Post on 01-Apr-2015
What IHE Delivers, September 2005
ITI Security Profiles – ATNA, CT, EUA, PWP, DSIG
IHE Vendors Workshop 2006
IHE IT Infrastructure Education
Robert Horn, Agfa Healthcare
IT Infrastructure Profiles

2004
• Patient Identifier Cross-referencing for MPI (PIX)
• Retrieve Information for Display (RID)
• Consistent Time (CT)
• Patient Synchronized Applications (PSA)
• Enterprise User Authentication (EUA)

2005
• Patient Demographic Query (PDQ)
• Cross Enterprise Document Sharing (XDS)
• Audit Trail and Node Authentication (ATNA)
• Personnel White Pages (PWP)

2006
• Document Digital Signature (DSG)
• Notification of Document Availability (NAV)
• Patient Administration/Management (PAM)
IHE and PHI Protection

• User Identity → PWP, EUA
• User Authentication → EUA
• Node Authentication → ATNA
• Security Audit Trails → ATNA
• Data Integrity Controls → CT, ATNA TLS option
• Data Confidentiality → ATNA TLS option
• Access Controls → Future item in IHE roadmap
Audit Trail and Node Authentication (ATNA)

• Defines basic security features for an individual system for use as part of the security and privacy environment for a healthcare enterprise.
• Extends the IHE radiology oriented Basic Security profile (defined in 2002) to be applicable to other healthcare uses.
• Provides host level authentication, which is used in conjunction with the user authentication from EUA.
ATNA Value Proposition

Protect Patient Privacy and System Security:
• Meet ethical and regulatory requirements

Enterprise Administrative Convenience:
• Unified and uniform auditing system
• Common approach from multiple vendors simplifies definition of enterprise policies and protocols.
• Common approach simplifies administration

Development and support cost reduction through Code Re-use:
• Allows vendors to leverage a single development effort to support multiple actors
• Allows a single development effort to support the needs of different security policies and regulatory environments.
ATNA Assets protected

Patient and Staff Safety
• ATNA provides minor protections by restricted network access
• Most safety related protection is elsewhere in products

Patient and Staff Health
• As with Safety, ATNA provides minor protection

Patient and Staff Privacy
• Access Control at the node level can be enforced.
• Audit Controls at the personal level are supported.
• Note that in Europe there are significant staff privacy protections, not just patient privacy protections, in the laws.
ATNA Security Requirements

Reasons: Clinical Use and Privacy
• Authorized persons must have access to medical data of patients, and the information must not be disclosed otherwise.
• Unauthorized persons should not be able to interfere with operations or modify data.

By means of procedures and security mechanisms, guarantee:
• Confidentiality
• Integrity
• Availability
• Authenticity
ATNA Security Measures

Authentication: Establish the user and/or system identity, answers the question: “Who are you?”
• ATNA defines: How to authenticate network connections.
• ATNA supports: Authentication mechanisms, e.g. Enterprise User Authentication (EUA) or Cross Enterprise User Authentication (XUA).

Authorization and Access control: Establish the user’s ability to perform an action, e.g. access to data, answers the question: “Now that I know who you are, what can you do?”
• ATNA defines: How to authorize network connections.
• ATNA requires: System internal mechanisms for both local and network access.
ATNA Security Measures

Accountability and Audit trail: Establish a historical record of a user’s or system’s actions over a period of time, answers the question: “What have you done?”
• ATNA defines: Audit message format and transport protocol
ATNA IHE Goal

• IHE makes cross-node security management easy: only a simple manual certificate installation is needed, although more sophisticated systems can be used.
• Separate the authentication, authorization, and accountability functions to accommodate the needs of different approaches.
• Enforcement driven by ‘a posteriori audits’ and real-time visibility.
ATNA Integrating Trusted Nodes

[Diagram: System A and System B, each a Secured System, communicate over a Secure network; both report to a Central Audit Trail Repository.]

Secure network:
• Strong authentication of remote node (digital certificates)
• Network traffic encryption is not required, it is optional

Secured System:
• Local access control (authentication of user)
• Audit trail with:
  – Real-time access
  – Time synchronization
ATNA Suitable Network Environments

Physically secured networks
• Explicit physical security preventing access by other nodes, or
• VPN and VLAN technologies that provide equivalent network isolation.

Protected networks
• Physical security that prevents modification or installation of unauthorized equipment
• The network is shared with other authorized nodes within the enterprise that should not have unrestricted access to patient information.

Unprotected networks
• Not generally supported, although nodes with sufficient node level security and using encryption may be safe.
ATNA Node Security

• ATNA specifies some of the capabilities that are needed, e.g. access control.
• ATNA does not specify policies.
• ATNA does not specify mechanisms, although other IHE protocols like EUA are obvious candidates.
• This permits vendors and enterprises to select technologies and policies that are appropriate to their own purposes without conflicting with the ATNA profile.
ATNA Node Authentication

• X.509 certificates for node identity and keys
• TCP/IP Transport Layer Security Protocol (TLS) for node authentication, and optional encryption
• Secure handshake protocol of both parties during Association establishment:
  – Identify encryption protocol
  – Exchange session keys
• Actor must be able to configure a certificate list of authorized nodes.
• ATNA presently specifies mechanisms for HTTP, DICOM, and HL7
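The two gates described on this slide, a mutually authenticated TLS handshake and a configured list of authorized node certificates, are shown below as an added Python example; it is not code from the slides or from IHE. The certificate file paths, the node names and the DER byte strings standing in for certificates are constructed for the example, and the allow-list is keyed by SHA-256 fingerprint of the DER certificate, which is one reasonable way to implement the "certificate list of authorized nodes" the profile requires.

```python
import hashlib
import ssl

# Constructed sample: byte strings standing in for the DER encoding of two
# node certificates. A real node would use the peer's DER certificate as
# returned by SSLSocket.getpeercert(binary_form=True).
AUTHORIZED_NODE_CERTS_DER = {
    "pacs.example.org": b"constructed-der-for-pacs",
    "ris.example.org": b"constructed-der-for-ris",
}


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_authorized_fingerprints(certs_der: dict) -> dict:
    """Map fingerprint -> node name: the configured list of authorized nodes."""
    return {cert_fingerprint(der): name for name, der in certs_der.items()}


def build_node_context(ca_file=None, cert_file=None, key_file=None) -> ssl.SSLContext:
    """TLS context for a secure node accepting connections.

    The peer must present a certificate (mutual authentication) that chains
    to the CA bundle in ca_file; cert_file/key_file identify this node.
    The file paths are assumptions; when None, nothing is loaded so the
    context can be built offline."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # a peer without a certificate is rejected
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def context_requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """Sanity check a deployment can run at startup."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.minimum_version == ssl.TLSVersion.TLSv1_2


def authorize_peer(peer_der: bytes, authorized: dict):
    """Second gate after the handshake: being signed by a trusted CA is not
    enough, the certificate must be on the configured allow-list.

    Returns (node_name, None) on success or (None, reason) on failure; the
    caller should record a Node-authentication-failure audit event and drop
    the association on failure."""
    fp = cert_fingerprint(peer_der)
    name = authorized.get(fp)
    if name is None:
        return None, f"certificate {fp[:23]}... not in authorized node list"
    return name, None


if __name__ == "__main__":
    allow = build_authorized_fingerprints(AUTHORIZED_NODE_CERTS_DER)
    print(authorize_peer(b"constructed-der-for-pacs", allow))
    print(authorize_peer(b"some-other-der", allow))
```

Keeping the allow-list check separate from the TLS context is what lets the "simple manual certificate installation" of the later IHE Goal slide work: the CA bundle can stay small or even be the peer certificates themselves, while the fingerprint list is the operational record of which nodes the site administration has approved.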
Why Node Authentication

• Many systems are shared access, e.g. CT systems, where the machine identity is more important than the operator’s identity for security purposes.
  – A CT operator is only permitted to update CT records from a CT system.
• Some systems operate autonomously, e.g. PACS archive.
  – Knowing the identity of the PACS administrator on duty is not useful when monitoring PACS activity. There might be nobody logged in.
• Machine access is usually controlled by the site administration.
  – Even authorized users are not permitted to use personal machines.
Secure Node vs Application

• IHE uses the grouping mechanism to state that in the finished system or environment both the application and the secure node must be present.
• It is possible to be an application supporting ATNA transactions without being a Secure Node:
  – Server applications
  – Plug-in applications
• Those security facilities that are within the scope of the application must be provided:
  – ATNA logging of relevant events
  – Within-application authentication, signature, etc.
• External security facilities are the responsibility of the secure node actor:
  – File system security, etc.
ATNA Auditing System

• Designed for surveillance rather than forensic use.
• Two audit message formats:
  – IHE Radiology interim format, for backward compatibility with radiology
  – IETF/DICOM/HL7/ASTM format, for future growth
    • DICOM Supplement 95
    • IETF Draft for Common Audit Message
    • ASTM E.214
    • HL7 Audit Informative documents
• Both formats are XML encoded messages, permitting extensions using XML standard extension mechanisms.
ATNA Auditable Events

• Actor-start-stop – The starting or stopping of any application or actor.
• Audit-log-used – Reading or modification of any stored audit log.
• Begin-storing-instances – The storage of any persistent object, e.g. DICOM instances, is begun.
• Health-service-event – Other health service related auditable event.
• Images-availability-query – The query for instances of persistent objects.
• Instances-deleted – The deletion of persistent objects.
• Instances-stored – The storage of persistent objects is completed.
• Medication – Medication is prescribed, delivered, etc.
• Mobile-machine-event – Mobile equipment is relocated, leaves the network, rejoins the network.
• Node-authentication-failure – An unauthorized or improperly authenticated node attempts communication.
• Order-record-event – An order is created, modified, completed.
• Patient-care-assignment – Patient care assignments are created, modified, deleted.
• Patient-care-episode – Auditable patient care episode event that is not specified elsewhere.
• Patient-record-event – Patient care records are created, modified, deleted.
• PHI-export – Patient information is exported outside the enterprise, either on media or electronically.
• PHI-import – Patient information is imported into the enterprise, either on media or electronically.
• Procedure-record-event – The patient record is created, modified, or deleted.
• Query-information – Any auditable query not otherwise specified.
• Security-administration – Security alerts, configuration changes, etc.
• Study-object-event – A study is created, modified, or deleted.
• Study-used – A study is viewed, read, or similarly used.
ATNA Record Audit Event

• BSD Syslog protocol (RFC 3164) is the interim approach while the IETF continues to resolve issues surrounding Reliable Syslog (RFC 3195).
• Audit trail events and content based on IETF, DICOM, HL7, and ASTM standards. Also, the Radiology Basic Security audit event format is allowed for backward compatibility.
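As an added Python example (not code from the slides or from IHE), the following builds an XML audit message, wraps it in an RFC 3164 BSD syslog line, and then does what the audit record repository side does: parses the line back and runs a surveillance query over it. The element and attribute names follow the RFC 3881 / DICOM Supplement 95 AuditMessage layout, which is the IETF/DICOM format the Auditing System slide refers to; the event names are taken from the slides' auditable-events list. The syslog facility and severity, the code system name, the hosts, addresses, user names and the sample traffic are constructed for the example and are not values the profile fixes.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed choices for this example. RFC 3164 PRI = facility * 8 + severity;
# facility 10 is security/authorization (authpriv), severity 5 is notice.
SYSLOG_FACILITY = 10
SYSLOG_SEVERITY = 5

# EventOutcomeIndicator values as defined in RFC 3881: 0 = success, 4 = minor failure.
OUTCOME_SUCCESS = "0"
OUTCOME_MINOR_FAILURE = "4"


def build_audit_message(event_name, outcome, user_id, source_node, audit_source, when):
    """XML AuditMessage with EventIdentification, one ActiveParticipant and the
    AuditSourceIdentification. The EventID code reuses the slide's event name
    under a constructed code system name (a deployment would use the DCM codes)."""
    root = ET.Element("AuditMessage")
    ev = ET.SubElement(root, "EventIdentification",
                       EventActionCode="E",
                       EventDateTime=when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                       EventOutcomeIndicator=outcome)
    ET.SubElement(ev, "EventID", code=event_name, codeSystemName="IHE-ATNA-EXAMPLE",
                  displayName=event_name)
    ET.SubElement(root, "ActiveParticipant", UserID=user_id, UserIsRequestor="true",
                  NetworkAccessPointID=source_node, NetworkAccessPointTypeCode="1")
    ET.SubElement(root, "AuditSourceIdentification", AuditSourceID=audit_source)
    return ET.tostring(root, encoding="unicode")


def to_syslog_line(xml_msg, hostname, when):
    """BSD syslog (RFC 3164) line: <PRI>TIMESTAMP HOSTNAME MSG.
    The timestamp is 'Mmm dd hh:mm:ss' with a space-padded day of month."""
    pri = SYSLOG_FACILITY * 8 + SYSLOG_SEVERITY
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {xml_msg}"


SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_syslog_line(line):
    """Repository side: split PRI, timestamp and host, then parse the XML payload."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    pri = int(m.group(1))
    root = ET.fromstring(m.group(4))
    event = root.find("EventIdentification")
    participant = root.find("ActiveParticipant")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "host": m.group(3),
        "event": event.find("EventID").get("code"),
        "outcome": event.get("EventOutcomeIndicator"),
        "user": participant.get("UserID") if participant is not None else None,
        "node": participant.get("NetworkAccessPointID") if participant is not None else None,
    }


def node_auth_failures_by_node(lines):
    """Surveillance query: Node-authentication-failure events per offending
    network access point, the kind of real-time visibility the slides describe."""
    counts = {}
    for line in lines:
        rec = parse_syslog_line(line)
        if rec["event"] == "Node-authentication-failure":
            counts[rec["node"]] = counts.get(rec["node"], 0) + 1
    return counts


# Constructed sample traffic from two secure nodes, "pacs" and "ris".
_T = datetime(2006, 1, 15, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    to_syslog_line(build_audit_message("Actor-start-stop", OUTCOME_SUCCESS,
                                       "pacs-service", "10.0.0.5", "PACS", _T), "pacs", _T),
    to_syslog_line(build_audit_message("Node-authentication-failure", OUTCOME_MINOR_FAILURE,
                                       "unknown", "10.0.0.99", "PACS", _T), "pacs", _T),
    to_syslog_line(build_audit_message("Node-authentication-failure", OUTCOME_MINOR_FAILURE,
                                       "unknown", "10.0.0.99", "RIS", _T), "ris", _T),
    to_syslog_line(build_audit_message("Study-used", OUTCOME_SUCCESS,
                                       "dr.jones", "10.0.0.7", "RIS", _T), "ris", _T),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    print(node_auth_failures_by_node(SAMPLE_LINES))
```

Because RFC 3164 syslog runs over UDP with no acknowledgement, a repository built this way should also watch for gaps (for example an Actor-start-stop from a node that never sent anything again), which is part of why the slide calls the BSD protocol an interim approach pending Reliable Syslog.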
XDS Affinity Domain (NHIN sub-network)

[Diagram: an XDS Affinity Domain containing a Community Clinic (Lab Info. System, PACS), a Teaching Hospital (PACS, ED Application, EHR System) and a Physician Office (EHR System, PMS). The XDS Document Registry and XDS Document Repository carry the Provide & Register Docs, Register Document, Query Document and Retrieve Document transactions. Each site's Import, Export and Query activity is reported to the ATNA Audit record repository (Accountability), and every node performs Maintain Time against the CT Time server.]
Consistent Time (CT)

• Network Time Protocol (NTP) version 3 (RFC 1305) for time synchronization
• Actor must support manual configuration
• Required accuracy: 1 second
• Optionally Secure NTP may be used
• Required for use of ATNA, EUA, XUA
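The 1 second requirement is checked against the clock offset that an NTP exchange yields, so the following added Python example (not code from the slides or from IHE) builds an NTPv3 client request, decodes a server reply, and applies the RFC 1305 offset and delay formulas to the four timestamps T1 (client send), T2 (server receive), T3 (server send) and T4 (client receive). The server reply and the timestamp values are constructed so the example runs offline; a real actor would send the request over UDP port 123 to a configured server, which this example deliberately does not do.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
NTP_VERSION = 3
MODE_CLIENT = 3
MODE_SERVER = 4
CT_REQUIRED_ACCURACY_S = 1.0   # the Consistent Time profile's required accuracy


def ntp_timestamp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_timestamp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix time as a float."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(transmit_unix: float) -> bytes:
    """48-byte NTPv3 client packet: LI=0, VN=3, Mode=3 in the first byte,
    T1 in the transmit timestamp field (bytes 40..47), everything else zero."""
    first = (0 << 6) | (NTP_VERSION << 3) | MODE_CLIENT
    return bytes([first]) + bytes(39) + struct.pack("!Q", ntp_timestamp(transmit_unix))


def build_server_reply(originate_unix: float, recv_unix: float, xmit_unix: float) -> bytes:
    """Constructed server reply (LI=0, VN=3, Mode=4) used in place of a network
    exchange: originate (T1 echoed), receive (T2) and transmit (T3) timestamps
    occupy bytes 24..47."""
    first = (NTP_VERSION << 3) | MODE_SERVER
    return bytes([first]) + bytes(23) + struct.pack(
        "!QQQ", ntp_timestamp(originate_unix), ntp_timestamp(recv_unix), ntp_timestamp(xmit_unix))


def parse_server_reply(packet: bytes):
    """Return (version, mode, T2, T3) from a 48-byte reply; reject short packets."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    version = (packet[0] >> 3) & 0x7
    mode = packet[0] & 0x7
    recv_ts, xmit_ts = struct.unpack("!QQ", packet[32:48])
    return version, mode, from_ntp_timestamp(recv_ts), from_ntp_timestamp(xmit_ts)


def offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """RFC 1305: offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2).
    A positive offset means the local clock is behind the server."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def within_ct_accuracy(offset: float) -> bool:
    """True when the local clock is within the profile's 1 second of the server."""
    return abs(offset) <= CT_REQUIRED_ACCURACY_S


if __name__ == "__main__":
    # Constructed scenario: the local clock reads 1000.0 when the request is
    # sent and 1000.2 when the reply arrives; the server's clock is about 1.5 s ahead.
    t1, t4 = 1000.0, 1000.2
    reply = build_server_reply(t1, 1001.6, 1001.7)
    _, _, t2, t3 = parse_server_reply(reply)
    offset, delay = offset_and_delay(t1, t2, t3, t4)
    print(f"offset={offset:.3f}s delay={delay:.3f}s ok={within_ct_accuracy(offset)}")
```

With the constructed values the offset comes out at about 1.55 s, so the node is outside the profile's tolerance and its audit timestamps could not be correlated reliably with other nodes' records until it resynchronizes; the round-trip delay of 0.1 s bounds the error in that estimate.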
Enterprise User Authentication - EUA

• Support a single enterprise governed by a single set of security policies and having a common network domain.
• Establish one name per user to be used for all IT applications and devices.
• Facilitate centralized user authentication management.
• Provide users with single sign-on.
EUA – Transaction Diagram
Personnel White Pages (PWP)

• Provide access to basic information about the human workforce members. Does not include Patients.
• Defines method for finding the PWP
• Defines query/access method
• Defines attributes of interest
PWP - Transactions

[Diagram: the Personnel White Pages Consumer sends Find Personnel White Pages to a DNS Server, then sends Query for Healthcare Workforce Member Info to the Personnel White Pages Directory.]
What it takes to be a secure node

The Secure node is not a simple add-on of an auditing capability. The complete work effort includes:
• Instrumenting all applications to detect auditable events and generate audit messages.
• Ensuring that all communications connections are protected.
• Establishing a local security mechanism to protect all local resources.
• Establishing configuration mechanisms for:
  – Time synchronization using the Consistent Time (CT) profile
  – Certificate management
  – Network configuration
• Implementing the audit logging facility
What it takes to be a secure node

• The entire host must be secured, not just individual actors.
• The entire host must have appropriate user access controls for identification, authentication, and authorization.
• All communications that convey protected information must be authenticated and protected from interception. This means every protocol, not just the IHE transactions.
• All health information activities should generate audit trails, not just the IHE actors.
Document Digital Signature (DSG)

• Provide signature mechanism
• Provide verification/validation mechanism
• Provide signature attributes
• XDS manages document and signature
• Allows direct access to document (XDS)
Document Digital Signature (DSG)

• Digital Signature Document format
• Leverages XDS for signature by reference
• New document type in XDS – Linkage forward and back.
• Profiles single / multiple signatures
• Profiles nested signatures
• Provide signature integrity across intermediary processing