100 likes | 110 Views
Explore the advanced security measures proposed in IHE Year 4 for radiology systems, including authentication, access control, audit trails, and encryption protocols. Learn about the selection of standards and next-level security enhancements for secure data management.
E N D
IHE Year 4,the basis for a security solution Cor Loef Philips Medical Systems IHE Planning and Technical Committee HIMSS / RSNA
Overview • Why Information Security in Radiology? • Requirements • Proposed solution in IHE Year 4 • Is the a reasonable solution? HIMSS / RSNA
IHE year 4: collection of trusted nodes • Local authentication of user (Userid, Password) • Authentication of the remote node (digital certificates) • Local access control • Audit trail • Time synchronization System B System A Secure network Secure domain Secure domain HIMSS / RSNA
Selection of standards • X.509 certificates for node identity and keys • TCP/IP Transport Layer Security Protocol (TLS) for node authentication, and optional encryption • Reliable Delivery for Syslog (RFC 3195) • Network Time Protocol ( NTP) for time synchronization HIMSS / RSNA
Selection of standards • Audit trail open issue: events and content • HL7 Security and Accountability SIG:Common Audit Message (informative document) • ASTM PS 115: Provisional Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems • IHE in Technical Framework : Use XML and vendor DTD for defined content HIMSS / RSNA
Next level of security • Full user authentication between nodes, key management • Much more functionality and detail in authorization ( role based, patient related ), using central directory service • Encryption • Digital signatures (Reporting function) • De-identification • Support for Secure media • Intrusion Detection Systems HIMSS / RSNA
Background on RFC-3195 • Reliable replacement for BSD Syslog • Provides BEEP message structure, store and forward transport, common mandatory fields, and an XML payload. • Options for encryption and signatures. HIMSS / RSNA
Audit Trail • RFC - Basic information fields. • HL7 Security SIG - Information content recommendations for audit trails. • Missing component - a DTD HIMSS / RSNA
DTD • Joint or separate HL7 and DICOM DTDs? • There will be variety vendor DTDs in any real network • Audit management will be prepared for multiple DTDs • It makes sense for WG 14 to define DICOM transaction related DTD HIMSS / RSNA
What level of detail to describe? • IHE is recommending routine audit at the patient level • C2, CAPP (DoD) require adjustable detail level • normally high level surveillance • very detailed for high risk items and for suspect users • Is it reasonable to define messages at the levels: • patient, study, series, instance, DIMSE • DTD is prepared for the future beyond IHE basic support. HIMSS / RSNA