Integrating the Healthcare Enterprise
Audit Trail and Node Authentication
Courtesy of IHE Committees
IHE Europe Educational Event

IHE IT Infrastructure 2004-2005
• Personnel White Page (new): access to workforce contact information
• Retrieve Information for Display: access a patient’s clinical information and documents in a format ready to be presented to the requesting user
• Cross-Enterprise Document Sharing: registration, distribution and access across health enterprises of clinical documents forming a patient electronic health record
• Patient Demographics Query (new)
• Audit Trail & Node Authentication (new): centralized privacy audit trail and node-to-node authentication to create a secured domain
• Enterprise User Authentication: provide users a single name and centralized authentication process across all systems
• Consistent Time: coordinate time across networked systems
• Patient Synchronized Applications: synchronize multiple applications on a desktop to the same patient
• Patient Identifier Cross-referencing for MPI: map patient identifiers across independent identification domains
Scope
• Defines basic security features for a system in a healthcare enterprise in order to guarantee:
  • Only authorized persons have access to PHI (Protected Health Information)
  • PHI is protected against alteration, destruction and loss
  • Compliance with existing privacy & security regulations
• Extends the IHE radiology-oriented Basic Security profile (2002) to be applicable to other healthcare uses.

Assumptions
• IHE ATNA transactions take place in a secure domain
• Users/devices in the secure domain adhere to the security policy of the hospital
• The secure network is isolated from external networks through a firewall
• Intrusion detection systems are in place to detect violations
• Favor authentication & auditing over authorization
Security Mechanism
• Authentication (user and device): ATNA, EUA
• Authorization
• Accountability (audit trails): ATNA
• Confidentiality: ATNA
• Integrity: ATNA

ATNA - Security mechanism
• Device/User Authentication
  • “Who are you?”
  • Proof that the user/device is the one it claims to be
  • ATNA features:
    • Mutual device authentication over the network, using certificates
    • User authentication -> responsibility of the implementation
• Authorization
  • “What are you allowed to do?”
  • Role based access control (RBAC)
  • ATNA features:
    • Only authenticated users/devices can access PHI
    • RBAC is on the IHE roadmap

ATNA - Security mechanism (cont.)
• Accountability (audit trails)
  • “What have you done?”
  • Mechanisms to record and examine user/system activity
  • ATNA features:
    • Audit message format + transport protocol
• Integrity
  • Proof that data has not been altered or destroyed in an unauthorized manner
  • ATNA features:
    • TLS based network communication
• Confidentiality
  • Protection of PHI, transmitted or stored
  • Optional for intra-muros transmission
  • Required for extra-muros transmission
  • ATNA features:
    • TLS option of AES
IHE ATNA - Architecture
• Local access control (authentication of user)
• Strong authentication of the remote node (digital certificates)
  • Network traffic encryption is not required, it is optional
• Audit trail with:
  • Real-time access
  • Time synchronization
Diagram: System A and System B, each a secured system, on the secure network, both reporting to a central Audit Trail Repository.

IHE ATNA – New Actors
• Secure Node
  • Makes an actor secure
• Audit Record Repository
  • Receives audit messages
  • Correlates audit information from different sources
  • Patient- or user-centric analysis
  • Filters & forwards messages to enterprise audit repositories
• Time Server
  • Maintains the reference time
  • Enables client applications to synchronise their time

IHE ATNA vs IHE Basic Security
• Focus on the enterprise and not on radiology
• Support additional audit events (non-radiology related)
• Support an additional audit event format
  • IETF format
• Support an additional transport mechanism
  • Reliable syslog (cooked mode)

Backward compatibility
• ATNA is backward compatible with Basic Security
  • Applications supporting Basic Security are ATNA compliant
• Basic Security is deprecated
  • No further extensions
  • New applications are encouraged to use the new message format and transport mechanism

IHE ATNA – Actor and Transactions
All existing IHE actors need to be grouped with a Secure Node actor.
Diagram: a Secure Node (grouped with “any” IHE actor) performs Authenticate Node with another Secure Node, Record Audit Event with the Audit Record Repository and Maintain Time with the Time Server.

IHE ATNA – Transaction diagram
Secure Node
• Local user authentication
  • Only needed at the “client” node
  • Authentication mechanism
    • User name and password (minimum)
    • Biometrics, smart card
  • Secure nodes maintain a list of authorized users: local or central (using EUA)
  • The security policy of the hospital defines the relation between user and user id

Secure Node (cont.)
• Mutual device authentication
  • Establish a trust relationship between 2 network nodes
  • Strong authentication by exchanging X.509 certificates
    • Certificates have an expiration date of 2 years
    • The actor must be able to configure the certificate list of trusted nodes
  • TCP/IP Transport Layer Security Protocol (TLS)
    • Used with DICOM/HL7/HTTP messages
    • Secure handshake protocol of both parties during Association establishment:
      • Identify the encryption protocol
      • Exchange session keys
    • Supported cipher suites:
      • TLS_RSA_WITH_NULL_SHA (message signing, no encryption, default)
      • TLS_RSA_WITH_AES_128_CBC_SHA (message signing + encryption, optional)
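The trusted-node check the slide asks for (a locally configured list of trusted nodes plus the 2-year certificate lifetime), as an added example that is not IHE or project code. It models the peer certificate as the dict ssl.SSLSocket.getpeercert() returns and is meant to run after the TLS library has already verified the certificate chain; the sample certificate, node names and trusted list are constructed.

```python
import ssl, time

MAX_VALIDITY = 2 * 365 * 86400   # the slide's 2-year certificate lifetime, in seconds

def subject_cn(cert):
    """Common Name from the nested subject tuples returned by getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_peer(cert, trusted_nodes, now=None):
    """Decide whether a peer certificate belongs to a configured trusted node and is
    within policy. Returns (accepted, reason). trusted_nodes is the locally configured
    list of node CNs; a valid certificate from any other node is still rejected."""
    now = time.time() if now is None else now
    cn = subject_cn(cert)
    if cn not in trusted_nodes:
        return False, f"node {cn!r} is not in the configured trusted-node list"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        return False, "certificate is outside its validity period"
    if not_after - not_before > MAX_VALIDITY:
        return False, "certificate validity exceeds the 2-year policy"
    return True, "accepted"

# Constructed sample in the same shape as ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Hospital"),),
                (("commonName", "pacs01.example.test"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 00:00:00 2025 GMT",     # exactly 730 days after notBefore
}
TRUSTED_NODES = ["pacs01.example.test", "ris01.example.test"]
```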
What it takes to be a secure node
• The Secure Node is not a simple add-on of an auditing capability. The larger work effort is:
  • Instrument all applications to detect auditable events and generate audit messages.
  • Ensure that all communication connections are protected (system hardening).
  • Establish a local security mechanism to protect all local resources.
  • Establish configuration mechanisms for:
    • Time synchronization
    • Certificate management
    • Network configuration
  • Implement the audit logging facility.

Audit Record Repository
• Receives audit events from applications/actors accessing PHI
• ATNA defines:
  • The list of events that generate audit messages
  • The audit message format
  • The transport mechanism

Audit Events
• Audit triggers are defined for every operation that accesses PHI (create, delete, modify, import/export)
• The IHE TF describes the supported audit triggers per actor
• Audit triggers are grouped at study level to minimize overhead

IHE Audit Trail Events: combined list of IETF and DICOM events
Audit Message Format
• Two audit message formats:
  • IHE Radiology Provisional format, for backward compatibility with radiology
  • New ATNA format, for future growth
    • Joint effort of IETF/DICOM/HL7/ASTM
    • Draft version: http://www.ietf.org/rfc/rfc3881.txt
• Both formats are XML encoded messages, permitting extensions using XML standard extension mechanisms.
• An XSLT transformation is provided to convert the “Provisional” scheme to the “ATNA” scheme

Audit Transport Mechanism
• Reliable Syslog – cooked mode
  • Preferred mechanism
  • RFC 3195
  • Connection oriented
  • Supports certificate based authentication and encryption
• BSD Syslog protocol (RFC 3164) for backward compatibility
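Added example (not IHE reference code) tying the message format and transport slides together: an RFC 3881 AuditMessage for one PHI access is framed as a BSD syslog (RFC 3164) line, then parsed back on the Audit Record Repository side, which flags failed accesses to patient records. Element and attribute names follow the RFC 3881 schema; the event code, audit source, node, user and patient identifiers are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

AUDIT_FACILITY = 10  # RFC 3164 facility 10 = security/authorization messages

def build_audit_message(user_id, node_ip, patient_id, action, outcome, when):
    """One PHI-access event as an RFC 3881 AuditMessage. Element/attribute names
    follow the RFC 3881 schema; the event code and IDs are constructed placeholders."""
    msg = ET.Element("AuditMessage")
    ev = ET.SubElement(msg, "EventIdentification", {
        "EventActionCode": action,               # C/R/U/D/E = create/read/update/delete/execute
        "EventDateTime": when.isoformat(),
        "EventOutcomeIndicator": str(outcome)})  # 0 = success, 4/8/12 = minor/serious/major failure
    ET.SubElement(ev, "EventID", {"code": "EX-PHI-ACCESS", "codeSystemName": "ExampleCodes"})
    ET.SubElement(msg, "ActiveParticipant", {"UserID": user_id, "UserIsRequestor": "true",
                  "NetworkAccessPointID": node_ip, "NetworkAccessPointTypeCode": "2"})  # 2 = IP
    ET.SubElement(msg, "AuditSourceIdentification", {"AuditSourceID": "example-secure-node"})
    obj = ET.SubElement(msg, "ParticipantObjectIdentification", {
        "ParticipantObjectID": patient_id, "ParticipantObjectTypeCode": "1",   # 1 = person
        "ParticipantObjectTypeCodeRole": "1"})                                 # 1 = patient
    ET.SubElement(obj, "ParticipantObjectIDTypeCode", {"code": "2"})           # 2 = patient number
    return ET.tostring(msg, encoding="unicode")

def syslog_frame(xml_body, hostname, severity, when):
    """BSD syslog (RFC 3164) line: <PRI>TIMESTAMP HOSTNAME TAG: MSG, PRI = facility*8 + severity."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day of month is space-padded
    return f"<{AUDIT_FACILITY * 8 + severity}>{stamp} {hostname} ATNA: {xml_body}"

def parse_syslog_frame(line):
    """Repository side: split a frame into (facility, severity, hostname, xml_body)."""
    pri_end = line.index(">")
    pri = int(line[1:pri_end])
    hostname, tag_and_msg = line[pri_end + 17:].split(" ", 1)  # skip 15-char TIMESTAMP + space
    return pri // 8, pri % 8, hostname, tag_and_msg.split(": ", 1)[1]

def failed_phi_access(line):
    """Return (user, patient) when the record reports a failed access to a patient record, else None."""
    root = ET.fromstring(parse_syslog_frame(line)[3])
    if root.find("EventIdentification").get("EventOutcomeIndicator") == "0":
        return None
    obj = root.find("ParticipantObjectIdentification[@ParticipantObjectTypeCodeRole='1']")
    return root.find("ActiveParticipant").get("UserID"), (obj.get("ParticipantObjectID") if obj is not None else None)

def sample_record(outcome):
    """Constructed sample: dr.smith reads patient PAT-12345 from node 10.0.0.5 (warning if it failed)."""
    when = datetime(2005, 3, 7, 9, 5, 0, tzinfo=timezone.utc)
    xml = build_audit_message("dr.smith", "10.0.0.5", "PAT-12345", "R", outcome, when)
    return syslog_frame(xml, "ris01", 4 if outcome else 5, when)  # severities: 4 warning, 5 notice
```

A repository fed by reliable syslog (RFC 3195) would carry the same XML body; only the framing around it differs.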
More information
• IHE Web sites: www.ihe.net, www.ihe-europe.org
• Technical Frameworks:
  • ITI V1.0, RAD V5.5, LAB V1.0
• Technical Framework Supplements - Trial Implementation
  • May 2004: Radiology
  • August 2004: Cardiology, IT Infrastructure
• Non-Technical Brochures:
  • Calls for Participation
  • IHE Fact Sheet and FAQ
  • IHE Integration Profiles: Guidelines for Buyers
  • IHE Connect-a-thon Results
  • Vendor Products Integration Statements