Title: Federated Identity Management in Healthcare: What is Needed and What is Feasible
Slide 1: Federated Identity Management in Healthcare: What is Needed and What is Feasible
- 2006 Spring Member Meeting
- April 26, 2006
- Holt Anderson, NCHICA Executive Director
- William Weems, Univ. of Texas Health Science Center at Houston
- Casey Webster, IBM
Slide 2: Session Outline
- Holt Anderson: Background of National HIT Initiatives from ONC
- Casey Webster: Challenges & Approaches in Developing the Nationwide Health Information Network (NHIN) Architecture
- Bill Weems: What is Possible Today!
- Question & Answer Session
Slide 3: Background of National HIT Initiatives from ONC
Slide 4: Health Information Technology Deployment (diagram: Infrastructure; Technology Industry; Privacy / Security; Health IT Adoption)
Slide 5: Standards Harmonization Process
- HHS awarded a contract valued at $3.3 million to the American National Standards Institute, a non-profit organization that administers and coordinates the U.S. voluntary standardization activities, to convene the Health Information Technology Standards Panel (HITSP).
- The HITSP will develop, prototype, and evaluate a harmonization process for achieving a widely accepted and useful set of health IT standards that will support interoperability among health care software applications, particularly EHRs.
Slide 6: Compliance Certification Process
- HHS awarded a contract valued at $2.7 million to the Certification Commission for Health Information Technology (CCHIT) to develop criteria and evaluation processes for certifying EHRs and the infrastructure or network components through which they interoperate.
- CCHIT will be required to submit recommendations for ambulatory EHR certification criteria in December 2005, and to develop an evaluation process for ambulatory health records in January 2006.
- Criteria will include the capabilities of EHRs to protect health information, standards by which EHRs can share health information, and clinical features that improve patient outcomes.
Slide 7: Privacy and Security Solutions
- HHS awarded a contract valued at $11.5 million to RTI International, a private, non-profit corporation, to lead the Health Information Security and Privacy Collaboration (HISPC), a collaboration that includes the National Governors Association (NGA), up to 40 state and territorial governments, and a multi-disciplinary team of experts.
- RTI will oversee the HISPC to assess and develop plans to address variations in organization-level business policies and state laws that affect privacy and security practices and that may pose challenges to interoperable electronic health information exchange while maintaining privacy protections.
Slide 8: Health Information Technology Adoption Initiative
- HHS awarded a contract valued in excess of $1 million to the George Washington University and Massachusetts General Hospital / Harvard Institute for Health Policy to support the Health IT Adoption Initiative.
- The new initiative is aimed at better characterizing and measuring the state of EHR adoption and determining the effectiveness of policies to accelerate adoption of EHRs and interoperability.
- For more information visit http://www.hitadoption.org/
Slide 10: Nationwide Health Information Network (NHIN)
- Contracts have been awarded by HHS totaling $18.6 million to four consortia of health care and health information technology organizations to develop prototypes for the Nationwide Health Information Network (NHIN) architecture.
- The contracts were awarded to Accenture, Computer Sciences Corporation, IBM, and Northrop Grumman, along with their affiliated partners and health care market areas.
- The four consortia will move the nation toward the President's goal of personal electronic health records by creating a uniform architecture for health care information that can follow consumers throughout their lives.
Slide 14: Challenges & Approaches in Developing the Nationwide Health Information Network (NHIN) Architecture
Slide 15: The Nationwide Health Information Network (NHIN) Architecture Prototype Project, Internet2 Spring Member Meeting
Slide 16: Marketplaces
- Fishkill, NY (THINC)
  - Taconic Healthcare Information Network & Communication
  - Hudson Valley evolving RHIO with shared data at HealthVision hub
  - 2,300 physicians supporting 700,000 patients
- Research Triangle, NC (NCHICA)
  - North Carolina Healthcare Information & Communication Affiliates
  - Competitive, high-tech urban environment: UNC, Duke, Wake Forest
- Rockingham County, NC and Danville, VA (NCHICA)
  - North Carolina Healthcare Information & Communication Affiliates
  - Rural environment with NC and VA patients
  - Small, competitive practices and hospitals
Slide 17: Research Triangle Marketplace (map)
Slide 18: Rockingham Co., NC / Danville, VA Marketplace (map)
Slide 19: Architecture Guiding Principles
- Community-Centric
  - Document repositories normalize and store clinical data within a community
  - Can be hosted by individual hospitals/practices and/or shared within the community
  - Community hub provides MPI, document locator, security and support services
  - The community hub is the gateway to other communities
- Drive and conform to standards
  - Instantiation of IHE interoperability framework (XDS, PIX/PDQ, ATNA, CT profiles)
  - Clinical events stored as HL7 CDA (r2)-compliant documents
  - Java/J2EE implementation is hardware and software vendor agnostic
  - Proven Internet protocols for authentication, authorization, and security
- Provide security & privacy without sacrificing usability or research value
  - Anonymous/pseudonymous data that can be re-identified as needed/permitted
  - Supports other data aggregates (registries, biosurveillance, outcomes analysis)
- Practical
  - Scalable and cost-effective at every level of practice
  - Point-of-care performance is critical to adoption
Slide 20: Architecture: Community Architecture (diagram by IBM Business Consulting Services; components include an Integration Engine or Data Source)
Slide 21: Architecture: Cross-Community Interaction
- All cross-community interactions are brokered through the NHIN interface, using other community services as needed
- Authentication and authority use a federated model, with trust relationships established at the NHIN level
- Cross-community patient lookup is based on demographic matching
  - Identity is established by matching demographic data between the local and remote PDQ databases, with a conservative threshold
  - IBM Research is working on open issues such as patient mobility, multi-resident patients (snowbirds), directed searches, and undirected bounded searches
- Once a positive patient match is obtained, document search and retrieval is identical to the intra-community model
Slide 22: Acronyms (NHIN Architecture Prototype Introduction)
- IHE (Integrating the Healthcare Enterprise) Profiles
  - XDS: Cross-Enterprise Document Sharing. Supports saving, registering, querying and retrieving documents across enterprises but within an administrative domain
  - PIX: Patient Identifier Cross-referencing. Supports cross-referencing of patient identifiers across domains
  - PDQ: Patient Demographics Query. Supports query for patients given a minimal set of demographic criteria (e.g. ID or partial name), returning all the demographics and a patient identifier within a domain
  - ATNA: Audit Trail and Node Authentication. Supports auditing and secure communications
  - CT: Consistent Time. Supports consistent time across multiple systems
- J2EE: Java 2 Enterprise Edition. Sun's Java-based framework for developing and deploying complex, scalable business solutions in a standardized manner, leveraging the following technologies:
  - JDBC: Java Database Connectivity. A vendor-neutral means of accessing relational data from within a Java/J2EE application. Note that the data itself does not necessarily have to be stored in a relational database.
  - EJB: Enterprise JavaBeans. JavaBeans are reusable components within the J2EE architecture
  - JMS: Java Messaging Service. A vendor-neutral means of accessing message queuing systems (e.g. MQ Series) from within a Java/J2EE application
Slide 23: What is Possible Today!
Slide 24: University of Texas Health Science Center at Houston (UTHSC-H)
- Six Schools
  - Graduate School of Biomedical Sciences
  - Dental School
  - Medical School
  - Nursing School
  - School of Health Information Sciences
  - School of Public Health
- 10,000 Students, Faculty and Staff
Slide 25: Texas Medical Center (www.tmc.edu)
- Forty-One Institutions on 740 Acres
- Approximately 65,000 Employees
- Seven Large Hospitals
  - 6,176 Licensed Beds, 334 Bassinets
  - 5.2 Million Patient Visits in 2004
- Baylor College of Medicine
- Rice University
- Texas A&M Institution of Biotechnology
- University of Texas Health Science Center at Houston
- University of Texas M.D. Anderson Cancer Center
Slide 26: Scenario I
- UT-Houston Residency Programs have some attending physicians who are non-university personnel, e.g. from M.D. Anderson or Baylor
- Dr. James at M.D. Anderson is to be an attending physician in the UT-Houston Internal Medicine Residency Program.
- The on-line Graduate Medical Education Information System (GMEIS) contains confidential and sensitive information, including HIPAA data.
- Dr. James needs access to GMEIS.
- How is Dr. James' identity verified, authenticated and authorized to have access as an attending physician?
- If Dr. James suddenly leaves M.D. Anderson, is his access to the UT-Houston Residency Program immediately abolished?
Slide 27: Scenario I - Problems
- Dr. James has no digital credentials.
- U.T. Houston policy requires that a responsible party at U.T. Houston assume responsibility for Dr. James and sponsor him as a guest.
- Dr. James must appear before a Local Registration Administration Agent (LRAA) to have his identity verified and be credentialed.
  - This does not verify his status with M.D. Anderson.
- If Dr. James leaves M.D. Anderson, there is no automatic process in place to revoke his access rights.
Slide 28: Ideally, individuals would each like a single digital credential that can be securely used to authenticate his or her identity anytime authentication of identity is required to secure any transaction.
Slide 29: Identity Vetting & Credentialing (diagram: Person; Identity Provider (IdP) uth.tmc.edu; Permanent Identity Database)
Slide 30: UTHSC-H, An Identity Provider (IdP)
It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.
Slide 31: Two Categories of Identity
- Physical Identity, which is bound to an Assigned Identifier and used for Authentication:
  - Facial picture
  - Fingerprints
  - DNA sample
- Identity Attributes, used as Authorization Attributes:
  - Common name
  - Address
  - Institutional affiliations, e.g. faculty, student, staff, contractor
  - Specific group memberships
  - Roles
  - Etc.
Slide 32: UTHSC-H Identity Management System (diagram)
- Sources of record: HRMS, SIS, GMEIS, Guest MS, UTP
- Identity Reconciliation & Provisioning Processes feeding the Person Registry (INDIS)
- Authoritative Enterprise Directories (OAC7, OAC47)
- User Administration Tools: Attribute Management, Sync, Change Password
- Services: Authentication Service, Authorization Service
- Secondary Directories
Slide 33: Source of Authority (SOA) Responsibilities
An organizational entity officially responsible for identifying individuals having explicitly defined affiliations with the university constitutes a source of authority (SOA). The SOA is responsible for:
- Identifying an individual,
- Maintaining the appropriate records that define a person's affiliation,
- Providing others with information about the specifics of an affiliation, and
- Determining if an affiliation is currently active or inactive, i.e. whether a person can be credentialed
Slide 34: Person Registry
- Identity Reconciliation
  - Unique Identifiers Generated by Source of Record
    - SSN If Available (HRMS, GMEIS, UTP, Guest, SIS)
    - Student ID
    - Employee Number (HRMS)
  - Full Name: First, Middle, Last
  - Birth Information: Date of Birth, City of Birth, Country of Birth
  - Gender
- UUID: An everlasting unique identifier
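The reconciliation step described on this slide (and the conservative demographic matching of slide 21) can be shown in a small registry model. This is an added example, not code from UTHSC-H or the NHIN prototype: the feeds, field weights and threshold are constructed assumptions; a shared SSN is decisive, a conflicting SSN vetoes a match, and an ambiguous match is held for review rather than auto-linked.

```python
import uuid

# Constructed sample feeds, one record per source of record named on the slide.
RECORDS = [
    {"source": "HRMS", "ssn": "123-45-6789", "first": "Mary", "last": "Jones",
     "dob": "1970-03-04", "city": "Austin", "country": "US", "gender": "F"},
    {"source": "SIS", "ssn": None, "first": "Mary", "last": "Jones",
     "dob": "1970-03-04", "city": "Austin", "country": "US", "gender": "F"},
    {"source": "GMEIS", "ssn": "123-45-6789", "first": "M.", "last": "Jones",
     "dob": "1970-03-04", "city": "Austin", "country": "US", "gender": "F"},
    {"source": "Guest", "ssn": None, "first": "Mary", "last": "Jones",
     "dob": "1971-03-04", "city": "Dallas", "country": "US", "gender": "F"},
]

def norm(value):
    return (value or "").strip().lower().rstrip(".")

def score(a, b):
    """Similarity of two records. A shared SSN is decisive, a conflicting
    SSN is a veto; otherwise weighted demographic agreement (max 6.0)."""
    if a["ssn"] and b["ssn"]:
        return 10.0 if a["ssn"] == b["ssn"] else 0.0
    fa, fb = norm(a["first"]), norm(b["first"])
    return sum([
        1.0 if norm(a["last"]) == norm(b["last"]) else 0.0,
        1.0 if fa == fb else (0.5 if fa and fb and fa[0] == fb[0] else 0.0),
        2.0 if a["dob"] == b["dob"] else 0.0,           # birth date weighs most
        1.0 if norm(a["city"]) == norm(b["city"]) else 0.0,
        0.5 if norm(a["country"]) == norm(b["country"]) else 0.0,
        0.5 if norm(a["gender"]) == norm(b["gender"]) else 0.0,
    ])

def reconcile(records, threshold=5.5):
    """Link each source record to one registry person or create a new one.
    Exactly one person at or above the threshold -> link; none -> new person
    with a fresh UUID; several -> hold for manual review instead of guessing."""
    registry, review = [], []
    for rec in records:
        hits = [p for p in registry
                if any(score(rec, r) >= threshold for r in p["records"])]
        if len(hits) == 1:
            hits[0]["records"].append(rec)
            hits[0]["sources"].append(rec["source"])
        elif not hits:
            registry.append({"uuid": str(uuid.uuid4()),   # everlasting identifier
                             "records": [rec], "sources": [rec["source"]]})
        else:
            review.append(rec)
    return registry, review
```

With the sample feeds, HRMS, SIS and GMEIS collapse to one person and the Guest record (different birth date and city) becomes a second person instead of being merged.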
Slide 35: Issuing a Digital Credential
- Individual appears before an Identity Provider (IdP) which accepts the responsibility to:
  - positively determine and catalog a person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample),
  - assign a unique, everlasting digital identifier to each person identified,
  - issue each identified person a digital credential that can only be used by that person to authenticate his or her identity,
  - maintain a defined affiliation with each individual whereby the validity of the digital credential is renewed at specified intervals.
Slide 36: Identity Vetting & Credentialing: UTHSC-H Two-Factor Authentication (diagram: Person; Identity Provider (IdP) uth.tmc.edu; Permanent Identity Database; IdP Obtains Physical Characteristics; Assigns Everlasting Identifier; Issues Digital Credential; Identifier and Digital Credential Permanently Bound; Person-Only Activation)
Slide 37: Identity Vetting & Credentialing: UTHSC-H Username/Password Authentication (diagram: same flow as Slide 36, with Person-Only Activation Using Network Username and Password)
Slide 38: Federal E-Authentication Initiative (http://www.cio.gov/eauthentication/)
- Levels of assurance (Different Requirements)
  - Level 1: e.g. no identity vetting
  - Level 2: e.g. specific identity vetting requirements
  - Level 3: e.g. cryptographic tokens required
  - Level 4: e.g. cryptographic hard tokens required
- Credential Assessment Framework Suite (CAF)
Slide 39: UTHSC-H Strategic Authentication Goals
- Two authentication mechanisms:
  - Single university ID (UID) and password
  - Public Key Digital ID on Token (two-factor authentication)
    - Digital Signatures
      - Authenticates senders
      - Guarantees messages are unaltered, i.e. message integrity
      - Provides for non-repudiation
      - Legal signature
    - Encryption of email and other documents
    - Highly Secure Access Control
    - Potential for inherent global trust
Slide 40: Mass Mailing of Signed & Encrypted E-mail
Slide 41: The University of Texas System, Strategic Leadership Council, Statement of Direction: Identity Management (April 27, 2004)
- LDAP (Lightweight Directory Access Protocol) compliant directory services,
- eduPerson schema as promulgated by EDUCAUSE and Internet2,
- utperson schema (to be developed),
- inter-institutional access control utilizing Internet2 Shibboleth, and
- consistent institutional definitions and identity management trust policies for students, faculty, and staff as well as sponsored affiliates.
Slide 42: Federated Services: Identity Providers (IdP) & Service Providers (SP) (diagram)
- Identity Providers (IdP): uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu
- Service Providers (SP): Resource Provider library.tmc.edu, GMEIS uth.tmc.edu, Blackboard uth.tmc.edu
- Federation WAYF Service (InCommon) and Public Key Infrastructure
Slide 43: Home Organization and Service Provider (diagram)
- Home Organization (IdP): Authentication System (ISO/SSO/Cert), Handle Service, Attribute Authority, RBAC Authorization System, LDAP (eduPerson)
- Federation WAYF Service (InCommon)
- Service Provider (SP): SHIRE, SHAR, Resource Manager, Web Site; attributes determined by ARP
- Browser, Shib Software
Slide 44: How Does Shibboleth Work? (diagram: Browser, Home University IdP with Authentication System (ISO/SSO/Cert), Handle Service, Attribute Authority and LDAP (eduPerson); Federation WAYF (InCommon); Resource Provider SP with SHIRE, SHAR, Resource Manager and Web Site; attributes determined by ARP). The messages in the flow, in order:
1. Resource Provider to Browser: "Who are you and where do you come from?"
2. WAYF (InCommon): "What is your Organization?"
3. Your request is forwarded to your Organization's Handle Service
4. Authentication System: "Who are you? Can you login?"
5. Handle Service: "Now I know who you are. What are your user attributes?"
6. "I know who you are. Your request and handle are redirected to Target"
7. SHAR to Attribute Authority: "What are the attributes for this user?"
8. Attributes determined by ARP (from LDAP, eduPerson)
9. "Your attributes are returned to Target"
10. Resource Manager: "I am satisfied with the attributes. You are allowed access"
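The handle and attribute exchange above, applied to Scenario I (slides 26 and 27), as an added example that is not Shibboleth code or anything from the deck: the IdP, its user record, the ARP and the SP's RBAC rule are constructed assumptions. The point it shows is that the SP never sees a username or password, only an opaque one-time handle and the attributes the ARP releases, so when the home organization stops asserting Dr. James' affiliation his access ends with no change at the SP.

```python
import secrets

class IdentityProvider:
    """Home organization: Handle Service plus Attribute Authority (constructed data)."""
    def __init__(self, domain, users, arp):
        self.domain, self.users, self.arp = domain, users, arp
        self.handles = {}                     # opaque handle -> username

    def login(self, username, password):      # Handle Service: "Who are you? Can you login?"
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        handle = secrets.token_hex(16)        # reveals nothing about the person
        self.handles[handle] = username
        return handle

    def attributes(self, handle, sp_name):    # Attribute Authority, filtered by the ARP
        username = self.handles.pop(handle, None)   # a handle is good for one lookup
        if username is None:
            return {}
        released = self.arp.get(sp_name, [])  # which attributes this SP may see
        return {k: v for k, v in self.users[username]["attributes"].items()
                if k in released}

class ServiceProvider:
    """Resource provider: SHIRE/SHAR handle exchange plus an RBAC resource manager."""
    def __init__(self, name, federation, required_affiliations):
        self.name, self.federation, self.required = name, federation, required_affiliations
    def access(self, home_org, handle):
        idp = self.federation.get(home_org)   # WAYF: only federation members are trusted
        if idp is None:
            return "denied: unknown organization"
        attrs = idp.attributes(handle, self.name)
        if set(attrs.get("eduPersonAffiliation", [])) & self.required:
            return "allowed"
        return "denied: insufficient attributes"

def scenario_one():
    """Dr. James (constructed account at mdanderson.org) reaches GMEIS via his home IdP."""
    mda = IdentityProvider("mdanderson.org",
        users={"james": {"password": "pw", "attributes": {
            "eduPersonAffiliation": ["faculty"], "mail": "james@mdanderson.org"}}},
        arp={"gmeis.uth.tmc.edu": ["eduPersonAffiliation"]})   # mail is never released
    gmeis = ServiceProvider("gmeis.uth.tmc.edu", {"mdanderson.org": mda}, {"faculty"})
    first = gmeis.access("mdanderson.org", mda.login("james", "pw"))
    bad_pw = gmeis.access("mdanderson.org", mda.login("james", "wrong"))
    mda.users["james"]["attributes"]["eduPersonAffiliation"] = []  # he leaves M.D. Anderson
    after = gmeis.access("mdanderson.org", mda.login("james", "pw"))
    return [first, bad_pw, after]
```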
Slide 45: Lessons Learned
The focus of planning should be on how Identity Management makes life great for people in cyberspace!!! Don't focus on underlying theory, arcane concepts and minute implementation details. If basic infrastructure is in place along with user applications, people will use it and demand more.
Slide 46: What Is Needed To Reach Critical Mass?
- Develop a core group that operationally believes in and understands Identity Management!
- Identity Management basic policies and procedures.
- Identity reconciliation and provisioning systems
- Operational LDAP directory service.
- As many real applications as possible!
- Solutions that use signing and encryption.
- Cherished resources PKI- and Shibboleth-enabled for access.
Slide 47: Thank You. Questions?