Leveraging identity management interoperability in eHealth

45th IEEE INTERNATIONAL CARNAHAN CONFERENCE ON SECURITY TECHNOLOGY, 18-21 October 2011. Maria João Campos, Manuel Eduardo Correia, Luís Filipe Antunes.

Presentation Transcript


  1. 45th IEEE INTERNATIONAL CARNAHAN CONFERENCE ON SECURITY TECHNOLOGY, 18-21 October 2011
     Leveraging identity management interoperability in eHealth
     Maria João Campos, Manuel Eduardo Correia, Luís Filipe Antunes

  2. Leveraging identity management interoperability in eHealth
     • Introduction
     • Key issues in eHealth identity management: a review
     • Legal Requirements
     • Main findings on European research programs
     • A new practical IdM infrastructure for eHealth
     • Simple use case scenario
     • Conclusions and future work

  3. Introduction
     In eHealth:
     • Many heterogeneous and highly specialized software applications
     • Implemented and deployed by diverse health organizations, such as public and private hospitals and health care centers
     • The rational management of these eHealth assets, together with their efficient and interoperable integration, represents today a major, hitherto unresolved challenge for the health sector at a global level.
     • Lack of widely accepted standards for the homogeneous integration of highly diverse identity and authentication mechanisms. Unfortunately, this has not yet been a major infrastructure concern in the eHealth context and thus constitutes a major roadblock to realizing these applications' full integration potential.

  4. Introduction
     In government digital services:
     • The national citizen eID card is currently considered to be an excellent opportunity to build upon and improve security for health information systems.
     • This is being materialized by the plethora of newly planned government digital services that use the citizen card for authentication, where the digital qualification of professionals and the citizen's/patient's explicit secure consent for access to specific information attributes are needed for their successful deployment.
     Unfortunately, appropriate interoperable secure mechanisms for the professional's qualified authentication and the citizen's explicit consent for private information access are presently not implemented or even defined.

  5. Introduction
     • The existing authentication model for the citizen's card is centralized in a national, government-managed authentication framework.
     In an eHealth application context the citizen could easily be correlated with the patient identification number, but the question that then arises is: is it possible to establish an appropriate relationship of trust between the different administration contexts (Government vs. Health) to provide the necessary proof of the patient's consent for allowing access to highly specific, critical health-related attributes?

  6. Identity management consists in: “the identification and management of identity attributes, associated credentials, and privileges necessary for the regular and efficient management and operation of the set of applications deployed on some administration domain.”

  7. Key issues in eHealth identity management: a review
     • Pseudonymisation and anonymisation of identity for secondary use
     • Privacy preserving identity
     • Identity, authentication and authorization
     • Identity management and standardization
     We have identified a need for a standard methodology for identity and authentication interoperability between different eHealth stakeholders.

  8. Legal Requirements
     In Portugal:
     • Data protection is regulated by European and national legislation that addresses personal and health data service provisioning, whose application and compliance are supervised by a national authority commission.
     • There is no legal data protection framework specifically for eHealth, so these issues are regulated by, and have to comply with, the more general personal data protection laws.
     • On the other hand, clinical practice is regulated and managed by the professional association authorities.
     • Article 35º of the Portuguese Constitution defines that patients in Portugal have the constitutional right to privacy. The national basic law for health care also indicates that the citizen/patient has the right to be treated with privacy, with strong assurance of personal data confidentiality.

  9. Legal Requirements
     At European level:
     • Professional regulation and recognition. Directive 36/2005 on the regulation of professionals and their recognition determines that the free movement and mutual recognition of qualifications of doctors, nurses responsible for general care, dental practitioners, midwives and pharmacists should be based on the principle of automatic recognition of qualifications, based on the coordination of minimum training conditions.
     • Adoption of European directives on cross-border healthcare. The rights of patients who seek healthcare in another member state also supplement the rights that patients already have at the wider EU level. As a result, patients will put pressure on member states and demand that they establish effective national contact points to provide them with information about their rights and entitlements and the more practical aspects of receiving cross-border healthcare.
     This must all be supported by eHealth systems supporting interoperable identity management at the EU level.

  10. Main findings on European research programs
     In information society:
     • FIDIS: some scenarios and use cases in the eHealth context have been defined, but the main focus of this project is the information society at large.
     • The Liberty Alliance and STORK identity and authentication related technologies are already being introduced and deployed in wide-scale applications; however, few of these are eHealth related, and this can create the feeling that eHealth is a late arrival to IdM.
     In eHealth:
     • The interoperability roadmap defined by the Calliope project;
     • epSOS is the first large-scale project to cater for and implement cross-border interoperable patient electronic health records and electronic prescriptions.

  11. A new practical IdM infrastructure for eHealth
     The IdM approach we are proposing is based on:
     • A centralized model supporting user-centric functionalities.
     • User credentials are centrally issued and managed to provide identity and authentication services to users, patients and health care professionals, and to facilitate and control access, in an interoperable way, to services delivered by different applications.
     Examples:
     • patient consent control on the release of personal information;
     • password management that can automatically keep track of different credentials and different authentication methods in a secure way.
     Users can have more effective control over how personal information is being released to promote interoperability between otherwise unrelated applications.

  12. A new practical IdM infrastructure for eHealth
     • Authority’s sources;
     • Registration and service subscription;
     • Applications;
     • Applications attributes interoperability
     • Assurance level;
     • Authenticate identity attributes
     • Level of trust
     • Sensitivity level of information

  13. Leveraging identity management interoperability in eHealth

  14. A simple use case scenario: patient auto-enrollment
     Four distinct phases can be identified during the patient auto-enrollment registration process:
     (1) The presentation of an electronic civil identification or patient identification (card);
     (2) The selection of a health service delivery entity;
     (3) The addition of other alternative authentication mechanisms;
     (4) The patient control exercised over the release of sensitive personal information.

  15. Use case considerations:
     • For an auto-enrollment process to be trustable, it is fundamental first to be in possession of a trustable digital identity with a high level of assurance;
     • National eID cards have high levels of assurance because very strict security rules are followed before they can be issued, and are therefore one example of tokens representing a fully trustable digital identity source.
     Security of the patient auto-enrollment process can safely rely on the security of the eID citizen card.

  16. Conclusions and future work
     The identity management proposal for eHealth:
     • Improves identity management interoperability in eHealth;
     • Specifies requirements for better identification and a secure and reliable registration process with appropriate security levels;
     • Provides patient registration by auto-enrollment with the use of an eID card;
     • For usability, allows the patient to choose other authentication mechanisms;
     • Keeps the necessary ratio between security level assurance and usability for the patients;
     • Empowers patients' control over personal attributes, with patient authorization and consent on attribute releases, in compliance with legal requirements for personal data protection;
     • Keeps the minimum information that allows patients to control attribute release, and empowers the control on source authorities for attribute verification and validation, creating a transparent and scalable model.

  17. Thank you!
     • Maria João Campos, Faculdade de Ciências, Faculdade de Medicina, Universidade do Porto, Porto, 4169-007 Portugal, mariajoao.campos@gmail.com
     • Manuel Eduardo Correia, CRACS, Faculdade de Ciências, Universidade do Porto, Porto, 4169-007 Portugal, mcc@dcc.fc.up.pt
     • Luís Filipe Antunes, Instituto de Telecomunicações, Faculdade de Ciências, Universidade do Porto, Porto, 4169-007 Portugal, lfa@dcc.fc.up.pt
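
Added example (not part of the presentation or the authors' implementation): a minimal Python model of the four auto-enrollment phases from slide 14 and the consent-gated attribute release from slides 11 and 12, where an attribute is released only if the patient consented and the session's assurance level meets the attribute's sensitivity level. The 1-4 level scale, the mechanism names, the attribute names and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed 1-4 scale shared by authentication assurance and attribute sensitivity.
ASSURANCE = {"eid_card": 4, "otp_sms": 3, "password": 2}      # constructed values
SENSITIVITY = {"name": 1, "patient_id": 2, "diagnosis": 4}    # constructed values
ENROLL_MIN = 4  # auto-enrollment must start from a high-assurance identity


@dataclass
class Patient:
    patient_id: str
    provider: str
    mechanisms: set = field(default_factory=set)
    consents: set = field(default_factory=set)  # (application, attribute) pairs


def enroll(patient_id, credential, provider):
    """Phases 1-2: present the eID card, select a health service delivery entity."""
    if ASSURANCE.get(credential, 0) < ENROLL_MIN:
        raise PermissionError("enrollment needs a high-assurance credential")
    return Patient(patient_id, provider, {credential})


def add_mechanism(patient, session_credential, new_credential):
    """Phase 3: an alternative mechanism is bound only from a high-assurance session."""
    if session_credential not in patient.mechanisms or ASSURANCE[session_credential] < ENROLL_MIN:
        raise PermissionError("step up to the eID before adding a mechanism")
    if new_credential not in ASSURANCE:
        raise ValueError("unknown mechanism")
    patient.mechanisms.add(new_credential)


def grant_consent(patient, application, attribute):
    """Phase 4: the patient records consent per application and attribute."""
    patient.consents.add((application, attribute))


def release(patient, session_credential, application, requested):
    """Deny by default; release needs consent AND assurance >= sensitivity."""
    level = ASSURANCE[session_credential] if session_credential in patient.mechanisms else 0
    decisions = {}
    for attr in requested:
        if (application, attr) not in patient.consents:
            decisions[attr] = "deny: no consent"
        elif level < SENSITIVITY.get(attr, 4):  # unknown attributes treated as most sensitive
            decisions[attr] = "deny: assurance too low"
        else:
            decisions[attr] = "release"
    return decisions
```

The model shows the usability trade-off from slide 16: a password session is enough for low-sensitivity attributes, while highly sensitive ones still require the eID card.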
