Integrating the Healthcare Enterprise
Enterprise User Authentication and Consistent Time
Glen Marshall, Co-Chair, IHE IT Infrastructure Planning Committee
Sept 13-15, 2004 IHE Interoperability Workshop
IHE IT Infrastructure 2004-2005
Enterprise User Authentication
Provide users a single name and centralized authentication process across all systems
Retrieve Information for Display
Access a patient’s clinical information and documents in a format ready to be presented to the requesting user
Patient Identifier Cross-referencing for MPI
Map patient identifiers across independent identification domains
Patient Synchronized Applications
Synchronize multiple applications on a desktop to the same patient
Consistent Time
Coordinate time across networked systems
Audit Trail & Node Authentication (New)
Centralized privacy audit trail and node to node authentication to create a secured domain.
Patient Demographics Query (New)
Personnel White Page (New)
Access to workforce contact information
Cross-Enterprise Document Sharing (New)
Registration, distribution and access across health enterprises of clinical documents forming a patient electronic health record
Enterprise User Authentication: Scope
Support a single enterprise governed by a single set of security policies and having a common network domain.
Establish one name per user to be used for all IT applications and devices.
Facilitate centralized user authentication management.
Provide users with single sign-on.
Enterprise User Authentication: Value Proposition
Meet a basic security requirement
• User authentication is necessary for most applications and data access operations.
Achieve cost savings/containment
• Centralize user authentication management
• Simplify multi-vendor implementations
Provide workflow improvement for users
• Increase user acceptance through simplicity
• Decrease user task-switching time.
More effective security protection
• Consistency and simplicity yield greater assurance.
Consistent Time: Scope and Value Proposition
Meet a basic security requirement
• System clocks and time stamps of the many computers in a network must be synchronized.
• Lack of consistent time creates a “security hole” for attackers. Synchronization ±1 second is generally sufficient.
Achieve cost savings/containment
• Use the Network Time Protocol (NTP) standard defined in RFC 1305.
• Leverage existing Internet NTP services, a set-up option for mainstream operating systems.
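As an added example, not part of the original deck or of any IHE implementation, the Python below builds an RFC 1305 client request, parses a server reply, computes the clock offset from the four timestamps and applies the deck's ±1 second threshold; the packet builder, the constructed sample reply and every function name are this example's own assumptions. It also refuses replies that a client must not trust (wrong mode, leap indicator 3, stratum 0).

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
TOLERANCE_SECONDS = 1.0         # the deck's "synchronization ±1 second is generally sufficient"
PACKET_FORMAT = "!BBBbIIIQQQQ"  # 48-byte RFC 1305 header ending in four 64-bit timestamps

def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | int((unix_seconds - whole) * (1 << 32))

def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)

def build_client_request(t1_unix: float) -> bytes:
    """Client packet: LI=0, VN=3, Mode=3; only the Transmit Timestamp (T1) is filled in."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    return struct.pack(PACKET_FORMAT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))

def parse_server_response(packet: bytes, t4_unix: float) -> dict:
    """Parse a server (Mode 4) reply received at local time T4 and compute the RFC 1305
    offset = ((T2 - T1) + (T3 - T4)) / 2 and round-trip delay = (T4 - T1) - (T3 - T2)."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(PACKET_FORMAT, packet[:48])
    leap, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4 or leap == 3 or stratum == 0:
        # Mode 4 = server; LI 3 = clock not synchronized; stratum 0 = unspecified/invalid
        raise ValueError("reply is not from a synchronized NTP server")
    t1, t2, t3 = (from_ntp(f[i]) for i in (8, 9, 10))  # originate, receive, transmit
    offset = ((t2 - t1) + (t3 - t4_unix)) / 2
    delay = (t4_unix - t1) - (t3 - t2)
    return {"offset": offset, "delay": delay, "stratum": stratum,
            "within_tolerance": abs(offset) <= TOLERANCE_SECONDS}

def constructed_reply(t1_unix: float, server_skew: float, one_way_delay: float) -> bytes:
    """Constructed server reply: server clock `server_skew` seconds ahead of the client,
    symmetric `one_way_delay`, zero processing time (so T3 == T2)."""
    t2 = t1_unix + one_way_delay + server_skew
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    return struct.pack(PACKET_FORMAT, li_vn_mode, 2, 6, -20, 0, 0, 0,
                       to_ntp(t2 - 1.0), to_ntp(t1_unix), to_ntp(t2), to_ntp(t2))

def check_sample(server_skew: float) -> dict:
    """Run one constructed exchange with 50 ms one-way delay (100 ms round trip)."""
    t1 = 1_000_000_000.0
    return parse_server_response(constructed_reply(t1, server_skew, 0.05), t4_unix=t1 + 0.1)
```

`check_sample(0.2)` reports an offset of about 0.2 s and passes the tolerance check; `check_sample(3.0)` reports about 3.0 s and is flagged.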
Enterprise User Authentication Use Case: Single Sign On
Motivation
• Users need to frequently communicate with many non-integrated IT application services.
• Managing multiple user identities and passwords is costly to users and system administration.
Solution
• EUA supports a single common user identity for browser-based applications.
• EUA allows multiple user authentication technologies.
• EUA uses well-trusted standardized user identity mechanisms: Kerberos and CCOW user context.
Enterprise User Authentication Use Case: Fast User Switch
Motivation
• Customer requirement for fast user switching on a multi-user workstation due to long startup times during normal system login.
Solution
• Initiate a “null user” during workstation startup.
• Utilize EUA to authenticate actual users once, e.g., at start of work shift, via Kerberos.
• Utilize Follow Context to switch user identities without incurring the high startup costs, via CCOW user context.
Enterprise User Authentication: Key Attributes
Limited network overhead
• Kerberos is network-efficient, developed at a time when high-speed networks were rare.
• CCOW is similarly network-efficient.
Kerberos and CCOW work with any user authentication technology
• Tokens, biometric technologies, smart cards, …
• Specific implementations require some proprietary components, e.g., biometric devices.
• Once user authentication is complete, network transactions are the same for all technologies.
Enterprise User Authentication: Key Attributes
Multi-year roll-out
2004:
• Kerberos Server
• HTTP Authentication
• Shared Identity through CCOW
• Grouped with Consistent Time
Future:
• DICOM (Supplement 99)
• HL7 (v2.6 UAC segment or WSDL/SOAP transport)
• CCOW – Kerberos service ticket as part of user context
EUA and CT: Key Technical Properties
Standards Used
• Kerberos v5 (RFC 1510)
  • Stable since 1993
  • Widely implemented on current operating system platforms
  • Successfully withstood attacks in its 10-year history
  • Fully interoperable among all platforms
• HL7 CCOW, user subject
• Network Time Protocol (RFC 1305)
Minimal Application Changes
• Eliminate application-specific, non-interoperable authentication
• Replace less secure proprietary security techniques
• Leverage NTP interfaces built into operating systems
Enterprise User Authentication: Transaction Diagram
Enterprise User Authentication: Transaction Diagram: CCOW Option
Consistent Time: Transaction Diagram
• Time Client → Time Server: Maintain Time [ITI-1]
Enterprise User Authentication: Kerberos Authentication (Single System Environment)
Actors: Kerberos Server, “kinit”, Cache, application, Application server.
• Initial username, password are supplied to “kinit”.
• “kinit” → Kerberos Server: Request TGT.
• Kerberos Server → “kinit”: Response (contains TGT); the TGT is placed in the Cache.
• application reads the TGT from the Cache.
• application → Kerberos Server: Request Service ticket (presenting the TGT).
• Kerberos Server → application: Response with Service Ticket.
• application → Application server: Communication initiated; protocol-specific communication, using the Service Ticket as authenticator.
Enterprise User Authentication: HTTP Authentication
Actors: HTTP Client (with Client Authentication Agent), HTTP Kerberized Server, Kerberos Authentication Server.
• Start HTTP Session: HTTP Client → HTTP Kerberized Server: HTTP Get, with no authentication.
• HTTP Kerberized Server → HTTP Client: 401 response (WWW-Authenticate: Negotiate).
• Client Authentication Agent → Kerberos Authentication Server: Get Kerberos Service Ticket.
• Kerberos Authentication Server → Client Authentication Agent: Service Ticket.
• HTTP Client → HTTP Kerberized Server: HTTP Get, Kerberized Communication.
• HTTP Kerberized Server → HTTP Client: HTTP Response.
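Added example, not from the deck or from any IHE implementation: a Python model of the exchange above, with the Client Authentication Agent retrying after the 401 Negotiate challenge and the Kerberized Server validating the presented credential before serving data. The HMAC-based service ticket, `SERVICE_KEY`, `TICKET_LIFETIME` and all function names are constructed stand-ins for the Kerberos service ticket and SPNEGO token that a real deployment exchanges through GSS-API.

```python
import base64, hashlib, hmac

# Constructed stand-in for the Kerberos service ticket: an HMAC over "principal|expiry"
# under a key shared with the service. Real EUA traffic carries SPNEGO/GSS-API tokens.
SERVICE_KEY = b"constructed-key-for-HTTP/app.hospital.example"
TICKET_LIFETIME = 8 * 3600  # seconds: one work shift, as in the fast-user-switch use case

def issue_service_ticket(principal: str, now: float) -> bytes:
    """Stand-in for the 'Get Kerberos Service Ticket' step against the KDC."""
    body = f"{principal}|{int(now) + TICKET_LIFETIME}".encode()
    tag = base64.b64encode(hmac.new(SERVICE_KEY, body, hashlib.sha256).digest())
    return body + b"|" + tag

def validate_service_ticket(token: bytes, now: float):
    """Server side: return the principal only if the ticket is authentic and unexpired."""
    try:
        principal, expiry, tag = token.split(b"|")
    except ValueError:  # wrong number of fields
        return None
    expected = base64.b64encode(hmac.new(SERVICE_KEY, principal + b"|" + expiry, hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected) or not expiry.isdigit() or int(expiry) <= now:
        return None
    return principal.decode()

def kerberized_server(request: dict, now: float) -> dict:
    """HTTP Kerberized Server: answer 401 'WWW-Authenticate: Negotiate' until the request
    carries a valid 'Authorization: Negotiate <base64 token>' header."""
    scheme, _, b64 = request.get("headers", {}).get("Authorization", "").partition(" ")
    if scheme == "Negotiate" and b64:
        try:
            principal = validate_service_ticket(base64.b64decode(b64, validate=True), now)
        except ValueError:  # malformed base64 (binascii.Error is a ValueError subclass)
            principal = None
        if principal:
            return {"status": 200, "headers": {}, "body": f"clinical data for {principal}"}
    return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}, "body": ""}

def client_authentication_agent(path: str, get_service_ticket, now: float):
    """Client Authentication Agent: unauthenticated GET first; on a Negotiate challenge, obtain a ticket and retry once."""
    transcript = []
    request = {"method": "GET", "path": path, "headers": {}}
    response = kerberized_server(request, now)
    transcript.append((request, response))
    if response["status"] == 401 and response["headers"].get("WWW-Authenticate") == "Negotiate":
        token = base64.b64encode(get_service_ticket()).decode()
        request = {"method": "GET", "path": path, "headers": {"Authorization": f"Negotiate {token}"}}
        response = kerberized_server(request, now)
        transcript.append((request, response))
    return response, transcript
```

A tampered or expired ticket leaves the client at 401 after its single retry, which is the behaviour the server should exhibit rather than falling back to a weaker scheme.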
Enterprise User Authentication: Fast User Switch
Actors: Kerberos Authentication Server; on the Device with Fast User Switching: User Context Participant, Context Manager, Client Authentication Agent.
• Join Context: the User Context Participant and the Client Authentication Agent each join the Context Manager.
• Switch to User A: User A Login (Client Authentication Agent, against the Kerberos Authentication Server) → Change Context → Follow Context (User Context Participant).
• Switch to User B: User B Login → Change Context → Follow Context.
Kerberos Documentation
Online
• “Moron’s Guide”: http://www.isi.edu/gost/brian/security/kerberos.html
• MIT Site: http://web.mit.edu/kerberos/www/
• Various Microsoft MSDN support documents
Hardcopy
• Kerberos, by Brian Tung, Addison Wesley
• Various vendor manuals
Configuration and API documentation
• Microsoft, Unix, and other vendor documentation
HTTP Documentation
• Internet draft for Kerberization of HTTP: draft-brezak-spnego-http-05.txt
• Other documentation: http://support.microsoft.com/default.aspx?scid=kb;ben-us;326985
EUA Futures: HL7 CCOW Proposal
• EUA defines a CCOW identity space User.Id.Logon.Kerberos. This enables some single sign-on capabilities.
• CCOW exchange of SAML assertions
  • Assertions can contain Kerberos service tickets
  • Is an HL7 work item, now underway
  • Use cases are needed in order to move this forward.
EUA Futures: HL7 v2.6 Proposal
• HL7 v2.6 User Authentication Credential (UAC) segment
  • Kerberos service tickets or SAML assertion
• User-identified associations enable
  • Better audit logs
  • User-specific customizations
  • User-specific authorization
• HL7 also allows EUA as part of WSDL/SOAP, via SAML assertion
EUA Futures: DICOM Proposal
• DICOM Associations convey user identification
• User-identified associations enable
  • Better audit logs
  • User-specific customizations
  • User-specific authorization
• Under development as Supplement 99
More information…
IHE Web sites:
• http://www.himss.org/IHE
• http://www.rsna.org/IHE
• http://www.acc.org/quality/ihe.htm
Technical Frameworks:
• ITI V1.0, RAD V5.5, LAB V1.0
Technical Framework Supplements - Trial Implementation:
• May 2004: Radiology
• August 2004: Cardiology, IT Infrastructure
Non-Technical Brochures:
• Calls for Participation
• IHE Fact Sheet and FAQ
• IHE Integration Profiles: Guidelines for Buyers
• IHE Connect-a-thon Results
• Vendor Products Integration Statements