September, 2005 What IHE Delivers

Page 1: ITI Security Profiles – ATNA, CT

IHE Education Workshop 2007

IHE IT Infrastructure Education

John Moehrke, GE Healthcare

Page 2: IHE Security Profiles

2004
• Consistent Time (CT)
• Enterprise User Authentication (EUA)

2005
• Audit Trail and Node Authentication (ATNA)
• Personnel White Pages (PWP)

2006
• Document Digital Signature (DSG)
• Basic Patient Privacy Consents (BPPC)

2007
• Cross-Enterprise User Assertion (XUA)

White Papers
• Health Information Exchange secured with IHE
• Risk Management in Profile Development

Page 3: IHE and PHI Protection

User Identity → PWP, EUA

User Authentication → EUA, XUA

Node Authentication → ATNA

Security Audit Trails → ATNA

Data Integrity Controls → CT, ATNA, DSG

Data Confidentiality → ATNA, BPPC

Access Controls → Future item in IHE roadmap

Page 4: ATNA Assets protected

Patient and Staff Safety
• ATNA provides minor protections by restricting network access.
• Most safety related protection is elsewhere in products. Security activity must not interfere with safety.

Patient and Staff Health
• As with Safety, ATNA provides minor health protection and must not interfere.

Patient and Staff Privacy
• Access Control at the node level can be enforced.
• Audit Controls at the personal level are supported.
• Note that in Europe there are significant staff privacy protections, not just patient privacy protections, in the laws.

Page 5: ATNA Security Requirements

Reasons: Clinical Use and Privacy
• Authorized persons must have access to medical data of patients, and the information must not be disclosed otherwise.
• Unauthorized persons should not be able to interfere with operations or modify data.

By means of procedures and security mechanisms, guarantee:
• Confidentiality
• Integrity
• Availability
• Authenticity

Page 6: ATNA Security Measures (1 of 3)

Node Authentication: establish the system identity of network transactions.
• How to authenticate network connections.
• How to protect the integrity of the transaction.
• Optionally: how to protect the confidentiality of the transaction.

Mutually Authenticated TLS

Page 7: ATNA Security Measures (2 of 3)

Authorization and Access control: establish a user's ability to perform an action, e.g. access to data.
• User Authentication: e.g. Enterprise User Authentication (EUA) or Cross-Enterprise User Assertion (XUA).
• User Authorizations: e.g. role-based access control.
• System internal mechanisms.

Page 8: ATNA Security Measures (3 of 3)

Accountability and Audit trail: establish a historical record of user's or system actions over a period of time; answers the question "What have you done?"
• List of security audit events
• Message format to describe an event
• Transport protocol

Page 9: ATNA Node Security

ATNA specifies some of the capabilities that are needed, e.g. access control.

ATNA does not specify policies.

ATNA does not specify mechanisms, although other IHE profiles like EUA are obvious candidates.

This permits vendors and enterprises to select technologies and policies that are appropriate to their own purposes without conflicting with the ATNA profile.

Page 10: Why Node Authentication

Many systems are shared access, e.g. CT (computed tomography) scanners, where the machine identity is more important than the operator's identity for security purposes.
• A CT operator is only permitted to update CT records from a CT system.

Some systems operate autonomously, e.g. a PACS archive.
• Knowing the identity of the PACS administrator on duty is not useful when monitoring PACS activity. There might be nobody logged in.

Machine access is usually controlled by the site administration.
• Even authorized users are not permitted to use personal machines.

Page 11: ATNA IHE Goal

IHE makes cross-node security management easy:
• Only a simple manual certificate installation is needed, although more sophisticated systems can be used.
• Separate the authentication, authorization, and accountability functions to accommodate the needs of different approaches.
• Enforcement driven by 'a posteriori audits' and real-time visibility.

Page 12: ATNA Integrating Trusted Nodes

[Diagram: System A and System B, each a Secured System, connected over a secure network; both report to a Central Audit Trail Repository.]

Secure network:
• Strong authentication of remote node (digital certificates)
• Network traffic encryption is not required; it is optional

Secured System:
• Local access control (authentication of user)
• Audit trail with real-time access and time synchronization

Page 13: ATNA Node Authentication

X.509 certificates for node identity and keys.

Transport Layer Security (TLS) over TCP/IP for node authentication, and optional encryption.

Secure handshake protocol of both parties during association establishment:
• Identify encryption protocol
• Exchange session keys

Actor must be able to configure the certificate list of authorized nodes.

ATNA presently specifies mechanisms for HTTP, DICOM, and HL7.

Page 14: ATNA Node Authentication

TLS Encryption options:
• IHE mandates a minimum mandatory set to ensure that a compatible pair will exist.
• Additional encryption options may be implemented.
• TLS specifies how the encryption will be selected from the proposed list. It need not be one of the IHE minimum set.
• Some environments permit NULL encryption (e.g., internal radiology operations). Others do not (e.g., XDS).

ATNA presently specifies mechanisms for using TLS with HTTP, DICOM, and HL7.
• DICOM toolkits incorporate TLS support.
• Some HL7 libraries incorporate TLS support.
• Some web servers (e.g. Tomcat, Apache) incorporate TLS support.
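The two node-authentication slides in practice, as an added example that is not code from the profile or from the presentation: a Python `ssl` configuration that demands a certificate from both ends of the connection, refuses NULL and anonymous cipher suites (the XDS position above), and then enforces the "configured certificate list of authorized nodes" by matching the peer's certificate against a fingerprint allowlist after the handshake. The file paths, fingerprints and the DER bytes used in the check are hypothetical placeholders; hostname checking is turned off on the assumption that ATNA node trust comes from the configured certificates rather than from DNS names.

```python
import hashlib
import ssl


def atna_tls_context(server_side, cert_file=None, key_file=None, trusted_ca_file=None):
    """Mutually authenticated TLS for either end of an ATNA connection.

    Both sides present a certificate and both sides require one
    (verify_mode=CERT_REQUIRED); a server that accepts any client is
    misconfigured for ATNA. Node trust rests on configured certificates, not
    DNS names, so hostname checking is off and the peer is matched against an
    allowlist after the handshake (accept_peer below).
    """
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The slide notes that some environments allow NULL (authentication-only)
    # suites and others such as XDS do not. This context takes the XDS position:
    # authenticated encryption only, no anonymous and no NULL suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    if cert_file:                                   # this node's own identity
        ctx.load_cert_chain(cert_file, key_file)    # hypothetical paths
    if trusted_ca_file:                             # issuers of the trusted nodes
        ctx.load_verify_locations(cafile=trusted_ca_file)
    return ctx


def describe_policy(ctx):
    """Plain-value summary of the security-relevant settings, for checks."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "mutual_auth": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
        "null_or_anon_ciphers": [n for n in names
                                 if "NULL" in n or "ADH" in n or "AECDH" in n],
    }


def node_fingerprint(der_cert):
    """SHA-256 over the DER certificate, the usual key for pinning a node."""
    return hashlib.sha256(der_cert).hexdigest()


def is_authorized_node(der_cert, authorized_fingerprints):
    """ATNA's authorized-node list: the peer's certificate must be one that was
    explicitly configured, not merely one that chains to a trusted CA."""
    return node_fingerprint(der_cert) in {f.lower() for f in authorized_fingerprints}


def accept_peer(tls_sock, authorized_fingerprints):
    """Post-handshake gate: drop the connection if the peer is not on the list.

    The handshake proved the peer holds the key for a CA-issued certificate;
    this adds the per-node authorization the slide asks the actor to configure.
    """
    der = tls_sock.getpeercert(binary_form=True)
    if der is None or not is_authorized_node(der, authorized_fingerprints):
        tls_sock.close()
        return False
    return True
```

The same context wraps the socket of a DICOM, HL7 or HTTP listener; what matters is that the CA file only establishes who may be trusted at all, and that without the fingerprint check every certificate that CA ever issued would pass the handshake, which is not the "list of authorized nodes" the profile describes.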

Page 15: ATNA Auditing System

Designed for surveillance rather than forensic use. This is not a substitute for internal product detailed logs.

Two audit message formats:
• IHE Radiology interim format, for backward compatibility with radiology.
• IETF/DICOM/HL7/ASTM format, for future growth:
  • IETF RFC 3881 Common Audit Message
  • DICOM Supplement 95
  • ASTM E2147
  • HL7 Audit Informative documents
  • ISO standardization in process

New profile work will utilize the new schema for messages, so use the new schema unless there is a product need for compatibility with the Radiology interim format.

Page 16: ATNA Auditing System

Both formats are XML encoded messages, permitting extensions using XML standard extension mechanisms.
• Do not redefine current attributes or elements.
• Only extend when existing attributes or elements are insufficient.
• Document the source schema for extensions and make it freely available because audit repositories will need it.

If there might be messages using different schemas from a single system, use the source field in the syslog message to distinguish the format. All messages from a specific source must use the same schema.

Page 17: ATNA Record Audit Event

BSD Syslog protocol (RFC 3164) will be part of the Connectathon infrastructure.
• Support messages up to 32768 bytes long.
• Clients should be configurable to send to any port and destination.

IETF continues to resolve issues surrounding Reliable Syslog (RFC 3195). There will be no Connectathon support for testing Reliable Syslog, but private testing may take place.

A possibility is the IETF syslog-protocol draft currently under ballot (later published as RFC 5424).
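The message format and transport of the last three slides (an RFC 3881 XML event body, RFC 3164 BSD syslog framing, the 32768-byte limit, and the per-source syslog field a repository uses to tell schemas apart), as an added example that is not code from the profile or the presentation. The event-code table is a small subset of the DICOM audit codes from Supplement 95 used with the newer schema; the hostnames, user IDs, patient IDs and timestamp are constructed sample data.

```python
import datetime as dt
import re
import xml.etree.ElementTree as ET

MAX_SYSLOG_BYTES = 32768     # the size the slide requires senders and repositories to handle
SYSLOG_FACILITY_AUTH = 10    # RFC 3164 facility 10: security/authorization messages
SYSLOG_SEVERITY_NOTICE = 5

# DICOM audit event codes (DICOM Supplement 95, code system "DCM") for some of
# the ATNA events listed on the following slides, as used with the newer schema.
EVENT_IDS = {
    "User Authentication": ("110114", "User Authentication"),
    "PHI-export": ("110106", "Export"),
    "PHI-import": ("110107", "Import"),
    "Audit-log-used": ("110101", "Audit Log Used"),
    "Node-authentication-failure": ("110113", "Security Alert"),
}

# Constructed sample timestamp for the demo; not a real event.
SAMPLE_TIME = dt.datetime(2007, 9, 1, 12, 0, 0, tzinfo=dt.timezone.utc)


def build_audit_message(event, action, outcome, user_id, node, when, patient_id=None):
    """One-line RFC 3881 AuditMessage. action: C/R/U/D/E; outcome: 0 ok, 4/8/12 failures."""
    code, display = EVENT_IDS[event]
    root = ET.Element("AuditMessage")
    ev = ET.SubElement(root, "EventIdentification", EventActionCode=action,
                       EventDateTime=when.isoformat(), EventOutcomeIndicator=str(outcome))
    ET.SubElement(ev, "EventID", code=code, codeSystemName="DCM", displayName=display)
    ET.SubElement(root, "ActiveParticipant", UserID=user_id, UserIsRequestor="true",
                  NetworkAccessPointID=node, NetworkAccessPointTypeCode="1")  # 1 = machine name
    ET.SubElement(root, "AuditSourceIdentification", AuditSourceID=node)
    if patient_id is not None:
        po = ET.SubElement(root, "ParticipantObjectIdentification",
                           ParticipantObjectID=patient_id,
                           ParticipantObjectTypeCode="1",      # 1 = person
                           ParticipantObjectTypeCodeRole="1")  # 1 = patient
        ET.SubElement(po, "ParticipantObjectIDTypeCode", code="2",
                      codeSystemName="RFC-3881", displayName="Patient Number")
    return ET.tostring(root, encoding="unicode")


def fits_syslog(frame):
    return len(frame) <= MAX_SYSLOG_BYTES


def syslog_frame(xml_msg, hostname, tag, when,
                 facility=SYSLOG_FACILITY_AUTH, severity=SYSLOG_SEVERITY_NOTICE):
    """RFC 3164 frame: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    TAG is the per-source field the slides rely on: a repository keys the schema
    on it, so every record from one TAG must use one schema. A record that does
    not fit is refused rather than truncated into an unparseable audit entry.
    """
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    frame = f"<{pri}>{stamp} {hostname} {tag}: {xml_msg}".encode("utf-8")
    if not fits_syslog(frame):
        raise ValueError(f"audit record is {len(frame)} bytes, limit {MAX_SYSLOG_BYTES}")
    return frame


_FRAME = re.compile(rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)


def parse_syslog_frame(frame):
    """Repository side: split the frame, decode PRI, parse the XML body.
    For records arriving from the network, use defusedxml instead of
    ET.fromstring so entity-expansion payloads cannot exhaust the repository."""
    m = _FRAME.match(frame)
    if not m:
        raise ValueError("not an RFC 3164 frame")
    pri = int(m.group(1))
    audit = ET.fromstring(m.group(5).decode("utf-8"))
    if audit.tag != "AuditMessage":
        raise ValueError("body is not an RFC 3881 AuditMessage")
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2).decode(), "host": m.group(3).decode(),
            "tag": m.group(4).decode(), "audit": audit}


def event_id(audit):
    """(code, displayName) of the record's EventID."""
    e = audit.find("EventIdentification/EventID")
    return (e.get("code"), e.get("displayName"))


if __name__ == "__main__":
    msg = build_audit_message("User Authentication", "E", 0, "dr.smith", "ct-scanner-1", SAMPLE_TIME)
    frame = syslog_frame(msg, "ct-scanner-1", "ATNA", SAMPLE_TIME)
    print(frame.decode())
    print(event_id(parse_syslog_frame(frame)["audit"]))
```

RFC 3164 over UDP gives the repository neither integrity nor delivery guarantees for these records, which is the gap the Reliable Syslog discussion on the slide is about; the sender-side size check exists because a silently truncated record is worse for surveillance than a rejected one.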

Page 18: ATNA Auditable Events

Actor-start-stop: The starting or stopping of any application or actor.

Audit-log-used: Reading or modification of any stored audit log.

Begin-storing-instances: The storage of any persistent object, e.g. DICOM instances, is begun.

Health-service-event: Other health service related auditable event.

Images-availability-query: The query for instances of persistent objects.

Instances-deleted: The deletion of persistent objects.

Instances-stored: The storage of persistent objects is completed.

Page 19: ATNA Auditable Events (continued)

Medication: Medication is prescribed, delivered, etc.

Mobile-machine-event: Mobile equipment is relocated, leaves the network, rejoins the network.

Node-authentication-failure: An unauthorized or improperly authenticated node attempts communication.

Order-record-event: An order is created, modified, completed.

Patient-care-assignment: Patient care assignments are created, modified, deleted.

Patient-care-episode: Auditable patient care episode event that is not specified elsewhere.

Patient-record-event: Patient care records are created, modified, deleted.

Page 20: ATNA Auditable Events (continued)

PHI-export: Patient information is exported outside the control of the system.

PHI-import: Patient information is imported into the control of the system.

Procedure-record-event: A procedure record is created, modified, or deleted.

Query-information: Any auditable query not otherwise specified.

Security Alert: Security alerts, configuration changes, Break-Glass, etc.

User Authentication: A user attempting to log on or log off, whether successful or not.

Study-object-event: A study is created, modified, or deleted.

Study-used: A study is viewed, read, or similarly used.

Page 21: Accountability

[Diagram: XDS Affinity Domain (NHIN sub-network). Participants: Community Clinic (Lab Info. System, PACS), Teaching Hospital (PACS, ED Application, EHR System), Physician Office (EHR System, PMS), an XDS Document Registry, XDS Document Repositories, ATNA Audit record repositories, and a CT Time server. Transactions shown: Provide & Register Docs, Register Document, Query Document, Retrieve Document. Each node records Import, Export and Query audit events to the ATNA Audit record repository and runs Maintain Time against the CT Time server.]

Page 22: Secure Node vs Application

IHE uses the grouping mechanism to state that in the finished system or environment both the application and the Secure Node must be present.

It is possible to be an application supporting ATNA transactions without being a Secure Node:
• Server applications
• Plug-in applications

Those security facilities that are within the scope of the application must be provided:
• ATNA logging of relevant events
• Network communication authenticated
• User access controls as applicable

External security facilities are the responsibility of the Secure Node actor:
• File system security, etc.
• Overall system user authentication and access control
• Overall security audit event capture

Page 23: Consistent Time (CT)

Network Time Protocol (NTP) version 3 (RFC 1305) for time synchronization.

Actor must support manual configuration for NTP sources.

Required accuracy: 1 second.

Options:
• SNTP (Simple Network Time Protocol)
• Secure NTP
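For the CT slide, as an added example that is not the profile's own code: an SNTP client (the RFC 4330 subset of NTP versions 3 and 4) that builds a request, validates a reply against that request before trusting it, computes the clock offset from the four timestamps, and checks the result against the 1 second the profile requires. The reply packets exercised here are constructed; `query_server` performs a real exchange only if given a host.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
CT_REQUIRED_ACCURACY_S = 1.0    # the Consistent Time profile's requirement
NTP_PORT = 123
_FMT = "!BBBbIII4Q"             # 48-byte NTP header: LI/VN/mode, stratum, poll,
                                # precision, root delay, root dispersion, ref id,
                                # then reference/origin/receive/transmit timestamps


def to_ntp(unix_ts):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_ts)
    frac = min(int(round((unix_ts - whole) * 2**32)), 2**32 - 1)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2**32


def build_request(t1):
    """Client request: LI=0, VN=3, mode=3; our send time goes into Transmit."""
    xmt = to_ntp(t1)
    return struct.pack(_FMT, (3 << 3) | 3, 0, 6, -20, 0, 0, 0, 0, 0, 0, xmt), xmt


def build_response(origin, receive, transmit, stratum=2, version=3):
    """A server reply as a constructed packet: mode=4, Origin echoes our Transmit."""
    head = (version << 3) | 4
    return struct.pack(_FMT, head, stratum, 6, -20, 0, 0, 0x47505300,   # ref id "GPS"
                       to_ntp(receive), origin, to_ntp(receive), to_ntp(transmit))


def parse_response(pkt, sent_xmt, t4):
    """Validate a reply against the request we sent; return offset and delay.

    Returns None when the packet must be discarded: wrong size or mode, stratum
    0 (kiss-o'-death or unsynchronized server), zero Transmit, or an Origin that
    is not the Transmit value we sent (a reply we never asked for, or a replayed
    or forged one). That echo check is the only defence plain SNTP has against
    spoofed replies, which is why the slide lists Secure NTP as an option.
    """
    if len(pkt) < 48:
        return None
    head, stratum, _poll, _prec, _rdelay, _rdisp, _refid, _ref, org, rec, xmt = \
        struct.unpack(_FMT, pkt[:48])
    version, mode = (head >> 3) & 7, head & 7
    if mode != 4 or version not in (3, 4) or stratum == 0 or xmt == 0 or org != sent_xmt:
        return None
    t1, t2, t3 = from_ntp(org), from_ntp(rec), from_ntp(xmt)
    offset = ((t2 - t1) + (t3 - t4)) / 2    # server clock minus ours
    delay = (t4 - t1) - (t3 - t2)           # round trip excluding server hold time
    return {"offset": offset, "delay": delay, "stratum": stratum}


def consistent_time_ok(result):
    """Does this node currently meet the profile's 1 second requirement?"""
    return result is not None and abs(result["offset"]) <= CT_REQUIRED_ACCURACY_S


def query_server(host, timeout=2.0):
    """One real exchange over UDP/123 (needs network; not run by the checks)."""
    t1 = time.time()
    pkt, sent = build_request(t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, NTP_PORT))
        reply, _ = s.recvfrom(512)
    return parse_response(reply, sent, time.time())


if __name__ == "__main__":
    result = query_server("pool.ntp.org")   # hypothetical server choice
    print(result, "CT ok" if consistent_time_ok(result) else "CT NOT ok")
```

One reading of the offset is enough to show the arithmetic, but the profile's requirement is on the error a node actually keeps, so a deployed actor should poll repeatedly and act on the median, and should alarm (an ATNA Security Alert is the natural event) when it loses synchronization rather than carry on stamping audit records with a clock nobody can correlate.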

Page 24: Questions?