Identity 2.0, Web services and SOA in Health Care

Buzzwords such as Identity 2.0, Web services and SOA characterize the architectures of novel IT-systems. Concerning these recent trends, the stakeholders of eHealth systems might ask a number of questions, including:
• Users: does that help us in providing a better care?
• Owners: how does it change the suite of applications and services we provide?
• Suppliers: what is the footprint on our software architecture?
This presentation will discuss the relevance of Identity 2.0, Web services and SOA for IT-systems in health care. It will identify and assess the value that can be added through the ideas and technologies behind these trends. With regard to the fundamental concept of identity, architectural blueprints for Web services- and SOA-based eHealth systems will also be investigated.

  1. European Identity Conference 2008, Munich, 2008-04-22/25: Identity 2.0, Web Services and SOA in Health-Care
  2. Contents
     • Setting the Scene
     • Benchmark Scenario
     • Buzzword Scouting
     • Identity 2.0
     • Conclusions
  3. Setting the Scene: IT-Landscape in eHealth, A Vendor's Perspective
     [Diagram: two health care providers, each with a presentation layer used by health professionals on top of integration layers and system layers (HIS, ERP, …); the two providers cooperate.]
  4. Setting the Scene: Medical Cases Often Involve Multiple Providers
     • In a majority of medical cases, patients are treated by health professionals at different providers, e.g. for John Doe's leg fracture:
       • Emergency medical services by Red Cross
       • Emergency room in hospital A
       • Surgery in hospital A
       • General care in rehabilitation center B
     • Inter-organizational care teams are formed in an ad-hoc fashion for the treatment of medical cases
     • Medical data objects (short: MDOs), e.g. X-ray images, diagnosis documents, referral letters…, belonging to a medical case are created at the involved health care providers
     • This typical scenario is not yet well supported in eHealth. Care teams still need to work as they did some 30 years ago (telephone, document exchange through couriers, fax…)
  5. Benchmark Scenario: The Electronic Case Records Scenario
     [Diagram: health care providers 1, 2 and 3 each hold MDOs (MDO 1,1 … MDO 1,n; MDO 2,1 … MDO 2,n; MDO 3,1 … MDO 3,n); the ECR for the case "John Doe's leg fracture" integrates them across providers.]
     • Electronic Case Records (short: ECRs) integrate MDOs:
       • According to medical cases
       • Across health care providers
     • Do not redefine or reinvent MDOs; add value beyond MDOs
     • Provide physicians with a tool to cooperate with other health professionals
     • Contents of MDOs and ECRs are a responsibility of the care team
     • Based on patient consent (my body → my data → my control)
     • Challenge 1: definition and processing of metadata (beyond MDOs)
     • Challenge 2: integrate external IT-services; federated authentication and authorization
  6. Benchmark Scenario: The ECR Security Challenge From 10,000 Feet
     • There are the following provider roles:
       • Resource providers:
         • Serve resources (MDOs/ECRs) belonging to their organizations
         • Aim at providing access for (internal or external) members of a care team
       • Identity providers:
         • Maintain user accounts for health professionals belonging to their organizations
         • Aim at enabling them to access (internal and external) resources of cases where they are care team members
     [Matrix: columns "Resource provider" and "Identity provider", rows "Transient data" and "Persisted data". The resource provider has services providing resources; the identity provider has (persisted) unauthenticated user data. Clockwise or counter-clockwise?]
     • Key question: how to bring application services and user data together?
       • Clockwise
       • Counter-clockwise
  7. Buzzword Scouting: Identity 2.0
     [Matrix as on slide 6, now with two arrows, doAuthn and doTransfer, between the identity provider's persisted, unauthenticated user data and the resource provider's services providing resources.]
     • Identity 2.0 pattern (clockwise):
       • First authenticate against persisted local data (any traditional scheme)
       • Then transfer the authenticated subject identity as secured, marshaled information over the network (e.g. SAML assertions)
     • Identity 1.0 pattern (counter-clockwise):
       • First transfer unauthenticated user data over the network (e.g. SPML, DSML, LDIF)
       • Then authenticate against persisted local data (any traditional scheme)
  8. Buzzword Scouting: Why Identity 2.0 Is Natural But (Still) Strange
     • Society is built upon a decoupling between means of production and use of product; trivially stated: it is not mandatory to own a cow if you want to drink milk
     • Due to IT-security legacy, this natural decoupling appears to be the exception in IT, while the exception appears natural:
       • The Identity 1.0 pattern is commonplace in distributed IT-systems:
         • It lacks separation between means of production (identity data) and use of product (consuming authentication for authorization purposes)
         • This translates to the suggestion that owning a cow (= meansOfProduction) is a prerequisite for drinking milk (= useOfProduct)
       • The Identity 2.0 pattern is still an exception:
         • It relies on separation between means of production and use of product
         • This translates to the suggestion that it is not mandatory to own a cow (= meansOfProduction) if you want to drink milk (= useOfProduct)
  9. Buzzword Scouting: Web Services and SOA
     • Web services (WS for short):
       • A new breed of Web applications that are entirely based on XML and that publish service contracts
       • Motivation: make the Web consumable for IT-processes
     • SOA:
       • A new paradigm for architecting software (self-contained, loosely coupled business functionality)
       • Motivation: improve re-use of software
     [Diagram: SOA (school of thought for organizing software) and Web services (means to integrate external IT-services via the Web) overlap in Web services-based SOA.]
     • WS-based SOA is a sweet spot:
       • Inside-out: SOA-based systems are easy to WS-enable in an evolutionary fashion
       • Outside-in: SOA provides a natural organization principle for code that implements WS interfaces
  10. Identity 2.0 Becomes Default in WS-Based SOA
     • SAML assertions provide a standard format to securely marshal authenticated subject information for WSs and traditional Web applications:
       • WSs support holder-of-key subject confirmation models
       • Web applications are limited to bearer models
     • WSs have a native understanding of their handling (Web applications do not):
       • Request SAML assertions: through WS-SecurityPolicy sections in WSDLs
       • Issue SAML assertions: through WS-Trust STS WSs (sp:IssuedToken) or arbitrary WSs (sp:SamlToken)
       • Transfer SAML assertions: as child elements of wsse:Security SOAP headers
     • (Almost) all is off-the-shelf:
       • WS-stacks natively support request, transfer and parsing of SAML assertions
       • Issuance requires WS-Trust STSs or STS-style WSs; the supply and consumption of SAML assertion contents is (usually) solution-specific
     • Web services are federation-enabled from birth; no magic beyond the standard functionality is needed for their federation resp. Identity 2.0 enablement
       • Attention, a false friend: WS-Federation (WSFED) is no prerequisite for identity federation in WSs
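The receiving end of the slide's third step can be made concrete. The following Python is an added example, not code from the talk or from any eFA implementation: it pulls a SAML 2.0 assertion out of the wsse:Security SOAP header, reads the subject-confirmation method to tell holder-of-key from bearer, and evaluates the validity window and audience restriction before the application logic sees the subject. The SOAP message, the provider and IdP host names and the timestamps are constructed sample data. XML-signature verification is assumed to have been done by the WS stack upstream, as the slide describes, so this code only decides what the RP does with an already-verified assertion.

```python
"""Resource-provider side: evaluate a SAML 2.0 assertion carried in the
wsse:Security header of a SOAP request.

Added example; the SOAP message, host names and timestamps are constructed.
Signature verification is assumed to be done by the WS stack before this code
runs (the stack "natively supports transfer and parsing" of assertions).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample: a WS consumer at health care provider 2 calls an ECR WS at
# provider 1, carrying an assertion issued by provider 2's IdP (Identity 2.0:
# authenticate locally first, then transfer the authenticated identity).
SAMPLE_SOAP = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed-1"
                      Version="2.0" IssueInstant="2008-04-22T10:00:00Z">
        <saml:Issuer>https://idp.provider2.example/</saml:Issuer>
        <saml:Subject>
          <saml:NameID>dr.jones@provider2.example</saml:NameID>
          <saml:SubjectConfirmation Method="{HOLDER_OF_KEY}">
            <!-- ds:KeyInfo naming the confirmed key omitted in this sample -->
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2008-04-22T10:00:00Z"
                         NotOnOrAfter="2008-04-22T10:05:00Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://rp.provider1.example/ecr</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def _instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z') form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_assertion(envelope_xml):
    """Return the saml:Assertion element found under soap:Header/wsse:Security."""
    root = ET.fromstring(envelope_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in wsse:Security header")
    return assertion


def evaluate_assertion(envelope_xml, expected_audience, now_iso, key_proven=False):
    """Decide whether the RP may act on the assertion's subject.

    key_proven: whether the consumer demonstrated possession of the key named
    in a holder-of-key confirmation (e.g. by signing the message with it).
    Returns subject, issuer, confirmation model and the reasons for rejection.
    """
    a = extract_assertion(envelope_xml)
    now = _instant(now_iso)
    confirmation = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    method = confirmation.get("Method") if confirmation is not None else None
    conds = a.find("saml:Conditions", NS)  # sample always carries both bounds
    audiences = [e.text for e in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]

    reasons = []
    if not (_instant(conds.get("NotBefore")) <= now < _instant(conds.get("NotOnOrAfter"))):
        reasons.append("outside validity window")
    if audiences and expected_audience not in audiences:
        reasons.append("audience mismatch")
    if method == HOLDER_OF_KEY:
        model = "holder-of-key"
        if not key_proven:  # without key proof a HoK assertion is just replayable bytes
            reasons.append("holder-of-key confirmation not proven")
    elif method == BEARER:
        model = "bearer"  # what Web applications are limited to; weaker than HoK
    else:
        model = method
        reasons.append(f"unsupported confirmation method {method}")

    return {
        "subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "issuer": a.findtext("saml:Issuer", namespaces=NS),
        "model": model,
        "accepted": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(evaluate_assertion(SAMPLE_SOAP, "https://rp.provider1.example/ecr",
                             "2008-04-22T10:01:00Z", key_proven=True))
```

The holder-of-key branch only accepts the assertion when the caller has proven possession of the confirmed key; that proof is what separates the WS case from the bearer assertions Web applications have to live with, where anyone holding the bytes can replay them within the validity window.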
  11. Identity 2.0 Support in WS-Based SOA
     [Diagram: a WS consumer (application logic, WS stack) calls processBusinessObject <dependsOnAuthn> on a WS provider (<RP>: WS stack, application logic, resources) and requestSecurityToken <reportsOnAuthn> on an STS provider (<IdP>: WS stack, STS logic, identity store). The WS stacks exchange the SAML assertion; its RAM representation is handed to the application logic. The WS provider's policy states the token it requires:]

        <wsp:Policy …>
          <sp:ProtectionToken>
            …
            <sp:IssuedToken …>
              <sp:RequestSecurityTokenTemplate>
                <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
                <wst:KeyType>…</wst:KeyType>
                <wst:KeySize>256</wst:KeySize>
              </sp:RequestSecurityTokenTemplate>
              …
            </sp:IssuedToken>
          </sp:ProtectionToken>
        </wsp:Policy>
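How a WS consumer turns such a policy into the requestSecurityToken call shown in the diagram, as an added Python example that is neither the talk's nor any product's code: it reads the sp:IssuedToken assertion, takes the STS address from sp:Issuer, copies the RequestSecurityTokenTemplate children into a wst:RequestSecurityToken with RequestType Issue and wsp:AppliesTo naming the RP, and shows the STS side parsing the request back. The policy document and the STS and RP addresses are constructed; unlike the slide's abbreviated fragment, the sample spells out the sp:SymmetricBinding and nested wsp:Policy elements WS-SecurityPolicy requires.

```python
"""WS consumer: read an sp:IssuedToken requirement from a WS-SecurityPolicy
and build the WS-Trust RequestSecurityToken (RST) to send to the named STS.

Added example; the policy document and the STS/RP addresses are constructed.
"""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
NS = {"sp": SP, "wst": WST, "wsp": WSP, "wsa": WSA}
ISSUE = WST + "/Issue"
KEY_TYPES = {  # wst:KeyType URIs and the subject-confirmation model they imply
    WST + "/SymmetricKey": "holder-of-key (symmetric)",
    WST + "/PublicKey": "holder-of-key (public key)",
    WST + "/Bearer": "bearer",
}

# Constructed policy as a WSDL would carry it; it spells out the binding and the
# nested wsp:Policy elements that the slide's fragment abbreviates.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:wst="{WST}" xmlns:wsa="{WSA}">
  <sp:SymmetricBinding>
    <wsp:Policy>
      <sp:ProtectionToken>
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
            <sp:Issuer>
              <wsa:Address>https://sts.provider2.example/trust</wsa:Address>
            </sp:Issuer>
            <sp:RequestSecurityTokenTemplate>
              <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
              <wst:KeyType>{WST}/SymmetricKey</wst:KeyType>
              <wst:KeySize>256</wst:KeySize>
            </sp:RequestSecurityTokenTemplate>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:ProtectionToken>
    </wsp:Policy>
  </sp:SymmetricBinding>
</wsp:Policy>"""


def read_issued_token(policy_xml):
    """Return (STS address, RequestSecurityTokenTemplate element) of the first
    sp:IssuedToken in the policy; the consumer needs nothing else to start."""
    root = ET.fromstring(policy_xml)
    issued = root.find(".//sp:IssuedToken", NS)
    if issued is None:
        raise ValueError("policy requires no issued token")
    sts = issued.findtext("sp:Issuer/wsa:Address", namespaces=NS)
    template = issued.find("sp:RequestSecurityTokenTemplate", NS)
    if sts is None or template is None:
        raise ValueError("sp:IssuedToken lacks sp:Issuer address or template")
    return sts, template


def describe_token_request(element):
    """Summarize the wst:TokenType / KeyType / KeySize children of an element
    (works on the policy template and on the RST alike)."""
    return {
        "token_type": element.findtext("wst:TokenType", namespaces=NS),
        "key_type": KEY_TYPES.get(element.findtext("wst:KeyType", namespaces=NS), "unknown"),
        "key_size": int(element.findtext("wst:KeySize", default="0", namespaces=NS)),
    }


def build_rst(policy_xml, applies_to):
    """Build the RST: RequestType Issue, AppliesTo the RP endpoint, and the
    template children copied verbatim, as WS-Trust requires. Returns the STS
    address to send it to and the serialized RST."""
    sts, template = read_issued_token(policy_xml)
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"),
                        f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    for child in list(template):  # TokenType, KeyType, KeySize unchanged
        rst.append(child)
    return sts, ET.tostring(rst, encoding="unicode")


def parse_rst(rst_xml):
    """STS side: what did the consumer ask for, and for which RP."""
    rst = ET.fromstring(rst_xml)
    return {
        "request_type": rst.findtext("wst:RequestType", namespaces=NS),
        "applies_to": rst.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address",
                                   namespaces=NS),
        **describe_token_request(rst),
    }


if __name__ == "__main__":
    sts_address, rst_xml = build_rst(SAMPLE_POLICY, "https://rp.provider1.example/ecr")
    print("send RST to", sts_address)
    print(parse_rst(rst_xml))
```

The template is copied rather than interpreted on the consumer side on purpose: the RP is the party that knows which token type, key type and key size its protection token needs, and the STS is the party that can satisfy them; the consumer only relays the requirement, which is the slide 12 proposition in miniature.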
  12. Identity 2.0: Underlying Architectural Proposition
     • As WS provider, say what you need and let the WS consumer take care
     • Motivation:
       • Separation of concerns: RPs shall focus on processing actual business resources; IdPs on processing actual identity data
       • Dependency injection: decouple the use of information from its lookup and maintenance
       • Efficiency: offload processing tasks from RPs
       • Statelessness: remove state assumptions from RPs
       • Re-use: the retrieved information might be re-usable for the WS consumer
     • Go beyond the basics:
       • Can be used with identity-centric information but is not limited to it
         • E.g. authorization policy information encompassing information about resources
       • Can be used with persisted information but is not limited to it
         • E.g. dynamically created values such as pseudonyms
       • Can be used iteratively:
         • E.g. a WS may ask for input from multiple STSs or STS-style WSs
       • Can be used recursively:
         • E.g. an STS WS may ask for further input from other STSs or STS-style WSs
  13. Identity 2.0: Addressing the ECR Challenge – eFA Business WSs
     [Diagram: WS consumers (client logic, WS stack) call four eFA business WSs. Each consists of a WS stack, interceptors (PEP/PDP) processing IdT / AdT / AcT / PoT, and the service logic: RReg (patient/ECR relation, ECR metadata), FReg (ECR/folder relation, folder metadata), DReg (folder/MDO relation, MDO metadata) and DRep (MDOs). The token inputs shown are "In: IdT / AdT" for one service and "In: IdT / AcT / PoT" for the other three; the tokens come from the eFA security WSs (cf. next slide).]
  14. Identity 2.0: Addressing the ECR Challenge – eFA Security WSs
     [Diagram: WS consumers (client logic, WS stack) call the eFA security WSs, each a WS stack plus its logic, whose tokens feed the eFA business WSs (cf. previous slide):
       • GuT STS: In: arbitrary; Out: GuT
       • IdT STS: In: GuT (external user) or X509Token (internal user); Out: IdT; backed by the identity store
       • AdT WS: In: IdT; Out: AdT
       • AcT WS: In: IdT / AdT; Out: AcT
       • PoT WS: In: IdT / AcT; Out: PoT (shown as stub or full content)
     The diagram also shows a policy store (DAC) and a key store next to the AcT and PoT WSs.]
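Slides 13 and 14 describe a token chain in which every eFA WS declares its inputs and the consumer has to obtain them. How a consumer resolves such a chain, as an added Python example that is not part of the eFA specification or of any vendor's implementation: the dependency table transcribes the In/Out relations of slide 14 (GuT STS, IdT STS, AdT WS, AcT WS, PoT WS, including the external-user/internal-user alternative at the IdT STS), the required-token list stands in for a business WS's "In:" line from slide 13, and the resolver recursively plans the calls in order while re-using tokens the consumer already holds, i.e. the re-use and recursion points of slide 12. The planning logic and the call-record format are mine.

```python
"""Consumer-side planning of the eFA security-token chain (slides 13/14).

Each eFA security WS states which tokens it needs and which one it issues
("say what you need and let the WS consumer take care", slide 12). Given the
tokens a business WS demands and the tokens the consumer already holds, the
resolver works out which STS / STS-style WS to call, in which order.

Added example: the In/Out table transcribes slide 14; the resolver itself is
illustrative and not part of the eFA specification.
"""

# token -> issuing WS and its inputs. Each input is a tuple of alternatives:
# the IdT STS accepts either a GuT (external user) or an X509Token (internal
# user). X509Token is presented by the user; no eFA WS issues it.
TOKEN_SERVICES = {
    "GuT": {"issuer": "GuT STS", "needs": []},   # slide 14 "In: arbitrary"; credentials out of scope here
    "IdT": {"issuer": "IdT STS", "needs": [("GuT", "X509Token")]},
    "AdT": {"issuer": "AdT WS", "needs": [("IdT",)]},
    "AcT": {"issuer": "AcT WS", "needs": [("IdT",), ("AdT",)]},
    "PoT": {"issuer": "PoT WS", "needs": [("IdT",), ("AcT",)]},
}


def plan_requests(required, held):
    """Return the ordered list of token requests ({service, in, out}) needed to
    obtain every token in `required`, given the tokens already `held`.

    Tokens already held or already planned are re-used (slide 12: re-use); a
    token whose inputs are themselves issued tokens triggers recursion
    (slide 12: recursion). Raises ValueError for unobtainable or cyclic chains.
    """
    available = set(held)   # held by the consumer or already planned
    calls = []
    in_progress = set()     # cycle guard

    def obtain(token):
        if token in available:
            return
        if token not in TOKEN_SERVICES:
            raise ValueError(f"{token} is not issued by an eFA WS; the user must present it")
        if token in in_progress:
            raise ValueError(f"cyclic token dependency at {token}")
        in_progress.add(token)
        inputs = []
        for alternatives in TOKEN_SERVICES[token]["needs"]:
            # prefer an alternative we already have, else the first issuable one
            chosen = next((t for t in alternatives if t in available), None)
            if chosen is None:
                chosen = next((t for t in alternatives if t in TOKEN_SERVICES), None)
                if chosen is None:
                    raise ValueError(f"{token} requires one of {alternatives}; none obtainable")
                obtain(chosen)
            inputs.append(chosen)
        in_progress.discard(token)
        available.add(token)
        calls.append({"service": TOKEN_SERVICES[token]["issuer"], "in": inputs, "out": token})

    for token in required:
        obtain(token)
    return calls


def describe_plan(calls):
    """One readable line per planned call."""
    return [f"{c['service']}: in {c['in'] or ['arbitrary']} -> out {c['out']}" for c in calls]


if __name__ == "__main__":
    # a business WS demanding "In: IdT / AcT / PoT" as on slide 13
    wanted = ["IdT", "AcT", "PoT"]
    print("external user:", *describe_plan(plan_requests(wanted, held=[])), sep="\n  ")
    print("internal user:", *describe_plan(plan_requests(wanted, held=["X509Token"])), sep="\n  ")
    print("holding IdT/AdT:", *describe_plan(plan_requests(["PoT"], held=["IdT", "AdT"])), sep="\n  ")
```

An external user ends up with five calls (GuT STS, IdT STS, AdT WS, AcT WS, PoT WS); an internal user presenting an X509Token skips the GuT STS; a consumer that kept its IdT and AdT from an earlier interaction needs only the AcT and PoT calls, which is the re-use the proposition on slide 12 is after.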
  15. Conclusions
     • Regarding eHealth trends and perspectives, the following initiatives are outstanding:
       • SOA: innovates the way software is organized
       • Web services: allow integrating external IT-services via the Web
       • Identity 2.0: provides a fundamental pattern for addressing security as a cross-cutting concern in eHealth
     • It makes sense to see these initiatives in conjunction:
       • SOA & Web services: make the integration of external IT-services evolutionary
       • Web services & Identity 2.0: make things straightforward; no extra magic needed
     • Covering the considered ECR scenario:
       • The eFA (elektronische Fallakte) resolution of the ECR scenario mainly builds upon Web services as a means to define the ECR services and to integrate external services via the Web, plus Identity 2.0 as a fundamental pattern for the security architecture:
         • Customers: various German hospitals
         • Specification: Fraunhofer ISST
         • Realization: various eHealth vendors incl. Siemens Med (Soarian Integrated Care)
     • For other eHealth scenarios:
       • Identity 2.0, Web services and SOA are perceived as fundamental building blocks for next-generation eHealth systems
  16. Abbreviations
     • AcT: (eFA) AccessToken
     • AdT: (eFA) AdmissionToken
     • ECR: Electronic Case Record
     • eFA: elektronische Fallakte (English: ECR)
     • FReg: (eFA) Folder Registry
     • IdT: (eFA) IdentityToken
     • DReg: (eFA) Document Registry
     • DRep: (eFA) Document Repository
     • DAC: Discretionary Access Control
     • GuT: (eFA) GuarantorToken
     • IdP: Identity Provider
     • MDO: Medical Data Object
     • PoT: (eFA) PolicyToken
     • SOA: Service-Oriented Architecture
     • RAM: Random Access Memory
     • RP: Resource Provider
     • RReg: (eFA) Record Registry
     • STS: Security Token Service
     • WS: Web Services
     • WSDL: Web Services Description Language
     • WSFED: WS-Federation
  17. Author: Dr. Oliver Pfaff, Siemens AG Med GS SEC DI 1, E-Mail: