1 / 16

Integrating the Healthcare Enterprise

Integrating the Healthcare Enterprise. Improving Clinical Care: Enterprise User Authentication For IT Infrastructure. Robert Horn Agfa Healthcare. The IHE Process – Integration Profiles. IHE Connectathon. IHE Demonstration. Product With IHE. Easy to Integrate Product s.

delta
Download Presentation

Integrating the Healthcare Enterprise

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Integrating the Healthcare Enterprise Improving Clinical Care: Enterprise User Authentication For IT Infrastructure Robert Horn Agfa Healthcare

  2. The IHE Process – Integration Profiles IHEConnectathon IHEDemonstration Product With IHE Easy to Integrate Products IHETechnicalFramework Standards IHE Integration Profiles: • Detailed selection of standards and options each solving a specific integration problem • A growing set of effective provider/vendor agreed solutions • Vendors can implement with ROI • Providers can deploy with stability IHEIntegration Profiles B IHEIntegration Profile A User Site RFP Vendor Webex – October 2003

  3. Enterprise User Authentication (EUA) Profile • Kerberos based support for single sign on • Multi-year role out • This year: • Kerberos Server • Initial Login (username/password), Local system facilities • HTTP Authentication • Next year: • DICOM • HL7 • CCOW • Connectathon focus Vendor Webex – October 2003

  4. Single Signon • EUA contributes to creating a Single Signon Solution: • EUA establishes a well known and trustable user identity mechanism • EUA establishes a mechanism to extend the user identity to network messages, network transactions, and network connections. Only part of this is ready in the first year. • EUA is being integrated with CCOW for application integration. • EUA can be extended to a variety of user identification mechanisms. Vendor Webex – October 2003

  5. 2002 2003 2004 2005 IHE Security Plans & Context future EUA – DICOM Protocol Basic Security DICOM TLS EUA – other protocol? Basic Security Audit Trail EUA - CCOW Basic Security HL7 TLS EUA – Initial Login EUA – HL7 EUA – Kerberos Server TBD – IETF Audit EUA – HTTP Protocol TBD – Reliable Syslog Node Authentication Local Node Security Private Network Security User Authorization Systems Kerberized Smart Cards Legend: IHE Activity, presently not scheduled Outside the SCOPE of IHE IHE supports, enhances, And coexists with these IHE Assumes that these have been provided IHE does not specify Current IHE Plan Vendor Webex – October 2003

  6. Patient Identifier X-ref Manager Patient Identitifier Consumer Time Client TimeServer Synergy between IHE IT Int. ProfilesRID with EUA/CT & PIX Example of support ofmultiple actors/profiles Display Information Source Client AuthenticationAgent KerberosAuthenticationServer 6

  7. Kerberos Authentication Initial username, password Request TGT “kinit” Kerberos Server Response (contains TGT) TGT Cache Request Service ticket TGT Response with Service Ticket application Communication Initiated Application server Protocol specific communication, using Service Ticket as authenticator Single System Environment Vendor Webex – October 2003

  8. Kerberos Documentation • Online • “Moron’s Guide”, http://www.isi.edu/gost/brian/security/kerberos.html • MIT Site http://web.mit.edu/kerberos/www/ • Various Microsoft support documents • Hardcopy • Kerberos, Brian Tung, Addison Wesley • Various vendor manuals • Configuration and API documentation • See Microsoft, Unix, or other vendor documentation. Vendor Webex – October 2003

  9. HTTP Authentication Client Authentication Agent HTTP Client Kerberos Authentication Server HTTP Kerberized Server HTTP Get – with no authentication. Start HTTP Session 401 response (WWW Authenticate: Negotiate) Get Kerberos Service Ticket Service Ticket HTTP Get – Kerberized Communication HTTP Response Vendor Webex – October 2003

  10. HTTP Documentation • Standard (still in draft stage) • http://www.ietf.org/internet-drafts/draft-brezak-spnego-http-04.txt) • Other documentation • http://support.microsoft.com/default.aspx?scid=kb;ben-us;326985) Vendor Webex – October 2003

  11. Protocols - DICOM • DICOM Associations will convey user identification. • User identified associations enables: • Better Audit logs • User specific customizations • User specific authorization • Work Item approved, work underway Vendor Webex – October 2003

  12. Protocols - HL7 • HL7 transactions will convey user identification. • User identified associations enables: • Better Audit logs • User specific customizations • User specific authorization • Work Item approved, work underway Vendor Webex – October 2003

  13. Protocols - CCOW • EUA defines a CCOW identity space: • User.Id.Logon.Kerberos • This enables some single signon capabilities. • CCOW exchange of service ticket information is a work item that is underway Vendor Webex – October 2003

  14. Fast User Switch • First year, limited to single system • Motivation: • High startup times for system services, database connections, and other application services during normal system login. • Customer requirement for fast user switching • Solution: • Initiate applications as a “null user” during system startup • Utilize Context Manager and Kerberos Authentication Server to authenticate actual users • Utilize Follow Context to switch user identities without incurring the high startup costs. Vendor Webex – October 2003

  15. User A Login User B Login Change Context Change Context Follow Context Follow Context Fast User Switch Kerberos Authentication Server User Context Participant Context Manager Client Authentication Agent Join Context Join Context Switch to User A Switch to User B Device with Fast User Switching Vendor Webex – October 2003

  16. Connectathon vs Demonstration • The focus will be on using the connectathon to verify functionality. • These features do not demonstrate very well, because when working properly they are invisible to the user. Vendor Webex – October 2003

More Related