Integrating the Healthcare Enterprise
Improving Clinical Care: Enterprise User Authentication for IT Infrastructure
Robert Horn, Agfa Healthcare
The IHE Process – Integration Profiles
[Process figure. Elements shown: Standards, IHE Technical Framework, IHE Integration Profile A, IHE Integration Profile B, IHE Connectathon, IHE Demonstration, Product With IHE, Easy to Integrate Products, User Site RFP.]
IHE Integration Profiles:
• Detailed selection of standards and options, each solving a specific integration problem
• A growing set of effective provider/vendor agreed solutions
• Vendors can implement with ROI
• Providers can deploy with stability
Vendor Webex – October 2003
Enterprise User Authentication (EUA) Profile
• Kerberos based support for single sign-on
• Multi-year roll-out
• This year:
  • Kerberos Server
  • Initial Login (username/password), local system facilities
  • HTTP Authentication
• Next year:
  • DICOM
  • HL7
  • CCOW
• Connectathon focus
Single Sign-on
• EUA contributes to creating a single sign-on solution:
  • EUA establishes a well known and trustable user identity mechanism
  • EUA establishes a mechanism to extend the user identity to network messages, network transactions, and network connections. Only part of this is ready in the first year.
  • EUA is being integrated with CCOW for application integration.
  • EUA can be extended to a variety of user identification mechanisms.
IHE Security Plans & Context
[Roadmap figure, 2002 to 2005 and "future". Items shown: Basic Security Audit Trail, Basic Security DICOM TLS, Basic Security HL7 TLS, Node Authentication; EUA – Kerberos Server, EUA – Initial Login, EUA – HTTP Protocol; EUA – DICOM, EUA – HL7, EUA – CCOW; EUA – other protocol?, TBD – IETF Audit, TBD – Reliable Syslog, Kerberized Smart Cards; Local Node Security, Private Network Security, User Authorization Systems. Legend: IHE activity presently not scheduled; outside the scope of IHE; IHE supports, enhances, and coexists with these; IHE assumes that these have been provided; IHE does not specify; current IHE plan.]
Synergy between IHE IT Infrastructure Integration Profiles: RID with EUA/CT and PIX
[Actor diagram, an example of one system supporting multiple actors/profiles. Actors shown: Display, Information Source, Client Authentication Agent, Kerberos Authentication Server, Time Client, Time Server, Patient Identifier Cross-reference Manager, Patient Identifier Consumer.]
Kerberos Authentication (single system environment)
1. Initial login: the user supplies username and password, and the client requests a TGT from the Kerberos Server ("kinit").
2. The Kerberos Server responds; the response contains the TGT, which is placed in the TGT cache.
3. When an application needs to reach an application server, it presents the TGT and requests a service ticket.
4. The Kerberos Server responds with the service ticket.
5. The application initiates communication with the application server. The protocol-specific communication uses the service ticket (with an authenticator encrypted under the ticket's session key) to prove the user's identity to the server.
Kerberos Documentation
• Online
  • "Moron's Guide", http://www.isi.edu/gost/brian/security/kerberos.html
  • MIT site, http://web.mit.edu/kerberos/www/
  • Various Microsoft support documents
• Hardcopy
  • Kerberos, Brian Tung, Addison Wesley
  • Various vendor manuals
• Configuration and API documentation
  • See Microsoft, Unix, or other vendor documentation.
HTTP Authentication
[Sequence diagram. Actors: Client Authentication Agent, HTTP Client, Kerberos Authentication Server, HTTP Kerberized Server.]
1. The HTTP Client starts the HTTP session with an HTTP GET carrying no authentication.
2. The HTTP Kerberized Server answers 401 with "WWW-Authenticate: Negotiate".
3. The Client Authentication Agent requests a Kerberos service ticket for the server from the Kerberos Authentication Server.
4. The service ticket is returned to the client.
5. The HTTP Client repeats the GET, now Kerberized (the ticket travels in the Authorization: Negotiate header).
6. The HTTP Kerberized Server validates the ticket and returns the HTTP response.
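The two sequences above (the kinit / TGT / service-ticket flow on the Kerberos slide and the 401 / Negotiate exchange on this one) as one runnable model. This is an added example written for this page, not IHE or vendor code: seal() and unseal() are a toy HMAC-SHA256 construction standing in for Kerberos encryption types, the token is JSON rather than ASN.1 and GSS-API/SPNEGO framing, and the principals, passwords and the service name HTTP/ris.example.org are constructed. What it shows beyond the diagrams is the checks a Kerberized HTTP server has to make before trusting a ticket: it decrypts under the server's own long-term key, the authenticator is fresh within the clock-skew limit, the client name in the authenticator matches the ticket, and the authenticator has not been seen before.

```python
import base64, hashlib, hmac, json, os, time

MAX_SKEW = 300          # seconds: the usual Kerberos 5-minute clock-skew limit
TICKET_LIFE = 8 * 3600  # seconds

def string2key(password):
    return hashlib.sha256(password.encode()).digest()  # toy string-to-key, not a Kerberos etype

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object; stands in for Kerberos EncryptedData."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KerberosAuthenticationServer:
    """AS and TGS in one box, as on the slide; holds every principal's long-term key."""
    def __init__(self, principals):
        self.keys = {name: string2key(pw) for name, pw in principals.items()}
    def as_exchange(self, client):
        """AS-REQ/AS-REP ('kinit'): TGT sealed under krbtgt's key, session key sealed under the client's key."""
        sk, exp = os.urandom(32).hex(), time.time() + TICKET_LIFE
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "expires": exp})
        return tgt, seal(self.keys[client], {"key": sk})
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: the authenticator proves possession of the TGT session key."""
        body = unseal(self.keys["krbtgt"], tgt)
        sk = bytes.fromhex(body["key"])
        if unseal(sk, authenticator)["client"] != body["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_key, exp = os.urandom(32).hex(), time.time() + TICKET_LIFE
        ticket = seal(self.keys[service], {"client": body["client"], "key": svc_key, "expires": exp})
        return ticket, seal(sk, {"key": svc_key})

class ClientAuthenticationAgent:
    """Owns the TGT and the service-ticket cache; builds the Negotiate token."""
    def __init__(self, name, password, kas):
        self.name, self.key, self.kas, self.cache = name, string2key(password), kas, {}
    def kinit(self):
        self.tgt, enc = self.kas.as_exchange(self.name)
        self.tgt_key = bytes.fromhex(unseal(self.key, enc)["key"])  # wrong password -> ValueError
    def service_ticket(self, service):
        if service not in self.cache:
            auth = seal(self.tgt_key, {"client": self.name, "ts": time.time()})
            ticket, enc = self.kas.tgs_exchange(self.tgt, auth, service)
            self.cache[service] = (ticket, bytes.fromhex(unseal(self.tgt_key, enc)["key"]))
        return self.cache[service]
    def negotiate_token(self, service):
        """AP-REQ (ticket + fresh authenticator), base64-encoded for 'Authorization: Negotiate'."""
        ticket, key = self.service_ticket(service)
        auth = seal(key, {"client": self.name, "ts": time.time(), "nonce": os.urandom(8).hex()})
        return base64.b64encode(json.dumps({"ticket": ticket.hex(), "auth": auth.hex()}).encode()).decode()

class HttpKerberizedServer:
    """Checks Negotiate tokens with its own long-term key (what a keytab holds)."""
    def __init__(self, key):
        self.key, self.replay_cache = key, set()
    def handle(self, headers):
        """Returns (status, headers, body); every failure is the same bare 401 challenge."""
        challenge = (401, {"WWW-Authenticate": "Negotiate"}, "")
        authz = headers.get("Authorization", "")
        if not authz.startswith("Negotiate "):
            return challenge
        try:
            req = json.loads(base64.b64decode(authz[len("Negotiate "):]))
            ticket = unseal(self.key, bytes.fromhex(req["ticket"]))
            auth = unseal(bytes.fromhex(ticket["key"]), bytes.fromhex(req["auth"]))
        except (ValueError, KeyError, TypeError):
            return challenge
        now = time.time()
        if ticket["expires"] < now or abs(now - auth["ts"]) > MAX_SKEW:
            return challenge  # expired ticket or stale authenticator
        if auth["client"] != ticket["client"] or (auth["client"], auth["nonce"]) in self.replay_cache:
            return challenge  # name mismatch or replayed AP-REQ
        self.replay_cache.add((auth["client"], auth["nonce"]))
        return 200, {}, "authenticated as " + auth["client"]

def run_exchange():
    """Slide sequence: bare GET -> 401 Negotiate -> get ticket -> kerberized GET -> 200, then a replay."""
    svc = "HTTP/ris.example.org"  # constructed service principal
    kas = KerberosAuthenticationServer({"krbtgt": "kdc-secret", "rhorn": "correct horse", svc: "svc-secret"})
    server, agent = HttpKerberizedServer(kas.keys[svc]), ClientAuthenticationAgent("rhorn", "correct horse", kas)
    agent.kinit()
    statuses = [server.handle({})[0]]
    token = agent.negotiate_token(svc)
    statuses.append(server.handle({"Authorization": "Negotiate " + token})[0])
    statuses.append(server.handle({"Authorization": "Negotiate " + token})[0])  # replayed token
    return statuses  # [401, 200, 401]
```

run_exchange() returns [401, 200, 401]. The third status is the point of the replay cache: the Authorization header is a bearer-style blob for the length of the skew window, so a server without a replay cache would accept a captured copy of it, and the HTTP session still needs TLS so that nobody can capture it in the first place. A wrong password fails inside kinit() when the AS-REP will not decrypt under the client's key; the same property is what makes an AS-REP obtained without pre-authentication guessable offline, which is why real KDCs require pre-authentication.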
HTTP Documentation
• Standard (still in draft stage in 2003; draft-brezak-spnego-http was later published as RFC 4559)
  • http://www.ietf.org/internet-drafts/draft-brezak-spnego-http-04.txt
• Other documentation
  • http://support.microsoft.com/default.aspx?scid=kb;ben-us;326985
Protocols - DICOM
• DICOM Associations will convey user identification.
• User identified associations enable:
  • Better audit logs
  • User specific customizations
  • User specific authorization
• Work item approved, work underway
Protocols - HL7
• HL7 transactions will convey user identification.
• User identified transactions enable:
  • Better audit logs
  • User specific customizations
  • User specific authorization
• Work item approved, work underway
Protocols - CCOW
• EUA defines a CCOW identity space:
  • User.Id.Logon.Kerberos
• This enables some single sign-on capabilities.
• CCOW exchange of service ticket information is a work item that is underway
Fast User Switch
• First year, limited to a single system
• Motivation:
  • High startup times for system services, database connections, and other application services during normal system login.
  • Customer requirement for fast user switching
• Solution:
  • Initiate applications as a "null user" during system startup
  • Utilize the Context Manager and Kerberos Authentication Server to authenticate actual users
  • Utilize Follow Context to switch user identities without incurring the high startup costs.
[Sequence diagram: Fast User Switch on a device with fast user switching. Actors: Kerberos Authentication Server, User Context Participant, Context Manager, Client Authentication Agent. Messages: Join Context; User A Login, Change Context, Follow Context, Switch to User A; User B Login, Change Context, Follow Context, Switch to User B.]
Connectathon vs Demonstration
• The focus will be on using the connectathon to verify functionality.
• These features do not demonstrate very well, because when working properly they are invisible to the user.