1 Federated Identity Management in Healthcare: What is Needed and What is Feasible 2006 Spring...


Page 1

Federated Identity Management in Healthcare: What is Needed and What is Feasible

2006 Spring Member Meeting

April 26, 2006

Holt Anderson – NCHICA Executive Director

William Weems, Univ. of Texas Health Science Center at Houston

Casey Webster, IBM

Page 2

Session Outline

• Holt Anderson
– Background of National HIT Initiatives from ONC

• Casey Webster
– Challenges & Approaches in Developing the Nationwide Health Information Network (NHIN) Architecture

• Bill Weems
– What is Possible Today!

• Question & Answer Session

Page 3

Background of National HIT Initiatives from ONC

Holt Anderson

Page 4

[Diagram: ONC national health IT framework. Boxes: Standards Harmonization, Compliance Certification, Nationwide Health Information Network, Privacy / Security, Health IT Adoption. Layers: Infrastructure, Industry Transformation, Health Information Technology Deployment, Technology Industry.]

Page 5

Standards Harmonization Process

– HHS awarded a contract valued at $3.3 million to the American National Standards Institute, a non-profit organization that administers and coordinates the U.S. voluntary standardization activities, to convene the Health Information Technology Standards Panel (HITSP).

– The HITSP will develop, prototype, and evaluate a harmonization process for achieving a widely accepted and useful set of health IT standards that will support interoperability among health care software applications, particularly EHRs.

Page 6

Compliance Certification Process

• HHS awarded a contract valued at $2.7 million to the Certification Commission for Health Information Technology (CCHIT) to develop criteria and evaluation processes for certifying EHRs and the infrastructure or network components through which they interoperate.

• CCHIT will be required to submit recommendations for ambulatory EHR certification criteria in December 2005, and to develop an evaluation process for ambulatory health records in January 2006.

– Criteria will include the capabilities of EHRs to protect health information, standards by which EHRs can share health information and clinical features that improve patient outcomes.

Page 7

Privacy and Security Solutions

• HHS awarded a contract valued at $11.5 million to RTI International, a private, non-profit corporation, to lead the Health Information Security and Privacy Collaboration (HISPC), a collaboration that includes the National Governors Association (NGA), up to 40 state and territorial governments, and a multi-disciplinary team of experts.

• RTI will oversee the HISPC to assess and develop plans to address variations in organization-level business policies and state laws that affect privacy and security practices that may pose challenges to interoperable electronic health information exchange while maintaining privacy protections.

Page 8

Health Information Technology Adoption Initiative

• HHS awarded a contract valued in excess of $1 million to the George Washington University and Massachusetts General Hospital Harvard Institute for Health Policy to support the Health IT Adoption Initiative.

• The new initiative is aimed at better characterizing and measuring the state of EHR adoption and determining the effectiveness of policies to accelerate adoption of EHRs and interoperability.

• For more information visit: http://www.hitadoption.org/

Page 9

[Diagram: ONC national health IT framework, repeated from Page 4. Boxes: Standards Harmonization, Compliance Certification, Nationwide Health Information Network, Privacy / Security, Health IT Adoption. Layers: Infrastructure, Industry Transformation, Health Information Technology Deployment, Technology Industry.]

Page 10

Nationwide Health Information Network (NHIN)

• Contracts have been awarded by HHS totaling $18.6 million to four consortia of health care and health information technology organizations to develop prototypes for the Nationwide Health Information Network (NHIN) architecture.

– The contracts were awarded to: Accenture, Computer Sciences Corporation, IBM, and Northrop Grumman, along with their affiliated partners and health care market areas.

• The four consortia will move the nation toward the President’s goal of personal electronic health records by creating a uniform architecture for health care information that can follow consumers throughout their lives.

Page 11

[Diagram: ONC national health IT framework extended with outcomes. Boxes: Standards Harmonization, Compliance Certification, Nationwide Health Information Network, Privacy / Security, Health IT Adoption. Layers: Infrastructure, Industry Transformation, Health Information Technology Deployment, Technology Industry. Added: Consumer Value; Breakthroughs (Biosurveillance, Consumer Empowerment, Chronic Care, Electronic Health Records); Health Care Industry.]

Page 12

[Diagram: same framework as Page 11, repeated as a build slide.]

Page 13

[Diagram: same framework as Page 11, repeated as a build slide.]

Page 14

Challenges & Approaches in Developing the Nationwide Health Information Network (NHIN) Architecture

Casey Webster

Page 15

Business Consulting Services

© 2006 IBM Corporation

The Nationwide Health Information Network (NHIN) Architecture Prototype Project

Internet2 Spring Member Meeting

April 26, 2006

Page 16

Marketplaces

• Fishkill, NY (THINC – Taconic Healthcare Information Network Communication)
– Hudson Valley: evolving RHIO w/ shared data at HealthVision hub
– 2,300 physicians supporting 700,000 patients

• Research Triangle, NC (NCHICA – North Carolina Healthcare Information Communication Affiliates)
– Competitive, high-tech urban environment: UNC, Duke, Wake Forest

• Rockingham County, NC and Danville, VA (NCHICA – North Carolina Healthcare Information Communication Affiliates)
– Rural environment with NC and VA patients
– Small, competitive practices and hospitals

Page 17

Research Triangle Marketplace

[Diagram: participants. UNC Hospitals and Health System with Rex Hospital (UNC); Duke Univ. Health System with Durham Regional Hosp (Duke); WakeMed Health System; affiliated practices (1 x Practice, 1 x Practice, 1 x Practice, 1 x Practice, 2 x Practices); Safety Net Provider; Public Health; Pharmacy; Lab.]

Page 18

Rockingham Co., NC / Danville, VA Marketplace

[Diagram: participants. Morehead Memorial Hospital; Moses Cone Health System with Annie Penn Hospital (Moses Cone); practices (1 x Practice, 1 x Practice, 2 x Practices, 1 x Practice (unaffiliated)); Pharmacy; Public Health; Safety Net Provider; Lab.]

Page 19

Architecture Guiding Principles

• Community-Centric
– Document repositories normalize and store clinical data within a community
– Can be hosted by individual hospitals/practices and/or shared within the community
– Community hub provides MPI, document locator, security and support services
– The community hub is the gateway to other communities

• Drive and conform to standards
– Instantiation of IHE interoperability framework (XDS, PIX/PDQ, ATNA & CT profiles)
– Clinical events stored as HL7 CDA(r2)-compliant documents
– Java/J2EE implementation is hardware & software vendor agnostic
– Proven Internet protocols for authentication, authorization, and security

• Provide security & privacy w/o sacrificing usability or research value
– Anonymous/pseudonymous data that can be re-identified as needed/permitted
– Supports other data aggregates (registries, biosurveillance, outcomes analysis)

• Practical
– Scalable and cost-effective at every level of practice
– Point-of-care performance is critical to adoption

Page 20

Architecture – Community Architecture

[Diagram: Community Hub with MPI Services (PIX, PDQ); Registry Services (Document Locator, XDR); Support Services (ATNA, CT, Logging); Security Services (Authentication, Authorization, Access Control, Patient Consent); Community Services (Biosurveillance, PHR Portal, Community XDS, CAD Search/Retrieval, CAD Policies/Security, Admin/Maintenance, QoS); NHIN Interface. Hospital or Physician Practice Interface: Integration Engine or Data Source; HCN Gateway with Xform/Xlate Data Services, IHE Adapter and XDS Document Services; Document Storage and Retrieval. IBM Business Consulting Services.]

Page 21

Architecture – Cross-Community Interaction

• All cross-community interactions are brokered through the NHIN interface, using other community services as needed

• Authentication and authority uses a federated model, with trust relationships established at the NHIN level

• Cross-community patient lookup is based on demographic matching
– Identity is established by matching demographic data between the local and remote PDQ databases, with a conservative threshold
– IBM research is working on open issues such as patient mobility, multi-resident patients (“snowbirds”), directed searches, and undirected bounded searches

• Once a positive patient match is obtained, document search and retrieval is identical to the intra-community model
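The demographic-matching step above, worked through as an added example that is not code from the IBM prototype or from this presentation: a local patient record is scored against a remote community's PDQ-style registry, and a link is made only when one candidate clears a conservative threshold unambiguously. The field weights, the threshold, the sample records and the community identifiers are constructed assumptions.

```python
"""Cross-community patient lookup by demographic matching (added example).

Models the slide's PDQ-style match: a local patient's demographics are scored
against a remote community's registry and a link is made only above a
conservative threshold.  Weights, threshold and records are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import unicodedata


@dataclass(frozen=True)
class Demographics:
    patient_id: str   # identifier within its own PDQ domain (never reused across domains)
    first: str
    last: str
    dob: date
    gender: str       # "M", "F" or "U" (unknown)
    zip5: str


def _norm(s: str) -> str:
    """Case-fold and strip accents/punctuation so O'Brien, OBrien and Obrien agree."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return "".join(ch for ch in s.upper() if ch.isalnum())


# Assumed field weights: date of birth and surname carry most of the evidence.
WEIGHTS = {"last": 0.30, "first": 0.15, "dob": 0.35, "gender": 0.05, "zip5": 0.15}
MATCH_THRESHOLD = 0.90    # conservative: only near-complete agreement links records
AMBIGUITY_MARGIN = 0.05   # two candidates closer than this -> refuse to choose


def match_score(a: Demographics, b: Demographics) -> float:
    """Weighted agreement in [0, 1]. Unknown gender is neutral rather than a mismatch."""
    score = 0.0
    if _norm(a.last) == _norm(b.last):
        score += WEIGHTS["last"]
    if _norm(a.first) == _norm(b.first):
        score += WEIGHTS["first"]
    elif _norm(a.first)[:1] == _norm(b.first)[:1]:
        score += WEIGHTS["first"] / 2   # first initial agrees (nickname / abbreviation)
    if a.dob == b.dob:
        score += WEIGHTS["dob"]
    if "U" in (a.gender, b.gender) or a.gender == b.gender:
        score += WEIGHTS["gender"]
    if a.zip5 == b.zip5:
        score += WEIGHTS["zip5"]
    return round(score, 4)


def cross_community_lookup(local: Demographics, remote: List[Demographics]) -> Optional[str]:
    """Return the remote patient_id only for a single, unambiguous high-confidence match.

    Returning None on doubt is the safety property: a false link would surface
    one patient's documents under another patient's identity.
    """
    ranked: List[Tuple[float, Demographics]] = sorted(
        ((match_score(local, r), r) for r in remote), key=lambda t: t[0], reverse=True)
    if not ranked or ranked[0][0] < MATCH_THRESHOLD:
        return None
    if len(ranked) > 1 and ranked[0][0] - ranked[1][0] < AMBIGUITY_MARGIN:
        return None   # e.g. twins with identical demographics: do not guess
    return ranked[0][1].patient_id


# Constructed sample data: a Rockingham County (NC) patient looked up in a Danville (VA) community.
LOCAL = Demographics("NC-1001", "Mary", "O'Brien", date(1950, 3, 14), "F", "27320")
REMOTE_REGISTRY = [
    Demographics("VA-77", "Mary", "OBrien", date(1950, 3, 14), "F", "27320"),   # same person, spelling differs
    Demographics("VA-78", "Mary", "O'Brien", date(1950, 3, 14), "F", "24541"),  # zip disagrees -> 0.85
    Demographics("VA-79", "Mark", "Obrien", date(1950, 3, 14), "M", "27320"),   # sibling -> 0.875
]
TWIN = Demographics("VA-80", "Mary", "O'Brien", date(1950, 3, 14), "F", "27320")  # indistinguishable from VA-77


def demo() -> Dict[str, Optional[str]]:
    """Three lookups: clear match, nothing above threshold, ambiguous pair."""
    return {
        "clear": cross_community_lookup(LOCAL, REMOTE_REGISTRY),                 # "VA-77"
        "below_threshold": cross_community_lookup(LOCAL, REMOTE_REGISTRY[1:]),   # None
        "ambiguous": cross_community_lookup(LOCAL, REMOTE_REGISTRY + [TWIN]),    # None
    }
```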

Page 22

Business Consulting Services

© 2006 IBM Corporation

NHIN Architecture Prototype – Introduction

Acronyms

IHE (Integrating the Healthcare Enterprise) Profiles
– XDS – Cross-Enterprise Document Sharing
• Supports saving, registering, querying and retrieving documents across enterprises but within an administrative domain
– PIX – Patient Identifier Cross-referencing
• Supports cross referencing of patient identifiers across domains
– PDQ – Patient Demographics Query
• Supports query for patients given a minimal set of demographic criteria (e.g. ID or partial name) returning all the demographics and a patient identifier within a domain
– ATNA – Audit Trail and Node Authentication
• Supports auditing and secure communications
– CT – Consistent Time
• Supports consistent time across multiple systems

J2EE – Java 2 Enterprise Edition
– Sun’s Java-based framework for developing and deploying complex, scalable business solutions in a standardized manner, leveraging the following technologies
– JDBC – Java Database Connectivity
• A vendor-neutral means of accessing relational data from within a Java/J2EE application. Note that the data itself does not necessarily have to be stored in a relational database.
– EJB – Enterprise JavaBeans
• JavaBeans are reusable components within the J2EE architecture
– JMS – Java Messaging Service
• A vendor-neutral means of accessing message queuing systems (e.g. MQ Series) from within a Java/J2EE application

Page 23

What is Possible Today!

Bill Weems

Page 24

Internet2 Spring Mtg. 2006

University of Texas Health Science Center at Houston (UTHSC-H)

• Six Schools
– Graduate School of Biomedical Sciences
– Dental School
– Medical School
– Nursing School
– School of Health Information Sciences
– School of Public Health

• ~ 10,000 Students, Faculty and Staff

Page 25

Texas Medical Center (www.tmc.edu)

• Forty One Institutions on 740 Acres
• Approximately 65,000 Employees
• Seven Large Hospitals
• 6,176 Licensed Beds & 334 Bassinets
• 5.2 Million Patient Visits in 2004
• Baylor College of Medicine
• Rice University
• Texas A&M Institution of Biotechnology
• University of Texas Health Science Center at Houston
• University of Texas M.D. Anderson Cancer Center

Page 26

Scenario I

• UT-Houston Residency Programs have some attending physicians that are non-university personnel – e.g. M.D. Anderson & Baylor

• Dr. James at M.D. Anderson is to be an attending physician in the UT-Houston Internal Medicine Residency Program.

• On-line Graduate Medical Education Information System (GMEIS) contains confidential and sensitive information - including HIPAA data.

• Dr. James needs access to GMEIS.

• How is Dr. James’ identity verified, authenticated and authorized to have access as an attending physician?

• If Dr. James suddenly leaves M.D. Anderson, is his access to UT-Houston Residency Program immediately abolished?

Page 27

Scenario I – Problems

• Dr. James has no digital credentials.

• U.T. Houston policy requires that a responsible party at U. T. Houston assume responsibility for Dr. James and sponsor him as a “guest”.

• Dr. James must appear before a Local Registration Administration Agent (LRAA) to have his identity verified and be credentialed.

– Does not verify his status with M.D. Anderson.

• If Dr. James leaves M.D. Anderson, there is no automatic process in place to revoke his access rights.

Page 28

Ideally, individuals would each like a single digital credential that can be securely used to authenticate his or her identity anytime authentication of identity is required to secure any transaction.

Page 29

Identity Vetting & Credentialing

[Diagram: the Identity Provider (IdP), uth.tmc.edu, obtains the person's physical characteristics, assigns an everlasting identifier held in a permanent identity database, and issues a digital credential permanently bound to that identifier; activation is by the person only.]

Page 30

UTHSC-H: An Identity Provider (IdP)

It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.

Page 31

Two Categories of Identity

• Physical Identity – Assigned Identifier – Authentication
– Facial picture,
– Fingerprints
– DNA sample

• Identity Attributes – Authorization Attributes
– Common name,
– Address,
– Institutional affiliations – e.g. faculty, student, staff, contractor,
– Specific group memberships,
– Roles,
– Etc.

Page 32

UTHSC-H Identity Management System

[Diagram: sources of record (HRMS, SIS, GMEIS, Guest, MSUTP); Identity Reconciliation & Provisioning Processes; Person Registry; Sync; Authoritative Enterprise Directories (INDIS, OAC7, OAC47); Secondary Directories; Authentication Service; Authorization Service; User Administration Tools (Change Password, Attribute Management).]

Page 33

Source of Authority (SOA) Responsibilities

An organizational entity officially responsible for identifying individuals having explicitly defined affiliations with the university constitutes a “source of authority” (SOA). The SOA is responsible for

• Identifying an individual,
• Maintaining the appropriate records that define a person's affiliation,
• Providing others with information about the specifics of an affiliation and,
• Determining if an affiliation is currently active or inactive – i.e. can a person be credentialed

Page 34

Person Registry

• Identity Reconciliation
– Unique Identifiers Generated by Source of Record
• SSN – If Available (HRMS, GMEIS, UTP, Guest, SIS)
• Student ID
• Employee Number – HRMS
– Full Name
• First, Middle, Last
– Birth Information
• Date of Birth
• City of Birth
• Country of Birth
– Gender

• UUID – An everlasting unique identifier

Page 35

Issuing a Digital Credential

• Individual appears before an Identity Provider (IdP) which accepts the responsibility to
– positively determine and catalog a person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample),
– assign a unique, everlasting digital identifier to each person identified,
– issue each identified person a digital credential that can only be used by that person to authenticate his or her identity,
– maintain a defined affiliation with each individual whereby the validity of the digital credential is renewed at specified intervals.

Page 36

Identity Vetting & Credentialing – UTHSC-H Two Factor Authentication

[Diagram: the same IdP flow as Page 29 (uth.tmc.edu obtains physical characteristics, assigns an everlasting identifier in a permanent identity database, issues a permanently bound digital credential, person-only activation), with two question marks marking open points in the diagram.]

Page 37

Identity Vetting & Credentialing – UTHSC-H Username/Password Authentication

[Diagram: the same IdP flow as Page 29, with the credential used over the network as username and password; a row of question marks marks the open points in the diagram.]

Page 38

Federal E-Authentication Initiative
http://www.cio.gov/eauthentication/

• Levels of assurance (Different Requirements)
– Level 1 – e.g. no identity vetting
– Level 2 – e.g. specific identity vetting requirements
– Level 3 – e.g. cryptographic tokens required
– Level 4 – e.g. cryptographic hard tokens required

• Credential Assessment Framework Suite (CAF)

Page 39

UTHSC-H Strategic Authentication Goals

• Two authentication mechanisms.
– Single university ID (UID) and password
– Public Key Digital ID on Token (two-factor authentication)

• Digital Signatures
– Authenticates senders
– Guarantees messages are unaltered, i.e. message integrity
– Provides for non-repudiation
– Legal signature

• Encryption of email and other documents
• Highly Secure Access Control
• Potential for inherent global trust

Page 40

Mass Mailing of Signed & Encrypted E-mail

[Diagram: an Automated Mailer works through a Mailing List of recipient addresses, requests each recipient's digital cert. from the LDAP Directory Service, and sends each recipient a signed & encrypted message.]

Page 41

The University of Texas System
STRATEGIC LEADERSHIP COUNCIL

Statement of Direction – Identity Management
April 27, 2004

• LDAP (Lightweight Directory Access Protocol) compliant directory services,
• eduperson schema as promulgated by EDUCAUSE and Internet2,
• utperson schema (to be developed)
• inter-institutional access control utilizing Internet2 Shibboleth, and
• consistent institutional definitions and identity management trust policies for students, faculty, and staff as well as sponsored affiliates.

Page 42

Federated Services – Identity (IdP) & Service Providers (SP)

[Diagram: Identity Providers (IdP): uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu. Service Providers (SP): Resource Provider library.tmc.edu, Blackboard (uth.tmc.edu), GMEIS (uth.tmc.edu). Federation WAYF Service (InCommon). Public Key Infrastructure.]

Page 43

[Diagram: Shibboleth components. Home Organization (IdP): Attribute Authority, Authentication System (ISO/SSO/Cert), Handle Service, RBAC Authorization System – LDAP (eduperson). Federation WAYF Service (InCommon). Service Provider (SP): SHIRE, SHAR, Resource Manager, Web Site; attributes determined by ARP. Browser. Legend: Shib Software = the marked components.]

Page 44

How Does Shibboleth Work?

[Diagram: Shibboleth flow, numbered 1–11, between the Browser, the Federation WAYF (InCommon), the Home University IdP (Handle Service, Authentication System (ISO/SSO/Cert), Attribute Authority, LDAP (eduperson)) and the Resource Provider SP (SHIRE, SHAR, Resource Manager, Web Site; attributes determined by ARP).]

The exchange, in the order shown:

• Who are you and where you come from?
• What is your Organization?
• Your request is forwarded to your Organization Handle Service
• Who are You? Can you login?
• I know who you are. Your request and handle is redirected to Target
• Now I know who you are. What are your user attributes?
• What are the attributes for this user?
• Your attributes are returned to Target
• I am satisfied with the attributes. You are allowed access
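Scenario I (Pages 26–27) and the Shibboleth exchange above, as an added example that is not code from the presentation or from Shibboleth itself: a home IdP authenticates Dr. James, releases only the attributes its ARP allows, and GMEIS decides access from the released eduPerson attributes; when his M.D. Anderson affiliation ends, the IdP stops asserting it and access ends with it. The directory entry, entitlement URN, ARP and entity ids are constructed assumptions.

```python
"""Federated access to GMEIS via IdP-asserted eduPerson attributes (added example).

Simulates the slide's exchange: the home IdP logs the user in, issues an opaque
handle, answers the SP's attribute query through its attribute release policy
(ARP), and GMEIS decides from the released attributes.  Nothing is stored at
UT-Houston for a non-university attending, so departure revokes access on its
own.  Directory entry, entitlement URN, ARP and entity ids are assumptions.
"""
import secrets
from typing import Dict, Optional, Set

# Constructed eduperson-style directory entry at the home organization.
MDANDERSON_DIRECTORY: Dict[str, Dict[str, object]] = {
    "djames": {
        "password": "correct-horse-battery",                    # stands in for the IdP's login system
        "eduPersonAffiliation": {"faculty", "member"},
        "eduPersonEntitlement": {"urn:mace:uth.tmc.edu:gmeis:attending"},
        "homePhone": "713-555-0100",                            # personal data GMEIS has no need for
    }
}

# Attribute release policy: per service provider, which attributes this IdP releases.
ARP: Dict[str, Set[str]] = {
    "gmeis.uth.tmc.edu": {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
}


class IdentityProvider:
    """Handle service plus attribute authority for one home organization."""

    def __init__(self, scope: str, directory: Dict[str, Dict[str, object]], arp: Dict[str, Set[str]]):
        self.scope, self.directory, self.arp = scope, directory, arp
        self._handles: Dict[str, str] = {}   # opaque handle -> uid; the uid itself never leaves the IdP

    def login(self, uid: str, password: str) -> Optional[str]:
        """'Who are you? Can you login?'  Returns an opaque handle, or None on failure."""
        entry = self.directory.get(uid)
        if entry is None or not secrets.compare_digest(str(entry["password"]), password):
            return None
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = uid
        return handle

    def attributes_for(self, handle: str, sp_entity_id: str) -> Dict[str, Set[str]]:
        """'What are the attributes for this user?'  Read live from the directory, filtered by the ARP."""
        uid = self._handles.get(handle)
        entry = self.directory.get(uid) if uid else None
        if entry is None:                 # unknown handle, or the affiliation has since ended
            return {}
        full = {
            "eduPersonScopedAffiliation": {f"{a}@{self.scope}" for a in entry["eduPersonAffiliation"]},
            "eduPersonEntitlement": set(entry["eduPersonEntitlement"]),
            "homePhone": {str(entry["homePhone"])},
        }
        return {k: v for k, v in full.items() if k in self.arp.get(sp_entity_id, set())}


class ServiceProvider:
    """GMEIS as the Shibboleth target: trusts federation IdPs, decides on released attributes."""

    def __init__(self, entity_id: str, trusted_scopes: Set[str], required_entitlement: str):
        self.entity_id, self.trusted_scopes, self.required_entitlement = entity_id, trusted_scopes, required_entitlement

    def authorize(self, idp: IdentityProvider, handle: str) -> bool:
        if idp.scope not in self.trusted_scopes:   # trust is established at the federation level
            return False
        attrs = idp.attributes_for(handle, self.entity_id)
        affiliated = any(a.endswith("@" + idp.scope) for a in attrs.get("eduPersonScopedAffiliation", set()))
        return affiliated and self.required_entitlement in attrs.get("eduPersonEntitlement", set())


def scenario_one() -> Dict[str, object]:
    """Dr. James (M.D. Anderson) reaches GMEIS (UT-Houston), then leaves M.D. Anderson."""
    home = IdentityProvider("mdanderson.org", dict(MDANDERSON_DIRECTORY), ARP)
    gmeis = ServiceProvider("gmeis.uth.tmc.edu", {"uth.tmc.edu", "mdanderson.org"},
                            "urn:mace:uth.tmc.edu:gmeis:attending")
    handle = home.login("djames", "correct-horse-battery")
    assert handle is not None
    result: Dict[str, object] = {
        "bad_password_rejected": home.login("djames", "wrong") is None,
        "released_attributes": set(home.attributes_for(handle, gmeis.entity_id)),   # no homePhone
        "access_while_affiliated": gmeis.authorize(home, handle),                    # True
    }
    home.directory.pop("djames")   # M.D. Anderson's source of authority ends the affiliation
    result["access_after_departure"] = gmeis.authorize(home, handle)                 # False
    return result
```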

Page 45

Lessons Learned

The focus of planning should be on how Identity Management makes life great for people in cyberspace!!! Don’t focus on underlying theory, arcane concepts and minute implementation details. If basic infrastructure is in place along with user applications, people will use it and demand more.

Page 46

What Is Needed To Reach Critical Mass?

• Develop a core group that operationally believes in & understands Identity Management!
• Identity Management basic policies and procedures.
• Identity reconciliation & provisioning systems
• Operational LDAP directory service.
• As many “real” applications as possible!
– Solutions that use signing & encryption.
– Cherished resources PKI and Shibboleth enabled for access.

Page 47

Thank You

Questions ?