XDS Security
ITI Technical Committee
May 26, 2006

Page 1

XDS Security
ITI Technical Committee
May 26, 2006

Page 2

XDS Security Use Cases

• Prevent indiscriminate attacks (worms, DoS)
• Normal patient that accepts XDS participation
• Patient asks for an Accounting of Disclosures
• Protect against malicious neighbor doctor
• Patient that retracts consent to publish
• Provider privacy
• Malicious data mining
• Emergency access data set
• VIP (movie star, sports figure)
• Domestic violence patient
• Daughter with sensitive tests hidden from parent
• Sensitive topics: mental health, sexual health
• Guardian (cooperative)

Page 3

Document Accessibility

(Figure; source: prEN 13606-4)

Page 4

Security Models

• Security protects assets
  • The information in the Registry and all Repositories
  • Confidentiality, Integrity, and Availability
  • Patient safety trumps privacy (most of the time)
• Accountability options
  • Access Control model
  • Audit Control model
• Policy enforcement options
  • Mutually agree to enforce policies
  • Enforcement of policies centrally

Page 5

Privacy Needs

• Protect against inappropriate disclosure
• Provide an Accounting of Disclosures
• Protect employee privacy
• Resulting in compliance with laws and regulations by the legal entity

Page 6

Affinity Domain Policy

• Today there must be ONE policy
• IHE gives no direction on the content of this policy
• The policy must be enforceable by all the participants in the Affinity Domain
  • E.g. EHR RBAC capabilities must be considered
• See IHE TF Volume 1, Appendix L: XDS Affinity Domain Definition Checklist

Page 7

Classic n-Tier Security

(Diagram: three tiers and the security functions each one carries)

Tier                  Functions
Client / Browser      User Authentication, User Interface
Application Server    Business Logic, Policy Enforcement
Database              Data Index, Data Values

Page 8

Mapped to XDS

(Diagram: the same three tiers mapped onto XDS actors)

Tier                     XDS actors and functions
EHR / Browser            User Authentication, User Interface
XDS Document Consumer    Business Logic, Policy Enforcement
Registry, Repository A, Repository B    Data tier

Supporting services: PIX Service, PDQ Service, ATNA Service, Identity Svc, RBAC Svc

Page 9

The Really Big Problem

(Diagram: an XDS Affinity Domain (NHIN sub-network) containing a Teaching Hospital (PACS, ED Application, EHR System), a Physician Office (EHR System), a PMS, an XDS Document Registry and an XDS Document Repository. Transactions shown: Provide & Register Docs, Register Document, Query Document, Retrieve Document.)

A) The Registry is not the center, it is just a card catalogue to patient data.
B) Disclosure happens on Export.
C) A Retrieve does result in a permanent copy of the Document.
D) The Document Consumer does agree to enforce policies forever.

Page 10

Current Solution to Big Problem

• Affinity Domain Policy (singular)
  • All ‘actors’ that participate must agree to enforce these policies
• XDS
  • Patient-centric queries
  • Queries result in ONE patient exposed
• ATNA
  • Confidentiality, Integrity, Accountability
  • Accountability distributed
  • Access controls at point of care (sensitive to context)
• Enhanced locally by
  • EUA
  • PWP
  • DSIG
• Application specific (not IHE specified)
  • RBAC, PMAC

Page 11

Accountability

(Diagram: the XDS Affinity Domain (NHIN sub-network) of Page 9, now with a Community Clinic (Lab Info. System, PACS) alongside the Teaching Hospital (PACS, ED Application, EHR System) and the Physician Office (EHR System, PMS). Each site has an ATNA Audit record repository and a CT Time server; every node carries a Maintain Time link to the time server. Transactions shown: Provide & Register Docs, Register Document, Query Document, Retrieve Document, against the XDS Document Registry and XDS Document Repository.)

Page 12

Today’s XDS Accountability

• Mitigation against unauthorized use
  • Investigate the audit log for patterns and behavior outside policy; enforce the policy
  • Secure Node requires appropriate access controls, enforced at the enterprise by the XDS Source and Consumers
• Investigation of patient complaints
  • Investigate the audit log for specific evidence
• Support an Accounting of Disclosures
  • ATNA report: XDS-Export + XDS-Import
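The two audit-log uses on this slide, the Accounting of Disclosures report (XDS-Export plus XDS-Import events for one patient) and the search for behavior outside policy, worked through as an added example. This is not code from the slides or from IHE: the audit messages are constructed and reduced to the RFC 3881 fields the script reads, using the DICOM event codes ATNA assigns to Export (110106), Import (110107) and Query (110112); the "more than N patients per user" threshold is an assumed policy value.

```python
"""Accounting of Disclosures and an out-of-policy check over ATNA-style audit records.

Added example, not IHE code. Messages are constructed and simplified; real
ATNA messages carry more fields than the ones read here.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


def _msg(when, code, name, node, user, patient):
    """Build one constructed RFC 3881-style audit message (sample data only)."""
    return f"""<AuditMessage>
  <EventIdentification EventDateTime="{when}">
    <EventID code="{code}" codeSystemName="DCM" displayName="{name}"/>
  </EventIdentification>
  <ActiveParticipant UserID="{node}" UserIsRequestor="false"/>
  <ActiveParticipant UserID="{user}" UserIsRequestor="true"/>
  <ParticipantObjectIdentification ParticipantObjectID="{patient}"
      ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1"/>
</AuditMessage>"""


# Constructed contents of an ATNA Audit Record Repository.
SAMPLE_AUDIT = [
    _msg("2006-05-20T09:12:00", "110112", "Query",  "registry.domain.example",   "dr.smith@clinic.example", "PAT-1001"),
    _msg("2006-05-20T09:13:00", "110106", "Export", "repository-a.hosp.example", "dr.smith@clinic.example", "PAT-1001"),
    _msg("2006-05-20T09:13:05", "110107", "Import", "ehr.clinic.example",        "dr.smith@clinic.example", "PAT-1001"),
    _msg("2006-05-21T22:40:00", "110106", "Export", "repository-a.hosp.example", "dr.jones@office.example", "PAT-1002"),
    _msg("2006-05-21T22:41:00", "110106", "Export", "repository-a.hosp.example", "dr.jones@office.example", "PAT-1003"),
]

# Only these two events are disclosures; a Query exposes metadata, not the document.
EVENT_NAMES = {"110106": "Export", "110107": "Import"}


@dataclass
class Disclosure:
    when: datetime
    kind: str      # "Export" (document left a node) or "Import" (document entered a node)
    user: str      # the requesting user
    node: str      # the system that exported or imported
    patient: str


def parse_audit_message(xml_text):
    """Return a Disclosure for an Export/Import event, or None for any other event."""
    root = ET.fromstring(xml_text)
    ident = root.find("EventIdentification")
    kind = EVENT_NAMES.get(ident.find("EventID").get("code"))
    if kind is None:
        return None
    user = node = "?"
    for ap in root.findall("ActiveParticipant"):
        if ap.get("UserIsRequestor") == "true":
            user = ap.get("UserID")
        else:
            node = ap.get("UserID")
    patient = "?"
    for po in root.findall("ParticipantObjectIdentification"):
        # RFC 3881: object type 1 = person, role 1 = patient
        if po.get("ParticipantObjectTypeCode") == "1" and po.get("ParticipantObjectTypeCodeRole") == "1":
            patient = po.get("ParticipantObjectID")
    return Disclosure(datetime.fromisoformat(ident.get("EventDateTime")), kind, user, node, patient)


def accounting_of_disclosures(messages, patient_id):
    """The ATNA report of the slide: Export plus Import events for one patient, in time order."""
    found = [d for d in map(parse_audit_message, messages) if d and d.patient == patient_id]
    return sorted(found, key=lambda d: d.when)


def users_exporting_many_patients(messages, max_patients):
    """Pattern outside policy: a user exporting documents of more distinct
    patients than the (assumed) policy threshold allows."""
    seen = defaultdict(set)
    for d in map(parse_audit_message, messages):
        if d and d.kind == "Export":
            seen[d.user].add(d.patient)
    return sorted(u for u, pats in seen.items() if len(pats) > max_patients)


if __name__ == "__main__":
    for d in accounting_of_disclosures(SAMPLE_AUDIT, "PAT-1001"):
        print(d.when.isoformat(), d.kind, d.user, d.node)
    print("over limit:", users_exporting_many_patients(SAMPLE_AUDIT, 1))
```

The report is only as complete as the audit trail: because disclosure happens on Export (Page 9), every Secure Node that exports or imports must send its audit record to a repository the investigator can query, which is why the deck ties accountability to ATNA at every site.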

Page 13

XDS Security Use-Cases

Supported today:
• Prevent indiscriminate attacks (worms)
• Normal patient that accepts XDS participation
• Patient asks for an Accounting of Disclosures
• Protect against malicious neighbor doctor
• Patient that retracts consent to publish
• Provider privacy
• Malicious data mining

Not directly supported with IHE technology:
• Emergency access data set: all XDS open, or no access
• VIP: don’t publish, or use a special domain
• Domestic violence patient: don’t publish any
• Daughter with sensitive tests: don’t publish, or use a special domain
• Sensitive topics: don’t publish, or use a special domain
• Guardian (cooperative): local enforcement

Page 14

Next Problem

(Figure; source: prEN 13606-4)

Page 15

Next Year Solution

• PCC – Basic Patient Consents enable the YELLOW policies
  • Enables more than one policy to be defined and claimed
    • Captured document with patient signature
    • Coded identifier to enable automated enforcement
  • Enables data to be marked as controlled by a specific policy (Confidentiality Code)
  • Supporting Emergency Data Set, Clerical Data Set, Direct Caregiver Data Set
  • *** Need query extensions to limit query results to those that match the policy (Confidentiality Code) requested
• XDP
  • Can be used to handle sensitive data or sensitive patients
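How marking documents with a Confidentiality Code, letting a patient claim one of several consent policies, and the requested query extension fit together, as an added example that is not part of the slides or of any IHE specification. Everything in it is constructed: the registry entries, the confidentiality code values (NORMAL, EMERGENCY, CLERICAL, SENSITIVE, modelled on the three data sets the slide names), the consent policy identifiers, and the functional role names. It goes a little beyond the slide by also showing the "retracted consent" and "emergency-only" cases from Page 13 expressed as claimed policies.

```python
"""Confidentiality-Code filtering of XDS query results against a claimed consent policy.

Added example, not IHE code. All codes, policies and roles are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DocumentEntry:
    uuid: str
    patient_id: str
    confidentiality_code: str   # marks which policy controls this document


# Constructed registry contents (XDSDocumentEntry metadata reduced to what matters here).
REGISTRY = [
    DocumentEntry("doc-1", "PAT-1001", "NORMAL"),
    DocumentEntry("doc-2", "PAT-1001", "EMERGENCY"),   # emergency data set
    DocumentEntry("doc-3", "PAT-1001", "CLERICAL"),    # clerical data set (scheduling, billing)
    DocumentEntry("doc-4", "PAT-1001", "SENSITIVE"),   # e.g. mental health
    DocumentEntry("doc-5", "PAT-2002", "NORMAL"),
    DocumentEntry("doc-6", "PAT-3003", "NORMAL"),
    DocumentEntry("doc-7", "PAT-3003", "EMERGENCY"),
]

# Constructed Affinity Domain policies: for each consent a patient can claim, the
# confidentiality codes each functional role may receive (slide: more than one
# policy may be defined and claimed).
POLICIES = {
    "consent-standard": {
        "direct-caregiver": {"NORMAL", "EMERGENCY", "CLERICAL", "SENSITIVE"},
        "clerical": {"CLERICAL"},
        "emergency": {"EMERGENCY"},
    },
    "consent-emergency-only": {      # e.g. a VIP who permits only the emergency data set
        "emergency": {"EMERGENCY"},
    },
    "consent-retracted": {},         # patient retracted consent to publish: nothing is returned
}

# The coded identifier each patient has claimed (captured with a signed consent document).
PATIENT_CONSENT = {
    "PAT-1001": "consent-standard",
    "PAT-2002": "consent-retracted",
    "PAT-3003": "consent-emergency-only",
}


def permitted_codes(patient_id, role):
    """Policy decision: the codes this role may request for this patient.
    A patient with no recorded consent is treated as having none."""
    policy = POLICIES.get(PATIENT_CONSENT.get(patient_id, "consent-retracted"), {})
    return frozenset(policy.get(role, set()))


def registry_query(patient_id, requested_codes):
    """The query extension the slide asks for: results limited to the requested
    Confidentiality Codes. Queries stay patient-centric (Page 10): one patient per query."""
    return [e for e in REGISTRY
            if e.patient_id == patient_id and e.confidentiality_code in requested_codes]


def consumer_query(patient_id, role):
    """Document Consumer as policy enforcement point: request only what the policy
    permits, then re-check the answer so a registry that ignored the extension
    could not hand over documents under other codes."""
    codes = permitted_codes(patient_id, role)
    if not codes:
        return []
    return [e for e in registry_query(patient_id, codes) if e.confidentiality_code in codes]


if __name__ == "__main__":
    for role in ("direct-caregiver", "clerical", "emergency"):
        print(role, [e.uuid for e in consumer_query("PAT-1001", role)])
    print("retracted", consumer_query("PAT-2002", "direct-caregiver"))
```

The enforcement stays with the Document Consumer, as the deck's model requires; the registry extension only keeps unwanted entries out of the result set, it does not replace the consumer's own check.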

Page 16

Future possible topics

• Patient access to
  • Sensitive health topics (“you are going to die”)
  • Low sensitivity (scheduling)
  • Self monitoring (blood sugar)
  • Authoritative updates / amendments / removal
• Centralized policy capabilities
  • Suggested policies
  • Supporting inclusion lists
  • Supporting exclusion lists
  • Supporting functional role language
• Central Policy Decision Point
  • Note: continued distributed Policy Enforcement Point near the patient
• Un-safe client machine (home computer)

Page 17

Conclusion

• IHE provides the necessary basic security for XDS today
• There is room for improvement
• Roadmap includes a prioritized list of use-cases
• Continuous risk assessment is necessary at all levels
  • Product design
  • Implementation
  • Organizational
  • Affinity Domain
• TODO: Include Risk Assessment Table and Map

Page 18

Profile Template: Security Considerations

Page 19

Profile Security Considerations

• Volume 1 – last section of the Profile description
• Volume 2 – section for each Transaction
• Section contents
  • Statement that a risk assessment has been done and is maintained in the IHE Risk Repository
  • Pre-conditions – the expected environmental factors
  • Profile-specific mitigations
  • Profile unresolved risks to be mitigated downstream