Exchange of documents and data in commercial organizations is normally accomplished using traditional workflow methodologies. Successful implementation of workflow in these organizations is encouraging agencies that did not previously look at these workflow methodologies favorably, because the data and documents exchanged were considered confidential and restricted, for use only by authorized users. The workflow in these organizations requires that users be authenticated before accessing the document/data and that their signatures be obtained at each step, due to legal requirements associated with these processes. In addition, retaining the confidentiality of the document/data based on user authentication is of utmost concern. Recent advances in digital signature technology and its use in replacing traditional signatures have opened the possibility of creating a successful document/data exchange workflow for authenticated documents and data. Further, this approach could be extended to authenticate each user and their role to meet confidentiality and security requirements. Some of the processes that can be identified for authenticated document/data exchange are:
• Document/data exchange associated with healthcare documents requiring HIPAA compliance.
• Judicial transactions like TROs (Temporary Restraining Orders), etc.
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
Entrust provides comprehensive identity-based security solutions that safeguard enterprises, consumers, citizens and websites. More than 4,000 organizations in 60 countries across the globe leverage Entrust's world-class security solutions, which include strong authentication, physical and logical access, public key infrastructure (PKI), cloud and mobile security, citizen eID, employee credentialing, SSL and more.
IDoT: Challenges from the IDentities of Things Landscape (kantarainitiative)
This is a presentation from the Kantara Initiative Identities of Things (IDoT) Discussion Group. The presentation summarizes the findings of the DG to date, for next steps and for industry discussion and innovation.
As part of an exercise to test the extensibility of OpenID Connect to protocols other than HTTP, we have created a custom scheme binding. This is still a rough sketch but should give you some idea of what it is. It may seem a bit of a stretch, but it has a niche characteristic: it does not "leak" information to external OPs.
There will be a companion RP side as well, which would be a more normal case.
1. In the era of mobile, OAuth 2.0 is the protocol of choice.
2. However, RFC6749 is a framework and needs to be profiled appropriately for each use case.
3. The FAPI WG @ OIDF is taking on that task for Financial APIs, securing them using RFC7636, JWT Client Authentication/TLS Client Authentication, OpenID Connect, etc.
4. The FAPI WG is collaborating with many stakeholders, including financial institutions and fintech companies.
5. The Read Only security profile is going to an OIDF vote.
6. An overview of the requirements for the Read Only and Write Access security profiles is discussed.
We are publishing a draft of the technical standards of the Personal Health Records (PHR) component of the National Health Stack (NHS)!
As a refresher, these standards govern the consented sharing of health information between Health Information Providers (HIPs) - like hospitals, pathology labs, and clinics - and Health Information Users (HIUs) like pharmacies, medical consultants, doctors, and so on. The user’s consent to share their health data is issued via a new entity called a Health Data Consent Manager (HDCM).
The problem today is that the electronic health records listed in one app or ecosystem are not easily portable to other systems. There is no common standard that can be used to discover, share, and authenticate data between different networks or ecosystems. This means that the electronic medical records generated by users end up being confined to many different isolated silos, which can result in frustrating and complex experiences for patients wishing to manage data lying across different providers.
With the PHR system, a user is able to generate a longitudinal view of their health data across providers. The interoperability and security of the PHR architecture allows users to securely discover, share, and manage their health data in a safe, convenient, and universally acceptable manner. For instance, a user could use a HDCM to discover their account at one hospital or diagnostic lab, and then select certain electronic reports to share with a doctor from another hospital or clinic. The flow of data would be safe, and the user would have granular control over who can access their data and for how long. Here is a small demo of the PHR system in action.
The standards in the draft released today offer a high-level description of the architecture and flows that make this possible.
Health Identity Management & Role-Based Access Control in a Federated NHIN - ... (Richard Moore)
Healthcare Identity Management and Role-based Access in a Federated NHIN - Session 170
Tuesday, April 7, 2:15 PM - 3:15 PM
Convention Center, Room:N 427 c
Richard Moore
John Frazer
Description:
The National Health Information Network requires secure connection of health organizations within and across state borders. Phase Three of the e-Authentication Pilot Project investigates open source and virtual server solutions to address this issue. Learn about the successes and challenges to this pilot project.
