openPASS Open Privacy, Access and Security Services “Quis custodiet ipsos custodes?”


Page 1: Title slide (openPASS, Open Privacy, Access and Security Services; “Quis custodiet ipsos custodes?”).

Page 2: openPASS Phase 1 Proposed Scope

Phase 1 openPASS Services are intended to provide the basic capabilities that allow a patient or provider to request access to patient health information from a protected resource and, based upon the security and privacy policies applied by the resource, have that access either granted or denied. To accomplish this objective, Phase 1 openPASS Services must provide at least basic functionality for:

• Patient Identity Resolution
• Provider Identity Authentication, Assertion and Validation
• Provider Credential Assertion
• Point-to-Point and Message-based Document/Message Transport
• Policy-driven Access Control Decisions and Enforcement
• Audit Event Record Generation and Submission to Audit Logging Services

Page 3: openPASS and HL7 SOA-PASS: Service Functional Models and Platform Independent Models.

Page 4: Guiding Principles

• Service Orientation
• Focus on gaps in existing standards or adaptation to service environment
• Platform Independent
• Policy-driven
• Composable

Page 5: openPASS Services in Architectural Context (diagram). Elements shown: Health Service Bus; PASS Common Service; Patient Identifier Service; Protected Resource; Workstation; UI Services; Terminology Services; HL7 V3 Services; Admin Support Services; Clinical Support Services; Process; EHR Registry; EHR Repository; Runtime Platform Messages; Infrastructure Service; Terminology Service. PASS Services are attached at several points of the bus.

Page 6: Service inventory diagram. Inventories shown: PASS Service Inventory, Terminology Service Inventory, Clinical Document Service Inventory, Process Service Inventory, Utility Service Inventory and Message Transport Service Inventory, together with UI Services and Process Executive Services. A Generic Process/Service is drawn with layers labelled Code, Schema, Policy, Configuration and Data Objects, above a Network Layer carrying platform messages and internet messages.

Page 7: AAA concept diagram.

• Authentication: the User presents an Identifier and Authentication Factors and receives an Identity Token, validated against the default or asserted Identity Provider; support for “cross realm” identity federation.
• Authorization: Identity and Credential Tokens and other Assertions are processed as claims against Policies to determine Access Privileges for the targeted Resource, yielding an Access Decision.
• Access Enforcement: the Request Resource Access step is enforced at the Resource.
• Audit (aka Accounting in “AAA”): each step, marked A, invokes submitAuditRecord.
• Binding chain: Entity, Identifier, Identity and Credential are linked by “binds to” relationships.

Page 8: Subprojects

• Federated Identity Resolution
• Policy-driven Access Control
• Audit

Page 9: Typical Health ID Federation Topology (diagram). A HIDN vHIN under a vHIN Authority contains Health ID Resolution Services; Identity Providers 1 to n each expose an Authentication Service, and an Identity Provider 2 vHIN is also shown; the User, User Context and Login Service sit on the client side; audit points (A) invoke submitAuditRecord.

Description: Locates and returns the User’s “authoritative” Identity Provider.

Gaps
• Metadata Exchange Schema
• Token Schema
• SFM
• HIDN Federation Agreements
• Reference Implementation

Benefits
• Supports multiple Identity Providers
• Supports pseudonymisation

Page 10: Policy-driven access control diagram. A Service Invocation reaches an Access Enforcement Point in front of the Resource; the Policy Engine evaluates Policy 1 to Policy n against the Identity (x.509 Cert), a Role Assertion and a Consent Directive (obtained through Consent Repository Interaction) and returns the Decision.

Page 11: Audit Service Class Diagram (does not explicitly show the possible Audit Record and Audit Records, i.e. data store or repository, Entity Services). Audit <<service>> interfaces shown: Submit Audit Record, Submit/List/Retrieve/Remove Audit Service Artifacts, Retrieve Audit Records, Query Audit Records, Get Consistent Time, Process Audit Record, [ProcessName] Audit Record, Remove/Archive Audit Record, Submit Notification/Event, Submit Event, Submit Report, Invoke Service.

Possible Audit Service Profiles (just for discussion): <<profile-agent>> and <<profile-submit>> (Submit Audit Record); <<profile-analyze>> (Submit Audit Record, Analyze Audit Record, Submit Notification/Event, Submit Report); <<profile-monitor>> (Submit Audit Record, Monitor Audit Record, Submit Notification/Event); <<profile-repository>> (Submit Audit Record, Retrieve Audit Record, Remove/Archive Audit Record, Submit Report); <<profile-audit event disposition>> (Invoke Service).

Page 12: The Audit Service Class Diagram of Page 11 repeated, with an added Filter Audit Records capability (<<profile-filter>>).

Page 13: Agent and repository profiles. An Audit <<service-utility>> <<profile-agent>> exposes Process Audit Event Data and Submit Audit Record: a Process x submits Audit Event Data or an Audit Record, and the agent accepts, processes, formats and forwards source audit data (i.e. bridge, adapter, agent…) to an Audit <<service-utility>> <<profile-repository>>. Audit data arrive in source (i.e. “Process”) format, which the Audit Service must be able to accept; the forwarded Audit Record must be in a format that the invoked Audit Service can accept.

Page 14: Data Objects. Audit Records may be available as:
• individual Audit Record
• set of Audit Records
• stream of Audit Records
• persisted set of Audit Records
• ? [Process] Audit Records

Capabilities shown with their data objects (diagram): Query Audit Records (with an Event Trigger), Retrieve Audit Records, Filter Audit Records, Monitor Audit Records, Submit Audit Records, Store Audit Records and Analyze Audit Records; each consumes Audit Records and produces Audit Records, Events and/or Reports.

Page 15: Composition diagram. Audit Records may be available as: individual Audit Record, set of Audit Records, stream of Audit Records, persisted set of Audit Records, ? Chains of Filter, Submit, Store and Monitor Audit Records capabilities are shown, passing Audit Records from one stage to the next and emitting Events.

Page 16: Typical Health ID Federation Topology (Standards Domains). The topology of Page 9 annotated with standards domains (WS-*, PASS-IDF and WS-*, SAML), with a Unique ID Service in a UID vHIN added; Identity Tokens (I) and audit points (A, invoking submitAuditRecord) are marked. The Health ID Resolution Service locates and returns the User’s Identity Provider.

Page 17: Typical Health Information Exchange (HIE) Federation Topology (diagram). An HIE Credential Provider vHIN holds HIE Member Credential Providers for Healthcare Organizations 1 to n; an HCO Credential Provider vHIN holds HCO Human Resources Credential Providers for Employees 1 to n; the HIE side has HIE Authorization with Policy Decision Engine, HIE Health Information Exchange with Access Enforcement and an HIE Authority; a vHIN Authority and a PHR 1 vHIN are also shown. Tokens: Identity Token (I), HIE Member Token, Healthcare Org Employee Token. Roles: collects/submits tokens (Standards: WS-*, SAML, PASS); consumes tokens (Standards: WS-*, SAML, XACML, PASS); issues tokens (Standards: WS-*, SAML, PASS). Audit points (A) invoke submitAuditRecord.

Page 18: Typical Policy-Driven Access Control Topology (diagram; Runtime, assumes user authenticated). The PHR 1 vHIN contains the PHR 1 Personal Health Record Service with Access Enforcement and PHR 1 Authorization with Policy Decision Engine, under a PHR 1 Authority Credential Provider. Decision inputs: Credential Provider 1 (User Digital Cert Validation) through Credential Provider n (each in its own vHIN), the Identity Provider Validation Service (Identity Provider vHIN), the Consent Directive Service (Consent Directive vHIN), User Context, Patient Context, Session Context, and Other Authorization Decision Factors. Tokens: Identity Token (I), Healthcare Org Employee Token; audit points (A) invoke submitAuditRecord; HCO and vHIN Authority are shown.

Page 19: openPASS Architecture (diagram). Services: Credential Provider; Access Control Authorization Service; Health ID Resolution Service (HIDN vHIN); PASS Context Service; Identity Provider Authentication Service; Personal Health Record Service (PHR vHIN). Standards annotations: WS-*, OASIS, PASS; WS-*, SAML, PASS; WS-*, SAML; WS-*, PASS-IDF; WS-*, PASS; WS-*, HL7. Message labels (in the order extracted): Request PHR Access; Redirect to Identity Provider; Login; Identifier; Identifier, Assertions; Verified Identity Token; Request Privacy Policy; Request Credential; Verified Credential; Request User Role; User Role Assertion; Request PHR Access, submit credentials; Access Granted, Redirect; Access PHR. Markers: A (invokes PASS submitAuditRecord or equivalent), I and C.

Page 20: Development Plan

• Reference implementations
• Code Base: review and refactor
• WS, Java, .NET components
• Commercialization issues
• Policy Agents for major web and application servers

Page 21: Audit Service Class Diagram, annotated. Audit <<service>> interfaces shown: Submit Audit Record, Submit/List/Retrieve/Remove Audit Service Artifacts, Retrieve Audit Records, Query Audit Records, Get Consistent Time, Process Audit Record, [ProcessName] Audit Record, Remove/Archive Audit Record, Submit Notification/Event, Submit Report, Invoke Service.

The following is intended to introduce the concept—storyboards, use cases and discussion are needed to justify the approach at an SFM level:

The Process Audit Record and [ProcessName] Audit Record interfaces are intended to expose the category of capabilities that operate on one or more Audit Records, resulting in an output of Audit Records, event notifications and/or reports. Process Audit Record anticipates invocation of internally configured or composed capabilities. These interfaces help facilitate a distributed and composable audit architecture.

[ProcessName] Audit Record, where a specific process capability name is substituted for [ProcessName], is a generalized convention for exposing specific process capabilities. Examples that we have considered are Monitor, Notify, Submit and Retrieve. Others that may be useful include Filter, Query, Store, Remove and Analyze. Higher level or composed processes such as the XDAS Audit Event Disposition capability could be exposed in this way.

(Diagram, continued.) Does not explicitly show the possible Audit Record and Audit Records (i.e. data store, repository) Entity Services. Possible Audit Service Profiles (just for discussion): <<profile-agent>> and <<profile-submit>> (Submit Audit Record); <<profile-analyze>> (Submit Audit Record, Analyze Audit Record, Submit Notification/Event, Submit Report); <<profile-monitor>> (Submit Audit Record, Monitor Audit Record, Submit Notification/Event); <<profile-repository>> (Submit Audit Record, Retrieve Audit Record, Remove/Archive Audit Record, Submit Report); <<profile-audit event disposition>> (Invoke Service).

All Provided and Referenced (aka Required) interfaces are optional, although they may be mandatory for a particular SFM profile.

Administrative interface and capabilities still need further discussion. This is an approach that is consistent with some discussion “threads”.
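As an added illustration (not part of the openPASS deck or its reference implementations), the following Python sketch models the Process Audit Record and [ProcessName] Audit Record convention described above: named capabilities (Filter, Monitor and Analyze here; the capability names, record fields and sample records are assumptions) each take one or more Audit Records and return Audit Records, events and/or reports, and Process Audit Record invokes an internally composed chain of them.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List
# Constructed data objects standing in for the deck's Audit Record, Event and Report.
@dataclass(frozen=True)
class AuditRecord:
    time: int       # consistent time (epoch seconds) stamped by the audit service
    actor: str
    resource: str
    outcome: str    # "granted" or "denied"
@dataclass
class ProcessResult:
    records: List[AuditRecord] = field(default_factory=list)
    events: List[str] = field(default_factory=list)
    reports: List[str] = field(default_factory=list)
# [ProcessName] Audit Record capabilities: one or more records in, records/events/reports out.
def filter_audit_records(records: List[AuditRecord]) -> ProcessResult:
    return ProcessResult(records=[r for r in records if r.outcome == "denied"])  # Filter: denials only
def monitor_audit_records(records: List[AuditRecord]) -> ProcessResult:
    hits = Counter((r.actor, r.resource) for r in records if r.outcome == "denied")
    events = [f"repeated denial: {a} on {res} x{n}" for (a, res), n in hits.items() if n >= 3]
    return ProcessResult(records=list(records), events=events)  # Monitor: event on 3+ denials
def analyze_audit_records(records: List[AuditRecord]) -> ProcessResult:
    per_res = sorted(Counter(r.resource for r in records).items())  # Analyze: count per resource
    return ProcessResult(list(records), [], [f"{res}: {n} record(s)" for res, n in per_res])

class AuditService:
    def __init__(self, clock: Callable[[], int], capabilities: Dict[str, Callable]):
        self._clock, self._capabilities = clock, capabilities   # clock = Get Consistent Time
        self._store: List[AuditRecord] = []   # stands in for the Audit Records entity service
    def submit_audit_record(self, actor: str, resource: str, outcome: str) -> AuditRecord:
        rec = AuditRecord(self._clock(), actor, resource, outcome)
        self._store.append(rec)
        return rec
    def process_audit_record(self, chain: List[str]) -> ProcessResult:
        # Internally composed chain: each stage's output records feed the next; events/reports accumulate.
        result = ProcessResult(records=list(self._store))
        for name in chain:
            stage = self._capabilities[name](result.records)
            result = ProcessResult(stage.records, result.events + stage.events, result.reports + stage.reports)
        return result

def build_sample_service() -> AuditService:
    svc = AuditService(lambda: 1700000000, {"Filter": filter_audit_records,   # constructed sample
                       "Monitor": monitor_audit_records, "Analyze": analyze_audit_records})
    for actor, resource, outcome in [("alice", "ehr/patient-42", "denied")] * 3 + [
            ("bob", "ehr/patient-42", "granted"), ("carol", "ehr/patient-7", "denied")]:
        svc.submit_audit_record(actor, resource, outcome)
    return svc
```

Running `build_sample_service().process_audit_record(["Filter", "Monitor", "Analyze"])` filters the five constructed records down to the four denials, raises one repeated-denial event for alice, and reports the per-resource counts of the filtered set.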

Key (Capability Spec Status): Adopted; Discussed; New or “refactored”. The status markers are drawn against each capability on the diagram. Possible Audit Service Profiles (just for discussion), including Monitor Audit Records.