Proposed Technical Architecture for California HIE Services
Walter Sujansky, Sujansky & Associates, LLC
Presentation to NHIN-Direct Security and Trust Work Group
April 29, 2010
Proposed Technical Architecture

[Diagram: Core Cooperative Shared HIE Services (Entity Registry Service, Provider Directory Service, Provider Identity Service) at the center, with the Entity Registry Service annotated “Identity management for legal entities”. Around the core services: legal entities (Laboratory, Physician, Solo Practice, Group Practice, IPA, IDN, Hospital), Enterprise-A (Principal-3, Principal-4), Enterprise-B (Principal-5, Principal-6), and Principal-1 and Principal-2.]
Entity Registry Service

1. A Certificate Authority that provisions legal entities in a widely trusted manner
   • Certifies legitimacy of the entity and its conformance to security/privacy policies
   • “Revokes” certification for entities when appropriate
   • Legal Entity = Physician practice, hospital, pharmacy, lab, immunization registry, etc.
   • Not individual physicians, administrative staff, or consumers
2. Repository of valid, active certificates for legal entities that wish to exchange health information using the CS-HIE resources
Entity Registry Service

[Diagram: the HIE Certificate Authority (C.A.), Public Key: 3D78EB4A58F2, signs Entity Certificates, which are held in the Entity Registry. Sample Entity Certificate: Montrose Internist Group, 746 Professional Circle, La Jolla, CA; Type: Outpatient Med Facility; Public Key: H58GKXF894D8.]

Meaning: The Certificate Authority has validated that this legal entity:
• Legitimately exists and has the attributes listed
• Complies with the designated policies for provisioning and authenticating its users and safeguarding electronic health information
• Has possession of a private key that corresponds to the listed public key
Responsibilities of a Registered Legal Entity (1)

Maintain internal registry of its providers, including minimum descriptive attributes (name, location, type, role, etc.)
• I.e., Providers may be provisioned locally by their entities => no requirement for a centralized user registry

Reliably authenticate these providers when they “log in” within the entity’s domain
• I.e., Providers may be authenticated locally by their entities

When providers exchange health information outside of the entity’s domain, include the following with each transaction:
1. An “authentication assertion” signed by the legal entity that (a) validates the identity of the provider and (b) substantiates that the provider was authenticated appropriately
2. An “authorization assertion” signed by the legal entity that documents (a) the role of the provider with respect to the patient and (b) the purpose of the health information exchange
3. Copy of payload signed by the legal entity to confirm data integrity
Entity Registry Service

[Diagram: what is sent to the recipient in a transaction. The C.A. (Public Key: 3D78EB4A58F2) signs the sender’s Entity Certificate (Montrose Internist Group, Public Key: H58GKXF894D8), held in the Entity Registry. The entity itself signs each of the following:
• Authentication Assertion: Authenticated NPI 5893859073, Jacob Hill, MD – Internal Medicine; Login: 2010-03-28 14:35:50; Credential: password-only; Entity: Montrose Internist Group
• Authorization Assertion: Authorized NPI 5893859073, Jacob Hill, MD – Internal Medicine; Role: Patient’s PCP; Purpose: Transfer of Care; Entity: Montrose Internist Group
• Payload: Joe Patient, DOB, Gender, etc…; Problem List, Med List, etc…]
Responsibilities of a Registered Legal Entity (2)

Provide an electronic directory of the providers within the legal entity
• The directory must be accessible in a standard format as a “web service”, available to all other entities with access to the Entity Registry Service
• The directory need contain only those providers whose information the legal entity wishes to publish
• Each directory entry must include
  – The provider’s descriptive attributes (to enable lookups)
  – The HIE transactions that the provider supports (to determine whether a transaction is supported)
  – For each supported transaction, the electronic address(es) and protocol(s) (to determine how a transaction is supported)
Provider Directory Entries

Entity + Provider + Transaction Type => Network Address + Protocol
• E.g., Dr. Hill at Montrose Internist Group can be sent hospital discharge summaries at ehr.montrose.com/InBox/DischargeSummary using the Level-2 CCD document format

Network address may be provider’s own EHR or it may be a 3rd party system
• E.g., an HIO routing service, an EHR hosted by an IPA, an HISP, etc.

Entries are created and certified (signed) by legal entities, which are responsible for their veracity
Entity Registry Service

[Diagram: the C.A. (Public Key: 3D78EB4A58F2) signs the Entity Certificate for Montrose Internist Group (Public Key: H58GKXF894D8), held in the Entity Registry; the entity signs the entries in its Provider Directory. Both are retrieved by the potential sender of a transaction, labelled “For looking up the recipient” and “For formulating the transaction”. Sample Directory Entry: Entity: Montrose Internist Group; Provider: Jacob Hill, MD; Transaction: Receive Discharge Summary; Addr: ehr.montrose.com/Inbox/DcSummary; Protocol: Level 2 CCD. The diagram also shows the entry as Trans: Discharge Summary; Addr: montroseIG.com/hie/discharge; Protocol: Level 2 CCD.]
Proposed Technical Architecture: Publishing Provider Directory Entries

[Diagram: a Legal Entity and its providers* hold a Registry Entry in the Entity Registry Service. The entity publishes its Directory Entries to one of: a Self-Hosted Provider Directory (Web Service), OR a 3rd-Party-Hosted Provider Directory (Web Service), OR the Provider Directory Service of the Core Cooperative Shared HIE Services; in the first two cases the Provider Directory Service holds a Pointer to Directory.]
* Physicians, other providers, clerical users, departments, data repositories, etc.
Proposed Technical Architecture

[Diagram: the same architecture as on slide 2, now with the Provider Directory Service annotated “Addressing and formatting information for intended recipients of HIE transactions” alongside the Entity Registry Service’s “Identity management for legal entities”.]
Proposed Technical Architecture

[Diagram: the same architecture, now with the Provider Identity Service annotated “Identity management and authentication for principals in HIE transactions”, in addition to the Entity Registry Service (“Identity management for legal entities”) and Provider Directory Service (“Addressing and formatting information for intended recipients of HIE transactions”) annotations.]
Provider Identity Service

Centralized, trusted service for provisioning and authenticating providers involved in HIE transactions
• Intended for entities that are not trusted to authenticate their own providers, despite blessing of certificate authority

Use of Provider Identity Service is entirely optional
• Entities may provision and authenticate their own providers

May or may not prove to be needed…
Proposed Technical Architecture

[Diagram: the same architecture with all three service annotations, plus a legend distinguishing two kinds of arrows: transactions involving CS-HIE Services and using the protocols and standards required by these services, and transactions not involving CS-HIE Services and not necessarily using the protocols and standards required by these services. Arrows marked * are with TLS encryption and authentication.]
Example: Hospital Discharge Summary

[Diagram: Dr. Beth Cramer at Seaview Hospital, Dr. Jonah Hill at Montrose Internist Group, and Valley IPA, all legal entities, with the Core Cooperative Shared HIE Services and the legend from the preceding slide; arrows marked * are with TLS encryption and authentication.]

Steps shown:
1. John Smith’s PCP is Dr. Jonah Hill at Montrose Internist Group
2. Look up Montrose Internist Group
3. Look up Dr. Jonah Hill (via a Pointer to the directory hosted by Valley IPA)
4. Formulate and Send Transaction

Directory entry retrieved:

Legal Entity              Principal        Transaction                          Address                             Protocol
Montrose Internist Group  Dr. Jonah Hill   Receive Hospital Discharge Summary   www.valleyIPA.org/InBox/DcSummary   CCD Level 2
Example: Hospital Discharge Summary

[Diagram: Dr. Beth Cramer at Seaview Hospital formulates and sends the transaction to Montrose Internist Group; Valley IPA and the Core Cooperative Shared HIE Services as on the preceding slide; arrows marked * are with TLS encryption and authentication.]

Transaction:
Header
• Certificate for Seaview Hospital (with public key)
• Authentication Assertion for Dr. Beth Cramer (Signed by Seaview Hospital)
• Authorization Assertion for Dr. Beth Cramer vis-à-vis John Smith (Signed by Seaview Hospital)
Payload
• Discharge Summary as CCD with patient identifiers for John Smith (Signed by Seaview Hospital)

At Montrose Internist Group, the receiving system:
1. Inspects Transaction Header and Payload
2. Validates Seaview Hosp’s Certificate
3. Makes access-control decision based on Header & Payload contents
4. Delivers to Recipient’s EHR
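The recipient-side checks on this slide, as an added example that is not part of the original presentation: the HIE CA signs an entity certificate, the sending entity signs both assertions and the payload, and the recipient validates the certificate against the CA key, every signature against the certified key, the binding of both assertions to that entity and provider, and finally a local purpose policy. Ed25519, JSON encoding and the assertion field layout are assumptions; the deck does not specify signature algorithms or assertion formats.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// EntityCert is an Entity Registry record: legal-entity attributes plus its public key, signed by the HIE CA.
type EntityCert struct {
	Entity, Address, Type string
	PubKey                ed25519.PublicKey
	CASig                 []byte `json:"-"` // excluded from the bytes the CA signs
}
// Assertion carries the slide-6 fields for both assertion types (this field layout is a constructed assumption).
type Assertion struct{ Entity, Provider, Role, Purpose, Credential string }
// Transaction is the slide-16 envelope: entity certificate, two signed header assertions, signed payload.
type Transaction struct{ Cert EntityCert; AuthN, AuthNSig, AuthZ, AuthZSig, Payload, PayloadSig []byte }
func marshal(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// IssueCert is the CA's step: sign the entity record with the CA key.
func IssueCert(caPriv ed25519.PrivateKey, c EntityCert) EntityCert {
	c.CASig = ed25519.Sign(caPriv, marshal(c))
	return c
}

// Send is the sending entity's step: sign both assertions and the payload with the entity's own key.
func Send(priv ed25519.PrivateKey, cert EntityCert, an, az Assertion, payload []byte) Transaction {
	a, z := marshal(an), marshal(az)
	return Transaction{cert, a, ed25519.Sign(priv, a), z, ed25519.Sign(priv, z), payload, ed25519.Sign(priv, payload)}
}

// Verify is the recipient's step: certificate against the CA, each signature against the certified key, assertions bound to that entity and provider, then the local access-control decision on the stated purpose.
func Verify(caPub ed25519.PublicKey, tx Transaction, allowedPurpose map[string]bool) error {
	k, an, az := tx.Cert.PubKey, Assertion{}, Assertion{}
	switch {
	case len(k) != ed25519.PublicKeySize || !ed25519.Verify(caPub, marshal(tx.Cert), tx.Cert.CASig):
		return errors.New("entity certificate invalid or not signed by HIE CA")
	case !ed25519.Verify(k, tx.AuthN, tx.AuthNSig) || !ed25519.Verify(k, tx.AuthZ, tx.AuthZSig) || !ed25519.Verify(k, tx.Payload, tx.PayloadSig):
		return errors.New("assertion or payload signature invalid")
	case json.Unmarshal(tx.AuthN, &an) != nil || json.Unmarshal(tx.AuthZ, &az) != nil:
		return errors.New("malformed assertion")
	case an.Entity != tx.Cert.Entity || az.Entity != tx.Cert.Entity || an.Provider != az.Provider:
		return errors.New("assertions not bound to the certified entity and provider")
	case !allowedPurpose[az.Purpose]:
		return errors.New("purpose not permitted by local policy: " + az.Purpose)
	}
	return nil
}
```

The switch order matters: a certificate that fails the CA check is rejected before its key is ever used, so a forged certificate cannot vouch for its own assertions.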
Summary

The Core CS-HIE Services are intended to provide
1. A trust infrastructure in which parties can determine the authenticity of HIE transactions that they receive from arbitrary counterparties
2. A directory infrastructure in which parties can determine where and how to direct HIE transactions intended for specific recipients via the internet

Much technical and policy work remains to flesh out the design of these services
• Define the policies surrounding the HIE certificate authority and the granting of Entity Registry entries
• Define the technical design of Entity Registry entries and Provider Directory entries
• Define the technical design of authentication and authorization assertions
• More…