Healthcare Identity Management and Role-Based Access in a Federated NHIN - Th... (Richard Moore)
The Nationwide Health Information Network (NHIN) requires the secure connection of health organizations within and across state borders. The goal of Phase 4 of the e-Authentication Pilot Study is to investigate a specific solution to this issue. In 2006 HIMSS sponsored Phase 1 of the e-Authentication Pilot Study, which modeled the use of the General Services Administration (GSA) electronic authentication certificates using PKI and SAML in a healthcare information exchange (HIE) environment by 6 Regional Health Information Organizations (RHIOs) located in 5 different states. Phase 2 extended the work of Phase 1 to model federated single sign-on into a distributed multi-state HIE using PKI certificates for secure identity management, open source Internet2 middleware (Shibboleth and Shibboleth tools) for the authorization architecture and OASIS Security Assertion Markup Language (SAML) for single sign-on and access control. Phase 2 concluded in the development of a healthcare-specific configuration of the Shibboleth network architecture and the development of healthcare-related directory objects for role-based authorization. The Phase 2 technology was successfully demonstrated in the 2008 IHE Showcase. Phase 3 of the e-Authentication Pilot Study extended the network to include NHIN connectivity as a participant in the NHIN2 project. Advancements included: Record Location Services (RLS), proprietary Electronic Health Records (EHR), Personal Health Record Service (PHR), Public Health Immunization Record Service, and VMWare virtual server technology. Phase 4 extends the use of the NHIN Connector for Clinical and Administrative transactions, connection to OpenVISTA, work with the Voluntary Universal Healthcare Identifier (VUHID) and the growth of the network to 18 hospitals. The Liberty Alliance/Kantara Workgroup for Health Identity and Assurance continues to participate to define Health Identity Management best practices and Role-based Authentication.
Presented at HIMSS2010 by Richard Moore and John Fraser
HIMSS GSA e-Authentication whitepaper June 2007 (Richard Moore)
HIMSS and the GSA developed a pilot project to demonstrate the adoption of the GSA's secure and interoperable technical architecture for sharing medical information across multiple healthcare providers. The pilot utilized the GSA's E-Authentication Service Component program to provide digital certificates, technical architecture development support, and certificate validation services.
Seven RHIOs/Health Information Exchanges initially volunteered to participate in the project. One participant, the Nevada Single Portal Medical Record HIE, had to withdraw from the project due to a lack of resources.
Central Ohio HIE - Initiated by eHealth Ohio, and in conjunction with the Ohio Supercomputer Center, this project has focused on evaluating the viability of using the proposed national level user authentication process as a means of authenticating individual researchers, system developers and system administrators who will be both utilizing, creating and maintaining future health care research systems. An emerging area of software development focus, this pilot will also identify key issues faced by resource constrained development efforts.
How to Manage API Services From Azure Healthcare APIs (John Metthew)
Managed API services from Azure Healthcare APIs are built on open standards and frameworks, enabling healthcare workflows to be improved with scalable, secure solutions. With healthcare analytics and insights, you can improve outcomes.
Explains Health Record Standards, ICTs, Standards for the Healthcare Sector, and the Ministry of Health and Family Welfare. For more information visit: http://www.transformhealth-it.org/
Digital transformation of health insurance (vikasr2508)
This is a proposed solution to the challenges and changing roles of health insurance companies in the digital age. The changing expectations of the digital consumer, the increasing incidence of lifestyle-related NCDs and the increasing cost of healthcare delivery require new thinking. Digital tools can help health insurers stay connected and influence the behaviours of consumers to improve their health and reduce costs.
On 3rd July iUZ organised a talk about Cross-Border Interoperability, which we broadcast live on YouTube.
This is the presentation document.
You can watch the event through our Youtube channel: http://youtu.be/k1KLgD8GF3Q
wso2 masterclass italia #13 - Open Healthcare: interoperability and security ... (Profesia Srl, Lynx Group)
WSO2 Open Healthcare: interoperability and patient safety thanks to FHIR and HL7
Matteo explains how WSO2's vertical solution for the medical sector is able to guarantee maximum interoperability with maximum safety for the patient and their data, in compliance with industry standards.
