IHE Security
IHE Europe 2006 - Changing the Way Healthcare Connects

IHE Presentation at the World of Health IT show, October 2006

G. Claeys
IHE Europe
Agfa Healthcare / CTO Office

Courtesy of C. Sacchavini, J. Moehrke

Page 2:

Overview

• Security needs
• IHE ATNA
• IHE DSG
• IHE BPPC
• Practical example: XDS Security

Page 3:

Scope

Defines basic security features for a system in a healthcare enterprise in order to guarantee:
• Only authorized persons have access to PHI (Protected Health Information)
• PHI is protected against alteration, destruction and loss
• Compliance with existing Privacy & Security regulations

Page 4:

Security Mechanism                  IHE profile(s)
Authentication (user and device)    ATNA, EUA/XUA
Authorization                       (no profile yet; RBAC is work in progress, see page 36)
Accountability (audit trails)       ATNA
Confidentiality                     ATNA
Integrity                           ATNA, DSG

Page 5:

G. Claeys, Agfa Healthcare ([email protected])

Audit Trail and Node Authentication

Page 6:

IHE ATNA - Architecture

[Figure: System A (secured system) and System B (secured system) exchange messages over a secure network; both send their audit records over the secure network to a Central Audit Trail Repository.]

• Local authentication of the user
• Strong authentication of the remote node (digital certificates)
• Audit trail that logs privacy & security related operations

Page 7:

IHE ATNA - Actors and Transactions

All existing IHE actors need to be grouped with a Secure Node actor.

[Figure: "Any" IHE actor grouped with a Secure Node. Transactions: Secure Node -> Audit Record Repository: Record Audit Event; Secure Node <-> Secure Node: Authenticate Node; Secure Node -> Time Server: Maintain Time.]

Page 8:

Secure Node

Local user authentication
• Only needed at the "client" node
• Authentication mechanism: user name and password (minimum); biometrics, smart card
• Secure nodes maintain a list of authorized users: local or central (using EUA)
• The hospital's security policy defines the relation between the user and the user id

Page 9:

Secure Node (cont.)

Mutual device authentication
• Establishes a trust relationship between 2 network nodes
• Strong authentication by exchanging X.509 certificates
• The actor must be able to configure the list of certificates of trusted nodes

TCP/IP Transport Layer Security protocol (TLS)
• Used with DICOM/HL7/HTTP messages
• Secure handshake protocol during association establishment
• Encryption:
  • Intra-muros (default): no encryption, i.e. a TLS NULL cipher suite (TLS_RSA_WITH_NULL_SHA in the ATNA specification): the nodes are authenticated and the stream is integrity-protected, but PHI crosses the LAN in clear
  • Extra-muros: AES128 (TLS_RSA_WITH_AES_128_CBC_SHA)

Page 10:

Secure node - additional effort

• Instrument all applications to detect auditable events and generate audit messages.
• Ensure that all communication connections are protected (system hardening).
• Establish a local security mechanism to protect all local resources.
• Establish configuration mechanisms for time synchronization, certificate management and network configuration.

Page 11:

Certificate Management

Certificates can be signed by the device itself (self-signed) or via a CA (e.g. the hospital's)
• Use self-signed certificates for testing interoperability
• The Connectathon has a CA

Support at least direct comparison of certificates
• Import the certificate of each trusted peer device
• Compare each received certificate with the list of trusted certificates

Certificate management white paper from NEMA's Security & Privacy committee: www.nema.org/prod/med/security
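The mutual node authentication of pages 9 and 11 (X.509 certificates exchanged in the TLS handshake, trust decided by direct comparison against an imported list) as an added Go example; this is not code from the presentation or from any IHE implementation. It generates self-signed certificates for two nodes in-process, runs a TLS association over loopback and plugs the trust list into the handshake through `VerifyPeerCertificate`. The node names, the P-256 ECDSA keys and the loopback set-up are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newNodeCert mints the self-signed certificate the slides allow for
// interoperability testing (assumption: P-256 ECDSA keys). Panics on failure
// because there is no sensible fallback in a demo.
func newNodeCert(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// TrustList is the imported set of trusted peer certificates keyed by their exact
// DER bytes: no CA chain is built, a peer must present one of these certificates.
type TrustList map[string]bool

// verifyPeer is the direct-comparison check, run by client and server alike.
func (t TrustList) verifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("peer presented no certificate")
	}
	if !t[string(rawCerts[0])] {
		return fmt.Errorf("peer certificate is not in the trust list")
	}
	return nil
}

// nodeConfig: mutual authentication, trust decided only by the list. TLS 1.2 is
// pinned so a rejected client certificate aborts the handshake on both sides.
func nodeConfig(own tls.Certificate, trusted TrustList) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{own},
		ClientAuth:            tls.RequireAnyClientCert, // server: client certificate mandatory
		InsecureSkipVerify:    true,                     // client: no CA chain check...
		VerifyPeerCertificate: trusted.verifyPeer,       // ...the trust list decides instead
		MaxVersion:            tls.VersionTLS12,
	}
}

// handshake runs one association over loopback and returns the first error seen.
func handshake(server, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	c.Close()
	return <-srvErr
}

// RunScenario: A and B imported each other's certificate; the rogue node reuses
// A's name with its own key. Returns (pair authenticated, rogue rejected).
func RunScenario() (trustedOK, rogueRejected bool) {
	a, b := newNodeCert("node-a.example"), newNodeCert("node-b.example")
	rogue := newNodeCert("node-a.example")                // same name as A, different key
	trustA := TrustList{string(b.Certificate[0]): true} // A trusts only B
	trustB := TrustList{string(a.Certificate[0]): true} // B trusts only A
	trustedOK = handshake(nodeConfig(a, trustA), nodeConfig(b, trustB)) == nil
	rogueRejected = handshake(nodeConfig(a, trustA), nodeConfig(rogue, trustB)) != nil
	return
}
```

The rogue case is the point: its certificate carries the same CommonName as node A, and a verifier that trusted names, or any certificate chaining to a shared CA, would accept it; direct comparison does not. When the hospital CA of page 11 is used instead, replace `InsecureSkipVerify` and `RequireAnyClientCert` with `RootCAs`, `ClientCAs` and `RequireAndVerifyClientCert`, and keep a revocation path.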

Page 12:

Auditing System

The auditing system consists of:
• A list of events that generate audit messages
• The audit message format
• The transport mechanism

Designed for surveillance rather than forensic use.

Page 13:

Audit Events

• Audit triggers are defined for every operation that accesses PHI (create, delete, modify, import/export)
• The IHE Technical Framework describes the supported audit triggers per actor
• Audit triggers are grouped at transaction/study level to minimize overhead

Page 14:

Audit Message Format

XML encoded message

IHE Radiology provisional format: kept for backward compatibility with radiology

ATNA format (preferred)
• Joint effort of IETF/DICOM/HL7/ASTM
• XML schema (RFC 3881): www.xml.org/xml/schema/7f0d86bd/healthcare-security-audit.xsd
• An XSLT transformation is provided to convert the "provisional" schema to the "ATNA" schema

Page 15:

Audit Transport Mechanism

Reliable Syslog, cooked mode (RFC 3195)
• Connection oriented
• Supports certificate-based authentication and encryption
• But limited industry support

BSD Syslog protocol (RFC 3164)
• Preferred transport mechanism for the time being
• Caveat: UDP, no sender authentication, no delivery guarantee, and a 1024-byte datagram limit; the audit path therefore depends on the secured network between node and repository
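Pages 13 to 15 together, as an added Go example that is not code from the slides or from any IHE implementation: a Secure Node builds an RFC 3881 audit record for a registry query, frames it as an RFC 3164 syslog datagram, and ships it over UDP to a loopback Audit Record Repository that parses it back. The DCM event code 110112 (Query), the user and patient identifiers, the host names and the `ATNA` syslog tag are this example's assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net"
	"regexp"
	"strconv"
	"time"
)

// AuditMessage is a minimal RFC 3881 record; element and attribute names follow the RFC.
type AuditMessage struct {
	XMLName xml.Name `xml:"AuditMessage"`
	Event   struct {
		ActionCode string `xml:"EventActionCode,attr"`
		DateTime   string `xml:"EventDateTime,attr"`
		Outcome    int    `xml:"EventOutcomeIndicator,attr"`
		ID         struct {
			Code   string `xml:"code,attr"`
			System string `xml:"codeSystemName,attr"`
		} `xml:"EventID"`
	} `xml:"EventIdentification"`
	Participants []ActiveParticipant `xml:"ActiveParticipant"`
	Source       struct {
		ID string `xml:"AuditSourceID,attr"`
	} `xml:"AuditSourceIdentification"`
	Objects []ParticipantObject `xml:"ParticipantObjectIdentification"`
}

type ActiveParticipant struct {
	UserID      string `xml:"UserID,attr"`
	IsRequestor bool   `xml:"UserIsRequestor,attr"`
}

type ParticipantObject struct {
	ID   string `xml:"ParticipantObjectID,attr"`
	Type int    `xml:"ParticipantObjectTypeCode,attr"`     // 1 = person
	Role int    `xml:"ParticipantObjectTypeCodeRole,attr"` // 1 = patient
}

// NewQueryAudit is what a Secure Node emits when userID queries the registry
// for patientID. The DCM code 110112 (Query) is an assumption of this example.
func NewQueryAudit(userID, patientID, sourceID string, now time.Time) *AuditMessage {
	m := &AuditMessage{}
	m.Event.ActionCode, m.Event.Outcome = "E", 0 // Execute, success
	m.Event.DateTime = now.UTC().Format(time.RFC3339)
	m.Event.ID.Code, m.Event.ID.System = "110112", "DCM"
	m.Participants = []ActiveParticipant{{UserID: userID, IsRequestor: true}}
	m.Source.ID = sourceID
	m.Objects = []ParticipantObject{{ID: patientID, Type: 1, Role: 1}}
	return m
}

const (
	priAuthprivNotice = 10*8 + 5 // RFC 3164 PRI = facility (authpriv) * 8 + severity (notice)
	maxDatagram       = 1024     // RFC 3164 section 4.1: longer packets may be truncated
)

// Frame wraps the XML in an RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
func Frame(m *AuditMessage, hostname string, now time.Time) ([]byte, error) {
	body, err := xml.Marshal(m)
	if err != nil {
		return nil, err
	}
	pkt := fmt.Sprintf("<%d>%s %s ATNA: %s", priAuthprivNotice, now.Format("Jan _2 15:04:05"), hostname, body)
	if len(pkt) > maxDatagram {
		return nil, fmt.Errorf("datagram is %d bytes, over the RFC 3164 limit of %d", len(pkt), maxDatagram)
	}
	return []byte(pkt), nil
}

var header = regexp.MustCompile(`^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ATNA: (.*)$`)

// Parse is the repository side: split the header and decode the XML body.
func Parse(pkt []byte) (int, *AuditMessage, error) {
	parts := header.FindSubmatch(pkt)
	if parts == nil {
		return 0, nil, fmt.Errorf("not an ATNA syslog frame")
	}
	pri, _ := strconv.Atoi(string(parts[1]))
	m := &AuditMessage{}
	if err := xml.Unmarshal(parts[4], m); err != nil {
		return 0, nil, err
	}
	return pri, m, nil
}

// SendAndReceive ships one frame over UDP to a loopback repository and returns
// what it parsed. Nothing on this path authenticates the sender or guarantees delivery.
func SendAndReceive(pkt []byte) (int, *AuditMessage, error) {
	repo, err := net.ListenPacket("udp", "127.0.0.1:0")
	if err != nil {
		return 0, nil, err
	}
	defer repo.Close()
	node, err := net.Dial("udp", repo.LocalAddr().String())
	if err != nil {
		return 0, nil, err
	}
	defer node.Close()
	node.Write(pkt)
	buf := make([]byte, 2048)
	repo.SetReadDeadline(time.Now().Add(2 * time.Second))
	n, _, err := repo.ReadFrom(buf)
	if err != nil {
		return 0, nil, err
	}
	return Parse(buf[:n])
}
```

The size check in `Frame` is the practical consequence of choosing RFC 3164: a record with many participants or objects can exceed 1024 bytes and be silently truncated by a relay, so a node must either split the event or move to a connection-oriented transport.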

Page 16:

September 2005 - What IHE Delivers

Document Digital Signature (DSG)

Page 17:

Purpose

• Document integrity
• Non-repudiation
• Accountability

Page 18:

September 8, 2005

Document Digital Signature - scope

• A Digital Signature is a separate XDS document
• Supports single / multiple signatures and nested signatures
• Standard: XAdES (the ETSI extension of the W3C XML Signature) + X.509 certificates
• The vendor must provide a signature mechanism for XDS Submissions

Page 19:

Document Digital Signature - out of scope

• Certificate management and PKI concepts
• Focus begins with signing, not encryption
• Partial document signature

Page 21:

Document Digital Signature - Verification

[Figure: the signed document is split into the original document and the signature. The original document is run through the HASH function, giving the message hash. The signature is processed by the asymmetric algorithm with the public key of the signer, recovering the original hash (signer generated). Verification succeeds if the two hashes are equal.]

Page 22:

Document Digital Signature - XML Digital Signature Tools

• The Apache XML Security project has both Java and C++ implementations of XML Digital Signature (open source): http://xml.apache.org/security/
• JSR 105: Java XML Digital Signature API with reference implementations; final release by Sun and IBM, June 24, 2005: http://jcp.org/aboutJava/communityprocess/final/jsr105/index.html

Page 23:

Document Digital Signature - Commercial Toolkits (not a comprehensive list)

• http://jce.iaik.tugraz.at/products/052_XSECT/index.php
• http://www.infomosaic.net/SecureXMLDetailInfo.htm
• http://www.betrusted.com/products/keytools/xml/index.asp
• http://www.phaos.com/products/category/xml.html
• http://www.verisign.com/products-services/security-services/pki/xml-trust-services/index.html

Page 24:

Document Digital Signature - XDS Sample Code

<Signature Id="signatureOID" xmlns="http://www.w3.org/2000/09/xmldsig#"
           xmlns:xad="http://uri.etsi.org/01903/v1.1.1#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#IHEManifest" Type="http://www.w3.org/2000/09/xmldsig#Manifest">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>base64ManifestDigestValue</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>base64SignatureValue</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>base64X509certificate</X509Certificate>
    </X509Data>
  </KeyInfo>

Page 25:

Document Digital Signature - XDS Sample Code (cont.)

  <Object>
    <xad:QualifyingProperties>
      <xad:SignedProperties>
        <xad:SignedSignatureProperties>
          <xad:SigningTime>yyyy-mm-ddThh:mm:ssZ</xad:SigningTime> <!-- xsd:dateTime -->
          <xad:SigningCertificate>
            <xad:Cert> <!-- identifier of the signing certificate -->
              <xad:CertDigest> <!-- DigestMethod/DigestValue are ds: elements, here in the default namespace -->
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>base64 digest value</DigestValue>
              </xad:CertDigest>
              <xad:IssuerSerial>
                <X509IssuerName>X.509 distinguished name of the certificate's issuer</X509IssuerName>
                <X509SerialNumber>certificate serial number</X509SerialNumber>
              </xad:IssuerSerial>
            </xad:Cert>

Page 26:

Document Digital Signature - XDS Sample Code (cont.)

            <xad:Cert> <!-- identifier of the signing certificate's parent (issuing CA) -->
              <xad:CertDigest>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>base64 digest value</DigestValue>
              </xad:CertDigest>
              <xad:IssuerSerial>
                <X509IssuerName>X.509 distinguished name of the parent certificate's issuer</X509IssuerName>
                <X509SerialNumber>certificate serial number</X509SerialNumber>
              </xad:IssuerSerial>
            </xad:Cert>
          </xad:SigningCertificate>
          <xad:SignaturePolicyIdentifier>id</xad:SignaturePolicyIdentifier>
        </xad:SignedSignatureProperties>
      </xad:SignedProperties>
    </xad:QualifyingProperties>

Page 27:

Document Digital Signature - XDS Sample Code (cont.)

    <SignatureProperties>
      <SignatureProperty Id="purposeOfSignature" Target="#signatureOID">code</SignatureProperty>
    </SignatureProperties>
    <Manifest Id="IHEManifest">
      <Reference URI="ihexds:registry:xxxx-xxxx…"> <!-- document A -->
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>base64DigestValue</DigestValue>
      </Reference>
      <Reference URI="ihexds:registry:xxxx-xxxx…"> <!-- XML document B -->
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>base64DigestValue</DigestValue>
      </Reference>
      <Reference URI="ihexds:registry:xxxx-xxxx…"> <!-- DICOM document (or object) C -->
        <Transforms>
          <Transform Algorithm="urn:oid:1.2.840.10008.1.2.1"/> <!-- digest over the object in Explicit VR Little Endian transfer syntax -->
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>base64DigestValue</DigestValue>
      </Reference>
    </Manifest>
  </Object>
</Signature>

Note that the SignedInfo covers only the digest of the Manifest. XML Signature core validation checks the SignedInfo references and stops there; whether the digests inside a Manifest are checked is left to the application. A verifier that runs core validation alone has confirmed that the Manifest is intact, not that documents A, B and C are.
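The application-side Manifest check that the sample above requires, as an added Go example (not code from the presentation or the DSG profile): it parses a ds:Manifest, recomputes each Reference digest over the retrieved document bytes and reports every mismatch or missing document, including a document A altered after signing. The three document contents and their `ihexds:registry:` URIs are constructed; the bytes are assumed to be already in the form the listed Transforms produce (canonicalized XML, the DICOM transfer syntax), since canonicalization is outside the example's scope. It also accepts SHA-256, which is what a verifier deployed today should require instead of the sample's SHA-1.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"hash"
	"strings"
)

// Reference and Manifest mirror the ds:Manifest in the sample above; encoding/xml
// matches on local names, so the ds: prefix of a real signature does not matter.
type Reference struct {
	URI          string                                   `xml:"URI,attr"`
	DigestMethod struct{ Algorithm string `xml:"Algorithm,attr"` } `xml:"DigestMethod"`
	DigestValue  string                                   `xml:"DigestValue"`
}

type Manifest struct {
	XMLName    xml.Name    `xml:"Manifest"`
	ID         string      `xml:"Id,attr"`
	References []Reference `xml:"Reference"`
}

const (
	AlgSHA1   = "http://www.w3.org/2000/09/xmldsig#sha1"   // what the 2006 sample uses
	AlgSHA256 = "http://www.w3.org/2001/04/xmlenc#sha256" // what a verifier today should require
)

var digestAlgorithms = map[string]func() hash.Hash{AlgSHA1: sha1.New, AlgSHA256: sha256.New}

func digest(newHash func() hash.Hash, data []byte) string {
	h := newHash()
	h.Write(data)
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// BuildManifest is the signer's side: one Reference per submitted document.
func BuildManifest(alg string, docs map[string][]byte, order []string) ([]byte, error) {
	newHash, ok := digestAlgorithms[alg]
	if !ok {
		return nil, fmt.Errorf("unsupported digest algorithm %q", alg)
	}
	m := Manifest{ID: "IHEManifest"}
	for _, uri := range order {
		r := Reference{URI: uri, DigestValue: digest(newHash, docs[uri])}
		r.DigestMethod.Algorithm = alg
		m.References = append(m.References, r)
	}
	return xml.Marshal(m)
}

// VerifyManifest is the step XML-DSig core validation leaves to the application:
// each Reference digest is recomputed over the retrieved document bytes (assumed
// already in the form its Transforms produce). Empty result means all intact.
func VerifyManifest(manifestXML []byte, docs map[string][]byte) (map[string]error, error) {
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, err
	}
	failures := map[string]error{}
	for _, r := range m.References {
		doc, ok := docs[r.URI]
		if !ok {
			failures[r.URI] = fmt.Errorf("referenced document was not retrieved")
			continue
		}
		newHash, ok := digestAlgorithms[r.DigestMethod.Algorithm]
		if !ok {
			failures[r.URI] = fmt.Errorf("unsupported digest algorithm %q", r.DigestMethod.Algorithm)
			continue
		}
		if digest(newHash, doc) != strings.TrimSpace(r.DigestValue) {
			failures[r.URI] = fmt.Errorf("digest mismatch: document altered after signing")
		}
	}
	return failures, nil
}

// SampleOrder and SampleDocs are constructed stand-ins for documents A, B and C.
var SampleOrder = []string{"ihexds:registry:doc-A", "ihexds:registry:doc-B", "ihexds:registry:doc-C"}

func SampleDocs() map[string][]byte {
	return map[string][]byte{
		SampleOrder[0]: []byte("%PDF-1.4 discharge summary (constructed sample)"),
		SampleOrder[1]: []byte("<report><result>HbA1c 6.1%</result></report>"),
		SampleOrder[2]: []byte("DICM\x08\x00\x05\x00CS\x0a\x00ISO_IR 100"),
	}
}

// Demo signs the three documents, then alters document A before "retrieval".
func Demo() (map[string]error, error) {
	docs := SampleDocs()
	manifest, err := BuildManifest(AlgSHA1, docs, SampleOrder)
	if err != nil {
		return nil, err
	}
	docs[SampleOrder[0]] = []byte("%PDF-1.4 discharge summary (ALTERED)")
	return VerifyManifest(manifest, docs)
}
```

A consumer that retrieves only document B must still decide what to do about A and C: `VerifyManifest` reports them as "not retrieved" rather than silently passing, which is the fail-closed behaviour a signature over a submission set should have.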

Page 28:

Basic Patient Privacy Consents

IHE Vendors Workshop 2006
IHE IT Infrastructure Education
John Moehrke

Page 29:

Basic Patient Privacy Consents

• A small number of pre-coordinated Affinity Domain privacy consents; the patient can choose which ones to agree to
• Data is classified as published under the authority of a specific privacy consent
• Data is used in conformance with the original privacy consent
• Applicable to the XD* transport mechanisms

Page 30:

Capturing the patient consent act

• One of the Affinity Domain consent policies is used
• A CDA document captures the act of signing
  • Effective time (start and sunset)
  • XDS-SD: capture of a wet signature from paper
  • DSIG: digital signature (patient, guardian, clerk, system)
• XDS metadata
  • templateId: BPPC document
  • eventCodeList: the list of identifiers of the Affinity Domain policies
  • confidentialityCode: could mark this document as sensitive

Page 31:

Marking all XDS documents

• Use XDS metadata: confidentialityCode carries the list of applicable consents
• Consents are enumerated at Affinity Domain level (OID)
• Rules are programmed into each system participating in the Affinity Domain XDS
• The Registry rejects non-conformant confidentialityCodes
• Result: a well-formed vocabulary

Page 32:

Using documents

XDS Query
• *** The Consumer requests specific values
• The result includes the confidentiality codes

XDS Consumer
• Knows the user, patient, setting, intention, urgency, etc.
• Enforces access controls (RBAC) according to the confidentiality codes
• No access is given to documents marked with unknown confidentiality codes
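The Registry-side vocabulary check of page 31 and the Consumer-side decision of page 32 as one added Go example, not code from BPPC or the presentation. The three policy OIDs, the role-to-consent mapping and the rule that one permitted consent on a document suffices are this example's assumptions; what the slides require is that a confidentialityCode outside the Affinity Domain vocabulary is rejected at registration and fails closed at the Consumer, even when another code on the same document would allow access.

```go
package main

import "fmt"

// PolicyOID identifies one Affinity Domain consent policy. These three values
// are made-up placeholders for a domain's published vocabulary.
type PolicyOID string

const (
	ConsentNormal    PolicyOID = "1.2.3.4.5.1" // routine sharing within the domain
	ConsentEmergency PolicyOID = "1.2.3.4.5.2" // emergency ("break-glass") access only
	ConsentResearch  PolicyOID = "1.2.3.4.5.3" // de-identified research use
)

// Vocabulary is what every participating system has programmed in.
var Vocabulary = map[PolicyOID]bool{ConsentNormal: true, ConsentEmergency: true, ConsentResearch: true}

// RegisterCheck is the Registry's rule: reject a submission whose
// confidentialityCode list is empty or names anything outside the vocabulary.
func RegisterCheck(codes []PolicyOID) error {
	if len(codes) == 0 {
		return fmt.Errorf("register rejected: no confidentialityCode")
	}
	for _, c := range codes {
		if !Vocabulary[c] {
			return fmt.Errorf("register rejected: confidentialityCode %q not in the Affinity Domain vocabulary", c)
		}
	}
	return nil
}

// Context is what the Document Consumer knows at the point of care.
type Context struct {
	User      string
	Role      string // assumed roles: "physician", "researcher"
	Emergency bool   // caller asserts an emergency setting (must itself be audited)
}

// rolePolicy maps each role to the consents it may act under; unlisted roles
// get nothing. This mapping is local policy, not part of BPPC.
var rolePolicy = map[string][]PolicyOID{
	"physician":  {ConsentNormal},
	"researcher": {ConsentResearch},
}

// Permit is the Consumer's decision for one document, given the
// confidentialityCodes the XDS query returned for it.
//   1. Any code outside the vocabulary: deny (fail closed, as the slides require).
//   2. Otherwise allow if at least one code is one the caller may act under.
func Permit(ctx Context, codes []PolicyOID) (bool, string) {
	if len(codes) == 0 {
		return false, "document carries no confidentialityCode"
	}
	for _, c := range codes {
		if !Vocabulary[c] {
			return false, fmt.Sprintf("unknown confidentialityCode %q", c)
		}
	}
	allowed := map[PolicyOID]bool{}
	for _, p := range rolePolicy[ctx.Role] {
		allowed[p] = true
	}
	if ctx.Emergency {
		allowed[ConsentEmergency] = true
	}
	for _, c := range codes {
		if allowed[c] {
			return true, fmt.Sprintf("permitted under consent %s", c)
		}
	}
	return false, "no consent on the document covers this user and setting"
}

// QueryEntry is the part of a query result the decision needs.
type QueryEntry struct {
	DocumentID string
	Codes      []PolicyOID
}

// Filter applies Permit to a whole query result and returns the document IDs
// the caller may go on to retrieve, in Registry order.
func Filter(ctx Context, result []QueryEntry) []string {
	var visible []string
	for _, e := range result {
		if ok, _ := Permit(ctx, e.Codes); ok {
			visible = append(visible, e.DocumentID)
		}
	}
	return visible
}
```

The order of the two loops in `Permit` is deliberate: the unknown-code check runs before any role lookup, so a document tagged with both a permitted consent and an unrecognised one is withheld rather than shown on the strength of the code the Consumer happens to understand.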

Page 33:

Example: XDS and Security

Page 34:

XDS Security Use-Cases

Supported today:
• Prevent indiscriminate attacks (worms)
• Normal patient that accepts XDS participation
• Patient asks for an accounting of disclosures
• Protect against a malicious neighbour doctor
• Patient that retracts consent to publish
• Provider privacy
• Malicious data mining

Not directly supported with IHE technology (applications can provide this functionality in their features, e.g. portals):

Use case                              Approach
Access to emergency data set          All XDS open, or no access
VIP                                   Don't publish, or use a special domain
Domestic violence patient             Don't publish anything
Daughter with sensitive tests         Don't publish, or use a special domain
Sensitive topics                      Don't publish, or use a special domain
Legal guardian (cooperative)          Local enforcement
Care giver (assists with care)        Local enforcement

Page 35:

Current XDS Security Profiles

Affinity Domain Policy (singular): all "actors" that participate must agree to enforce these policies

XDS
• Patient-centric queries: a query exposes ONE patient

ATNA
• Confidentiality, integrity, accountability
• Accountability is distributed
• Access controls at the point of care (sensitive to context)

Digital Signature Content Profile (DSIG)

Enhanced locally by EUA and PWP

Basic Patient Privacy Consent (BPPC)

Page 36:

IHE Security Profiles - WIP

XUA, Cross-Enterprise Authentication
• Federated identity management
• SAML 2.0
• Wait for maturity

Access Control Mechanism
• RBAC

Page 37:

XDS Security model

[Figure: an EHR workstation (browser) and an EHR system / PHR portal act as the XDS Consumer. The Consumer is layered as user authentication + user interface over business logic + policy enforcement, and calls the Registry, Repository A, Repository B, the PIX service, the PDQ service, the ATNA service, an identity service and an RBAC service.]

Page 38:

XDS Security Transactions

[Figure: an XDS Affinity Domain (NHIN sub-network) with a community clinic (lab information system, PACS), a teaching hospital (PACS, ED application, EHR system) and a physician office (EHR system, PMS). They use the XDS transactions Provide & Register Docs, Register Document, Query Document and Retrieve Document against the XDS Document Registry and the XDS Document Repositories; every node sends its records to an ATNA audit record repository and runs Maintain Time against the CT time server.]

Page 39:

XDS Security Transactions (cont.)

[Figure: the same Affinity Domain as on page 38, with a state-run RHIO added that operates its own ATNA audit record repository next to the domain's.]

Page 40:

Thank you