On Securing the Public Health Information Network Messaging System

Barry Rhodes, Ph.D., Associate Director, Public Health System Development, NCPHI, Centers for Disease Control and Prevention, www.cdc.gov
Rajashekar Kailar, Ph.D., Chief Technology Officer, Business Networks International Inc., www.bnetal.com
Overview
• Public Health Information Network (PHIN)
• PHIN Messaging System (PHINMS)
• Security considerations
• Public Key Infrastructure considerations
Public Health Information Network (PHIN) (www.cdc.gov/phin/)
• Public health organizations: CDC; state and local health departments; national laboratories (e.g., LabCorp)
• Standards-based information gathering and dissemination across organizations (routine surveillance, emergency event response)
• Data gathering: NEDSS Data Model, PAMs
• Message content: HL7
• Data transport: ebXML over HTTP(S)
Electronic Business XML (ebXML) (www.ebxml.org)
XML standard for B2B electronic document exchange
• SOAP with Attachments
• Reliable messaging (once-and-only-once delivery)
• Message-level security (XML Encryption / XML Signature)
• Standard message envelope, addressing schema and semantics
• Workflows (Service, Action)
PHIN Messaging System
• Secure and reliable transport over public networks
  • Security: confidentiality, integrity, non-repudiation, authentication, access control
  • Reliability: once-and-only-once delivery, network failure handling
• Standards based: ebXML/HTTPS, X.509, XML Signature, XML Encryption
• Platform neutral: Java/J2EE
• Language neutral: queue interfaces (database tables)
• Payload agnostic (text, binary)
• Extensible: message handlers
• Certified for ebXML interoperability with several ebXML products by Drummond Group
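The reliability bullet above (once-and-only-once delivery with network failure handling) is worth seeing as code, because the two halves depend on each other: a sender that keeps a message in a persistent outbox and retries it can only guarantee at-least-once delivery, and it is the receiver's record of already-processed message IDs that turns that into exactly-once processing. The following is an added example in Go, not PHINMS code (PHINMS is Java/J2EE and uses database queue tables where this uses in-memory maps); the `Message`, `Receiver`, `Sender` and `Network` types and the "delivered"/"duplicate" acknowledgement statuses are assumptions made for the illustration, and the message ID stands in for the role an ebXML MessageId plays in the real envelope.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Message is the unit the sender queues. ID is generated once and reused on
// every retry so the receiver can recognise a redelivery (hypothetical type).
type Message struct {
	ID      string
	From    string
	Payload string
}

// Ack is what the receiver returns; Status is "delivered" or "duplicate".
type Ack struct {
	MessageID string
	Status    string
}

// NewMessageID returns a random 128-bit identifier; uniqueness is what makes
// deduplication on the receiver side safe.
func NewMessageID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Receiver remembers every message ID it has handed to the application.
// A redelivered ID is acknowledged again but not processed again.
type Receiver struct {
	seen      map[string]bool
	Processed []Message // what the message handler actually consumed
}

func NewReceiver() *Receiver { return &Receiver{seen: map[string]bool{}} }

func (r *Receiver) Handle(m Message) Ack {
	if r.seen[m.ID] {
		return Ack{m.ID, "duplicate"}
	}
	r.seen[m.ID] = true
	r.Processed = append(r.Processed, m)
	return Ack{m.ID, "delivered"}
}

// Network models the two failures the sender cannot tell apart: the request
// was lost (receiver saw nothing) or the ack was lost (receiver processed it).
type Network struct {
	LoseRequest func(attempt int) bool
	LoseAck     func(attempt int) bool
}

// Sender keeps a message in its outbox until an ack arrives and retries it
// with the same ID; an unacknowledged message stays queued for a later run.
type Sender struct {
	Outbox   map[string]Message
	Attempts map[string]int
}

func NewSender() *Sender {
	return &Sender{Outbox: map[string]Message{}, Attempts: map[string]int{}}
}

func (s *Sender) Send(m Message, r *Receiver, nw Network, maxAttempts int) (Ack, error) {
	s.Outbox[m.ID] = m
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		s.Attempts[m.ID]++
		if nw.LoseRequest(attempt) {
			continue // receiver never saw this attempt
		}
		ack := r.Handle(m)
		if nw.LoseAck(attempt) {
			continue // receiver processed it, but the sender does not know
		}
		delete(s.Outbox, m.ID)
		return ack, nil
	}
	return Ack{}, fmt.Errorf("message %s unacknowledged after %d attempts; kept in outbox", m.ID, maxAttempts)
}

func main() {
	id, _ := NewMessageID()
	msg := Message{ID: id, From: "StateLab", Payload: "MSH|^~\\&|LAB|StateLab|NEDSS|StateDOH|..."}
	r, s := NewReceiver(), NewSender()
	// Constructed failure schedule: attempt 1 loses the request, attempt 2 loses the ack.
	flaky := Network{
		LoseRequest: func(a int) bool { return a == 1 },
		LoseAck:     func(a int) bool { return a == 2 },
	}
	ack, err := s.Send(msg, r, flaky, 5)
	fmt.Printf("ack=%+v err=%v attempts=%d processed=%d\n", ack, err, s.Attempts[id], len(r.Processed))
}
```

The third attempt comes back as a duplicate acknowledgement, which is the correct outcome: the sender learns the message is safe to drop from its outbox, and the receiver's application saw the payload exactly once.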
PHINMS - Functional Components (diagram)
Application1 (Message Handler) hands a Message to the PHINMS Sender, which delivers it to the PHINMS Receiver and on to Application2 (Message Handler); the Response flows back along the same path.
Messaging Security Context
• Sensitive data
• Public, untrusted networks (Internet)
• Autonomous organizations
• Heterogeneous environments
• Public health users not always security savvy
Business/Electronic Collaboration Agreements (diagram)
Parties shown: State Lab, State HD, CDC, Hospital System, National Labs; each runs a PHINMS Client and/or Server and exchanges messages under bilateral collaboration agreements.
• No central identity/trust authority
• PKI and non-PKI environments
PHINMS – Messaging/Trust Models
• Hub-and-Spoke (route-not-read)
• Peer-to-Peer (direct-send)
Confidentiality – Transport and Message Level (diagram)
Lab side: the HL7 message is taken from the DB queue, encrypted with the DOH Public Key (obtained from an LDAP directory) and sent by the PHINMS Client over the Internet (HTTPS). State DOH side: a Proxy Server in the DMZ, between two firewalls, forwards to the PHINMS Server, which decrypts with the DOH Private Key and places the HL7 message in its DB queue.
Integrity: Transport and Message Level (diagram)
Lab side: the HL7 message from the DB queue is signed with the Lab Private Key and sent by the PHINMS Client over the Internet. State DOH side: the Proxy Server in the DMZ forwards to the PHINMS Server, which verifies the signature with the Lab Public Key before placing the HL7 message in its DB queue.
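The two diagrams above (confidentiality: encrypt to the DOH public key; integrity: sign with the lab private key) describe one message-level operation that has to hold even when a route-not-read hub stores and forwards the envelope. The block below is an added example in Go, not PHINMS code: the real system wraps an HL7 payload in an ebXML envelope with XML Encryption and XML Signature and carries public keys in X.509 certificates, whereas this uses raw RSA keys, RSA-PSS signatures and a hybrid RSA-OAEP / AES-256-GCM encryption so that it runs offline. The `Party`, `Envelope`, `Seal` and `Open` names, the party names and the HL7 fragment are all constructed for the illustration. It goes slightly beyond the diagrams in two ways a practitioner would want: the signature is encrypted along with the payload (so a hub cannot confirm a guessed payload against it), and the routing headers are bound into the ciphertext as additional authenticated data.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SampleHL7 is a constructed HL7 v2 fragment standing in for a lab report.
const SampleHL7 = "MSH|^~\\&|LAB|StateLab|NEDSS|StateDOH|200501011200||ORU^R01|MSG00001|P|2.3.1\r" +
	"PID|1||PATID1234^^^MRN||DOE^JANE\r" +
	"OBX|1|ST|LEAD^Blood lead||12|ug/dL|<10|H|||F\r"

// Party is one PHIN partner with a long-lived RSA key pair (hypothetical type;
// the deployed system carries the public half in an X.509 certificate).
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

func NewParty(name string) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Key: key}, nil
}

// Envelope is what crosses the Internet and what a route-not-read hub holds.
// From/To are readable routing headers; the HL7 payload and the sender's
// signature exist only inside Ciphertext.
type Envelope struct {
	From, To   string
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over signature||payload, From/To as AAD
}

func routingAAD(from, to string) []byte { return []byte(from + "->" + to) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs the payload with the sender's private key, then encrypts
// signature||payload under a fresh AES key wrapped to the recipient's public key.
func Seal(sender *Party, to string, recipientPub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	aesKey := make([]byte, 32)
	nonce := make([]byte, 12) // standard GCM nonce size
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	inner := append(append([]byte{}, sig...), payload...)
	ct := gcm.Seal(nil, nonce, inner, routingAAD(sender.Name, to))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{From: sender.Name, To: to, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the AES key with the recipient's private key, decrypts, and
// verifies the embedded signature against the public key of the claimed sender.
func Open(recipient *Party, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Key, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("%s cannot unwrap key: message not encrypted to this party", recipient.Name)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	inner, err := gcm.Open(nil, env.Nonce, env.Ciphertext, routingAAD(env.From, env.To))
	if err != nil {
		return nil, errors.New("integrity failure: ciphertext or routing headers were modified")
	}
	n := senderPub.Size() // RSA-PSS signature length equals the modulus size
	if len(inner) < n {
		return nil, errors.New("malformed inner message")
	}
	sig, payload := inner[:n], inner[n:]
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify for claimed sender %s", env.From)
	}
	return payload, nil
}

func main() {
	lab, _ := NewParty("StateLab")
	doh, _ := NewParty("StateDOH")
	hub, _ := NewParty("Hub")
	env, err := Seal(lab, doh.Name, &doh.Key.PublicKey, []byte(SampleHL7))
	if err != nil {
		panic(err)
	}
	_, err = Open(hub, &lab.Key.PublicKey, env)
	fmt.Println("hub (route-not-read) can read payload:", err == nil)
	pt, err := Open(doh, &lab.Key.PublicKey, env)
	fmt.Println("DOH reads payload:", err == nil, len(pt), "bytes")
}
```

Opening with the wrong recipient key fails at the OAEP unwrap, any change to the ciphertext or to the From/To headers fails the GCM tag check before the signature is even examined, and a signature made by some other party fails verification against the claimed sender's key.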
Access Control: Perimeter Level (diagram)
PHINMS Sender (Internet) → Firewall → Proxy Server with ACL (DMZ) → Firewall → PHINMS Receiver (Internal Network) → Firewall → Message Consumer (Internal Network)
Identities, Credentials, Authorities
• Identity: Party ID
• Credential: certificate, password
• A sender may submit multiple credentials; a receiver accepts multiple credentials (policy dependent)
End Point Authentication
• Two-factor authentication: appropriate for user interactions
• Two-factor for B2B: no interoperability standards; lower return on investment in assurance
Firewall Considerations (diagrams)
• Scenario 1: Both parties are Internet accessible
• Scenario 2: One party behind a firewall
• Scenario 3: Both parties behind firewalls
Use of PKI in PHINMS
• Leverages PKI for security, but does not require it
• Authentication: client certificate over SSL, enforced by the web server proxy using a certificate trust list (CTL) model
• Currently not Bridge PKI aware (the proxy layer can be extended)
• XML Encryption: recipient certificate lookup from an LDAP directory, or via a web service
• XML Signature: signature metadata includes the signer's X.509 certificate
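The authentication bullet above (client certificate over SSL, enforced by the proxy with a certificate trust list) is the point where identity (Party ID) meets credential (certificate), and the decision the proxy makes is narrower than "is this a valid certificate": it must chain to a CA the site has chosen to list, be within its validity period, and be marked for client authentication. The block below is an added example in Go, not PHINMS or proxy code; the `NewCA`, `IssueClientCert` and `AuthenticateClient` helpers, the CA and party names, and the use of the certificate's CommonName as the Party ID are assumptions made for the illustration. Go's `crypto/x509` chain verification stands in for whatever the web server proxy actually uses. The expired-certificate case is included because of the lessons-learned point later on the page about expiring credentials.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA makes a self-signed CA; a PHIN partner's CA is what sits on the trust list.
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueClientCert issues a client-auth certificate for one partner. The
// CommonName carries the Party ID (an assumption for this example).
func IssueClientCert(ca *x509.Certificate, caKey *rsa.PrivateKey, partyID string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: partyID},
		NotBefore:    notAfter.Add(-48 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuthenticateClient is the proxy-side check: the presented certificate must
// chain to a CA on the certificate trust list, be inside its validity period
// and be usable for client authentication. On success it returns the Party ID.
func AuthenticateClient(ctl *x509.CertPool, presented *x509.Certificate) (string, error) {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     ctl,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	return presented.Subject.CommonName, nil
}

func main() {
	phinCA, phinKey, err := NewCA("PHIN Partner CA")
	if err != nil {
		panic(err)
	}
	rogueCA, rogueKey, _ := NewCA("Rogue CA")
	ctl := x509.NewCertPool()
	ctl.AddCert(phinCA) // only this CA is on the trust list

	good, _ := IssueClientCert(phinCA, phinKey, "statelab.example", time.Now().Add(time.Hour))
	rogue, _ := IssueClientCert(rogueCA, rogueKey, "statelab.example", time.Now().Add(time.Hour))
	expired, _ := IssueClientCert(phinCA, phinKey, "oldlab.example", time.Now().Add(-time.Hour))
	for _, c := range []*x509.Certificate{good, rogue, expired} {
		id, err := AuthenticateClient(ctl, c)
		fmt.Printf("issuer=%q cn=%q -> party=%q err=%v\n", c.Issuer.CommonName, c.Subject.CommonName, id, err)
	}
}
```

Note that the rogue certificate carries the same CommonName as the legitimate one; name matching alone would accept it, and only the chain check against the trust list rejects it.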
PHIN Partners – PKI Landscape
• PKI implementers (few): organizations with a full PKI implementation
• PKI users (most): SSL servers/certificates (most); user certificates and strong authentication (few)
• Mixed environments, PKI and non-PKI (most)
• Purely non-PKI (few): organizations that use other mechanisms (e.g., login/password, one-time password)
PHINMS – Status
• Used by several CDC/PHIN applications as the primary data transport mechanism over the Internet
• Deployed at 50+ sites nationwide, with many more being deployed
• Processes thousands of production messages daily
• Data is transported securely and reliably; network failures are handled gracefully using persistence and retries
PHINMS - Lessons Learned
• ebXML and Web Services security standards are a moving target
• Multiple credentials/mechanisms are a reality today
• Managing multiple credentials is a challenge (e.g., expiring passwords and certificates)