Personal Health Record over Encrypted Data Using Cloud Service (YogeshIJTSRD)
Cloud-Based Personal Health Record (CBPHR) systems are used for the storage and management of patient records. Cloud computing provides real-time health care data in a convenient and cost-effective manner. Due to the lack of visibility in the cloud platform, users are always concerned with data privacy and security. This is the main obstacle to widely adopting CBPHR systems in the health care sector. The paper discusses a cloud-based patient health record management scheme which is highly secured. In this approach, indexes are encrypted under different symmetric keys, and the encrypted data indexes from various data providers can be merged by the cloud without knowing the index content. It also provides efficient and privacy-preserving query processing using a single data query submitted by the data user. Encrypted data will be processed by the cloud from all related data providers without knowing the query content. Dinesh Soni | Dr. Lakshmi JVN "Personal Health Record over Encrypted Data Using Cloud Service" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-4, June 2021, URL: https://www.ijtsrd.com/papers/ijtsrd41230.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/41230/personal-health-record-over-encrypted-data-using-cloud-service/dinesh-soni
In this digital era, the healthcare sector is going through a remarkable revolution enabled by sophisticated technologies. Amongst these advancements, web development has been particularly instrumental in enhancing the industry's capabilities.
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future (Nat Sakimura)
Digital identity has been under constant evolution for the last 30 years. It started from simple access control via a user account within a single system, moved to a credential shared among systems, then to federated identity and bring-your-own-identity (BYOI). Modern usages are not only for access control but include purposes such as digital on-boarding (account opening) and employee and customer relationship management. Among the many technologies out there, OpenID seems to have gained such popularity in the market that you are probably using it without knowing it. This session explains the positioning of OpenID in the digital ID landscape and explores the future potential for both corporations and individuals.
Introduction to the FAPI Read & Write OAuth Profile - Jan 2018 Updates (Nat Sakimura)
APIDays Paris 2018 presentation by Nat Sakimura.
Talking about Part 1, 2, and new Part 3 with examples.
My twitter: @_nat_en
Follow me on Youtube: https://www.youtube.com/NatSakimura
Blog: https://nat.sakimura.org/
Introduction to the FAPI Read & Write OAuth Profile (Nat Sakimura)
This is the presentation used at APIDays Berlin (2017-11-08) to explain the Financial API Read & Write Security profile's rationale and how it fulfills the requirements.
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic... (Nat Sakimura)
The OAuth 2.0 Authorization Framework, while it has achieved extremely large adoption, has been exposed to various attacks, and a number of additional specifications have been created to patch the problems. It is expected that other attacks will come in the future, requiring yet another patch specification. To avoid such future problems, a more systematic approach is needed.
This paper attempts to do so by applying BCM principles to OAuth (RFC6749). It demonstrates that additional parameters in all four messages are needed, as well as integrity protection of both the authorization request and the response.
API Days 2016 Day 1: OpenID Financial API WG (Nat Sakimura)
The presentation introduces the Financial API Working Group at the OpenID Foundation. The presentation was made at the API Days 2016 on December 13, 2016 in Paris.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
How to Get CNIC Information System with Paksim Ga.pptx (danishmna97)
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
GridMate - End to end testing is a critical piece to ensure quality and avoid... (ThomasParaiso2)
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Communications Mining Series - Zero to Hero - Session 1 (DianaGray10)
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers, without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in the Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed in releasing software to market, combined with traditionally slow and manual security checks, has left gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
3. NHINとは 3 2004 に開始された、米国全土にまたがる健康情報交換インフラプロジェクト Health Information Exchange (HIE) 及び他の期間との間での健康情報の発見と取得を可能にする 患者情報のサマリーを提供して、患者ケアや患者の健康増進に役立てる 情報交換は安全に行う すべての参加者が同意し遵守する、信頼の基となる契約書を作成する 国民背番号無くして患者とデータをひもづけることを可能にする ステークホルダーが任意で同意する標準のハーモニゼーションをサポートする
