2. September 8, 2005 Document Digital Signature Webinar: Providers and Vendors Working Together to Deliver Interoperable Health Information Systems in the Enterprise and Across Care Settings
3. IT Infrastructure Profiles
2004
Patient Identifier Cross-referencing for MPI (PIX)
Retrieve Information for Display (RID)
Consistent Time (CT)
Patient Synchronized Applications (PSA)
Enterprise User Authentication (EUA)
2005
Patient Demographics Query (PDQ)
Cross-Enterprise Document Sharing (XDS)
Audit Trail and Node Authentication (ATNA)
Personnel White Pages (PWP)
2006
Cross-Enterprise User Authentication (XUA)
Document Digital Signature (DSG)
Notification of Document Availability (NAV)
Patient Administration/Management (PAM)
4. Document Digital Signature: Value Proposition
Leverages the XDS document infrastructure
Provides accountability
Provides document integrity
Provides non-repudiation
Provides satisfactory evidence of authorship, approval, review and authentication
An infrastructural pattern to be further profiled by domain-specific groups (e-Prescribing, e-Referral)
5. Document Digital Signature: Abstract/Scope
A digital signature is itself an XDS document (changed from the June public comment version)
Four use cases were considered for this year
The vendor must provide a signature mechanism for XDS submissions
Digital signatures can also be used without an XDS registry; the approach is determined by other domain-specific groups (e-Prescribing, e-Referral)
6. Document Digital Signature: Out of Scope
Certificate management and PKI concepts (standards and implementations are available and will be discussed later)
Encryption: the focus begins with signing
Partial document signature
These are out of scope for the supplement, but will be discussed in this webinar.
7. Document Digital Signature: Introduction to Digital Signatures
The signing ceremony
Components
Resources
8. Document Digital Signature: The Signing Ceremony
To create a digitally signed document, the signing application:
Computes a digest (cryptographic hash) of the document to be signed
Signs that digest with the signer's private key, producing the signature value
Attaches the signature value to the original document, together with (or a reference to) the signer's certificate
The hash function, the asymmetric signature algorithm and the matching verification algorithm should come from a cryptographic toolkit rather than being implemented by the application itself.
9. Document Digital Signature: Verification
The recipient of the signed document verifies the signature with the signer's public key.
Start with the signed document plus the signature. Obtain the signer's public key (from the LDAP directory or from the certificate carried in the signature), recompute the digest of the document, and apply the verification algorithm to the signature value. Verification succeeds only if the signature was produced over that same digest with the matching private key.
If the digests match, the signature is valid; if not, the document or the signature has been altered.
Verification should also be handled by a good crypto toolkit. Note that a valid signature only proves which key signed the document; whether that key belongs to a trusted signer is a separate check of the certificate (chain, validity period, revocation status) covered under Digital Identity below.
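As an added worked example (not code from the webinar or the IHE supplement), the three steps of the signing ceremony and the verification just described, in Go using only the standard library. It assumes a throwaway RSA-2048 key pair generated in-process in place of the key behind the signer's ISO 17090 certificate, uses SHA-256 with PKCS#1 v1.5 rather than the rsa-sha1 of the 2005 sample XML, and signs a constructed prescription string rather than an XML document; the type and function names are its own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is the output of the signing ceremony: the original bytes
// with the signature value attached. (In the IHE profile the signature is a
// separate XDS document referencing the signed one; here it is a field.)
type SignedDocument struct {
	Document  []byte
	Signature []byte
}

// NewSignerKey generates a throwaway RSA key pair standing in for the key
// behind the signer's ISO 17090 certificate. A real signing application
// loads the key from a token or HSM; it never generates one itself.
func NewSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign performs the ceremony: digest the document, sign the digest with the
// private key (PKCS#1 v1.5, the scheme behind rsa-sha1 in the sample XML,
// but with SHA-256 here), and attach the signature value.
func Sign(priv *rsa.PrivateKey, doc []byte) (SignedDocument, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedDocument{}, err
	}
	return SignedDocument{Document: doc, Signature: sig}, nil
}

// Verify recomputes the digest of the received bytes and checks the
// signature against it with the signer's public key. A nil error proves
// only that this key signed exactly these bytes; whether the key belongs
// to a trusted, unexpired, unrevoked certificate is a separate PKI check.
func Verify(pub *rsa.PublicKey, sd SignedDocument) error {
	digest := sha256.Sum256(sd.Document)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sd.Signature)
}

func main() {
	priv, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample prescription; any byte string would do.
	sd, err := Sign(priv, []byte("Rx: amoxicillin 500 mg, 3x daily, 7 days"))
	if err != nil {
		panic(err)
	}
	fmt.Println("as signed:", Verify(&priv.PublicKey, sd))
	// Changing a single dose digit changes the digest, so the attached
	// signature no longer verifies.
	tampered := SignedDocument{
		Document:  bytes.ReplaceAll(sd.Document, []byte("500 mg"), []byte("600 mg")),
		Signature: sd.Signature,
	}
	fmt.Println("tampered:", Verify(&priv.PublicKey, tampered))
}
```

The digest is computed over the bytes actually received, never taken from the sender, so a document altered in storage or transit fails verification even if the attacker also forwards the original signature.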
10. Document Digital Signature: Components
You will need:
A digital identity
A toolkit for the cryptographic algorithms of signing and signature verification
(Identrus will be providing digital IDs for testing and showcasing at the Connectathon. Contact Lori Reed-Fourquet to get a digital ID to test with.)
11. Document Digital Signature: Digital Identity
Must be obtained from an ISO 17090 compliant Certificate Authority, including the role extension for the signer's role in the healthcare profession
For purposes of signature verification, the signer's certificate (public key portion) must be available
Test certificates can be obtained without rigorous identification requirements for the purpose of the Connectathon
For test certificates contact lori.fourquet@sbcglobal.net
1. The CA does not necessarily imply a full PKI
2. There will be an LDAP directory available for Personnel White Pages
3. Identity management will however be an important part of rolling this out to hospitals, as identity management and rigorous registration are key to the level of security of the signature
12. Document Digital Signature: ISO 17090 Certificate Info
A certificate may contain the name of the practitioner, their email address (optional), information about their organization and other credentials as referenced in ISO 17090.
ISO 17090 specifies a single healthcare-specific extension enabling assertion of roles:
the healthcare profession
regulatory identifiers
professional identifiers
consumer identifiers
employee roles
The IHE ITI committee has chosen to use this role extension.
13. Document Digital Signature: Identity Management
Rigorous identity management is critical to maintaining the trustworthiness of a digital signature
Organizations must ensure that face-to-face registration processes are in place and that digital identities are carefully assigned
Credentials of the healthcare stakeholder must be verified by the registration agent
The registration agent must be trained and aware of security requirements
Identity management will not be required for the Connectathon, but vendors must plan for it in their products.
14. Document Digital Signature: Goals
Leverage XDS for signature by reference
Profile the use of single and multiple signatures
Profile the use of nested signatures
Provide signature integrity across intermediary processing, for example:
e-Prescribing
Interface engines
15. Document Digital Signature: Updates
Changes to the Digital Signatures Supplement since the June 15th public comment version:
Most notably: no new XDS document type
NAV will use the digital signature function
XAdES (the ETSI extension of the W3C XML Signature) was selected as the XML digital signature structure
XAdES was selected for the timestamp, signature purpose and signer role attributes
In the long term XAdES will also help support future profiling needs for signature verification and long-term non-repudiation
16. Document Digital Signatures: Security Considerations
Digital signatures help mitigate the following attacks:
During storage or transmission of documents, characteristics of clinician orders reflected in the prescription could be modified.
During storage or transmission of documents, characteristics of countersigned clinician orders reflected in the prescription could be modified.
A forged prescription could be introduced.
17. Document Digital Signatures: Risks Not Mitigated
The following scenarios are not mitigated by digital signatures and require additional security:
Corruption or bribery of a user or counter-signer
Theft of a private key
Compromise of the physician's workstation to allow access to the signing key
The confirmation process could be corrupted or modified.
The dispensing system could be corrupted or modified, including by simple attacks like burglary.
The dispensing feedback could be corrupted, modified or destroyed.
Implementers must understand that digital signatures do not provide complete assurance.
A full security policy infrastructure is necessary.
18. Document Digital Signature: Use Cases: True Copy
Use Case 1: Attesting a document as a true copy
Verify that the document in use by all parties is the same as the original document and has not been modified.
Verify "document integrity".
The purpose of this use case is to verify that the document being used is the same as the original document and has not been modified, by error or intent. This is called establishing document integrity. It is also important to ascertain the identity of the signer and the reason for the signature.
For example, if it needs to be confirmed that a document is a true copy of a source medical document, the digital signature is checked. If the signature verifies, the document is a true copy. If it does not verify, the document (or the signature) has been modified and cannot be trusted.
19. Document Digital Signature: Use Cases: True Copy
XDS example:
Medical records staff who submit documents to XDS need to verify and attest to their submission.
Non-XDS example:
A physician needs to forward results obtained from a third party to another clinician. There is a need to ensure that all parties are working from the same "true copy".
20. Document Digital Signature: Use Cases: Attesting to Content
Use Case 2: Attesting to clinical information content
Attest that a report is complete and correct
Ability to verify that the physician has verified and attested to the report
21. Document Digital Signature: Use Cases: Attesting to Content
XDS example:
When a clinician submits content to XDS, he/she signs it to take clinical responsibility for the content
Non-XDS example:
A clinician needs to rely on the contents of a report created by another clinician: diagnosis, prescription content, etc.
Also, this signature cannot be repudiated.
22. Document Digital Signature: Use Cases: Diagnostic Report
Use Case 3: Attesting to a diagnostic report
The signature can simultaneously sign the source data that was used to prepare the diagnostic report
Provides a means to represent the full set of reports and data that was used to prepare the report
Information subsequently added to XDS is clearly not part of the source data
23. Document Digital Signature: Use Cases: Submission Set
Use Case 4: Attesting to a whole submission set
A digitally signed manifest can indicate both:
That a set of documents is authorized for release by the signing clinician
That the set is indeed the complete set of documents and their associated signatures
The manifest signature does NOT verify content or correctness.
1.4.3 Attesting to a whole submission set
When a doctor releases a set of documents for cross-enterprise distribution, s/he can use a digitally signed manifest to indicate that:
s/he is authorizing their release, and
this is the full set of documents in this release:
the medical documents, and
their associated digital signatures at the time of release
The digital signature document does not mean that s/he is verifying the clinical content of the documents; that is handled by other digital signatures, which should be included in the set of documents released.
The recipient organizations can use this digital signature to:
identify the person who selected and authorized the release,
obtain the complete list of documents released,
verify that the released documents have not changed, and
identify the associated XDS submission set.
24. Document Digital Signature: Use Cases: Submission Set
The recipient organizations can use this digital signature to:
identify the person who selected and authorized the release,
obtain the complete list of documents released,
verify that the released documents have not changed, and
identify the associated XDS submission set.
25. Document Digital Signature: Use Cases: Submission Set
XDS example:
Use XDS to send a collection of documents relating to a patient referral. Attest that the submission includes the complete set of relevant documents.
Non-XDS example:
Attesting to the completeness of a monthly submission of all TB patient records for statistical analysis
Attesting to the completeness of health records in a patient transfer
26. Document Digital Signature: Translation/Transformation
Use Case 5: Translation
When an original document must be translated, the original signature cannot be used to validate the translated document. An additional signature must be generated by the translator, with the ability to retain the original signature and data integrity.
27. Document Digital Signature: Use Cases: Translation
Introduction of an additional signature to validate:
The original document
The original signature
The translated document
This is used to verify that the translator had the original (true) document, that the original document was signed, and that the translator has attested to the validity of the translation.
When an original document must be translated (for the purposes of digital signature, translations and transformations are handled the same way), the original signature cannot be used to validate the translated document. An additional signature must be generated by the translator. This additional signature signs:
The original document being translated,
The resulting translation, and
The original signature.
All four objects must then be provided to the user of the translated document:
The translated document, which will be used
The translator's signature, which is used to:
verify the translated document,
confirm the original document, and
confirm the original signature
The original document, and
The original signature
28. Document Digital Signature: Use Cases: Translation
The original signature is not sufficient for signing the translated document. An additional translation signature must be used.
29. Document Digital Signature: Use Cases: Translation
XDS example:
Reference the original document and original signature by using an association type to link them in XDS with the translated version
Non-XDS example:
e-Prescribing: value-added networks that translate the format of a prescription before forwarding it to a pharmacy. Use the translation signature use case to ensure that signature integrity is not lost across the translation.
30. Document Digital Signature: Signature Attributes
Expand the signature to include additional data relevant to the healthcare signature:
The date and time the signature was calculated and applied
The identity of the signer
The signature purpose
XAdES signatures need to be expanded to suit healthcare needs
We are expanding XAdES signatures, which do not have sufficient signature attribute support, to include at least these attributes from the ASTM standard, since they are necessary in healthcare.
31. Document Digital Signature: Additions to ASTM E1762
The following signature purposes will be proposed for addition to ASTM E1762:
Modification
Authorization
Transformation
Recipient
Modification is still being worked on. In support of this profile and the concepts identified in preparing it, we will suggest the addition of these signature purposes to the ASTM standard.
32. Document Digital Signature: Multiple Signatures
The following diagrams outline common transactions where multiple signatures may be required.
33. Document Digital Signature: Transaction Diagram
First transaction: a simple signature action
Second transaction: two collaborators co-sign, sharing responsibility for the content of the document.
34. Document Digital Signature: Transaction Diagram
First workflow: an example of a counter-signature verifying the first signature, such as an anaesthesiologist approving the anaesthetizing nurse's signature
Second workflow: in a patient discharge, the physician authorizes release of the patient, the nurse signs that they have informed the patient of discharge instructions, and the discharge planner signs that arrangements for supplemental care have been made.
35. Document Digital Signature: Multiple Signatures
For multiple signatures of the same document (e.g. co-signature), each signature generates its digest from the document source
For witness signatures and other cases where the second signature attests to the original data and to the prior signature (e.g. witness), the digest is generated from the output of the first signed document.
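An added example (not code from the webinar or the IHE supplement) of signature by reference, as used by the submission set manifest of slides 23 to 25, the translation signature of slides 26 to 29 and the co-signature versus witness/counter-signature distinction on this slide. A signature is a signed manifest of references (URI plus digest), the shape of the ds:Manifest in the sample XML on slides 39 to 42; signing a prior signature is done by storing it as an object and referencing it like any document. It is written in Go with the standard library and assumes a map standing in for the XDS repository, a line-oriented canonical manifest in place of XML canonicalization, SHA-256 with PKCS#1 v1.5 in place of rsa-sha1, in-process RSA-2048 keys in place of ISO 17090 certificates, and constructed document contents and signer names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

type Store map[string][]byte // stand-in for the XDS repository: URI -> object bytes

// Reference is one ds:Reference of the manifest: object URI plus its digest.
type Reference struct {
	URI    string
	Digest [32]byte
}

// Signature is a signed manifest: the RSA operation covers signer, purpose
// and references, never the documents themselves.
type Signature struct {
	Signer, Purpose string
	References      []Reference
	Value           []byte
}

// manifest is the canonical byte form that is digested and signed;
// sorting by URI makes it independent of reference order.
func (s *Signature) manifest() []byte {
	refs := append([]Reference(nil), s.References...)
	sort.Slice(refs, func(i, j int) bool { return refs[i].URI < refs[j].URI })
	var b strings.Builder
	fmt.Fprintf(&b, "signer=%s\npurpose=%s\n", s.Signer, s.Purpose)
	for _, r := range refs {
		fmt.Fprintf(&b, "%s %s\n", r.URI, hex.EncodeToString(r.Digest[:]))
	}
	return []byte(b.String())
}

// Bytes is the storable form of a signature, so later signatures can reference it.
func (s *Signature) Bytes() []byte { return append(s.manifest(), s.Value...) }

// SignManifest digests the named objects as they are in the store now and
// signs the manifest. Co-signers each call it on the same source document;
// a witness or translator also names the prior signature's URI.
func SignManifest(priv *rsa.PrivateKey, signer, purpose string, st Store, uris ...string) (*Signature, error) {
	s := &Signature{Signer: signer, Purpose: purpose}
	for _, u := range uris {
		obj, ok := st[u]
		if !ok {
			return nil, fmt.Errorf("%s: object not in store", u)
		}
		s.References = append(s.References, Reference{URI: u, Digest: sha256.Sum256(obj)})
	}
	d := sha256.Sum256(s.manifest())
	var err error
	s.Value, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return s, err
}

// VerifyManifest checks the signature over the manifest, then that every
// referenced object is present (completeness) and unchanged (integrity);
// the error names the first object that is missing or has changed.
func VerifyManifest(pub *rsa.PublicKey, s *Signature, st Store) error {
	d := sha256.Sum256(s.manifest())
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], s.Value); err != nil {
		return fmt.Errorf("manifest signature invalid: %w", err)
	}
	for _, r := range s.References {
		obj, ok := st[r.URI]
		if !ok {
			return fmt.Errorf("%s: referenced object missing", r.URI)
		}
		if sha256.Sum256(obj) != r.Digest {
			return fmt.Errorf("%s: digest mismatch", r.URI)
		}
	}
	return nil
}

// NewKey generates a throwaway RSA key for the demonstration.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	author, translator := NewKey(), NewKey()
	st := Store{"doc:A": []byte("constructed: discharge summary (en)")}
	orig, _ := SignManifest(author, "Dr. A", "author", st, "doc:A")
	st["sig:orig"] = orig.Bytes() // the signature itself becomes a referenceable object
	st["doc:A-fr"] = []byte("constructed: discharge summary (fr)")
	tr, _ := SignManifest(translator, "T", "translation", st, "doc:A", "sig:orig", "doc:A-fr")
	st["doc:A-fr"] = []byte("edited translation") // tamper with the translation only
	fmt.Println("original:", VerifyManifest(&author.PublicKey, orig, st))
	fmt.Println("translation:", VerifyManifest(&translator.PublicKey, tr, st))
}
```

Because the witness, translator and release signatures each reference the earlier signature's bytes, altering the source document invalidates every signature in the chain, while altering only the translation leaves the author's signature intact and breaks only the translator's. Removing a document from a released set is caught as a missing reference, which is the completeness property the manifest signature provides; as the slides say, it says nothing about whether the content was correct.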
36. Document Digital Signature: XML Digital Signature Tools
The Apache XML Security project has both Java and C++ implementations of XML Digital Signature (open source): http://xml.apache.org/security/
JSR 105: Java XML Digital Signature API with reference implementations; final release by Sun and IBM, June 24, 2005. http://jcp.org/aboutJava/communityprocess/final/jsr105/index.html
37. Document Digital Signature: Commercial Toolkits (not a comprehensive list)
http://jce.iaik.tugraz.at/products/052_XSECT/index.php
http://www.infomosaic.net/SecureXMLDetailInfo.htm
http://www.betrusted.com/products/keytools/xml/index.asp
http://www.phaos.com/products/category/xml.html
http://www.verisign.com/products-services/security-services/pki/xml-trust-services/index.html
38. Document Digital Signature: Efforts to Make It Easier
Implementations of IHE IT Infrastructure actors that require XML Digital Signature support have been announced for the Eclipse Open Healthcare Framework.
No delivery date has been announced yet, but they will be available for the 2005-2006 integrations.
For more information on Eclipse contact djorgenson@inpriva.com
39. Document Digital Signature: XDS Sample Code (slides 39 to 42)
<Signature Id="signatureOID" xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:xad="http://uri.etsi.org/01903/v1.1.1#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#IHEManifest" Type="http://www.w3.org/2000/09/xmldsig#Manifest">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>base64ManifestDigestValue</DigestValue>
    </Reference>
    <!-- The XAdES signed properties (signing time, certificate, policy) and the
         purpose property are covered by the signature only if SignedInfo references
         them too; without these References they could be altered undetected.
         The Type URI follows the XAdES version in use. -->
    <Reference URI="#signedProperties" Type="http://uri.etsi.org/01903/v1.1.1#SignedProperties">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>base64SignedPropertiesDigestValue</DigestValue>
    </Reference>
    <Reference URI="#purposeOfSignature" Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>base64PurposeDigestValue</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>base64SignatureValue</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>base64X509certificate</X509Certificate>
    </X509Data>
  </KeyInfo>
  <Object>
    <xad:QualifyingProperties Target="#signatureOID">
      <xad:SignedProperties Id="signedProperties">
        <xad:SignedSignatureProperties>
          <xad:SigningTime>2005-09-08T12:00:00Z</xad:SigningTime> <!-- xsd:dateTime -->
          <xad:SigningCertificate>
            <xad:Cert> <!-- identifier of the signing certificate -->
              <xad:CertDigest>
                <xad:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <xad:DigestValue>base64 digest value</xad:DigestValue>
              </xad:CertDigest>
              <xad:IssuerSerial>
                <xad:X509IssuerName>X.509 distinguished name of the certificate's issuer</xad:X509IssuerName>
                <xad:X509SerialNumber>certificate serial number</xad:X509SerialNumber>
              </xad:IssuerSerial>
            </xad:Cert>
            <xad:Cert> <!-- identifier of the signing certificate's parent (issuing CA) -->
              <xad:CertDigest>
                <xad:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <xad:DigestValue>base64 digest value</xad:DigestValue>
              </xad:CertDigest>
              <xad:IssuerSerial>
                <xad:X509IssuerName>X.509 distinguished name of the parent certificate's issuer</xad:X509IssuerName>
                <xad:X509SerialNumber>certificate serial number</xad:X509SerialNumber>
              </xad:IssuerSerial>
            </xad:Cert>
          </xad:SigningCertificate>
          <xad:SignaturePolicyIdentifier>id</xad:SignaturePolicyIdentifier>
        </xad:SignedSignatureProperties>
      </xad:SignedProperties>
    </xad:QualifyingProperties>
    <SignatureProperties Id="purposeOfSignature">
      <SignatureProperty Id="purpose" Target="#signatureOID">code</SignatureProperty> <!-- ASTM E1762 signature purpose code -->
    </SignatureProperties>
    <Manifest Id="IHEManifest">
      <Reference URI="ihexds:registry:xxxx-xxxx…"> <!-- document A -->
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>base64DigestValue</DigestValue>
      </Reference>
      <Reference URI="ihexds:registry:xxxx-xxxx…"> <!-- XML document B -->
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>base64DigestValue</DigestValue>
      </Reference>
      <Reference URI="ihexds:registry:xxxx-xxxx…"> <!-- DICOM document (or object) C; the transform names the DICOM transfer syntax -->
        <Transforms>
          <Transform Algorithm="urn:oid:1.2.840.10008.1.2.1"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>base64DigestValue</DigestValue>
      </Reference>
    </Manifest>
  </Object>
</Signature>
43. Document Digital Signature: XDS Signature Document Content
Lori will touch on these items and give people time to ask if any elements of the table are unclear.
44. Document Digital Signature: XDS Signature Document Content
45. Document Digital Signature: XDS Signature Document Content
46. Document Digital Signature: Standards Used
W3C XML Signature (XML-DSig) with ETSI XAdES
ISO 17090, 21091
ASTM E2212, E1985, E1762, E1084
IETF X.509 (PKIX)
DICOM Supplements 41, 86
NCPDP
HL7 CDA
47. More information
IHE web site: www.ihe.net
Technical Frameworks, Supplements
Fill in relevant supplements and frameworks
Non-Technical Brochures:
Calls for Participation
IHE Fact Sheet and FAQ
IHE Integration Profiles: Guidelines for Buyers
IHE Connect-a-thon Results
Vendor Products Integration Statements