Federated Identity Management in Healthcare: What is Needed and What is Feasible - PowerPoint PPT Presentation

1
Federated Identity Management in Healthcare: What
is Needed and What is Feasible
  • 2006 Spring Member Meeting
  • April 26, 2006
  • Holt Anderson, NCHICA Executive Director
  • William Weems, Univ. of Texas Health Science
    Center at Houston
  • Casey Webster, IBM

2
Session Outline
  • Holt Anderson
  • Background of National HIT Initiatives from ONC
  • Casey Webster
  • Challenges & Approaches in Developing the
    Nationwide Health Information Network (NHIN)
    Architecture
  • Bill Weems
  • What is Possible Today!
  • Question & Answer Session

3
Background of National HIT Initiatives from ONC
  • Holt Anderson

4
Health Information Technology Deployment
(Diagram: Infrastructure, Technology Industry, Privacy / Security, Health IT Adoption)
5
Standards Harmonization Process
  • HHS awarded a contract valued at $3.3 million to
    the American National Standards Institute, a
    non-profit organization that administers and
    coordinates the U.S. voluntary standardization
    activities, to convene the Health Information
    Technology Standards Panel (HITSP).
  • The HITSP will develop, prototype, and evaluate a
    harmonization process for achieving a widely
    accepted and useful set of health IT standards
    that will support interoperability among health
    care software applications, particularly EHRs.

6
Compliance Certification Process
  • HHS awarded a contract valued at $2.7 million to
    the Certification Commission for Health
    Information Technology (CCHIT) to develop
    criteria and evaluation processes for certifying
    EHRs and the infrastructure or network components
    through which they interoperate.
  • CCHIT will be required to submit recommendations
    for ambulatory EHR certification criteria in
    December 2005, and to develop an evaluation
    process for ambulatory health records in January
    2006.
  • Criteria will include the capabilities of EHRs to
    protect health information, standards by which
    EHRs can share health information and clinical
    features that improve patient outcomes.

7
Privacy and Security Solutions
  • HHS awarded a contract valued at $11.5 million to
    RTI International, a private, non-profit
    corporation, to lead the Health Information
    Security and Privacy Collaboration (HISPC), a
    collaboration that includes the National
    Governors Association (NGA), up to 40 state and
    territorial governments, and a multi-disciplinary
    team of experts. 
  • RTI will oversee the HISPC to assess and develop
    plans to address variations in organization-level
    business policies and state laws that affect
    privacy and security practices that may pose
    challenges to interoperable electronic health
    information exchange while maintaining privacy
    protections.

8
Health Information Technology Adoption Initiative
  • HHS awarded a contract valued in excess of $1
    million to the George Washington University and
    Massachusetts General Hospital Harvard Institute
    for Health Policy to support the Health IT
    Adoption Initiative.  
  • The new initiative is aimed at better
    characterizing and measuring the state of EHR
    adoption and determining the effectiveness of
    policies to accelerate adoption of EHRs and
    interoperability.
  • For more information visit
    http://www.hitadoption.org/

9
Health Information Technology Deployment
(Diagram repeated from slide 4.)
10
Nationwide Health Information Network (NHIN)
  • Contracts have been awarded by HHS totaling $18.6
    million to four consortia of health care and
    health information technology organizations to
    develop prototypes for the Nationwide Health
    Information Network (NHIN) architecture.
  • The contracts were awarded to Accenture,
    Computer Sciences Corporation, IBM, and Northrop
    Grumman, along with their affiliated partners
    and health care market areas.
  • The four consortia will move the nation toward
    the President's goal of personal electronic
    health records by creating a uniform architecture
    for health care information that can follow
    consumers throughout their lives.

11
Health Information Technology Deployment
(Diagram repeated from slide 4.)
12
Health Information Technology Deployment
(Diagram repeated from slide 4.)
13
Health Information Technology Deployment
(Diagram repeated from slide 4.)
14
Challenges & Approaches in Developing the
Nationwide Health Information Network (NHIN)
Architecture
  • Casey Webster

15
The Nationwide Health Information Network (NHIN)
Architecture Prototype Project Internet2 Spring
Member Meeting
  • April 26, 2006

16
Marketplaces
  • Fishkill, NY (THINC)
  • Taconic Healthcare Information Network &
    Communication
  • Hudson Valley evolving RHIO w/ shared data at
    HealthVision hub
  • 2,300 physicians supporting 700,000 patients
  • Research Triangle, NC (NCHICA)
  • (North Carolina Healthcare Information &
    Communication Affiliates)
  • Competitive, high-tech urban environment: UNC,
    Duke, Wake Forest
  • Rockingham County, NC and Danville, VA (NCHICA)
  • (North Carolina Healthcare Information &
    Communication Affiliates)
  • Rural environment with NC and VA patients
  • Small, competitive practices and hospitals

17
Research Triangle Marketplace
18
Rockingham Co., NC / Danville, VA Marketplace
19
Architecture Guiding Principles
  • Community-Centric
  • Document repositories normalize and store
    clinical data within a community
  • Can be hosted by individual hospitals/practices
    and/or shared within the community
  • Community hub provides MPI, document locator,
    security and support services
  • The community hub is the gateway to other
    communities
  • Drive and conform to standards
  • Instantiation of IHE interoperability framework
    (XDS, PIX/PDQ, ATNA & CT profiles)
  • Clinical events stored as HL7 CDA(r2)-compliant
    documents
  • Java/J2EE implementation is hardware & software
    vendor agnostic
  • Proven Internet protocols for authentication,
    authorization, and security
  • Provide security & privacy w/o sacrificing
    usability or research value
  • Anonymous/pseudonymous data that can be
    re-identified as needed/permitted
  • Supports other data aggregates (registries,
    biosurveillance, outcomes analysis)
  • Practical
  • Scalable and cost-effective at every level of
    practice
  • Point-of-care performance is critical to adoption

20
Architecture: Community Architecture
(Diagram, IBM Business Consulting Services: Integration Engine or Data Source)
21
Architecture: Cross-Community Interaction
  • All cross-community interactions are brokered
    through the NHIN interface, using other community
    services as needed
  • Authentication and authorization use a federated
    model, with trust relationships established at
    the NHIN level
  • Cross-community patient lookup is based on
    demographic matching
  • Identity is established by matching demographic
    data between the local and remote PDQ databases,
    with a conservative threshold
  • IBM research is working on open issues such as
    patient mobility, multi-resident patients
    (snowbirds), directed searches, and undirected
    bounded searches
  • Once a positive patient match is obtained,
    document search and retrieval is identical to the
    intra-community model

22
Acronyms
NHIN Architecture Prototype Introduction
  • IHE (Integrating the Healthcare Enterprise)
    Profiles
  • XDS - Cross-Enterprise Document Sharing
  • Supports saving, registering, querying and
    retrieving documents across enterprises but
    within an administrative domain
  • PIX - Patient Identifier Cross-referencing
  • Supports cross referencing of patient identifiers
    across domains
  • PDQ - Patient Demographics Query
  • Supports query for patients given a minimal set
    of demographic criteria (e.g. ID or partial name),
    returning all the demographics and a patient
    identifier within a domain
  • ATNA - Audit Trail and Node Authentication
  • Supports auditing and secure communications
  • CT - Consistent Time
  • Supports consistent time across multiple systems
  • J2EE - Java 2 Enterprise Edition
  • Sun's Java-based framework for developing and
    deploying complex, scalable business solutions in
    a standardized manner, leveraging the following
    technologies:
  • JDBC - Java Database Connectivity
  • A vendor-neutral means of accessing relational
    data from within a Java/J2EE application. Note
    that the data itself does not necessarily have to
    be stored in a relational database.
  • EJB - Enterprise JavaBeans
  • JavaBeans are reusable components within the J2EE
    architecture
  • JMS - Java Messaging Service
  • A vendor-neutral means of accessing message
    queuing systems (e.g., MQ Series) from within a
    Java/J2EE application

23
What is Possible Today!
  • Bill Weems

24
University of Texas Health Science Center at
Houston (UTHSC-H)
  • Six Schools
  • Graduate School of Biomedical Sciences
  • Dental School
  • Medical School
  • Nursing School
  • School of Health Information Sciences
  • School of Public Health
  • 10,000 Students, Faculty and Staff

25
Texas Medical Center (www.tmc.edu)
  • Forty One Institutions on 740 Acres
  • Approximately 65,000 Employees
  • Seven Large Hospitals
  • 6,176 Licensed Beds & 334 Bassinets
  • 5.2 Million Patient Visits in 2004
  • Baylor College of Medicine
  • Rice University
  • Texas A&M Institution of Biotechnology
  • University of Texas Health Science Center at
    Houston
  • University of Texas M.D. Anderson Cancer Center

26
Scenario I
  • UT-Houston Residency Programs have some attending
    physicians that are non-university personnel,
    e.g. M.D. Anderson & Baylor
  • Dr. James at M.D. Anderson is to be an attending
    physician in the UT-Houston Internal Medicine
    Residency Program.
  • On-line Graduate Medical Education Information
    System (GMEIS) contains confidential and
    sensitive information - including HIPAA data.
  • Dr. James needs access to GMEIS.
  • How is Dr. James' identity verified,
    authenticated and authorized to have access as an
    attending physician?
  • If Dr. James suddenly leaves M.D. Anderson, is
    his access to UT-Houston Residency Program
    immediately abolished?

27
Scenario I - Problems
  • Dr. James has no digital credentials.
  • U.T. Houston policy requires that a responsible
    party at U. T. Houston assume responsibility for
    Dr. James and sponsor him as a guest.
  • Dr. James must appear before a Local Registration
    Administration Agent (LRAA) to have his identity
    verified and be credentialed.
  • Does not verify his status with M.D. Anderson.
  • If Dr. James leaves M.D. Anderson, there is no
    automatic process in place to revoke his access
    rights.

28
Ideally,  individuals would each like a single
digital credential that can be securely used to
authenticate his or her identity anytime
authentication of identity is required to secure
any transaction.
29
Identity Vetting & Credentialing
(Diagram: Identity Provider (IdP) uth.tmc.edu, Permanent Identity Database, Person)
30
UTHSC-H An Identity Provider (IdP)
It is critical to recognize that the university
functions as an identity provider (IdP) in
that UTHSC-H provides individuals with digital
credentials that consist of an identifier and an
authenticator. As an IdP, the university assumes
specific responsibilities and liabilities.
31
Two Categories of Identity
  • Physical Identity & Assigned Identifier -
    Authentication
  • Facial picture,
  • Fingerprints
  • DNA sample
  • Identity Attributes & Authorization Attributes
  • Common name,
  • Address,
  • Institutional affiliations - e.g. faculty,
    student, staff, contractor,
  • Specific group memberships,
  • Roles,
  • Etc.

32
UTHSC-H Identity Management System
(Diagram components: sources of record HRMS, SIS, GMEIS, Guest MS and UTP; Identity Reconciliation & Provisioning Processes; Person Registry; INDIS; Authoritative Enterprise Directories OAC7 and OAC47; User Administration Tools; Attribute Management; Sync; Authentication Service; Authorization Service; Change Password; Secondary Directories.)
33
Source of Authority (SOA) Responsibilities
An organizational entity officially responsible
for identifying individuals having explicitly
defined affiliations with the university
constitutes a source of authority (SOA). The
SOA is responsible for
  • Identifying an individual,
  • Maintaining the appropriate records that define a
    person's affiliation,
  • Providing others with information about the
    specifics of an affiliation and,
  • Determining if an affiliation is currently active
    or inactive, i.e. whether a person can be credentialed.

34
Person Registry
  • Identity Reconciliation
  • Unique Identifiers Generated by Source of Record
  • SSN If Available (HRMS, GMEIS, UTP, Guest, SIS)
  • Student ID,
  • Employee Number - HRMS
  • Full Name
  • First, Middle, Last
  • Birth Information
  • Date of Birth,
  • City of Birth,
  • Country of Birth
  • Gender
  • UUID - An everlasting unique identifier
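
The conservative matching threshold described for cross-community patient lookup (slide 21) and the person-registry reconciliation above share one rule: link records only on evidence that cannot plausibly point at two different people. The following is an added example, not code from the presentation or from UTHSC-H's system; the field names and the rule that a shared SSN, employee number or student ID links a record unless its demographics contradict the registry entry are assumptions made here.

```python
"""Identity reconciliation for a person registry (constructed example).

Records from several systems of record (HRMS, SIS, GMEIS, guest management)
are linked to one everlasting UUID under a conservative threshold: a record
links only on a shared strong identifier (SSN, employee number, student ID)
whose demographics do not contradict the registry entry, or on an exact
match of every demographic field.  Anything ambiguous is parked for a
registrar instead of being merged.
"""
import uuid
from dataclasses import dataclass, field

STRONG_IDS = ("ssn", "employee_number", "student_id")
DEMOGRAPHICS = ("first", "middle", "last", "dob",
                "city_of_birth", "country_of_birth", "gender")

def norm(value):
    """Normalise whitespace and case so formatting alone never splits a person."""
    return " ".join(str(value).split()).casefold() if value else ""

def same(a, b, key):
    """True when record a carries the field and b holds the same value."""
    return bool(norm(a.get(key))) and norm(a.get(key)) == norm(b.get(key))

def contradicts(a, b):
    """True when a demographic field is populated on both sides and differs."""
    return any(norm(a.get(k)) and norm(b.get(k)) and norm(a.get(k)) != norm(b.get(k))
               for k in DEMOGRAPHICS)

@dataclass
class PersonRegistry:
    persons: dict = field(default_factory=dict)  # uuid -> merged attributes
    parked: list = field(default_factory=list)   # (source, record) awaiting manual review

    def reconcile(self, record, source):
        """Link a source record to a UUID; return None if it was parked."""
        strong = [u for u, p in self.persons.items()
                  if any(same(record, p, k) for k in STRONG_IDS)]
        if len(strong) > 1 or any(contradicts(record, self.persons[u]) for u in strong):
            self.parked.append((source, record))  # shared ID but conflicting person data
            return None
        demo = [u for u, p in self.persons.items()
                if all(same(record, p, k) for k in DEMOGRAPHICS)]
        candidates = strong or demo
        if len(candidates) > 1:
            self.parked.append((source, record))  # two entries fit: never auto-merge
            return None
        person_id = candidates[0] if candidates else str(uuid.uuid4())  # everlasting
        person = self.persons.setdefault(person_id, {"sources": set()})
        person.update({k: v for k, v in record.items() if v})
        person["sources"].add(source)
        return person_id
```

A guest record that carries only a name and date of birth is deliberately not merged into an existing entry, since partial demographics are exactly the evidence that collides across different people.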

35
Issuing a Digital Credential
  • Individual appears before an Identity Provider
    (IdP) which accepts the responsibility to
  • positively determine and catalog a person's
    uniquely identifying physical characteristics
    (e.g. picture, two fingerprints, DNA sample),
  • assign a unique, everlasting digital identifier
    to each person identified,
  • issue each identified person a digital credential
    that can only be used by that person to
    authenticate his or her identity,
  • maintain a defined affiliation with each
    individual whereby the validity of the digital
    credential is renewed at specified intervals.

36
Identity Vetting & Credentialing: UTHSC-H Two-
Factor Authentication
(Diagram: the Identity Provider (IdP) uth.tmc.edu, backed by the Permanent Identity Database, obtains the person's physical characteristics, assigns an everlasting identifier and issues a digital credential; identifier and credential are permanently bound to the person, and the credential can be activated only by that person.)
37
Identity Vetting & Credentialing: UTHSC-H
Username/Password Authentication
(Diagram: same flow as slide 36, except that the credential is activated by the person using a network username and password.)
38
Federal E-Authentication Initiative
(http://www.cio.gov/eauthentication/)
  • Levels of assurance (Different Requirements)
  • Level 1 - e.g. no identity vetting
  • Level 2 - e.g. specific identity vetting
    requirements
  • Level 3 - e.g. cryptographic tokens required
  • Level 4 - e.g. cryptographic hard tokens required
  • Credential Assessment Framework Suite (CAF)

39
UTHSC-H Strategic Authentication Goals
  • Two authentication mechanisms.
  • Single university ID (UID) and password
  • Public Key Digital ID on Token (two-factor
    authentication)
  • Digital Signatures
  • Authenticates senders
  • Guarantees messages are unaltered, i.e. message
    integrity
  • Provides for non-repudiation
  • Legal signature
  • Encryption of email and other documents
  • Highly Secure Access Control
  • Potential for inherent global trust

40
Mass Mailing of Signed & Encrypted E-mail
41
The University of Texas System Strategic
Leadership Council, Statement of Direction:
Identity Management, April 27, 2004
  • LDAP (Lightweight Directory Access Protocol)
    compliant directory services,
  • eduperson schema as promulgated by EDUCAUSE and
    Internet2,
  • utperson schema (to be developed)
  • inter-institutional access control utilizing
    Internet2 Shibboleth, and
  • consistent institutional definitions and identity
    management trust policies for students, faculty,
    and staff as well as sponsored affiliates.

42
Federated Services: Identity (IdP) & Service
Providers (SP)
(Diagram: Identity Providers uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org and utmb.edu; Service Providers library.tmc.edu (resource provider), GMEIS at uth.tmc.edu and Blackboard at uth.tmc.edu; Federation WAYF Service (InCommon) infrastructure; Public Key trust.)
43
(Diagram: Shibboleth components. Home Organization / IdP: Browser, Authentication System (ISO/SSO/Cert), Handle Service, Attribute Authority with attributes determined by ARP, RBAC Authorization System - LDAP (eduperson). Service Provider / SP: SHIRE, SHAR, Resource Manager, Web Site. Federation WAYF Service (InCommon). Shib Software.)
44
How Does Shibboleth Work?
(Message flow as read from the diagram. Actors: Browser; Resource Provider / SP with SHIRE, SHAR, Resource Manager and Web Site; Federation WAYF (InCommon); Home University / IdP with Handle Service, Authentication System (ISO/SSO/Cert), Attribute Authority, ARP and LDAP (eduperson).)
  1. Browser requests a resource at the Resource
     Provider; SHIRE asks: "Who are you and where you
     come from?"
  2. SHIRE sends the browser to the federation WAYF
     (InCommon): "What is your Organization?"
  3. WAYF: "Your request is forwarded to your
     Organization Handle Service."
  4. Handle Service hands the user to the Home
     University Authentication System (ISO/SSO/Cert):
     "Who are You? Can you login?"
  5. Handle Service: "I know who you are. Your request
     and handle is redirected to Target"; the browser
     returns to SHIRE carrying the handle.
  6. SHIRE passes the handle to SHAR.
  7. SHAR to the Attribute Authority: "Now I know who
     you are. What are your user attributes?"
  8. Attribute Authority to LDAP (eduperson): "What
     are the attributes for this user?"
  9. Attributes determined by ARP.
  10. Attribute Authority: "Your attributes are
      returned to Target."
  11. Resource Manager: "I am satisfied with the
      attributes. You are allowed access"; the Web
      Site is served.
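
The Scenario I problems (slides 26 and 27) and the Shibboleth flow above come together in the following added example, which is not Shibboleth's code or the presenters' own: a home IdP authenticates Dr. James, issues a one-time handle bound to the requesting SP, and releases attributes under an ARP, while the SP authorizes purely on the released eduPersonScopedAffiliation (a real eduPerson attribute). The SP identifiers, the ARP shape and the scope-check rule are assumptions made here; the point is that no guest account exists at the SP, so ending the affiliation at mdanderson.org ends access at the next request.

```python
"""Shibboleth-style federated access, simulated end to end (constructed
example, not Shibboleth's own code).  The home IdP authenticates the user and
issues a one-time handle bound to the requesting SP; its Attribute Authority
releases only what the ARP permits for that SP; the SP trusts IdPs from
federation metadata, drops scoped values the IdP is not authoritative for,
and authorizes on the released affiliation alone, so nothing local needs
revoking when the home organization ends the affiliation."""
import secrets
import time


class IdentityProvider:
    def __init__(self, scope, users, arp):
        self.scope, self.users, self.arp = scope, users, arp
        self.handles = {}  # handle -> (principal, sp_id, expiry)

    def authenticate(self, principal, password, sp_id):
        """Handle Service: check the login, then hand back an opaque handle."""
        user = self.users.get(principal)
        if user is None or user["password"] != password:
            return None
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = (principal, sp_id, time.time() + 300)  # 5-minute handle
        return handle

    def attributes_for(self, handle, sp_id):
        """Attribute Authority: resolve the handle once, then apply the ARP."""
        principal, bound_sp, expiry = self.handles.pop(handle, (None, None, 0))
        if principal is None or bound_sp != sp_id or expiry < time.time():
            return None
        allowed = self.arp.get(sp_id, set())  # ARP: attributes this SP may see
        return {k: v for k, v in self.users[principal].items() if k in allowed}


class ServiceProvider:
    def __init__(self, sp_id, federation, required_affiliations):
        self.sp_id = sp_id
        self.federation = federation  # metadata: scope -> IdentityProvider
        self.required = set(required_affiliations)

    def access(self, idp_scope, handle):
        """SHAR pulls attributes; Resource Manager decides on scoped affiliation."""
        idp = self.federation.get(idp_scope)
        if idp is None:
            return False, "IdP not in federation"
        attrs = idp.attributes_for(handle, self.sp_id)
        if attrs is None:
            return False, "handle rejected"
        # Scope check: accept only values this IdP is authoritative for.
        affiliations = {a for a in attrs.get("eduPersonScopedAffiliation", ())
                        if a.endswith("@" + idp.scope)}
        matched = affiliations & self.required
        if not matched:
            return False, "no qualifying affiliation released"
        return True, "granted via " + ", ".join(sorted(matched))
```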
45
Lessons Learned
The focus of planning should be on how Identity
Management makes life great for people in
cyberspace!!! Don't focus on underlying theory,
arcane concepts and minute implementation
details. If basic infrastructure is in place
along with user applications, people will use it
and demand more.
46
What Is Needed To Reach Critical Mass?
  • Develop a core group that operationally believes
    in & understands Identity Management!
  • Identity Management basic policies and
    procedures.
  • Identity reconciliation & provisioning systems
  • Operational LDAP directory service.
  • As many real applications as possible!
  • Solutions that use signing & encryption.
  • Cherished resources PKI- and Shibboleth-enabled
    for access.

47
Thank You / Questions?