Assuring Identities in an Open Trust Framework

1
Assuring Identities in an Open Trust Framework

• Interoperability and Connectivity Privacy,
  Security and Trust in Health Information Exchange
  - 5th Annual WHIT Congress 11/10/2009The
  Identity Assurance Framework
• Kantara Initiative
• Pete Palmer
• Co-Chair - Kantara Healthcare Identity Assurance
  Work Group

2
Disclaimer

• This presentation is the result of work
  developed by volunteers of the Electronic
  Authentication Partnership, the Liberty Alliance,
  and the Kantara Initiative and is not a work
  product of Surescripts.

3
Kantara Overview

• Founded April 20, 2009
• Trustees AOL, BT, CA, Fidelity, Intel, Internet
  Society, Liberty Alliance, Neustar, Novell, NRI,
  NTT, Oracle, PayPal and Sun
• ( see http//kantarainitiative.org/confluence
  /display/GI/CurrentMembers )
• Purpose
• To bridge and harmonize identity community
  efforts
• To ensure secure online interactions
• To enhance personal privacy
• To assure interoperability between OpenID,
  Liberty, InfoCard and other identity management
  solutions.

4
Kantara Healthcare Work Group

• Founded August, 2009
• History Was Liberty Alliance Health Care Work
  Group
• Purposes
• Implement patient access to their medical
  information and health care providers system
  using open source solutions
• Implement simplified health care worker identity
  management
• Review/Endorse identity assurance framework to
  support health information exchanges (HIEs) and
  the US nationwide health information network
  (NHIN)
• Review/endorse patient identification standards
  for on-line and card identifiers
• Work with vendors to help foster interoperability
• Current co-chairs John Fraser, MEDNETWorld.com,
  Pete Palmer, Surescripts, and Rick Moore, eHealth
  Ohio.
• Home Page http//kantarainitiative.org/confluence
  /display/healthidassurance/Home
• Full Charter is at http//kantarainitiative.org/c
  onfluence/display/healthidassurance/Charter

5
Identity in the Physical World
6
Todays Collection of Identity Silos
7
What the User wants

• Simplified online experience
• Get rid of the need for multiple user-ids and
  passwords
• Fewer clicks
• Protected personal information
• Reduce my risk from fraud
• Better product service offerings
• Web 2.0 and/or smart phone data service
  integration

8
There are Two Problem Areas

• Technical Interoperability
• Does the client application I'm using talk to
  the systems I want to use? (can I type in my PIN
  on my iPhone and have unfettered access to
  services without logging in again?)
• Does the system that authenticates me (vouches
  for me) talk to the service provider systems I
  want to access? (can I login to my bank's site
  and use that to pay my taxes, book travel, and
  check my Gmail account?)
• Operational Interoperability Assurance
• Do the commercial and government systems trust
  each others' systems, operating procedures,
  vetting practices, etc.? (i.e., understand
  accept the distribution of liability when/if
  something goes wrong)
• Well focus today on the Operational
  Interoperability Assurance Aspects

9
so why the need for a common standard?
10
ATM Historic Analogy
11
Identity Ecosystem Trust
Government Applications, Services, Resources
12
Identity Assurance Framework

• What is it?
• Framework supporting mutual acceptance,
  validation and lifecycle maintenance across
  identity federations (i.e. systems that trust
  each other)
• Started with EAP Trust Framework, UK tScheme and
  US e-Auth Federation Credential Assessment
  Framework as baseline
• Harmonized, best-of-breed industry identity
  assurance standard
• Identity credential policy
• Business procedure and rule set
• Baseline commercial terms
• Guideline to foster inter-federation (i.e.
  inter-trust) on a global scale
• It consists of 4 parts
• Assurance Levels
• Service Assessment Criteria
• Assurance Assessment Scheme and Certification
  Program
• Business Rules/Deployment Guidelines

13
Identity Ecosystem Trust after IAF
Government Applications, Services, Resources
14
IAF Assurance Levels

• Four Primary Levels of Assurance
• Level 1 Little or no confidence in asserted
  identitys validity
• Level 2 Some confidence
• Level 3 Significant level of confidence
• Level 4 Very high level of confidence
• CSPs are certified by Assessors to a specific
  Level(s)

15
IAF Assurance Levels Illustrated
Note Assurance level criteria as posited by the
OMB M-04-04 NIST SP 800-63
16
Assurance Assessment Scheme Certification
Program

• Oversight by Member Committee (ARB)
• Assessor is Accredited based on application of
  demonstrated expertise
• CSP service is Certified to LOA(s) based on IAF
  compliance
• Technology is Certified to be Interoperable
• User has safe, simple access to services

17
The Result Identity Ecosystem

• Ubiquitous interoperability
• Minimize or Eliminate Token Necklace
• Customer Convenience
• Consistent User Experience
• Plain Language
• Simplified On-boarding
• Low-to-No Cost
• Ease of Service Selection
• Clear Risk Liability

17
18
Goal Health care simplified authentication
Health Information Exchange - HIE
Health Information Systems Clinics, Hospitals,
etc

• Interoperability for
• Patient Lookup
• Clinical Document Exchange
• Privacy and Security

HIE Gateway
EMR
HIE Gateway
NHIN Gateway
EMR
RLS
HIE Gateway
HIE Gateway
PHR
Patient Logins
HIE Member Users
Simplified Sign Ons to Clinics, Google Health,
MS HealthVault, etc, or via iPhone or similar
smartphone apps
Simplified Sign Ons
Patients
Healthcare Workers
19
More Information on IAF and the Assurance
Certification Program

• http//kantarainitiative.org/confluence/display/ce
  rtification/IdentityAssuranceCertificationProgr
  am
• Thank You! pete.palmer_at_surescripts.com