4. 主なユースケース 4 Emergency Responder-Electronic Health Record Electronic Health Record – Lab Results Medication Management Consumer Empowerment-Consumer Access to Clinical Information Consumer Empowerment- Registration and Medication History Quality Biosurveillance
5. 5 Data Use and Reciprocal Support Agreement (出所) (NHIN) Architecture Overview v.1.0 1/29/2010
6. Architecture Principles 分散 自立・自治 ローカル・アカウンタビリティ 標準準拠 SOA Webサービスの利用 仕様ドリブン 認可フレームワーク メッセージング・プラットフォーム 患者ディスカバリ ドキュメント発見 ドキュメント取得 Health Information Event Messaging (HIEM) Document Submission Access Consent Policies Geocoded Interoperable Population Summary Exchange (GIPSE) Profile CARE (Continuity Assessment Record and Evaluation) Profile PKIをセキュリティのベースとして利用 6 (出所) (NHIN) Architecture Overview v.1.0 1/29/2010 を基にOIDF-J
11. NHIN Messaging, Security & Privacy Foundation 11 Messaging Platform Spec. WS-I Basic v.2.0 WS-I Security v.1.1 Authorization Framework 個人の認証はSAML2.0ベースで。 Requester, Date and Time 属性 Authorized Decision Statement Authorization Framework
12. NHIN Discovery and Information Services 12 NHIN Discovery and Information Services UDDIでEnd Pointを検索 患者の発見(Patient Discovery) 2つのNodeが、患者の名寄せを行うためのシステム UDDI 一意に特定出来なかった場合には、属性を追加して再問合せ 1. End Point候補ください 2. 候補一覧 node1 3.氏名・生年月日・他 MPI node2 4.Patient ID, 属性 Master Person Index
13. NHIN Discovery and Information Services 13 ドキュメントIDとドキュメントの取得 Health Information Event Messaging (Pub/Sub) Document Submission (Push) Node 1 1. Patient ID Node 2 2. Doc ID 3. Doc ID HIO 5. Document 4. Authz
14. NHIN Specs: Access Consent Policies Production Specification v1.0 [PDF - 176 KB]; Administrative Distribution Production Specification v2.0 [PDF - 157 KB]; Authorization Framework Production Specification v2.0 [PDF - 256 KB]; Document Submission Production Specification v2.0 [PDF - 200 KB]; Health Information Event Messaging Production Specification v2.0 [PDF - 152 KB]; Messaging Platform Production Specification v2.0 [PDF - 248 KB]; Patient Discovery Production Specification v1.0 [PDF - 214 KB]; Query for Documents Production Specification v2.0 [PDF - 212 KB]; Retrieve Documents Production Specification v2.0 [PDF - 178 KB]; Web Services Registry Production Specification v2.0 [PDF - 378 KB]. http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__nhin_exchange/1407
15. Meaningful Use: incentives for making medical data available electronically. The American Recovery and Reinvestment Act of 2009 (ARRA) authorizes the Centers for Medicare & Medicaid Services (CMS) to provide reimbursement incentives for eligible professionals and hospitals who are successful in becoming “meaningful users” of certified electronic health record (EHR) technology. Beginning in January 2010, meaningful use will play a prominent role in NHIN development.
17. Purpose of PIDS. Overall purpose of PIDS: the Patient ID Service (PIDS) project will create a web-based authentication service that enables patients to access and act on their own health information. Code produced by the PIDS project will be released under the Apache License and will give each vendor useful material for building highly compatible implementations. Phase 1 of the PIDS project defines the requirements and presents one or two candidate architectures, to serve as the basis for the model implementation, testing and development of a certification service in Phase 2. Objectives for the OpenID Foundation Japan: demonstrate the usefulness of OpenID in the PIDS context; obtain OpenID promotional material from that work; give member companies an opportunity to participate in Phase 2 and acquire know-how.
18. Project organization. Joint Steering Committee: Kantara Initiative (Board Member, LC Member), eCitizen Foundation (Board Member). Project Sponsor: US$20,000 (Ph.1). Matthew Gardiner, President, KI (Executive Adviser). Requirements: Ray Campbell, Executive Director, Mass. Health Data Consortium. eCitizens Foundation (implementation lead): Dan Combs, Dazza Greenwood, Daniel Bennet. (Source: NRI, based on eCitizen_Kantara_healthidpilot v.5)
19. Project member biographies. Ray Campbell: Executive Director, Massachusetts Health Data Consortium. Dan Combs: CEO, eCitizen Foundation; Chair, EC3 Real ID Workgroup & Program Director, MIT Real ID Forum; Director, Digital Government, State of Iowa (200-2003). Dazza Greenwood: Co-Founder & ED, eCitizen Foundation; attorney; lecturer, MIT Media Lab (1997-2007); chair of the LegalXML E-Contract committee (OASIS), among others. Daniel Bennet: CTO, eCitizen Foundation; Invited Expert, W3C eGov Interest Group; co-author of the U.S. Paperwork Elimination Act and the Electronic Signatures Act.
