Consultancy Infrastructure Requirements for Fast, Reliable and Secure HL7 V3 Messaging Andrew Hinchley CPL Consulting


Page 2:

UK direction

• HL7 V3 offers many options as to how the supporting network and security infrastructure is implemented

• HL7 V3 Infrastructure ballot offers a rich set of options for implementing message wrappers and related support messages

• This is a brief review of the directions that the NHS is taking in supporting HL7 V3 for ICRS messaging

Page 3:

Caveats – NPfIT development

• In a number of areas, NPfIT decisions depend on the results of contractual negotiations which are still under way

• In others, decisions have yet to be taken with the immediate focus being on completing what is needed to specify and develop the Electronic Booking Service for mid-2004

Page 4:

General Principles in networking and security area

• Supply a set of network services able to be used for a variety of purposes including messaging

• Implement security infrastructure that provides protection against threats to a variety of communication flows

Page 5:

General status - December 2003

• Much of the detailed solution has been specified by each short-listed NASP against the NHS stated requirements

• Selection of the NASP in December will trigger the implementation of the selected NASP’s solutions

Page 6:

Security Approach

• ICRS focuses on high level security mechanisms to counter risks
  – Pseudonymisation for Secondary Uses
  – Legitimate Relationships and Sealed envelopes
  – Role Based Access Control

• ICRS security solutions for the underlying network can then use standard components
  – Retain NHS private network with NHS access controls and Code of Connection
  – Where necessary use link encryption or VPN encryption as appropriate

Page 7:

Security Approach

• For the purposes of this talk, Legitimate Relationships and Sealed envelopes do not impact messages or the network

• Role Based Access Control may impact messaging if/when authorisation meta-data needs to be carried with the message

• For initial ICRS applications this is not yet found to be necessary

Page 8:

Role-based Access Control

• In an organisation with as many staff as the NHS, authorised access to clinical information on a “need-to-know” basis is seen as a key requirement

• Need to provide methods whereby access can be checked and authorised before access is granted

• A successful universal approach can be used for many types of access including GUI and message-based access

Page 9:

Role-based Access Control (RBAC)

• RBAC requires up-to-date accurate directories of staff

• Need to tie into NHS initiatives to build staff directories

• Issues
  – How many access roles need to be defined?
  – Business functions can be classified in a way which helps define which roles should be granted access

Page 10:

Role-based Access Control: healthcare experiences elsewhere

• Some implementation experience from US

• Recent proposals from Veterans Administration – to be presented to HL7 at next WGM
  – Likely to include specific proposals for including authorisation information in message wrappers

Page 11:

Network Infrastructure

• Retain and strengthen dedicated network as NHSnet comes up for replacement – revised N3

• Consider applying encryption close to network: link SSL

• Increasing focus by Cabinet Office on robustness of key national resources: CNI - Critical National Infrastructure, which includes health. Pressure to enhance network integrity and security from perspective of risks to CNI

• Specific to Messaging: Need for specific HL7 V3 message transport specifications

Page 12:

[Diagram. Labels: Application Domain A and Application Domain B, each with a Messaging client and a Network client; Message Relay; NASP/LSP services; SOAP; Application Domain Security Services: Role-based Access Control; "No Security Services at this level"; NHSNET/N3.]

Page 13:

Message Routing

• The message wrapper provides a permanent envelope for the message throughout this transit

• Messages will be forwarded through relays which need to be able to use the V3 wrapper to apply forward routing as needed

• V3 messages may need to be carried over a number of different transport protocols between source and destination

Page 14:

Message transport services

• In line with the general ICRS approach to communications infrastructure: services designed to support a number of requirements including messaging

• Web Services is a potentially attractive general solution:
  – Define message transport services based on SOAP
  – In HL7 Microsoft have submitted drafts which include use of WSDL

Page 15:

Web Services Architecture

• Metadata: WSDL, Policy

• XML and SOAP: XSD, XPath, …

• Messaging: WS-Addressing, …

• Transactions: WS-Transactions, WS-Coordination

• Security: WS-Security, Secure Conversation, Trust, …

• Reliable Messaging

• Network Transports: HTTP, TCP, UDP, …

Page 16:

Web Services transport

• Reliable Delivery Service not yet stable

• Link encryption adequate for now. Do not require WS-Security

• WSDL preferred by companies such as Microsoft to standardise stub software

• SOAP wrapper may need to duplicate some of the information in the V3 wrapper

Page 17:

Application acknowledgements

• HL7 V3 messaging should not have to rely completely on the network for reliable delivery

• HL7 V3 defines an end-to-end application acknowledgement and this is being used in NPfIT applications.

• Messaging is then a true end-to-end service, an independent service layer in the network stack

Page 18:

Requirements for message-based authentication or encryption?

• Current NPfIT plans do not include requirements for either of these:
  – Messages pass between trusted NHS Organisations. There is no requirement therefore for authentication information to be carried in the message
  – Where necessary, link-level encryption can be used to protect messages in transit between NHS Organisations
  – Within an NHS Organisation any protection requirements are addressed by a local assessment of risks

Page 19:

TMS - Transaction and Messaging Service

• Over time the ICRS TMS will provide an increasing level of functionality
  – TMS provides additional routing intelligence over that of a standard message relay
  – TMS may create message copies, for instance to allow copies of clinical reports to be stored in the spine
  – TMS will have the capability of splitting or recombining messages in future applications as/when these functions are found useful

Page 20:

Summary (1)

• N3 replacement needs fewer functions than existing network
  – Focus on high integrity
  – High speed
  – High availability
  – Network Code of Conduct
  – Level 3 eGIF dial-up access
  – Interconnects with LSPs

Page 21:

Summary (2)

• Underlying network does not need specific messaging capabilities

• NASP/LSPs manage messaging layers together

• Security focus is high level, protecting access to assets on need-to-know basis