Upload
massimiliano-masi
View
82
Download
0
Tags:
Embed Size (px)
Citation preview
What IHE Delivers
Massimiliano Masi,
Tiani “Spirit” GmbH
Addressing Security and Privacy through IHE Profiles
April 15, 2023 2
Layers of Policies
International
Country-Specific
Horizontal Industry
Enterprise
OECD Guidelines on Transborder Flows
Examples
Pro
file
s e
nab
les
/ en
forc
es
US-HIPAA; eIDAS; JP-Act 57 - 2003
Medical Professional Societies
Backup and Recovery
3
Risk Scenario
In this scenario:
• The vulnerability is the hole in the roof
• The threat is the rain cloud
• Rain could exploit the vulnerability
The risk is that the building and equipment in the building could be damaged as long as the vulnerability exists and there is a likely chance that rain will fall.
April 15, 2023
April 15, 2023 6
Security & Privacy Controls
IHE ProfileProfile Issued
Audit Log
Identification and Authentication
Data Access Control
Secrecy
Data Integrity
Non-Repudiation
Patient Privacy
Audit Trails and Node Authentication 2004 √ √ √ √ √ √ √
Consistent Time 2003 √ ∙ √
Enterprise User Authentication 2003 √ ∙ ∙ ∙
Cross-Enterprise User Assertion 2006 √ ∙ ∙ ∙
Basic Patient Privacy Consents 2006 ∙ √
Personnel White Pages 2004 √ √ ∙
Healthcare Provider Directory 2010 √ ∙ ∙
Document Digital Signature 2005 √ √ √
Document Encryption 2011 √ √ ∙
Profiles mapped to Security & Privacy Controls
April 15, 2023 7
Security & Privacy Controls
IHE ProfileProfile Issued
Audit Log
Identification and Authentication
Data Access Control
Secrecy
Data Integrity
Non-Repudiation
Patient Privacy
Internet User Authorization 2015 √ √
Secure Retrieve 2015 √ √
Access Control WP 2009 √ √ √
Profiles mapped to Security & Privacy Controls
April 15, 2023 8
Example: the epSOS project
epSOS (2008-2014) was a large scale pilot that enabled the secure and reliable exchange of Patient Summary and ePrescription
epSOS has been built on the IHE profiles
Security Requirements related to the pan-European exchange of Private Healthcare Information
Now sustained through EXPAND, input from EU projects as e-SENS, Trillium Bridge
April 15, 2023 9
Example: the epSOS project
Authentication made through IHE Cross Enterprise Document assertion
Authorization following the IHE White Paper on Access Control
Traceability through Audit Trail and Node Authentication
Consistent Time
Privacy Consent through Basic Patient Privacy Consent
April 15, 2023 10
Example: the epSOS Project
Profiles are flexible enough that can cope with any Health IT project (IHE starts with a Clinical Use Case)
Grouping (e.g.) merging, enables the building of complex IT Architectures that are successfully constrained by the Regional / Governmental / Enterprise policies
Usage of IHE profiles ease the compliance with regulations and industry best practices
April 15, 2023 11
Example: technology
IHE Security profiles uses the state of the art of the IT Security Technology Security Assertion Markup Language (SAML) for authentication tokens
(e.g. Stork) OAuth2.0 (JWT / SAML) for RESTFul authorization (e.g., Google) XaDES for Digital Signature (e.g., ETSI) CMS for document encryption (and hash) X.509 certificates (and full PKI support) to authenticate nodes (TLSv1.2) rfc5424 for audit trails (ex rfc3881) NTP to maintain time Kerberos (Active Directory) for Enterprise-level authentication (e.g.,
SPNEGO, GSSAPI)
April 15, 2023 12
Conclusion
IHE Security Profiles provides the “security glue” for IHE standards such as XDS, PIX
Easy to specify and to combine with the widely used profiles for data sharing
Flexible and extensible enough to adapt to international / governmental / regional / enterprise level policy
Widely adopted in EU LSP: epSOS, e-SENS, EXPAND, Trillium Bridge, and in dozens of national projects (NÖGUS, Veneto region, ELGA, eFA …)
April 15, 2023 13
More InformationIHE Web site: www.ihe.net
IHE official materialTechnical Framework documents
IHE Wiki site: wiki.ihe.net IHE committee pages Implementation Notes Ongoing committee work
IHE ITI technical committee mailing list Instructions on the bottom of :http://www.ihe.net/IT_Infra/committees