Federated, Secure Trust Networks for Distributed
Healthcare IT Services
Alfred Weaver, Samuel Dwyer, Andrew Snyder, Jim Van Dyke,
Tim Mulholland, James Hu, Xiaohui Chen, Andrew Marshall
Industrial Informatics Applied to Healthcare
Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires:
privacy of patient encounters
security of patient data
encryption of medical information when stored or transmitted
access controls to retrieve information
audit logs of data access
Healthcare Informatics Portal
Common medical data portal: doctors, patients and staff each see a customized view; allied health services exchange information electronically
Authentication of users: biometric and conventional methods
Authorization of access: role-based access control model
Strong encryption of all data
All built on a web services model
[Figure: Medical Data Portal Web Services. Components: Authentication Service, Authorization Service, Rule Engines, Electronic Patient Record. The numbered call sequence (1-12) drawn between the components and the portal is not recoverable from the slide text.]
Research Issues
Authentication: who are you?
Mobile devices: what capabilities do you have?
Authorization: what can you do?
Encryption: which algorithm? what length key?
Shared trust: off-network organizations
Authentication
Can support legacy techniques: user ID and passwords, challenge-response
Newer identification technologies: smartcards, access keys
Biometric identification: fingerprints, iris scans, signature analysis, voice recognition, keyboard dynamics, face, hand, finger and ear geometry
Fingerprints
70 points of differentiation (loops, whorls, deltas, ridges)
Even identical twins have differing fingerprint patterns
False positive rate < 0.01%
False negative rate < 1.5%
Can distinguish a live finger; fast to enroll
Inexpensive ($100-$200) for the reader
Iris Scans
Iris has 266 identification degrees of freedom
Identical twins have different iris patterns
False positive rate < 0.01%
False negative rate < 2%
Does take some time and controlled lighting to enroll
Pattern is stored as a data template, not a picture
Some units control light to detect pupil dilation (prove live eye)
Mobile Devices
Legitimate access is no longer limited to desktops or in-hospital devices
Wave of the future includes: PDAs (HP iPAQ Pocket PC h5455 with fingerprint scanner built in), tablet PCs (handwriting recognition), cell phones (voice recognition)
Personal authentication should work using the devices and capabilities available to the legitimate user
Fingerprints with Wireless PDA
HP iPAQ h5455 with fingerprint scanner
Thermal scanner detects live finger
We wrote an authentication web service:
--send fingerprint pattern to service
--compare against database of enrollees
--confirm or deny identity
--send confirmation to web portal
--write cookie to device
--cookie becomes an identification token containing:
--who the individual is
--how identity was confirmed
--trust level of the identification, e.g., iris scan > fingerprint > password
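As an added illustration of the token-issuing step above (this is example code, not the UVA project's web service): the authentication service matches the presented fingerprint against its enrollees and, on success, issues a token carrying who the person is, how identity was confirmed, and a trust level with the iris > fingerprint > password ordering. The token is HMAC-signed under a key held by the service, so a device cannot forge a cookie or raise its own trust level, and it expires. The trust-level numbers, the key, the enrollee database and the hash-based matcher (a stand-in for real minutiae comparison) are assumptions made for this example. One caveat a deployment must handle separately: a fingerprint pattern sent over the network is a replayable credential, so the transport itself needs to be encrypted and authenticated.

```python
"""Identity-token issuance for a fingerprint authentication web service.
Added example, not the project's code; keys, trust scale and enrollee data are
constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed trust scale: stronger methods get a higher level (iris > fingerprint > password).
TRUST_LEVELS = {"password": 1, "fingerprint": 2, "iris": 3}

# Constructed enrollee database: subject -> hash of the enrolled fingerprint template.
# A real matcher compares minutiae with a tolerance; a hash stands in here.
ENROLLEES = {"dr_smith": hashlib.sha256(b"template-smith").hexdigest()}

# Key known only to the authentication service (and the portal that validates cookies).
TOKEN_KEY = secrets.token_bytes(32)


def match_fingerprint(subject, template):
    """Compare the presented template against the enrolled one for this subject."""
    enrolled = ENROLLEES.get(subject)
    if enrolled is None:
        return False
    return hmac.compare_digest(enrolled, hashlib.sha256(template).hexdigest())


def issue_token(subject, method, ttl_s=3600, now=None):
    """Build the identification token: claims, base64-encoded, plus an HMAC over them."""
    now = int(now if now is not None else time.time())
    claims = {
        "sub": subject,                   # who the individual is
        "method": method,                 # how identity was confirmed
        "trust": TRUST_LEVELS[method],    # trust level of the identification
        "iat": now,
        "exp": now + ttl_s,
        "jti": secrets.token_hex(8),      # unique id, lets a trust authority look the token up
    }
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_token(token, now=None):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):      # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(now if now is not None else time.time())
    if claims["exp"] <= now:
        return None
    return claims


def authenticate(subject, template, now=None):
    """The service's decision: confirm (return a token) or deny (return None)."""
    if not match_fingerprint(subject, template):
        return None
    return issue_token(subject, "fingerprint", now=now)


if __name__ == "__main__":
    tok = authenticate("dr_smith", b"template-smith")
    print("issued:", tok)
    print("claims:", verify_token(tok))
    print("denied:", authenticate("dr_smith", b"not-the-enrolled-finger"))
```

The portal treats the token as opaque except for the claims it verifies; because the trust level is inside the signed body, a later authorization step can require, for example, a level of at least 2 (fingerprint or better) for sensitive sections of the record.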
Authorization
Now that we know who you are, what are you allowed to do?
Use role-based access control
Roles for people with different privileges: attending physician, referring physician, medical fellows, medical students, physician consultants, other healthcare staff (nurses), technologists (diagnostic imagery), technicians (lab results), patient
Plus roles for other entities (insurance, pharmacy)
Authentication Rule Engine
[Figure: the rule engine takes an identity token and an access request as inputs, evaluates them against rules instantiated from hospital-administration rule templates, and outputs an authorization token.]
Authorization Rule Templates
Who accesses the Electronic Patient Record: a grid with one row per role and one column per record section, each cell marked Can or Can not.
Roles (rows): Attending, Referring, Fellow, Student, Technician, Technologist, Patient, Insurance, Billing, Pharmacy, Med records
Record sections (columns): Demographics, Clinical notes, Lab notes, Diagnostic images, Psych evaluation
Cell values: Can / Can not (the filled-in grid is not recoverable from the slide text)
Authorization Rule Engine
More complicated in practice: doctor needs consultation; doctor on vacation; doctors practicing in groups (surgeons, radiologists); emergencies
Encryption
Which encryption method? DES, 3DES, AES, RSA, others; what length key?
Unintended consequences: UVA does 380,000 radiological exams annually and produces 9 TB of data every year. Encrypting one 3 MB chest x-ray is no problem, but CT and MR produce 500-1000 slices per study, each slice is a file, and a typical MR study is 68 MB.
What is the workflow impact of encrypting/decrypting a 68 MB file each time it is touched?
Trust Networks
Trust, legitimately established, should be shared across the enterprise: pharmacies, insurance companies, outpatient services
How does trust get quantified? How does trust get shared? WS-Trust does not yet provide guidance
Trust Networks
Identification tokens
Authorization tokens
Encryption
Digital signature
Trust credentials
Dynamic negotiation of credentials
Banks do this with ATMs; we need to do it among cooperating healthcare providers
Trust Authority
A trust authority rates each attribute of a participant against a set of criteria:

Attribute                   | Criterion 1                 | Criterion 2                 | ... | Criterion N         | Rating
Identification Reliability  | False positive rate < 0.1%  | False negative rate < 1.0%  | ... | Availability > 0.99 | 4.7 out of 10
Electronic Prescriptions
Physician:
1. Encrypt prescription (doctor, medicine, details)
2. Encrypt physician's identity token
3. Digitally sign message
4. Transmit to pharmacy
Pharmacy:
5. Check digital signature
6. Decrypt prescription
7. Decrypt physician's identity token
8. Is this a valid physician?
9. Send identity token to trust authority
10. Check how identity was established
11. Recover trust level
12. Is trust level acceptable?
13. Accept or reject
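The exchange above, written out with both sides' messages as an added example (not the project's code). It covers the signing, signature-check, physician-validity, trust-authority lookup and trust-threshold steps; the encryption steps are left out, so the message body here is the plaintext a real deployment would encrypt before signing. The signature is an HMAC under a key the two sites share, a stand-in for the public-key digital signature the slide calls for; the physician registry, the trust authority's token records, the trust scale and the per-schedule trust thresholds are constructed for the example. It also adds a duplicate-prescription check, because a signed message that verifies once verifies every time it is resent.

```python
"""Physician-to-pharmacy e-prescription exchange. Added example, not the
project's code; the key, registries and policy are constructed values and the
HMAC stands in for a public-key signature."""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-shared-signing-key"

# Trust authority's records (constructed): identity token id -> who, and how identity was established.
TRUST_AUTHORITY = {
    "tok-1": {"sub": "dr_smith", "method": "iris"},
    "tok-2": {"sub": "dr_smith", "method": "password"},
}
TRUST_LEVEL = {"password": 1, "fingerprint": 2, "iris": 3}   # assumed scale

VALID_PHYSICIANS = {"dr_smith"}                 # pharmacy's prescriber registry (constructed)
MIN_TRUST = {"standard": 2, "controlled": 3}    # policy (constructed): required trust by drug schedule
FILLED = set()                                  # prescription ids already accepted (replay guard)


def physician_send(prescription, identity_token_id):
    """Physician side: bundle the prescription with the identity token and sign the bundle."""
    body = json.dumps({"prescription": prescription, "identity_token": identity_token_id},
                      sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def trust_authority_lookup(token_id):
    """Trust authority side: report who the token belongs to and the trust level of how it was issued."""
    rec = TRUST_AUTHORITY.get(token_id)
    if rec is None:
        return None
    return rec["sub"], TRUST_LEVEL[rec["method"]]


def pharmacy_receive(msg):
    """Pharmacy side: verify, validate the physician, recover the trust level, accept or reject."""
    expected = hmac.new(SIGNING_KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        return False, "bad signature"
    data = json.loads(msg["body"])
    rx = data["prescription"]
    looked_up = trust_authority_lookup(data["identity_token"])
    if looked_up is None:
        return False, "unknown identity token"
    subject, trust = looked_up
    if subject != rx["physician"]:
        return False, "identity token does not belong to the prescribing physician"
    if subject not in VALID_PHYSICIANS:
        return False, "not a valid physician"
    if trust < MIN_TRUST[rx["schedule"]]:
        return False, "trust level too low for this prescription"
    if rx["id"] in FILLED:
        return False, "duplicate prescription"
    FILLED.add(rx["id"])
    return True, "accepted"


if __name__ == "__main__":
    rx = {"id": "rx-demo", "physician": "dr_smith", "medicine": "amoxicillin 500 mg",
          "schedule": "standard"}
    msg = physician_send(rx, "tok-1")
    print(pharmacy_receive(msg))
    print(pharmacy_receive(msg))   # second presentation of the same prescription is refused
```

Binding the physician's identity token inside the signed body (as the slide does) matters: a signature over ciphertext alone proves only that someone sent that ciphertext, so a relay could strip it and re-sign with its own key; the identity inside the content, checked against the token's owner, closes that gap.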
Summary of Issues
Authentication: mobile access technologies, biometric identification
Authorization rule engine: role-based access control, simplified rule administration
Trust sharing: dynamic negotiation of trust credentials
Acknowledgements
Funding for this project provided by David Ladd and Tom Healy, University Research Program, Microsoft Research, Microsoft Corporation