNA
 Confidentiality, Integrity, Accountability
 Accountability distributed
 Access controls at point of care (sensitive to context)
Digital Signature Content Profile (DSIG)
Enhanced locally by
 EUA
 PWP
Basic Patient Privacy Consent (BPPC)
IHE Security Profiles - WIP
XUA Cross Enterprise Authentication
 Federated identity management
 SAML 2.0
 Wait for maturity


Access Control Mechanism
 RBAC
          XDS Security model
                                              Registry

                                              Repository A
                                               Repository B

                                                 PIX Service

  EHR-                EHR
                                                   PDQ Service
Workstation           System     XDS
                               Consumer
                      PHR                            ATNA Service
  Browser
                      Portal
                                                         Identity Svc
User Authentication      Business Logic
User Interface           Policy Enforcement                   RBAC Svc
                    XDS Security Transactions


                EHR System PMS

        Physician Office                                                                               ED Application

                                   XDS
                                   Document
                                   Repository                      XDS
                                                                   Document                     PACS
                                                                   Registry
                                                                                   XDS
                                                                              Document
                                                                              Repository
                                       Query Document          Register Document
                                                                                                             EHR System
PACS
                                                   Retrieve Document                                   Provide & Register Docs
                       Lab Info.                                        Maintain Time
                       System
  ATNA Audit                                                                         Maintain    Teaching Hospital
record repository                                          Maintain                   Time
                                            ATNA Audit      Time
                                          record repository         CT Time server
       Community Clinic



                                 XDS Affinity Domain (NHIN sub-network)
                    XDS Security Transactions

                                                                                                Teaching Hospital
                                                 State run RHIO



                EHR System PMS

        Physician Office                                                                                   ED Application

                                   XDS
                                   Document
                                   Repository                      XDS
                                                                   Document                         PACS
                                                                   Registry
                                                                                   XDS
                                                                              Document
                                                                              Repository
                                       Query Document          Register Document
                                                                                                                 EHR System
PACS
                                                   Retrieve Document                                       Provide & Register Docs
                       Lab Info.                                        Maintain Time
                       System
  ATNA Audit                                                                         Maintain
record repository                                          Maintain                   Time
                                            ATNA Audit      Time
                                                                                                           ATNA Audit
                                          record repository         CT Time server
       Community Clinic                                                                                  record repository




                                 XDS Affinity Domain (NHIN sub-network)
Thank you

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:5
posted:2/7/2012
language:English
pages:40