21. Kantara – Patient NHIN Login Project. Data in scope: test results, problem list, medication list, drug allergy list, immunizations, discharge summary, discharge instructions. Figure (architecture sketch): Patient with Personal Health Records (un-tethered, e.g. Microsoft, Google; information could exist on cell phones), LoA2, Federated SSO + Directory; Patient NHIN Service Gateway with Patient Preferences / Authorization Service; NHIN Gateways connected over the Internet with TLS on each link; Doctor / Providers at the Minnesota Health Information Exchange and the Massachusetts Health Information Exchange, each with an NHIN Gateway, Federated SSO + Directory, LoA3. Open questions: ICAM compatible / certified service?; Issues: PHRs must be trusted by NHIN (policy, legal framework); PHRs should/must support SAML? OpenID?; PHRs could be run by various groups. VERY DRAFT – FOR DISCUSSION ONLY – 2-22-2010. (Source: NRI, based on Kantara Healthcare IAWG 2010-02-22 material)
25. Privacy and Security. Figure (HIE gateway diagram): HIE Gateways connecting Hospitals (EMR), Payors (EMR), an RLS, a PHR and HIE Member Users; Simplified Sign Ons to Clinics, Google Health, MS HealthVault, etc., or via iPhone or similar smartphone apps; Patient Logins; Clinics; Healthcare Workers; Patients. (Source: Kantara Initiative Healthcare IAWG 2009-10-22 material)
33. Complex, Robust Back-End Rules & Policy-Based Auditable Access Control (Source: Greenwood, Masson, “Open Architecture for Patient Identity as a Service”, 2011)
34. Open Architecture Enables Markets (Source: Greenwood, Masson, “Open Architecture for Patient Identity as a Service”, 2011)
35. Figure (PHR login flow): Patient X logs in to the Indivo PHR (1 – Login); the PHR authenticates against the OpenID Server (2 – Authenticate); additional info and credentials are retrieved and displayed (3 – Retrieve). (Source: Greenwood, Masson, “Open Architecture for Patient Identity as a Service”, 2011)
36. Actors and Elements of PIDS. The actors and elements of the PIDS component include: Patient; PHR Service; PIDS services; Registration Authority; Identity Proofing; Enrollment; Issuance (or adoption) of Identifier; Issuance (or adoption) of Identity Credential; Authentication registration, discovery and implementation service; Authorization and attribute registration, discovery and implementation service (e.g. PDP with XACML); Relying Parties outside of NHIN; Relying Party Registries; Health care standard APIs or translation services; Health care providers within NHIN; Personal health and wellness devices; Smart Phone health and wellness apps; Other services on the web.
37. Interfaces, Connectors & Adapters: NwHIN Gateway; Direct Project; Indivo/Dossia Personal Health Platform*1; Microsoft HealthVault; Health & Wellness Apps on Android and iPhone Devices; Personal Medical Devices and Appliances; Back-End EMR, EHR and MPI Systems. *1 Dossia is a joint PHR of Intel, Walmart and others; it adopted the open-source PHR Indivo.
38. Modular "Component" Approach. The PIDS Component contains services and data stores; legal and policy interoperability and modularity; interface points with external systems/services. Features of the ID Service Component Approach: capacity to upgrade components and not interfaces; capacity to replace components and not interfaces; capacity to maintain components and replace interfaces.
