RESTful Health Exchange (RHEx)
Overview
To NwHIN Power Team
July 26, 2012

wiki.siframework.org/RHEx

DRAFT—for discussion purposes only
Outline


• RESTful Health Exchange (RHEx)
  – Overview
  – Security and Privacy
  – Fiscal Year 2012 (FY12) Pilots
  – Project Outcomes
  – Security Approach Standards Profiles
• HITSC Standards Readiness Test Case
• Next Steps

                                           2
RHEx Overview
     RESTful Health Exchange (RHEx)

• An open source, exploratory project to apply proven web
  technologies to demonstrate a simple, secure, and
  standards-based health information exchange
   – Sponsored by the Federal Health Architecture (FHA)
     program
   – A Fiscal Year 2012 project being demonstrated in 2 phases
        • Phase 1: Security approach (April – July 2012)
        • Phase 2: Content approach (July – September 2012)

• A Federal Partners’ response to an identified need
   – Addresses NwHIN Power Team recommendation to
     develop a specification for RESTful exchange of health
     data (28 Sept 2011)
   – Continues the tradition of Federal Partner investment in
     driving innovative solutions
   – Intended to inform a path forward on a RESTful health
     exchange
“We can’t wait 5 years for transport standards. We can’t afford it.”
        Farzad Mostashari, HIT Standards Committee, September 28, 2011 Meeting

                                                                                 3
RHEx Overview
     RHEx Approach

• Apply existing standards
   – Refine existing standards to fit into the Nationwide Health
     Information Network (NwHIN) portfolio
   – Start with HTTP
   – Layer on proven, open standards for identity management
     as well as user and service authentication
• Use pilots to test that theory works in practice
   – Work to reduce ambiguity or oversights in the standards
     being refined by the project
   – Extend standards where doing so best serves the health community
• Implement a conformance testing framework
   – Provide tools and documentation to test that an
     independent party’s implementation conforms to RHEx
     standards profiles



                                                                   4
RHEx Overview
    Piloting RHEx in Two Phases in FY12


• Phase 1: Security Approach (April - July 2012)
   – Focus on securing web interactions
   – Use web/mobile friendly methods of exchanging identity
     information and authorizing users via HTTPS
   – Seek community input on satisfactory and complete
     RESTful security

• Phase 2: Content Approach (July - September 2012)
   – Expand pilot to show full benefit of a RESTful
     interaction and incorporate the content layer
   – Seek community input on a structured approach to
     granular health data exchange



                                                              5
RHEx Security and Privacy
     Safeguarding Access to Health Information


• Secure communications over TLS/SSL (HTTPS)
• Use proven, open standards for identity and
  authentication
   – OpenID Connect for distributed identity management and
     user authentication
   – OAuth2 for service-to-service authentication
• Provide information needed for authorization
  determination
   – Extend standard profile to best serve the health domain
       • e.g., add clinical role for use in enforcing access control
   – Privacy is enforced at the provider location at the time the
     information is requested
   – Authorization process is out of scope for RHEx FY12 pilots


                                                                       6
RHEx FY12 Pilots
      Testing that Theory Works in Practice

• Initial pilot: Phase 1 & Phase 2
   – Goal: Demonstrate simple, secure RESTful exchange in
      two phases
   – Use Case: Consults/Referral
       • Selected via discussions with Federal Partners
   – FHA Partner: Steve Steffensen and Ollie Gray, TATRC
       • Telemedicine & Advanced Technology Research Group (TATRC),
         U.S. Army Medical Research & Materiel Command (MRMC)
   – Status: Phase 1 scheduled for completion 31 July
• Second pilot: Phase 2
   – Goal: Investigate use of RESTful approach to populate
     Maine HIE (HealthInfoNet) Clinical Data Repository
   – Use Case: Integrate electronic health records for medically
     underserved areas
   – FHA Partner: Todd Rogow, HealthInfoNet
   – Status: Development on track for 31 August demonstration
• Investigating possible Blue Button related third pilot
                                                                      7
RHEx Project Outcomes
      Anticipated FY12 Outcomes

• Community dialog around RESTful approaches
   – How to apply the architectural style widely used on the
     web today
   – Which proven open standards for identity management
     and authentication best serve the Health IT Community
• A set of products to inform a path forward
   – RESTful health data exchange implementation(s)
       • Focusing on refining existing standards
       • Using pilots to reduce ambiguity and oversights in these
         standards
   – Testable, draft profiles for relevant, existing standards
   – Independent conformance testing tool to validate
     against profiles
Input to inform a path forward on a World Wide Web and mobile friendly way to exchange health data
                                                                    8
RHEx Security Approach Profiles
    Seeking Community Feedback

• Draft profiles for OAuth 2 and OpenID
  Connect will be posted to RHEx wiki in July
• RHEx project seeks community feedback
  – Attend the RHEx WebExs
     •   Thursdays, 11 am – 12 pm EDT (until Sept. 20)
     •   Security Profile Review is scheduled for Aug. 9
     •   Previous WebExs can be accessed here
     •   For details, see S&I calendar or RHEx Wiki
  – Join the RHEx Google Group conversation
     • Also accessible through the RHEx wiki
• RHEx project will document feedback and
  incorporate comments, as appropriate

                      wiki.siframework.org/RHEx
                                                           9
HITSC Standards Readiness Test Case
   Preliminary Standards Assessment

• Exercised HIT Standards Committee (HITSC)
  preliminary standards evaluation criteria
   – Version presented to HITSC by NwHIN
     Power Team on 19 July 2012
• Performed very preliminary assessment of
  two RHEx security approach standards
   – OAuth2
   – OpenID Connect
• Intended to provide feedback to Power Team
  on preliminary recommendations for
  standards evaluation criteria

Criteria test case only – Not a vetted assessment
                                                    10
Context: Evaluation of Readiness of Technical
Specifications to Become National Standards
Preliminary placement for criteria test case; Not all criteria able to be assessed

[Figure: two-axis chart with Adoptability (Low / Moderate / High) on the
horizontal axis and Maturity (Low / Moderate / High) on the vertical axis;
regions are labelled Emerging Standards, Pilots and National Standards,
running from the low/low corner to the high/high corner]

Maturity Criteria:
• Maturity of Specification
• Maturity of Underlying Technology Components
• Market Adoption

Adoptability Criteria:
• Ease of Implementation and Deployment
• Ease of Operations
• Intellectual Property

        Source: Dixie Baker, “Preliminary Recommendations for Standards Evaluation
                Criteria”, Briefing to HIT Standards Committee, July 19, 2012
                                                                                                       11
Standards Evaluation Criteria Preliminary Test
    Notes

• Not a vetted assessment
   – Cursory pass through evaluation criteria
• HTTP – Underlying technology of OAuth2 and OpenID
  Connect
   – Highly mature, adoptable and scalable
• OAuth2 – IETF Draft
   – High to Moderate maturity and adoptability
• OpenID Connect – Implementers Draft
   – Moderate maturity and adoptability
• Preliminary Standards Evaluation Criteria Feedback
   – Quite comprehensive
   – Additional clarification on some criteria would be beneficial
       • Questions around context and meaning of some criteria elements
   – Can provide feedback on specific criteria elements

                                                                          12
Next Steps


• Continue to engage the community
   – Community feedback on OpenID Connect
     and OAuth 2 profiles
   – Google Group discussions
   – Bi-weekly WebEx meetings
• Continue pilot implementations
• Continue work on conformance test
  framework

         Powering Secure, Web-Based Health Data Exchange
                                                           13
BACK-UP CHARTS


                 14
Tentative RHEx WebEx Schedule

Date             Topic                              Speaker
June 28          Overview/Kick-Off                  Mary Pulvermacher
July 12          Charter Discussion                 Rick Cagle
July 26          RHEx Security Approach             Justin Richer
August 9         Phase I Profile Discussion         Rob Dingwell and Andy Gregorowicz
August 23        RHEx Content Approach              Anne Kling
August 30        Phase II Profile Discussion        Andy Gregorowicz
September 6      RHEx Test Framework                Jason Matthews
September 20     Lessons Learned from RHEx Pilots   Suzette Stoutenburg
September 27     Wrap-up and Next Steps             Mary Pulvermacher

                                                                  15
Core Technical Principles

• Internet Scale Access Management
   – Standards such as OAuth and OpenID have demonstrated
      strong, scalable security at low cost
• Granular and Addressable Data
   – Breaking healthcare information into small pieces
      accessible by a URL enables secure, efficient access
• Linking
   – When data is addressable, it can be linked on the web,
      allowing humans and software to browse the web of links to
      view clinical contexts
• Leverage HTTP
   – The protocol that drives the web offers a more robust,
      flexible and scalable solution


                                                                   16
Why use OpenID Connect and OAuth 2?

• OpenID Connect
  – Strong industry participation
  – Flexible trust model
  – Alternatives
      • Browser ID, Shibboleth, CAS
      • Low adoption, some are more SSO oriented
• OAuth 2
  – Wide industry adoption
  – Works well with browser clients
  – Alternatives
      • Two-way (mutual) TLS/SSL
          – Low adoption
          – Key distribution and protection problems
      • WS-Security
          – Does not work well with browsers
                                                       17
OpenID Connect Family Tree

[Figure: family-tree diagram of the specifications that led to OpenID Connect.
Nodes recoverable from the figure: OpenID 1.0, OpenID 2.0, XRDS, XRD, SWD,
AB, AX, PAPE, Hybrid, OAuth 1.0/a, WRAP, OAuth 2, Facebook Connect, WS*,
ID-WSF, SAML, JWT/JOSE, OpenID Connect]
                                                                                       18
OAuth

• An open protocol that allows secure API authorization in
  a simple, standard way from desktop and web
  applications
• An Internet Engineering Task Force (IETF) standard




                                                          19
• OpenID is an open web standard that allows
  users to be authenticated in a distributed manner
   – For example, this could allow a VA Provider to log
     into a DoD system using their VA username and
     password
• Provides authentication and identity
   – Extensible to include profiles and claims (e.g., the
     user clinical role)
• OpenID Connect
   – Identity service built on top of OAuth2

                                                            20
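The checks a relying party performs on an OpenID Connect ID token before trusting the identity and the clinical-role claim the RHEx profile extension adds, as an added example (not RHEx project code). The claim name `clinical_role`, the issuer and client identifiers, and the HS256/client-secret signing choice are assumptions, not from the slides; the example also goes beyond the slides by showing the standard rejections (wrong issuer or audience, expired token, replayed nonce, `alg: none`).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions, not from the RHEx slides).
CLIENT_SECRET = b"constructed-example-client-secret"
ISSUER = "https://op.example.invalid"    # placeholder OpenID Provider
CLIENT_ID = "rhex-referral-app"          # placeholder relying party client_id
NONCE = "n-0S6_WzA2Mj"                    # per-login nonce the relying party generated
CLINICAL_ROLE_CLAIM = "clinical_role"    # assumed claim name for the RHEx role extension


class IDTokenError(Exception):
    """Raised when an ID token fails any relying-party check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a JWT the way an OpenID Provider would. alg='none' exists only so the
    relying-party check below can be shown rejecting it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def issue_example_token(now: float, role: str = "nurse") -> str:
    """The ID token a provider-side OP would return after a clinician logs in."""
    claims = {"iss": ISSUER, "sub": "provider-4711", "aud": CLIENT_ID,
              "iat": int(now), "exp": int(now) + 300, "nonce": NONCE,
              CLINICAL_ROLE_CLAIM: role}
    return sign_id_token(claims, CLIENT_SECRET)


def validate_id_token(token: str, secret: bytes, expected_iss: str, client_id: str,
                      expected_nonce: str, now: float = None) -> dict:
    """Relying-party checks from OpenID Connect Core 3.1.3.7: pinned alg,
    signature, iss, aud (plus azp when several audiences), exp and nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the RP configured; never let the token's header choose it.
    # This is the check that rejects 'alg': 'none' and algorithm-swap tokens.
    if header.get("alg") != "HS256":
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IDTokenError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise IDTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise IDTokenError("token was not issued to this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("multiple audiences but azp does not name this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise IDTokenError("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch (possible replayed token)")
    return claims


def clinical_role(claims: dict, allowed: frozenset) -> str:
    """Read the role carried by the profile extension so a later access-control
    step (out of scope for the FY12 pilots) has a vetted value to work with."""
    role = claims.get(CLINICAL_ROLE_CLAIM)
    if role not in allowed:
        raise IDTokenError(f"unknown or missing clinical role {role!r}")
    return role


if __name__ == "__main__":
    now = time.time()
    claims = validate_id_token(issue_example_token(now), CLIENT_SECRET,
                               ISSUER, CLIENT_ID, NONCE, now)
    print(claims["sub"], clinical_role(claims, frozenset({"physician", "nurse"})))
```

A production relying party would use the provider's published RS256 keys and enforce an `iat` freshness window as well; the structure of the checks is the same.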
Standards Evaluation Criteria Preliminary Test
            Maturity Criteria

Criteria                                                                          OAuth2   OpenID Connect
Maturity of the Specification
  Breadth of Support                                                                H          M-H
  Stability                                                                         M-H        L
  Degree of interoperability among independent non-coordinated implementations     ?          M
  Adoption of Specification                                                         H          M
Maturity of Underlying Technology Components
  Breadth of Support                                                                H          M
  Stability                                                                         H          M-H
  Degree of interoperability among independent non-coordinated implementations     H          M
  Adoption of Technology                                                            H          M-H
  Platform Support                                                                  H          M-H
  Maturity of the technology within its life cycle                                  H          ?
Market Adoption
  Installed health care user base                                                   ?          L
  Installed user base outside of health care                                        H          L
  Future projections and anticipated support                                        M-H        M-H
  Investments in user training                                                      ?          ?
(H = High, M = Moderate, L = Low, ? = not able to be assessed)

       Preliminary assessment for criteria test case; Not all criteria able to be assessed        21
Standards Evaluation Criteria Preliminary Test
                Adoptability Criteria

Criteria                                                                          OAuth2   OpenID Connect
Ease of Implementation and Deployment
  Availability of off-the-shelf infrastructure to support implementation            H          L-H
  Deployment Complexity                                                             ?          ?
  Conformance Criteria and Tests                                                    L          L
  Availability of Reference Implementations                                         H          ?
  Complexity of Specification                                                       ?          ?
  Quality and Clarity of Specifications                                             H          M-H
  Specification Modularity                                                          ?          ?
  Separation of Concerns                                                            H          H
  Ease of use of specification                                                      H          H
  Degree to which specification uses familiar terms to describe “real-world” concepts   H     H
  Runtime Coupling                                                                  H          H
  Degree of Optionality                                                             ?          ?
Ease of Operations
  Comparison of targeted scale of deployment to actual scale deployed               ?          ?
  Number of operational issues identified in deployment                             ?          ?
  Degree of peer-coordination needed                                                H          H
  Operational scalability (i.e., operational impact of adding a single node)        H          H
  Fit to Purpose                                                                    ?          ?
Intellectual Property
  Openness                                                                          H          H
  Accessibility and Fees                                                            H          H
  Licensing Policy                                                                  H          H
  Copyrights                                                                        H          H
  Patents                                                                           H          H
(H = High, M = Moderate, L = Low, ? = not able to be assessed)

          Preliminary assessment for criteria test case; Not all criteria able to be assessed                   22

Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

RHEx NwHIN Power Team 2012-07-26

1. RESTful Health Exchange (RHEx) Overview
   To NwHIN Power Team
   July 26, 2012
   wiki.siframework.org/RHEx
   DRAFT—for discussion purposes only

2. Outline
   • RESTful Health Exchange (RHEx)
     – Overview
     – Security and Privacy
     – Fiscal Year 2012 (FY12) Pilots
     – Project Outcomes
     – Security Approach Standards Profiles
   • HITSC Standards Readiness Test Case
   • Next Steps

3. RHEx Overview: RESTful Health Exchange (RHEx)
   • An open source, exploratory project to apply proven web technologies to demonstrate a simple, secure, and standards-based health information exchange
     – Sponsored by the Federal Health Architecture (FHA) program
     – A Fiscal Year 2012 project being demonstrated in 2 phases
       • Phase 1: Security approach (April – July 2012)
       • Phase 2: Content approach (July – September 2012)
   • A Federal Partners’ response to an identified need
     – Addresses NwHIN Power Team recommendation to develop a specification for RESTful exchange of health data (28 Sept 2011)
     – Continues the tradition of Federal Partner investment in driving innovative solutions
     – Intended to inform a path forward on a RESTful health exchange
   “We can’t wait 5 years for transport standards. We can’t afford it.”
   Farzad Mostashari, HIT Standards Committee, September 28, 2011 Meeting

4. RHEx Overview: RHEx Approach
   • Apply existing standards
     – Refine existing standards to fit into the Nationwide Health Information Network (NwHIN) portfolio
     – Start with http
     – Layer on proven, open standards for identity management as well as user and service authentication
   • Use pilots to test that theory works in practice
     – Work to reduce ambiguity or oversights in the standards being refined by the project
     – Extend standards where best serves the health community
   • Implement a conformance testing framework
     – Provide tools and documentation to test that an independent party’s implementation conforms to RHEx standards profiles

5. RHEx Overview: Piloting RHEx in Two Phases in FY12
   • Phase 1: Security Approach (April – July 2012)
     – Focus on securing web interactions
     – Use web/mobile friendly methods of exchanging identity information and authorizing users via HTTPS
     – Seek community input on satisfactory and complete RESTful security
   • Phase 2: Content Approach (July – September 2012)
     – Expand pilot to show full benefit of a RESTful interaction and incorporate the content layer
     – Seek community input on a structured approach to granular health data exchange
6. RHEx Security and Privacy: Safeguarding Access to Health Information
   • Secure communications over TLS/SSL (https)
   • Use proven, open standards for identity and authentication
     – OpenID Connect for distributed identity management and user authentication
     – OAuth2 for service-to-service authentication
   • Provide information needed for authorization determination
     – Extend standard profile to best serve the health domain
       • e.g., add clinical role for use in enforcing access control
     – Privacy is enforced at the provider location at the time the information is requested
     – Authorization process is out of scope for RHEx FY12 pilots

7. RHEx FY12 Pilots: Testing that Theory Works in Practice
   • Initial pilot: Phase 1 & Phase 2
     – Goal: Demonstrate simple, secure RESTful exchange in two phases
     – Use Case: Consults/Referral
       • Selected via discussions with Federal Partners
     – FHA Partner: Steve Steffensen and Ollie Gray, TATRC
       • Telemedicine & Advanced Technology Research Group (TATRC), U.S. Army Medical Research & Materiel Command (MRMC)
     – Status: Phase 1 scheduled for completion 31 July
   • Second pilot: Phase 2
     – Goal: Investigate use of RESTful approach to populate Maine HIE (HealthInfoNet) Clinical Data Repository
     – Use Case: Integrate electronic health records for medically underserved areas
     – FHA Partner: Todd Rogow, HealthInfoNet
     – Status: Development on track for 31 August demonstration
   • Investigating possible Blue Button related third pilot

8. RHEx Project Outcomes: Anticipated FY12 Outcomes
   • Community dialog around RESTful approaches
     – How to apply the architectural style widely used on the web today
     – Which proven open standards for identity management and authentication best serve the Health IT Community
   • A set of products to inform a path forward
     – RESTful health data exchange implementation(s)
       • Focusing on refining existing standards
       • Using pilots to reduce ambiguity and oversights in these standards
     – Testable, draft profiles for relevant, existing standards
     – Independent conformance testing tool to validate against profiles
   Input to inform a path forward on a world wide web and mobile friendly way to exchange health data

9. RHEx Security Approach Profiles: Seeking Community Feedback
   • Draft profiles for OAuth 2 and OpenID Connect will be posted to RHEx wiki in July
   • RHEx project seeks community feedback
     – Attend the RHEx WebExs
       • Thursdays, 11 am – 12 pm EDT (until Sept. 20)
       • Security Profile Review is scheduled for Aug. 9
       • Previous WebExs can be accessed here
       • For details, see S&I calendar or RHEx Wiki
     – Join the RHEx Google Group conversation
       • Also accessible through the RHEx wiki
   • RHEx project will document feedback and incorporate comments, as appropriate
   wiki.siframework.org/RHEx

10. HITSC Standards Readiness Test Case: Preliminary Standards Assessment
   • Exercised HIT Standards Committee (HITSC) preliminary standards evaluation criteria
     – Version presented to HITSC by NwHIN Power Team on 19 July 2012
   • Performed very preliminary assessment of two RHEx security approach standards
     – OAuth2
     – OpenID Connect
   • Intended to provide feedback to Power Team on preliminary recommendations for standards evaluation criteria
   Criteria test case only – Not a vetted assessment
11. Context: Evaluation of Readiness of Technical Specifications to Become National Standards
   Preliminary placement for criteria test case; not all criteria able to be assessed
   [Chart: Maturity (Low / Moderate / High, vertical axis) plotted against Adoptability (Low / Moderate / High, horizontal axis), with regions labelled Emerging Standards, Pilots and National Standards.]
   Maturity Criteria: Maturity of Specification; Maturity of Underlying Technology Components; Market Adoption
   Adoptability Criteria: Ease of Implementation and Deployment; Ease of Operations; Intellectual Property
   Source: Dixie Baker, “Preliminary Recommendations for Standards Evaluations Criteria”, Briefing to HIT Standards Committee, July 19, 2012

12. Standards Evaluation Criteria Preliminary Test: Notes
   • Not a vetted assessment
     – Cursory pass through evaluation criteria
   • HTTP – underlying technology of OAuth2 and OpenID Connect
     – Highly mature, adoptable and scalable
   • OAuth2 – IETF Draft
     – High to Moderate maturity and adoptability
   • OpenID Connect – Implementers Draft
     – Moderate maturity and adoptability
   • Preliminary Standards Evaluation Criteria Feedback
     – Quite comprehensive
     – Additional clarification on some criteria would be beneficial
       • Questions around context and meaning of some criteria elements
     – Can provide feedback on specific criteria elements

13. Next Steps
   • Continue to engage the community
     – Community feedback on OpenID Connect and OAuth 2 profiles
     – Google Group discussions
     – Bi-weekly WebEx meetings
   • Continue pilot implementations
   • Continue work on conformance test framework
   Powering Secure, Web-Based Health Data Exchange
15. Tentative RHEx WebEx Schedule

   Date           Topic                              Speaker
   June 28        Overview/Kick-Off                  Mary Pulvermacher
   July 12        Charter Discussion                 Rick Cagle
   July 26        RHEx Security Approach             Justin Richer
   August 9       Phase I Profile Discussion         Rob Dingwell and Andy Gregorowicz
   August 23      RHEx Content Approach              Anne Kling
   August 30      Phase II Profile Discussion        Andy Gregorowicz
   September 6    RHEx Test Framework                Jason Matthews
   September 20   Lessons Learned from RHEx Pilots   Suzette Stoutenburg
   September 27   Wrap-up and Next Steps             Mary Pulvermacher

16. Core Technical Principles
   • Internet Scale Access Management
     – Standards such as OAuth and OpenID have demonstrated strong, scalable security at low cost
   • Granular and Addressable Data
     – Breaking healthcare information into small pieces accessible by a URL enables secure, efficient access
   • Linking
     – When data is addressable, it can be linked on the web, allowing humans and software to browse the web of links to view clinical contexts
   • Leverage HTTP
     – The protocol that drives the web offers a more robust, flexible and scalable solution

17. Why use OpenID Connect and OAuth 2?
   • OpenID Connect
     – Strong industry participation
     – Flexible trust model
     – Alternatives
       • Browser ID, Shibboleth, CAS
       • Low adoption, some are more SSO oriented
   • OAuth 2
     – Wide industry adoption
     – Works well with browser clients
     – Alternatives
       • Two way TLS/SSL
         – Low adoption
         – Key distribution and protection problems
       • WS-Security
         – Does not work well with browsers

18. OpenID Connect Family Tree
   [Diagram: the lineage of OpenID Connect. Nodes shown: OpenID 1.0, OAuth 1.0/a, XRDS, OpenID 2.0, Hybrid, WS*, ID-WSF, WRAP, XRD, AB, AX, PAPE, SAML, OAuth 2, Facebook Connect, SWD, JWT/JOSE, OpenID Connect.]
19. OAuth
   • An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications
   • An Internet Engineering Task Force (IETF) standard

20.
   • OpenID is an open web standard that allows users to be authenticated in a distributed manner
     – For example, this could allow a VA Provider to log into a DoD system using their VA username and password
   • Provides authentication and identity
     – Extensible to include profiles and claims (e.g., the user clinical role)
   • OpenID Connect
     – Identity service built on top of OAuth2

21. Standards Evaluation Criteria Preliminary Test: Maturity Criteria

   Criteria                                                                        OAuth2   OpenID Connect
   Maturity of the Specification
     Breadth of Support                                                            H        M-H
     Stability                                                                     M-H      L
     Degree of interoperability among independent non-coordinated implementations  ?        M
     Adoption of Specification                                                     H        M
   Maturity of Underlying Technology Components
     Breadth of Support                                                            H        M
     Stability                                                                     H        M-H
     Degree of interoperability among independent non-coordinated implementations  H        M
     Adoption of Technology                                                        H        M-H
     Platform Support                                                              H        M-H
     Maturity of the technology within its life cycle                              H        ?
   Market Adoption
     Installed health care user base                                               ?        L
     Installed user base outside of health care                                    H        L
     Future projections and anticipated support                                    M-H      M-H
     Investments in user training                                                  ?        ?
   Preliminary assessment for criteria test case; not all criteria able to be assessed

22. Standards Evaluation Criteria Preliminary Test: Adoptability Criteria

   Criteria                                                                        OAuth2   OpenID Connect
   Ease of Implementation and Deployment
     Availability of off-the-shelf infrastructure to support implementation        H        L-H
     Deployment Complexity                                                         ?        ?
     Conformance Criteria and Tests                                                L        L
     Availability of Reference Implementations                                     H        ?
     Complexity of Specification                                                   ?        ?
     Quality and Clarity of Specifications                                         H        M-H
     Specification Modularity                                                      ?        ?
     Separation of Concerns                                                        H        H
     Ease of use of specification                                                  H        H
     Degree to which specification uses familiar terms to describe “real-world” concepts  H  H
     Runtime Coupling                                                              H        H
     Degree of Optionality                                                         ?        ?
   Ease of Operations
     Comparison of targeted scale of deployment to actual scale deployed           ?        ?
     Number of operational issues identified in deployment                         ?        ?
     Degree of peer-coordination needed                                            H        H
     Operational scalability (i.e., operational impact of adding a single node)    H        H
     Fit to Purpose                                                                ?        ?
   Intellectual Property
     Openness                                                                      H        H
     Accessibility and Fees                                                        H        H
     Licensing Policy                                                              H        H
     Copyrights                                                                    H        H
     Patents                                                                       H        H
   Preliminary assessment for criteria test case; not all criteria able to be assessed
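Slides 6 and 20 sketch the security approach: OpenID Connect supplies authentication and identity claims (extended with a clinical role), tokens are presented to services over HTTPS, and access control is enforced at the provider at the moment the information is requested. The Python below is an added example, not code from the RHEx project or its draft profiles. It shows the relying-party side: a resource server validates a signed JWT bearer token and then applies a role rule from the clinical_role claim. The issuer URL, client id, the claim name `clinical_role`, the ROLE_POLICY table and the HS256 shared key are all constructed for the demo; real OpenID Connect deployments normally verify RS256 tokens against the provider's published keys and keep the ID token and the OAuth2 access token as separate artifacts.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the RHEx profiles): a shared
# HS256 key, a hypothetical OpenID Provider issuer and a hypothetical client id.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://op.example.invalid"
AUDIENCE = "rhex-demo-client"
TOKEN_LIFETIME = 300  # seconds

# Role rule applied by the data holder at request time (slide 6): the
# clinical_role claim decides which actions are permitted. Placeholder table.
ROLE_POLICY = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(sub, clinical_role, now, key=DEMO_KEY, nonce="n-1"):
    """Identity-provider side: issue a signed JWT carrying OpenID Connect style claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "sub": sub, "aud": AUDIENCE,
        "iat": now, "exp": now + TOKEN_LIFETIME, "nonce": nonce,
        "clinical_role": clinical_role,  # health-domain extension (slide 6)
    }
    signing_input = _compact(header) + "." + _compact(claims)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token, now, key=DEMO_KEY, expected_nonce=None):
    """Relying-party side: return the claims, or raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, payload, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never honour 'none' or an alg the verifier did not choose
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")  # check the signature before trusting any claim
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")  # ties the token to this login attempt
    return claims


def authorize_request(authorization_header, action, now, key=DEMO_KEY):
    """Resource-server side: map an Authorization header and an action to an outcome.

    Returns (401, reason) when the caller is not authenticated, (403, reason) when
    authenticated but not permitted, and (200, subject) when the action is allowed.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(authorization_header[len("Bearer "):], now, key)
    except ValueError as err:  # covers malformed base64 and JSON as well
        return 401, str(err)
    permitted = ROLE_POLICY.get(claims.get("clinical_role"), set())
    if action not in permitted:
        return 403, "clinical role not permitted for this action"
    return 200, claims["sub"]
```

The order of checks is the point: the algorithm is pinned and the signature verified before any claim is read, and issuer, audience, expiry and nonce are each checked explicitly. Keeping 401 (not authenticated) distinct from 403 (authenticated, policy denied) also makes the resource server's logs far more useful when reviewing access to health records. The authorization rule itself is a placeholder; slide 6 notes that the authorization process is out of scope for the FY12 pilots.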

Editor's Notes

  1. Internet Scale Access Management – Standards such as OAuth and OpenID have demonstrated implementable approaches to authentication and authorization on the web. Healthcare data exchanges can use these technologies to provide strong, scalable security.
     Granular and Addressable Data – Breaking healthcare information into small pieces and giving each piece its own URL enables secure, efficient access and allows data to be combined in many useful ways.
     Linking – When data is addressable, it can be linked on the web. This allows clinical contexts to be built by linking data together. Humans and software can browse the web of links to get the information they need.
     Leverage HTTP – The protocol that drives the web offers many features that can be used to make health information exchange more robust, flexible and scalable. Clients can indicate whether they prefer their data in XML, JSON or HTML. Servers can indicate how long a large image file should be cached. Full utilization of HTTP can lead to powerful, scalable system interfaces.
  2. These are many of the different things that have fed into the development of the OpenID Connect specification.
  3. IETF goal is to make the Internet better
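Editor's note 1 (and slide 16) lists the HTTP features the project wants to exploit: granular resources, each at its own URL, links between them, content negotiation among XML, JSON and HTML, and server-controlled caching. The Python below is an added illustration, not RHEx code: a minimal GET handler for one constructed observation resource that parses the Accept header (q-values and wildcards included), renders the requested representation with links to related resources, and sets ETag, Cache-Control and Vary headers. The resource contents, the relative URLs and the `private, max-age` policy are constructed for the example.

```python
import hashlib
import html
import json

# Constructed sample resource (example data, not from the RHEx pilots): one
# granular, addressable piece of health data with links to related resources.
OBSERVATION = {
    "id": "obs-42",
    "code": "blood-pressure",
    "value": "120/80 mmHg",
    "links": {"patient": "/patients/p-7", "encounter": "/encounters/e-99"},
}

# Representations this server can produce, in order of server preference.
SUPPORTED = ["application/json", "application/xml", "text/html"]


def parse_accept(accept_header):
    """Parse an Accept header into [(media_type, q)] sorted by descending q."""
    entries = []
    for position, part in enumerate((accept_header or "*/*").split(",")):
        pieces = [p.strip() for p in part.split(";")]
        media_type, q = pieces[0], 1.0
        for param in pieces[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q-value: treat the type as unacceptable
        entries.append((media_type, q, position))
    entries.sort(key=lambda e: (-e[1], e[2]))  # highest q first, header order breaks ties
    return [(m, q) for m, q, _ in entries]


def negotiate(accept_header):
    """Return the supported media type that best matches Accept, or None (406)."""
    for media_type, q in parse_accept(accept_header):
        if q <= 0:
            continue  # q=0 means the client explicitly refuses this type
        if media_type in SUPPORTED:
            return media_type
        if media_type == "*/*":
            return SUPPORTED[0]
        if media_type.endswith("/*"):
            prefix = media_type[:-1]
            for candidate in SUPPORTED:
                if candidate.startswith(prefix):
                    return candidate
    return None


def render(resource, media_type):
    """Serialize the resource; the links make related data browsable (slide 16)."""
    e = html.escape  # escape stored values so they cannot inject markup into XML/HTML
    if media_type == "application/json":
        return json.dumps(resource, sort_keys=True)
    if media_type == "application/xml":
        links = "".join(f'<link rel="{e(k)}" href="{e(v)}"/>' for k, v in resource["links"].items())
        return (f'<observation id="{e(resource["id"])}"><code>{e(resource["code"])}</code>'
                f'<value>{e(resource["value"])}</value>{links}</observation>')
    if media_type == "text/html":
        links = "".join(f'<a href="{e(v)}">{e(k)}</a>' for k, v in resource["links"].items())
        return f'<h1>{e(resource["code"])}</h1><p>{e(resource["value"])}</p>{links}'
    raise ValueError(f"unsupported media type {media_type}")


def get_observation(headers, max_age=60):
    """Minimal GET handler: returns (status, response_headers, body)."""
    media_type = negotiate(headers.get("Accept"))
    if media_type is None:
        return 406, {}, ""
    body = render(OBSERVATION, media_type)
    # A strong ETag over the representation lets clients revalidate cheaply.
    etag = '"' + hashlib.sha256(body.encode()).hexdigest()[:16] + '"'
    response_headers = {
        "Content-Type": media_type,
        "ETag": etag,
        # 'private': health data must not be stored by shared or proxy caches.
        "Cache-Control": f"private, max-age={max_age}",
        # 'Vary': a cache keyed only on the URL would otherwise hand JSON to an XML client.
        "Vary": "Accept",
    }
    if headers.get("If-None-Match") == etag:
        return 304, response_headers, ""
    return 200, response_headers, body
```

Two of the header choices are the security-relevant ones: `Cache-Control: private` keeps clinical data out of shared caches while still letting the user agent cache it for the stated lifetime, and `Vary: Accept` keeps a cache from serving one client's representation to another that asked for a different format. Escaping values in the XML and HTML renderers is cheap insurance for the day the resource contents come from somewhere less controlled than a constant.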