Cross-Enterprise User Authentication Year 2 March 16, 2006 John F. Moehrke GE Healthcare IT Infrastructure Technical Committee

Slide 3 (figure; only its labels survived extraction): Cross-Enterprise User Authentication Implementation Example. Key: Original Transaction, XUA Assertion, TLS Protections. Actors shown: X-Service User, user auth provider, X-Identity Provider, XDS Consumer, XDS Registry, EHR Patient Data, User Auth (ATNA Secure Node), Audit Log.

Page 1: Cross-Enterprise User Authentication Year 2 March 16, 2006 Cross-Enterprise User Authentication Year 2 March 16, 2006 John F. Moehrke GE Healthcare IT

Cross-Enterprise User Authentication, Year 2

March 16, 2006

John F. Moehrke, GE Healthcare

IT Infrastructure Technical Committee

Page 2

March 16, 2006 ITI Technical Committee, slide 2

Cross-Enterprise User Authentication: Value Proposition

• Extend User Identity to Affinity Domain
  – Users include Providers, Patients, Clerical, etc.
  – Must support cross-enterprise transactions; can be used inside enterprise
  – Distributed or Centralized
• Provide information necessary so that receiving actors can make Access Control decisions
  – Does not include Access Control mechanism
• Provide information necessary so that receiving actors can produce detailed and accurate Security Audit Trail

Page 3 (slide 4)

XUA – Circle of Trust (e.g. XDS Affinity Domain)

[Diagram; only its labels survived extraction.]
Sites, each with its own AuthProv and IDProv: St. Johns, North Clinic.
Actors: Radiologist Reporting, PACS, XDS Patient ID Source, Family Doctor, LAB, RID (Browser), XDS Repository, XDS Registry.
Transactions shown: Any DICOM, HL7 v2, HL7 v3, XDS Provide & Register, XDS Register, XDS Retrieve, XDS Query.
Use-case numbers on the diagram: 0a, 0b, 1a, 1b, 2a, 2b, 3, 4, 5, 6, 7.
Key: Original Transaction; XUA modification; Use-Case number ‘n’; Internal / Exported; User auth.

Page 4 (slide 5)

Open Issues

• XUA: Need all transactions where XUA is needed to support one method
  – XDS-Retrieve new option using Web-Services?
  – Provide/Register continues to not include XUA?
  – Query with XUA only with new stored query?
• DICOM
  – DICOM standard support for SAML not yet done.
  – WADO: Not clear how to solve. Currently recommend Browser profile
• PIX/PDQ
  – There are still times when the user is not relevant, thus HL7 v2 is not invalid
• Solution that doesn’t use SAML (Simple text user identity)?
  – What is the risk we are trying to mitigate?
  – Are the overrides appropriate mitigation vs the risk?
• Assertion content (e.g. Specific attributes)?
  – Could include PWP attributes.
  – Likely need PWP updated first with clinical attributes from ISO.
• Patient vs. Provider? Do we have specific attributes that are required of patients?
• What do we do when the Service User is not a ‘service’?
  – Continue to utilize ATNA: TLS: Certificates?
  – Utilize SAML’s ability to assert a service identity?
  – Possibly do this in an appendix
• Policy: The clinical user that is typically identified in the transaction is not likely to be a clinical user but rather a clerical individual.
  – Future could leverage SAML delegation as that mechanism matures
• Actor/Transaction
  – The actor and transaction layout for Browser SSO is different from the one we want to use for Web-Services/DICOM

Page 5 (slide 6)

Recommendation

• Browsers – SAML v2.0 SSO and ECP profile (as is currently written)
• DICOM – SAML v2.0 Assertions encoded using DICOM user identity mechanism (currently in progress in DICOM)
• HL7 v2 – NOT SUPPORTED
• HL7 v3 – Supported when bound to Web-Services
• Web-Services – Next version of WS-I Basic Security Profile that includes WS-SX standard
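As an added illustration (not from the presentation, IHE or GE), the content checks a receiving service would apply to a SAML v2.0 assertion carried in a WS-Security header before trusting the user identity inside it, followed by the fields it would carry into the audit trail that the Value Proposition slide calls for. Issuer, subject, audience URLs, assertion ID and timestamps in the sample message are constructed. The code assumes the assertion's XML signature has already been verified by an XML-DSig library, so it covers only the assertion conditions (trusted issuer, audience, validity window); it is not an implementation of the WS-I Basic Security Profile, and the audit record layout is a constructed one, not the ATNA schema.

```python
"""Content checks on a SAML 2.0 assertion carried in a WS-Security header.

Constructed example. It assumes the assertion's XML signature has already
been verified by an XML-DSig library; only the assertion conditions and the
audit-relevant fields are handled here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample message: issuer, subject, audience, ID and times are made up.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="_c0ffee01" Version="2.0" IssueInstant="2006-03-16T15:00:00Z">
        <saml:Issuer>https://idp.stjohns.example/xua</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dr.smith@stjohns.example</saml:NameID>
        </saml:Subject>
        <saml:Conditions NotBefore="2006-03-16T15:00:00Z" NotOnOrAfter="2006-03-16T15:05:00Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://registry.affinity.example/xds</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2006-03-16T14:59:30Z"/>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>
"""


def _parse_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_assertion(soap_xml):
    """Pull the fields a service provider needs out of the WS-Security header."""
    root = ET.fromstring(soap_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in WS-Security header")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions element")
    return {
        "id": assertion.get("ID"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": _parse_time(conditions.get("NotBefore")),
        "not_on_or_after": _parse_time(conditions.get("NotOnOrAfter")),
    }


def check_assertion(info, trusted_issuers, my_audience, now,
                    clock_skew=timedelta(seconds=60)):
    """Return the reasons to reject the assertion; an empty list means accept."""
    problems = []
    if info["issuer"] not in trusted_issuers:          # issuer must be in the circle of trust
        problems.append("issuer not in circle of trust")
    if my_audience not in info["audiences"]:           # assertion must be meant for this service
        problems.append("assertion not addressed to this service")
    if now + clock_skew < info["not_before"]:          # validity window, with tolerance for clock drift
        problems.append("assertion not yet valid")
    if now - clock_skew >= info["not_on_or_after"]:
        problems.append("assertion expired")
    if not info["subject"]:                            # no identity means nothing to audit or authorize on
        problems.append("no subject identity")
    return problems


def audit_record(info, transaction, outcome):
    """Assertion fields the audit trail needs (constructed layout, not the ATNA schema)."""
    return {
        "event": transaction,
        "outcome": outcome,
        "user_id": info["subject"],
        "user_issuer": info["issuer"],
        "assertion_id": info["id"],
    }


if __name__ == "__main__":
    info = extract_assertion(SAMPLE_SOAP)
    now = datetime(2006, 3, 16, 15, 2, 0, tzinfo=timezone.utc)
    problems = check_assertion(info, {"https://idp.stjohns.example/xua"},
                               "https://registry.affinity.example/xds", now)
    print(problems or audit_record(info, "XDS Query", "success"))
```

The check function returns every failed condition rather than stopping at the first, which makes the rejection reason available to the audit log as well; the audience check is what stops an assertion issued for one service in the affinity domain from being replayed against another.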

Page 6 (slide 7)

Cross-Enterprise User Authentication: Three Year Plan

• 2005: defined the use-cases and identified standards gaps
  – Profiled solution for Browser sessions
  – Profiled solution for HL7 v2 (should we remove?)
• 2006: Set the stage (Work on non Web-Services parts)
  – Encourage XDS-Retrieve using Web-Services
  – Encourage XDS-Stored Query using Web-Services
  – Encourage PIX/PDQ with HL7 V3 using Web-Services
  – Update PWP with ASTM and ISO attributes so they can be available in SAML
  – Define attributes so that clinician, clerical, and patient are properly identified
  – Define SAML Assertion content, assurance levels.
  – Appendix to describe solution when ‘Service User’ is a ‘Service’
• Late 2006: support Web-Services transactions
  – Endorse: WS-Security, WS-SX, WS-I Basic Security Profile.
• 2007: add other transactions
  – Profile DICOM transactions.

Page 7 (slide 8)

Meetings / Tcon

1. Update use-cases and Actor/Transaction layout. Add Patient as user. Add ‘service’ as user comment.
   • April 17 at 11:30 – 1:30 Central
2. Work on Assertion content requirements. Work on PWP integration of ISO dataset, talk about Patient.
   • May 15 at 11:30 – 1:30 Central
3. Build section on Web-Services. Likely will duplicate much of what we expect in WS-I