39. General Security Requirements. A holistic approach to information security: address the Inspector General’s report on “Audit of Information Technology Security Included in Health Information Technology Standards” (A-18-09-30160) and the HIPAA Security Rule. Examples of the weaknesses identified at the eight hospitals: unprotected wireless networks, lack of vendor support for OSs, inadequate system patching, outdated or missing antivirus software, lack of encryption of data on portable devices and media, lack of system event logging or review, shared user accounts, excessive user access and administrative rights. Measures cited: encrypting data stored on mobile devices, such as compact disks (CD) and thumb drives; requiring two-factor authentication when remotely accessing an HIT system; patching the operating systems (OS) of computer systems that process and store EHR. Inspector General: “HIPAA does not provide adequate general IT security”.
40. List of Technical Components: a simple account system with identity information for each account holding patient information, including first and last name, phone, address, etc.; a URI/URL for each Patient Account; a SAML 2.0 service that can send each Relying Party (Shibboleth) the PIDS URI/URL or OID and either the Patient URI/URL or another OID for that Relying Party; PIDS Credentials; an OpenID service; an Advanced Credential issuance or adoption service (enabling a patient to use, bind and/or link different identity credentials to their PIDS account): Advanced credential 1 is an X.509v3 digital certificate (optional), Advanced credential 2a is a Registered Mobile Phone for voice and/or text and/or keypad-based verification (optional), Advanced credential 2b is a Registered Smart Phone for 2a functions plus... (optional), Advanced credential 3 is an RSA Data Security Key Fob (optional), Advanced credential 4 is a PIV, PIV-I or other variations of these Cards (optional); (option) an Authentication as a Service account linkage, enabling the account credentials to be linked to KBA, crypto-based and other methods; (option) an Authorization as a Service account linkage, enabling the account credential to be linked to UACS/RBAC and XACML types of services; (option) an eSignature Service, enabling the use of the credential to assent to or otherwise approve a document, signify consent or perform other related transactions; Credential Suspension/De-linking/De-binding and Termination Service; (option) Time Stamp Service and other real-time audit-friendly tools (e.g. GIS, HTTP logs, etc.); Audit and Logging Service; OpenID Connect and OAuth Services.
41. Legal Architecture. Roles and Relationships: TBD. Legal Design Spec.: Federation PoV, Patient PoV, RP PoV, IdP PoV, AS PoV; Multilateral Contract; Operating Rules and Trust Framework; Governance; Dispute Resolution; Recourse; Records Retention and Audit; Privacy and FIPPs. Participation Agreements: Patients, Relying Party, Provider, Apps/Service.
42. Legal Ecosystem: Statutes & Regulations; Government Policies and Procedures; Accreditation, Certification, Licensing; Contracts and ToS; Interest Groups and Oversight Organizations; Advocacy and Internal Controls, Ombuds & Dispute Resolution.
43. Next Steps: complete the Ph.1 report; Ph.1.5 – Ph.2: finalize participants; LOI: define the scope clearly; Ph.2: pilot system, Agile development. Funding ideas: obtain research grant funding (KAKENHI) jointly with the MIT Media Lab New Media Medicine group; secure an NSTIC pilot budget; participants from industry.
45. Report table of contents (1): Executive Summary; Objective; Goals; Solution; Open Architecture; Public Infrastructure; Introduction; Requirements and Constraints; Use Cases, Field Survey and Requirements Gathering; Patient and Individual End-User Needs; Conceptual Solution Design and Options; Functional Description - Patient Perspective; Functional Description - Relying Party Perspective; Functional Description - External Credential Provider (?); Actors and Elements of PIDS; List of Technical Components; Details of PIDS Process; PIDS Instance Host and Business Models; Process for Enrollment; Linkage to Identity Credentials and Token; PIDS Used with OpenID Connect; Web Services Functional Design Layers: 1. Identity Service, 2. Authentication Service, 3. Authorization/Attribute Service; Legal Architecture; Roles and Relationships; Legal Design Specification.
46. Report table of contents (2): Phase 2 Development and Implementation Plan; Agile Coding and Waterfall Method; Phase 2 Pilot and Testing; Servers, Platforms, Applications, Services, Sub-Components and Partner Systems; Pilot Test System, Service and Test Cases; Certifications and Accreditation; NIST 800-63-1 Certified Level 1, 2 and 3 and FIPS 201 Authentication Products and Services; Release and Evolve; Budget Assumptions and Alternatives; Alternative Budget #1; Alternative Budget #2; Schedule; Conclusion; Contact Information.