
Federated, Secure Trust Networks for Distributed Healthcare IT Services

Authors: Alfred Weaver, Samuel Dwyer, Andrew Snyder, Jim Van Dyke, Tim Mulholland, James Hu, Xiaohui Chen, Andrew Marshall


Presentation Transcript


  1. Federated, Secure Trust Networks for Distributed Healthcare IT Services • Alfred Weaver, Samuel Dwyer, Andrew Snyder, Jim Van Dyke, Tim Mulholland, James Hu, Xiaohui Chen, Andrew Marshall

  2. Industrial Informatics Applied to Healthcare • Health Insurance Portability and Accountability Act of 1996 • privacy of patient encounters • security of patient data • encryption of medical information when stored or transmitted • access controls to retrieve information • audit logs of data access

  3. Healthcare Informatics Portal • Common medical data portal • doctors, patients, staff see a customized view • allied health services exchange information electronically • Authentication of users • biometric and conventional methods • Authorization of access • role-based access control model • Strong encryption of all data • All built on a web services model

  4. Federated, Secure Trust Networks for Distributed Healthcare IT Services (architecture diagram; components connected by numbered links 1 to 12) • Medical Data Portal • Web Services • Electronic Patient Record • Authorization Service • Rule Engines • Authentication Service

  5. Research Issues • Authentication • who are you? • Mobile devices • what capabilities do you have? • Authorization • what can you do? • Encryption • which algorithm? what length key? • Shared trust • off-network organizations

  6. Authentication • Can support legacy techniques • user ID and passwords, challenge-response • Newer identification technologies • smartcards, access keys • Biometric identification • fingerprints, iris scans • signature analysis, voice recognition • keyboard dynamics • face, hand, finger, ear geometry

  7. Fingerprints • 70 points of differentiation (loops, whirls, deltas, ridges) • Even identical twins have differing fingerprint patterns • False positive rate < 0.01% • False negative rate < 1.5% • Can distinguish a live finger; fast to enroll • Inexpensive ($100-$200) for the reader

  8. Iris Scans • Iris has 266 identification degrees of freedom • Identical twins have different iris patterns • False positive rate < 0.01% • False negative rate < 2% • Does take some time and controlled lighting to enroll • Pattern is stored as a data template, not a picture • Some units control light to detect pupil dilation (prove live eye)

  9. Mobile Devices • Legitimate access is no longer limited to desktops or in-hospital devices • Wave of the future includes • PDAs (HP iPAQ Pocket PC h5455 with fingerprint scanner built-in) • tablet PCs (handwriting recognition) • cell phones (voice recognition) • Personal authentication should work using the devices and capabilities available to the legitimate user

  10. Fingerprints with Wireless PDA • HP iPAQ h5455 with fingerprint scanner • Thermal scanner detects live finger • We wrote an authentication web service • send fingerprint pattern to service • compare against database of enrollees • confirm or deny identity • send confirmation to web portal • write cookie to device • cookie becomes an identification token containing: • who the individual is • how identity was confirmed • trust level of the identification • e.g., iris scan > fingerprint > password

  11. Authorization • Now that we know who you are, what are you allowed to do? • Use role-based access control • Roles for people with different privileges: • attending physician • referring physician • medical fellows • medical students • physician consultants • other healthcare staff (nurses) • technologists (diagnostic imagery) • technicians (lab results) • patient • Plus roles for other entities (insurance, pharmacy)

  12. Authentication Rule Engine (diagram) • inputs: identity token, access request • rules, instantiated from hospital administration rule templates • output: authorization token

  13. Authorization Rule Templates (table: who can or can not access which part of the electronic patient record) • rows (who): Attending, Referring, Fellow, Student, Technician, Technologist, Patient, Insurance, Billing, Pharmacy, Med records • columns (electronic patient record): Demographics, Clinical notes, Lab notes, Diagnostic images, Psych evaluation • each cell: Can / Can not

  14. Authorization Rule Engine • More complicated in practice • doctor needs consultation • doctor on vacation • doctors practicing in groups • surgeons, radiologists • emergencies
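The rule engine of slides 11 to 14, as an added Go example that is not the authors' code: the rule-template table becomes a role-to-sections map, one delegation record covers the consultation, vacation and group-practice cases, an emergency path grants access but flags the decision for review, and every decision (allow or deny) produces the audit-log entry that slide 2 lists as a HIPAA requirement. The role names and record sections come from the slides; the Can/Can-not cells, the user and patient identifiers, the timestamps and the delegation are hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

// Section names the columns of the slide's rule-template table.
type Section string

const (
	Demographics     Section = "demographics"
	ClinicalNotes    Section = "clinical_notes"
	LabNotes         Section = "lab_notes"
	DiagnosticImages Section = "diagnostic_images"
	PsychEvaluation  Section = "psych_evaluation"
)

// RuleTemplates is the rule-template table: role -> sections it may read.
// The page does not give the Can/Can-not cells, so these values are hypothetical.
var RuleTemplates = map[string]map[Section]bool{
	"attending":    {Demographics: true, ClinicalNotes: true, LabNotes: true, DiagnosticImages: true, PsychEvaluation: true},
	"referring":    {Demographics: true, ClinicalNotes: true, LabNotes: true, DiagnosticImages: true},
	"student":      {Demographics: true, ClinicalNotes: true},
	"technician":   {Demographics: true, LabNotes: true},
	"technologist": {Demographics: true, DiagnosticImages: true},
	"billing":      {Demographics: true},
	"pharmacy":     {Demographics: true, ClinicalNotes: true},
}

var clinicalRoles = map[string]bool{"attending": true, "referring": true, "fellow": true}

// Delegation lets To act with FromRole's template for one patient until Until;
// one rule covers consultation, vacation cover and group practice.
type Delegation struct {
	From, FromRole, To, Patient string
	Until                        time.Time
}

// AccessRequest is the input the rule engine evaluates.
type AccessRequest struct {
	User, Role, Patient string
	Section             Section
	Emergency           bool
	Now                 time.Time
}

// AuditEntry is recorded for every decision, allow or deny: the engine produces the access log itself.
type AuditEntry struct {
	User, Patient string
	Section       Section
	Allowed       bool
	Reason        string
}

type RuleEngine struct {
	Delegations []Delegation
	Audit       []AuditEntry
}

func (e *RuleEngine) decide(req AccessRequest, allowed bool, reason string) bool {
	e.Audit = append(e.Audit, AuditEntry{req.User, req.Patient, req.Section, allowed, reason})
	return allowed
}

// Authorize tries the role template, then active delegations, then the emergency override
// (granted only to clinical roles, and logged with a reason that flags it for review); anything else is denied.
func (e *RuleEngine) Authorize(req AccessRequest) bool {
	if RuleTemplates[req.Role][req.Section] {
		return e.decide(req, true, "role template: "+req.Role)
	}
	for _, d := range e.Delegations {
		if d.To == req.User && d.Patient == req.Patient && req.Now.Before(d.Until) &&
			RuleTemplates[d.FromRole][req.Section] {
			return e.decide(req, true, "delegation from "+d.From)
		}
	}
	if req.Emergency && clinicalRoles[req.Role] {
		return e.decide(req, true, "EMERGENCY OVERRIDE, review required")
	}
	return e.decide(req, false, "no matching rule")
}

func main() {
	now := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC) // constructed timestamp
	e := &RuleEngine{Delegations: []Delegation{
		{From: "dr_smith", FromRole: "attending", To: "dr_jones", Patient: "p-001", Until: now.Add(72 * time.Hour)},
	}}
	for _, r := range []AccessRequest{
		{User: "student1", Role: "student", Patient: "p-001", Section: PsychEvaluation, Now: now},
		{User: "dr_jones", Role: "referring", Patient: "p-001", Section: PsychEvaluation, Now: now},
		{User: "dr_jones", Role: "referring", Patient: "p-002", Section: PsychEvaluation, Emergency: true, Now: now},
	} {
		e.Authorize(r)
	}
	for _, a := range e.Audit {
		fmt.Printf("%-9s %-6s %-18s allowed=%-5v %s\n", a.User, a.Patient, a.Section, a.Allowed, a.Reason)
	}
}
```

The order of the three checks is deliberate: the most ordinary justification (the role template) is tried first, so the audit reason records the least surprising grant; the emergency path is last and is never silent, which is what makes after-the-fact review of break-glass access possible.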

  15. Encryption • Which encryption method? • DES, 3DES, AES, RSA, others • what length key? • Unintended consequences • UVA does 380,000 radiological exams annually • produce 9 TB of data every year • encrypting one 3 MB chest x-ray is no problem • but CT and MR produce 500-1000 slices • each slice is a file • typical MR is 68 MB • What is the workflow impact of encrypting/decrypting a 68 MB file each time it is touched?

  16. Trust Networks • Trust, legitimately established, should be shared across the enterprise • pharmacies • insurance companies • outpatient services • How does trust get quantified? • How does trust get shared? • WS-Trust does not yet provide guidance

  17. Trust Networks (diagram, labelled 8 and 9) • Identification tokens • Authorization tokens • Encryption • Digital signature • Trust credentials • Dynamic negotiation of credentials • Banks do this with ATMs; we need to do it among cooperating healthcare providers

  18. Trust Authority (rating table: Attribute | Criterion 1 | Criterion 2 | … | Criterion N | Rating) • example row, attribute Identification Reliability: false positive rate < 0.1%, false negative rate < 1.0%, availability > 0.99; rating 4.7 out of 10

  19. Electronic Prescriptions • Sending side (physician): 1. Encrypt prescription (doctor, medicine, details) 2. Encrypt physician's identity token 3. Digitally sign message 4. Transmit to pharmacy • Receiving side (pharmacy): 4. Check digital signature 5. Decrypt prescription 6. Decrypt physician's identity token 7. Is this a valid physician? 8. Send identity token to trust authority 9. Check how identity was established 10. Recover trust level 11. Is trust level acceptable? 12. Accept or reject
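The exchange on this slide, together with the identification token of slide 10 and the trust-level check of slide 18, as an added Go example; it is not part of the presentation and not the authors' code. It assumes an Ed25519 signing key per physician that the pharmacy has on file (its directory of valid physicians, steps 4 and 7), an Ed25519 key for the trust authority whose signature on the identity token is verified locally in place of the round trip of steps 8 to 10, and a 256-bit AES-GCM key already shared between physician and pharmacy (the dynamic credential negotiation of slide 17 is not modelled). The algorithm choices, the numeric trust levels, the key handling and the sample prescription are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Trust levels in the ordering the slides give: iris scan > fingerprint > password.
var TrustLevel = map[string]int{"password": 1, "fingerprint": 2, "iris": 3}

// IdentityToken is the device cookie of slide 10, signed by the trust authority.
type IdentityToken struct {
	Subject, Method string // who, and how identity was confirmed
	Trust           int    // trust level derived from Method
	Sig             []byte
}

func (t IdentityToken) payload() []byte { return []byte(fmt.Sprintf("%s|%s|%d", t.Subject, t.Method, t.Trust)) }
func IssueToken(authKey ed25519.PrivateKey, subject, method string) IdentityToken {
	t := IdentityToken{Subject: subject, Method: method, Trust: TrustLevel[method]}
	t.Sig = ed25519.Sign(authKey, t.payload())
	return t
}

// Envelope is the plaintext that gets encrypted: prescription plus identity token.
type Envelope struct {
	Prescription string
	Token        IdentityToken
}

// Message is what reaches the pharmacy: signer id (selects the verification key), nonce||AES-GCM ciphertext, signature.
type Message struct {
	Signer          string
	Ciphertext, Sig []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Prescribe is the physician side (steps 1-3): encrypt prescription and token, then sign.
func Prescribe(key []byte, physKey ed25519.PrivateKey, tok IdentityToken, rx string) (Message, error) {
	g, err := newGCM(key)
	if err != nil {
		return Message{}, err
	}
	plain, _ := json.Marshal(Envelope{Prescription: rx, Token: tok})
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Message{}, err
	}
	m := Message{Signer: tok.Subject, Ciphertext: g.Seal(nonce, nonce, plain, nil)}
	m.Sig = ed25519.Sign(physKey, m.Ciphertext)
	return m, nil
}

// Dispense is the pharmacy side (steps 4-12): physicians is its directory of valid signing keys, authPub the trust authority's key.
func Dispense(key []byte, physicians map[string]ed25519.PublicKey, authPub ed25519.PublicKey,
	minTrust int, m Message) (string, error) {
	if pub, ok := physicians[m.Signer]; !ok || !ed25519.Verify(pub, m.Ciphertext, m.Sig) {
		return "", fmt.Errorf("unknown signer or bad signature") // steps 4 and 7
	}
	g, err := newGCM(key)
	if err != nil || len(m.Ciphertext) < g.NonceSize() {
		return "", fmt.Errorf("bad key or truncated ciphertext: %v", err)
	}
	n := g.NonceSize()
	plain, err := g.Open(nil, m.Ciphertext[:n], m.Ciphertext[n:], nil) // steps 5 and 6
	if err != nil {
		return "", err
	}
	var env Envelope // steps 8-10: the authority's signature on the token replaces the round trip to it
	if err := json.Unmarshal(plain, &env); err != nil {
		return "", err
	}
	if env.Token.Subject != m.Signer || !ed25519.Verify(authPub, env.Token.payload(), env.Token.Sig) {
		return "", fmt.Errorf("identity token failed trust check")
	}
	if env.Token.Trust < minTrust { // step 11
		return "", fmt.Errorf("trust level %d below required %d", env.Token.Trust, minTrust)
	}
	return env.Prescription, nil // step 12: accept
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // hypothetical AES-256 key already shared with the pharmacy
	authPub, authKey, _ := ed25519.GenerateKey(rand.Reader)
	physPub, physKey, _ := ed25519.GenerateKey(rand.Reader)
	m, _ := Prescribe(key, physKey, IssueToken(authKey, "dr_smith", "password"), "amoxicillin 500 mg x21")
	fmt.Println(Dispense(key, map[string]ed25519.PublicKey{"dr_smith": physPub}, authPub, TrustLevel["fingerprint"], m))
}
```

Two design points carry the slide's intent. The signature is checked before anything is decrypted, so a message that was not signed by a physician the pharmacy knows is dropped without touching the ciphertext. And the token's subject must equal the message signer: otherwise a validly signed message could carry someone else's higher-trust token, and the pharmacy's minimum-trust policy (here "fingerprint or better") would be satisfied by the wrong person.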

  20. Summary of Issues • Authentication • Mobile access technologies • Biometric identification • Authorization rule engine • Role-based access control • Simplified rule administration • Trust sharing • Dynamic negotiation of trust credentials

  21. Acknowledgements • Funding for this project provided by: David Ladd and Tom Healy, University Research Program, Microsoft Research, Microsoft Corporation
