XDS Security
ITI Technical Committee
May 27, 2006


Page 1: XDS Security ITI Technical Committee May 27, 2006

XDS Security

ITI Technical Committee

May 27, 2006

Page 2

XDS Security Use Cases

• Prevent indiscriminate attacks (worms, DoS)
• Normal patient that accepts XDS participation
• Patient asks for an Accounting of Disclosures
• Protect against a malicious neighbor doctor
• Patient that retracts consent to publish
• Provider privacy
• Malicious data mining
• Access to the Emergency data set
• VIP (movie star, sports figure)
• Domestic violence patient
• Daughter with sensitive tests hidden from parent
• Sensitive topics: mental health, sexual health
• Legal guardian (cooperative)
• Care-giver (assists with care)

Page 3

Document Accessibility (figure listing the access tiers that clinical entries can be placed in)

• Private entries shared with GP
• Private entries shared with several named parties
• Entries restricted to sexual health team
• Entries restricted to prison health service
• Entries accessible to administrative staff
• Entries accessible to direct care teams
• Entries accessible to clinicians in an emergency

Source: Dipak Kalra & prEN 13606-4

Page 4

Privacy Needs

• Protect against inappropriate disclosure
• Provide an Accounting of Disclosures
• Protect employee privacy
• Resulting in compliance with laws and regulations by the legal entity

Page 5

Security Models

• Risk Assessment
  – Asset is the information in the Registry and all Repositories
  – Confidentiality, Integrity, and Availability
  – Patient safety overrides privacy (most of the time)
• Accountability
  – Access Control model: prevention
  – Audit Control model: reaction
• Policy Enforcement
  – Mutually agree to enforce policies
  – Enforcement of policies centrally

Page 6

Affinity Domain Policy

• Today there must be ONE policy
  – See IHE TF Volume 1, Appendix L: XDS Affinity Domain Definition Checklist
  – IHE gives no direction on the content of this policy
  – E.g. the patient allows general-purpose healthcare information to be submitted; sensitive data will not be published. Only healthcare providers that are members of that patient's direct care team will be given access.
• Policy must be enforceable by all the systems in the Affinity Domain
  – EHR RBAC capabilities must be considered
  – PHR portal must be able to enforce restrictions
  – Registry / Repositories must only talk to authorized systems

Page 7

Classic n-Tier Security

Tier               | Responsibilities
Client / Browser   | User Authentication, User Interface
Application Server | Business Logic, Policy Enforcement
Database           | Data Index, Data Values

Page 8

Mapped to XDS

Diagram mapping the n-tier model onto XDS actors (reconstructed from the slide layout):

Tier                                                    | XDS components
Client (User Authentication, User Interface)            | EHR-Workstation, Browser
Application Server (Business Logic, Policy Enforcement) | EHR System, PHR Portal, XDS Consumer
Database (Data Index, Data Values)                      | Registry, Repository A, Repository B
Supporting services                                     | PIX Service, PDQ Service, ATNA Service, Identity Svc, RBAC Svc

Page 9

The Really Big Problem

Diagram: an XDS Affinity Domain (NHIN sub-network) containing a Teaching Hospital (PACS, ED Application, EHR System) and a Physician Office (EHR System, PMS), together with an XDS Document Registry and an XDS Document Repository. Transactions shown: Provide & Register Docs, Register Document, Query Document, Retrieve Document.

A) The Registry is not the center; it is just a card catalogue to patient data.
B) Disclosure happens on Export.
C) A Retrieve does result in a permanent copy of the Document.
D) The Document Consumer does agree to enforce policies forever.

Page 10

Current Solution to Big Problem

• Affinity Domain Policy (singular)
  – All ‘actors’ that participate must agree to enforce these policies
• XDS
  – Patient-centric queries
  – Queries result in ONE patient exposed
• ATNA
  – Confidentiality, Integrity, Accountability
  – Accountability distributed
  – Access controls at point of care (sensitive to context)
• Digital Signature Content Profile (DSIG)
• Enhanced locally by
  – EUA
  – PWP
• Application specific (not IHE specified)
  – RBAC, PMAC

Page 11

Accountability

Diagram: an XDS Affinity Domain (NHIN sub-network) containing a Community Clinic (Lab Info. System, PACS), a Teaching Hospital (PACS, ED Application, EHR System) and a Physician Office (EHR System, PMS), together with an XDS Document Registry and XDS Document Repositories. ATNA Audit record repositories collect the audit trail, and the nodes synchronize their clocks with a CT Time server (Maintain Time). Transactions shown: Provide & Register Docs, Register Document, Query Document, Retrieve Document.

Page 12

Accountability (continued)

Diagram: the same XDS Affinity Domain (NHIN sub-network) with its Community Clinic (Lab Info. System, PACS), Teaching Hospital (PACS, ED Application, EHR System), Physician Office (EHR System, PMS), XDS Document Registry, XDS Document Repositories, ATNA Audit record repositories and CT Time server (Maintain Time), now extended with a State-run RHIO that operates its own ATNA Audit record repository. Transactions shown: Provide & Register Docs, Register Document, Query Document, Retrieve Document.

Page 13

Today’s XDS Accountability

• Mitigation against unauthorized use
  – Investigate the audit log for patterns and behavior outside policy. Enforce policy.
  – Secure Node requires appropriate access controls to enforce at the enterprise, by XDS Sources and Consumers
• Investigation of patient complaints
  – Investigate the audit log for specific evidence
  – ATNA Audit Repositories can filter and auto-forward
• Support an Accounting of Disclosures
  – ATNA Report: XDS-Export + XDS-Import
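The Accounting of Disclosures report described above, as an added example that is not part of the deck or of any IHE implementation: it reads ATNA-style audit records (a constructed sample in the RFC 3881 AuditMessage shape of the time; node names and document ids are made up), keeps only the Export and Import events that name the patient, and drops Query events, which expose no document content.

```python
import xml.etree.ElementTree as ET

# Constructed sample: four audit records in the RFC 3881 AuditMessage shape that ATNA
# used in 2006 (simplified). The node names and document ids are made up.
SAMPLE_AUDIT = """<AuditLog>
<AuditMessage><EventIdentification EventActionCode="R" EventDateTime="2006-05-20T10:15:00Z" EventOutcomeIndicator="0">
  <EventID code="110106" codeSystemName="DCM" displayName="Export"/></EventIdentification>
 <ActiveParticipant UserID="repository.hospital.example" UserIsRequestor="false"/>
 <ActiveParticipant UserID="ehr.clinic.example" UserIsRequestor="true"/>
 <ParticipantObjectIdentification ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1" ParticipantObjectID="PAT-001"/>
 <ParticipantObjectIdentification ParticipantObjectTypeCode="2" ParticipantObjectTypeCodeRole="3" ParticipantObjectID="1.2.3.4.1001"/></AuditMessage>
<AuditMessage><EventIdentification EventActionCode="C" EventDateTime="2006-05-20T10:15:02Z" EventOutcomeIndicator="0">
  <EventID code="110107" codeSystemName="DCM" displayName="Import"/></EventIdentification>
 <ActiveParticipant UserID="ehr.clinic.example" UserIsRequestor="true"/>
 <ParticipantObjectIdentification ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1" ParticipantObjectID="PAT-001"/>
 <ParticipantObjectIdentification ParticipantObjectTypeCode="2" ParticipantObjectTypeCodeRole="3" ParticipantObjectID="1.2.3.4.1001"/></AuditMessage>
<AuditMessage><EventIdentification EventActionCode="E" EventDateTime="2006-05-21T08:00:00Z" EventOutcomeIndicator="0">
  <EventID code="110112" codeSystemName="DCM" displayName="Query"/></EventIdentification>
 <ActiveParticipant UserID="ehr.office.example" UserIsRequestor="true"/>
 <ParticipantObjectIdentification ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1" ParticipantObjectID="PAT-001"/></AuditMessage>
<AuditMessage><EventIdentification EventActionCode="R" EventDateTime="2006-05-22T09:30:00Z" EventOutcomeIndicator="0">
  <EventID code="110106" codeSystemName="DCM" displayName="Export"/></EventIdentification>
 <ActiveParticipant UserID="ehr.office.example" UserIsRequestor="true"/>
 <ParticipantObjectIdentification ParticipantObjectTypeCode="1" ParticipantObjectTypeCodeRole="1" ParticipantObjectID="PAT-002"/>
 <ParticipantObjectIdentification ParticipantObjectTypeCode="2" ParticipantObjectTypeCodeRole="3" ParticipantObjectID="1.2.3.4.2002"/></AuditMessage>
</AuditLog>"""

# DICOM (DCM) event codes for the two halves of a disclosure: the repository's Export
# and the consumer's Import. Queries (110112) are deliberately not in this map.
DISCLOSURE_EVENTS = {"110106": "Export", "110107": "Import"}

def accounting_of_disclosures(audit_xml, patient_id):
    """Sorted (time, event, requesting node, [document ids]) tuples for every Export or
    Import record that names patient_id; all other event types are skipped."""
    report = []
    for msg in ET.fromstring(audit_xml).iter("AuditMessage"):
        event = msg.find("EventIdentification")
        code = event.find("EventID").get("code")
        objects = msg.findall("ParticipantObjectIdentification")

        def ids(role):  # RFC 3881 role codes: "1" = patient, "3" = report (the XDS document)
            return [o.get("ParticipantObjectID") for o in objects if o.get("ParticipantObjectTypeCodeRole") == role]

        if code in DISCLOSURE_EVENTS and patient_id in ids("1"):
            requestor = [p.get("UserID") for p in msg.findall("ActiveParticipant") if p.get("UserIsRequestor") == "true"][0]
            report.append((event.get("EventDateTime"), DISCLOSURE_EVENTS[code], requestor, ids("3")))
    return sorted(report)
```

Pairing each Export with the matching Import from the consumer's own audit repository is what lets the report show both that a document left the repository and which system took custody of it.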

Page 14

XDS Security Use-Cases

• Supported today
  – Prevent indiscriminate attacks (worms)
  – Normal patient that accepts XDS participation
  – Patient asks for Accounting of Disclosures
  – Protect against malicious neighbor doctor
  – Patient that retracts consent to publish
  – Provider privacy
  – Malicious data mining
• Not directly supported with IHE technology (applications can provide this functionality in their features, e.g. portals)
  – Access to Emergency data set: all XDS open, or no access
  – VIP: don’t publish, or use a special domain
  – Domestic violence patient: don’t publish any
  – Daughter with sensitive tests: don’t publish, or use a special domain
  – Sensitive topics: don’t publish, or use a special domain
  – Legal guardian (cooperative): local enforcement
  – Care giver (assists with care): local enforcement

Page 15

Document Accessibility (figure repeated from page 3, listing the access tiers that clinical entries can be placed in)

• Private entries shared with GP
• Private entries shared with several named parties
• Entries restricted to sexual health team
• Entries restricted to prison health service
• Entries accessible to administrative staff
• Entries accessible to clinicians in an emergency
• Entries accessible to direct care teams

Source: Dipak Kalra & prEN 13606-4

Page 16

Next Year Solution IHE-ITI

• XDP – Cross-Enterprise Document Point-to-Point Interchange
  – Can be used to handle sensitive data or sensitive patients
  – Point-to-point communication of documents
  – Email: using S/MIME to target the documents to a specific individual
  – Media: carried by authorized/bonded courier

Page 17

Next Year Solution IHE-PCC

• PCC – Basic lists of Patient Consents
  – Small number of basic consents the patient could choose from (about 10)
    • Additive in nature, so it is clear which is most restrictive
    • Supporting Emergency Data Set, Clerical Data Set, Direct Caregiver Data Set
    • Could include excluding/including organizations (enforced by Registry/Repository based on Node Certs)
  – Enables more than one policy to be defined and claimed
    • Captured document with patient signature
      – FormatCode identifies the document that captures the event
    • Coded identifier to enable automated enforcement
  – Enables data to be marked as to be controlled by a specific policy (Confidentiality Code)
    • ***Need query extensions to limit query results to those that match the policy (Confidentiality Code) requested
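An added example, not from the deck or from any IHE profile, of the decision logic the PCC consent slide and the sample Affinity Domain Policy (page 6) describe: patient consents are additive and unioned, organization include/exclude lists are checked against the organization from the requesting node's certificate, and the query extension the slide asks for filters registry entries by their Confidentiality Code. The consent names, role names and the mapping from node certificate to organization are assumptions; the confidentiality codes are HL7's N, R and V.

```python
from dataclasses import dataclass, field

# Hypothetical consent vocabulary: the deck says roughly ten basic consents exist but names
# only three data sets, so these entries (and the role names) are assumptions. Confidentiality
# codes are HL7's N (normal), R (restricted), V (very restricted).
CONSENTS = {
    "emergency-data-set": {"roles": {"emergency"},   "codes": {"N"}},
    "clerical-data-set":  {"roles": {"clerical"},    "codes": {"N"}},
    "direct-caregiver":   {"roles": {"direct-care"}, "codes": {"N", "R"}},
    "named-parties":      {"roles": {"named-party"}, "codes": {"N", "R", "V"}},
}

@dataclass
class PatientPolicy:
    consents: set                                    # additive: grants are unioned
    excluded_orgs: set = field(default_factory=set)  # organizations never given access
    included_orgs: set = field(default_factory=set)  # if non-empty, the only organizations allowed

@dataclass
class Requester:
    node_org: str  # organization taken from the requesting node's ATNA certificate (assumed mapping)
    role: str      # functional role asserted by the requesting system

def permitted_codes(policy, requester):
    """Confidentiality codes the requester may see under the patient's additive consents,
    after the organization include/exclude lists the deck proposes enforcing on node certs."""
    if requester.node_org in policy.excluded_orgs:
        return set()
    if policy.included_orgs and requester.node_org not in policy.included_orgs:
        return set()
    allowed = set()
    for name in policy.consents:
        grant = CONSENTS[name]
        if requester.role in grant["roles"]:
            allowed |= grant["codes"]  # additive: each consent can only widen access
    return allowed

def filter_query_results(entries, policy, requester):
    """Registry-side query extension: keep only entries (documentUniqueId, confidentialityCode)
    whose confidentiality code the requester is permitted to see."""
    allowed = permitted_codes(policy, requester)
    return [doc_id for doc_id, code in entries if code in allowed]

# Constructed registry entries and a patient who consented to emergency and direct-care access
# but excluded one clinic, matching the sample policy on the Affinity Domain Policy slide.
ENTRIES = [("1.2.3.4.1001", "N"), ("1.2.3.4.1002", "R"), ("1.2.3.4.1003", "V")]
PATIENT = PatientPolicy(consents={"emergency-data-set", "direct-caregiver"}, excluded_orgs={"clinic.example"})
```

Because the filter runs inside the registry, a consumer that never receives the entry cannot retrieve the document, which is the point of enforcing the policy before the export rather than relying on the consumer afterwards.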

Page 18

Future possible topics

• Federated User Identity (XUA)
• Patient access to
  – Sensitive health topics (you are going to die)
  – Low sensitivity (scheduling)
  – Self monitoring (blood sugar)
  – Authoritative updates / amendments / removal
• Centralized policy capabilities
  – Suggested policies
  – Supporting inclusion lists
  – Supporting exclusion lists
  – Supporting functional role language
• Central Policy Decision Point
  – Note: continued distributed Policy Enforcement Point near the patient
• Un-safe client machine (home computer)

Page 19

Conclusion

• IHE provides the necessary basic security for XDS today
• There is room for improvement
• Roadmap includes a prioritized list of use-cases
• Continuous risk assessment is necessary at all levels
  – Product design
  – Implementation
  – Organizational
  – Affinity Domain
• TODO: Include Risk Assessment Table and Map