
Healthcare Identity Management and Role-Based Access in a Federated NHIN - The e-Authentication Project Phase 4


The Nationwide Health Information Network (NHIN) requires the secure connection of health organizations within and across state borders. The goal of Phase 4 of the e-Authentication Pilot Study is to investigate a specific solution to this issue. In 2006 HIMSS sponsored Phase 1 of the e-Authentication Pilot Study, which modeled the use of General Services Administration (GSA) electronic authentication certificates, using PKI and SAML, in a healthcare information exchange (HIE) environment by 6 Regional Health Information Organizations (RHIOs) located in 5 different states. Phase 2 extended the work of Phase 1 to model federated single sign-on into a distributed multi-state HIE, using PKI certificates for secure identity management, open-source Internet2 middleware (Shibboleth and Shibboleth tools) for the authorization architecture, and OASIS Security Assertion Markup Language (SAML) for single sign-on and access control. Phase 2 concluded with the development of a healthcare-specific configuration of the Shibboleth network architecture and of healthcare-related directory objects for role-based authorization. The Phase 2 technology was successfully demonstrated in the 2008 IHE Showcase. Phase 3 of the e-Authentication Pilot Study extended the network to include NHIN connectivity as a participant in the NHIN2 project. Advancements included: Record Location Services (RLS); proprietary Electronic Health Records (EHR); a Personal Health Record Service (PHR); a Public Health Immunization Record Service; and VMware virtual server technology. Phase 4 extends the use of the NHIN Connector for clinical and administrative transactions, connection to OpenVISTA, work with the Voluntary Universal Healthcare Identifier (VUHID), and the growth of the network to 18 hospitals. The Liberty Alliance/Kantara Workgroup for Health Identity and Assurance continues to participate to define Health Identity Management best practices and role-based authentication.
Presented at HIMSS2010 by Richard Moore and John Fraser



Slide 1: Healthcare Identity Management and Role-Based Access in a Federated NHIN. The e-Authentication Project Phase 4. Co-presenters: Richard Moore, President, eHealth Ohio, and John Fraser, CEO, MEDNETWorld.com. Session 246, HIMSS 2010, Atlanta, GA, Thursday, March 4, 11:15 AM - 12:15 PM.
Slide 2: Conflict of Interest Disclosure. Rick Moore and John Fraser have no real or apparent conflicts of interest to report.
Slide 3: Abstract (the abstract reproduced in the description above).
Slide 4: Talk Outline
- Problems & Opportunity
- Key Benefits: what does this mean to you?
- Project Review & History
- Case Studies: Building a Federated NHIN
  - eHealth Ohio
  - HIE-Bridge HIE in Minnesota
  - NHIN Federated HIE Model
- Recommendations
Slide 5: Key Problems
- When doctors connect nationally or outside their HIE, how do they know who is on the other end of a request for medical information?
- Username and password problems
  - Too many of them
  - Users lose track of them
  - Very frustrating to remember them all
  - Very insecure
  - Users end up sharing usernames and passwords between applications
Slide 6: Opportunity
- Demonstrate methods to authenticate doctors
- Provide one credential to access multiple services
  - Share the credential within a clinic or across the country
- Use existing standards; don't reinvent the wheel
- Use new Health Information Exchanges to validate these solutions
- Leverage the new NHIN standards
Slide 7: Key Benefits
- Providers and staff:
  - Simplify the process
  - Modernize user authentication
  - Help link systems together
- Managers and technologists:
  - Manage to national standards
  - Use open standards (vendor neutral)
- Patients:
  - More secure systems
  - Protection of patient privacy
  - Easier interaction with systems
Slide 9: Past projects - eHealth Ohio and MN
- 2006: Completed HIMSS/GSA project
  - PKI certificate provisioning and use
  - HIMSS e-Authentication Whitepaper
- 2007: Phase 2
  - MN & OH linked using a Shibboleth "club" federation
- 2008: Phase 3
  - NHIN2 work in MN
- 2009: Phase 4 and beyond
  - Tying NHIN / HIE interests together
  - Developing a framework for a national NHIN federation
  - Kantara group to build consensus on national standards
Slide 10: Phase 1 - HIMSS/GSA eAuthentication Project
- Who: HIMSS and the General Services Administration (GSA)
- When: 2006, early 2007
- Purpose: Demonstrate federally approved authentication services
- What: The pilot used Electronic Authentication Service Components established under Homeland Security Presidential Directive HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors.
- Pilot participants: Seven Regional Health Information Organizations (RHIOs)/health information exchanges (HIEs) and ORC, Inc., a federal certificate authority.
- HIMSS e-Authentication Whitepaper: http://www.himss.org/content/files/GSAwhitepaper.pdf
Slide 11: Phase 1 – 8 Participants – 2006
- GSA: ORC, Inc. ACES Certificate Authority
- CT: e-Health Connecticut
- MI: Michigan Data Sharing & Transaction Infrastructure Project
- TX: CHRISTUS Health, Health eCities of Texas Project
- MN: Community Health Information Collaborative
- OH: eHealth Ohio/OSC Bioinformatics
- OH: Virtual Medical Network
- NV: Single Portal Medical Record Project
Slide 12: Phase 2 – 5 Participants – 2007/2008
- CT: e-Health Connecticut
- MN: MEDNET, USA
- MN: Community Health Information Collaborative (CHIC)
- OH: eHealth Ohio
- OH: Virtual Medical Network
Slide 13: Phase 3 – 2008/2009
- The original focus of Phase 3 was to extend the role-based access model and scalability.
- CHIC was selected for NHIN2 development, and NHIN work took precedence for 2008.
- Based on that participation in the NHIN, the e-Authentication project is now a portal to the NHIN.
- Scalability gains were achieved by virtualizing servers, which reduced maintenance and sped up application deployment.
- Certificate provisioning was streamlined.
Slide 14: Phase 4 – 2009
- Case studies: implement lessons learned in HIE
- Work with other open-source solutions
- Implement a federated identity management system that can be shared between HIEs and states
- Connect to the NHIN to exchange clinical and administrative transactions
- With Kantara, develop a reference implementation for federated identity
Slide 16: eHealth Ohio Developments 2009
- Who:
  - Rubicon Group (TRG)
  - Provider Business Group (50 practices and 200 physicians)
- What:
  - HIE pilot
  - Hosted at the TechColumbus Platform Laboratory
  - VMware cloud-based
- Studies:
  - Pediatric physician Record Locator Service for a local pediatric urgent care
  - Hospital-to-TRG-physician connectivity for Mobile Office Resource services
Slide 17: eHealth Ohio Developments 2009 (architecture diagram). Labels on the diagram: RLS Service; Service Provider; MEDNET Gateway; MEDNET NHIN Gateway; MEDNET HIE Identity Provider; Identity Provider; TechColumbus Platform Lab; Physician Portal; eHealth Rubicon; Service Provider EHR/EMR; SOAP/HTTPS; Firewall.
Slide 19: MEDNET HIE-Bridge Case Study
- Situation (clinics and hospitals):
  - Spending too much time contacting providers for patient medical records
  - Difficult to manage incoming patient requests
  - Incomplete information delayed accurate and timely patient care
- Strategy:
  - Adopt existing NHIN standards and Internet connectivity
  - Implement a "Smart Index" at each participating clinic and hospital
  - Implement a translation engine
  - Patient privacy and trust services
  - Implement a security "gatekeeper" to keep out the bad guys
  - Implement PKI security with audit and logging
Slide 20: MEDNET HIE-Bridge Case Study (cont.)
- Results:
  - Increased patient privacy
  - Less login hassle for users
  - Eliminated the need for a central database, reducing security threats
  - Saves 15–45 minutes per patient
  - Increased security and audit capability
Slide 21: CHIC & eHealth Ohio – Record Locator Service & NHIN (architecture diagram). Labels on the diagram: CHIC (SISU / St. Luke's, VRMC) users; NHIN backbone connecting HIEs; community security/privacy officers performing log reviews; Personal Health Record (PHR); Role Based Access Control Service; Community Patient Privacy Manager; audit database; XDS Registry and Repository; patient clinical info retrieval and lookup; MEDNET Grid Server; immunization connection; eHealth Ohio / Rubicon TechColumbus test server; login; MEDNET NHIN Gateway; Record Locator Service; Federated Identity Management Service.
Slide 23: What is the Nationwide Health Information Network (NHIN)?
- Developed by the Department of Health and Human Services
- 18 initial participants
- Internet-based; uses existing Internet standards
- Web services based, with SAML security
- No centralized servers or control
- Moving into production in 2010
Slide 24: NHIN Connectivity Overview (diagram). Labels on the diagram: your existing sites; your organization's network; Feds (SSA, DoD, VA, CDC, etc.); Nationwide Health Information Network (NHIN); Internet; payers; providers; state and local Health Information Exchanges (HIEs).
Slide 25: NHIN Needs
- What do you want? Standardized services
  - Supported by NHIN core services
  - Services listed in a directory (UDDI)
  - Uses standardized web services (SOAP)
- Who am I? Need to federate, or share, identities
  - NHIN is a network of networks: who do you trust?
- Do you trust me? Standardized PKI security
  - Kantara / Liberty Alliance's IAF (Identity Assurance Framework)
  - SAFE-BioPharma global infrastructure
Slide 26: NHIN Message Security
Messages between HIEs must be:
- Authenticated
- Secure
- Not subject to later repudiation
How:
- NHIN is implementing a Public Key Infrastructure (PKI) based on X.509 certificates
- The basis of trust at the implementation level is a shared Certificate Authority chartered by the NHIN governance body
Slide 27: NHIN Message Security (diagram of the message structure required in all NHIN SOAP messages; this is a standard SAML-secured SOAP message, not NHIN-specific). Example payload: an HL7 v3 CCD message in XML format.
Slide 28: Who am I on the NHIN?
- Need standardized identity sharing across multiple HIEs
  - No central registry (no big brother)
- Shibboleth: open-source federated identities between HIEs
  - Supports multiple identity providers, from small clinics to huge research centers
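The service-provider side of the federated identity and role-based access described on this slide and on Slide 25, as an added example (not the presenters' code and not Shibboleth's): once the SAML stack has verified the assertion's XML signature against the issuing IdP's federation metadata (not modelled here), the SP still has to confirm that the issuer is a federation member, that the assertion is inside its validity window, that it was addressed to this SP, and that the role the IdP released is allowed to invoke the requested NHIN service. The entity IDs, the hcRole attribute name, the sample assertion and the role-to-service policy are all constructed for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion is the subset of a SAML 2.0 assertion an SP needs for an access decision.
// XML signature verification is deliberately out of scope: the SAML stack does it first.
type Assertion struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer     string   `xml:"Issuer"`
	NameID     string   `xml:"Subject>NameID"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		Audience     string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// Federation is the SP's view of the trust fabric: member IdPs (from federation
// metadata), this SP's own entity ID, tolerated clock skew, the attribute carrying
// the healthcare role, and which role may invoke which NHIN service.
type Federation struct {
	TrustedIdPs map[string]bool
	Audience    string
	Skew        time.Duration
	RoleAttr    string
	Policy      map[string]map[string]bool // role -> service -> allowed
}

// Authorize validates the assertion for a call to service at time now and returns the
// subject granted access, or an error naming the check that failed.
func (f Federation) Authorize(raw []byte, service string, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", err
	}
	if !f.TrustedIdPs[a.Issuer] {
		return "", fmt.Errorf("issuer %q is not a federation member", a.Issuer)
	}
	notBefore, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	notOnOrAfter, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("malformed Conditions timestamps")
	}
	// Valid only if notBefore <= now+skew and now-skew < notOnOrAfter.
	if now.Add(f.Skew).Before(notBefore) || !now.Add(-f.Skew).Before(notOnOrAfter) {
		return "", fmt.Errorf("assertion outside its validity window")
	}
	if a.Conditions.Audience != f.Audience {
		return "", fmt.Errorf("assertion addressed to %q, not this SP", a.Conditions.Audience)
	}
	role := ""
	for _, attr := range a.Attributes {
		if attr.Name == f.RoleAttr && len(attr.Values) > 0 {
			role = attr.Values[0]
		}
	}
	// A missing role ("") has no policy entry and is denied like any unknown role.
	if !f.Policy[role][service] {
		return "", fmt.Errorf("role %q (from %s) may not invoke %s", role, f.RoleAttr, service)
	}
	return a.NameID, nil
}

// sampleAssertion is constructed for this example: what an eHealth Ohio IdP might
// release to the HIE-Bridge gateway SP. Entity IDs and hcRole are placeholders.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_1" IssueInstant="2010-03-04T16:15:00Z">
  <saml:Issuer>https://idp.ehealthohio.example/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>rmoore@ehealthohio.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-03-04T16:14:00Z" NotOnOrAfter="2010-03-04T16:20:00Z">
    <saml:AudienceRestriction><saml:Audience>https://gateway.hie-bridge.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="hcRole"><saml:AttributeValue>Physician</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

// HIEBridge is the example SP configuration; service names follow the NHIN interfaces.
var HIEBridge = Federation{
	TrustedIdPs: map[string]bool{"https://idp.ehealthohio.example/idp/shibboleth": true},
	Audience:    "https://gateway.hie-bridge.example/sp",
	Skew:        30 * time.Second,
	RoleAttr:    "hcRole",
	Policy: map[string]map[string]bool{
		"Physician": {"PatientDiscovery": true, "QueryForDocuments": true, "RetrieveDocuments": true},
		"Registrar": {"PatientDiscovery": true},
	},
}

func main() {
	at := time.Date(2010, 3, 4, 16, 15, 30, 0, time.UTC)
	who, err := HIEBridge.Authorize([]byte(sampleAssertion), "RetrieveDocuments", at)
	fmt.Println("in window:", who, err)
	_, err = HIEBridge.Authorize([]byte(sampleAssertion), "RetrieveDocuments", at.Add(10*time.Minute))
	fmt.Println("replayed later:", err)
}
```

The order of the checks matters less than their completeness: an assertion that passes signature verification but is addressed to another SP, or is replayed after NotOnOrAfter, or carries no role, must still be refused, and each refusal should be logged with the failing check for the audit reviews shown on the diagram slides.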
Slide 29: CHIC & eHealth Ohio – Record Locator Service & NHIN (the Slide 21 diagram, shown again).
Slide 30: Recommendations and Future Vision
- Investigate federations for community projects
- PKI provides better security and patient privacy
- Consider federated databases for systems; avoid centralizing information, to increase security
- Future predictions:
  - HIE building will standardize on the NHIN architecture
  - NHIN will adopt some type of federation approach
  - PKI will become required for HIE-to-HIE connectivity
Slide 31: Kantara Initiative – Leading the Way
- Healthcare Identity Assurance WG
  - Co-chairs: John Fraser, Pete Palmer & Richard Moore
- Build a reference implementation
  - Use the "Identity Assurance Framework" approved by ICAM
  - Voluntary Universal Healthcare Identifier (VUHID)
Slide 32: Resources. To learn more about the NHIN, visit http://blog.mednetworld.com/survey to complete a two-question survey on our talk and download a free copy of an e-book we've developed on the topic.
Slide 33: Presenter information
- Rick Moore
  - eHealth Ohio
  - +1 877.813.9750
  - [email_address]
  - Co-chair of the Kantara Healthcare Identity Assurance Workgroup
- John Fraser
  - MEDNETWorld.com
  - +1 612.435.7602
  - [email_address]
  - Co-chair of the Kantara Healthcare Identity Assurance Workgroup
