kantarainitiative, profile picture
Uploaded bykantarainitiative
PPTX, PDF486 views

Kantara uma webinar july 2020

This document summarizes a presentation on how the User Managed Access (UMA) standard addresses challenges in health information interoperability and user control. It discusses how current health systems have data silos and lack of user access to their own health records. UMA allows for interoperability across services/data sources through a centralized authorization server. It enables user-directed delegation so others can access data on a user's behalf. Case studies demonstrate implementations like Trustee that use UMA to create a self-sovereign universal health record. Another case study discusses Ontario's FPX which uses UMA and standards for identity, authentication, and access in health care.

Embed presentation

Download to read offline
UMA: 21st century health information interoperability + user control July 21, 2020 Alec Laws & Adrian Gropper
Agenda ● Moderator's welcome ● Overview of current challenges in Health Care ● How does UMA address those challenges ● Case Study: US Health Care and Trustee by HIE of ONE ● Case Study: CAN Health Care and FPX by IDENTOS ● Discussion: Presenters offer their views ● Q & A ● Current UMA and Community Activity
UMA Implementers Embrace Health Care ForgeRock – financial, healthcare, IoT, G2C… Gluu (open source) – API protection, enterprise, G2C… HIE of One / Trustee (open source) – healthcare IDENTOS – healthcare, G2C, … PatientShare – healthcare HealthyMePHR – healthcare Pauldron (open source) – healthcare RedHat Keycloak (open source) – API protection, enterprise, IoT… ShareMedData – healthcare WSO2 (open source) – enterprise (more detail at tinyurl.com/umawg) ~50% of implementations have stated Health Care focus
Desired Patient Experience
Current problems in our healthcare ecosystem Data Silos Key information not visible Can’t share information Lack of trust: paper based records Have to tell my story over and over to different providers No support for complex patient journeys No digital access Can’t remember ID or password Unnecessary duplication of tests & services Fear of fraud and security breaches Miscommunication, missed visits, inefficiencies Lack of R&D innovation in digital spaces
Patient access to their health data is limited and fragmented across care settings and services. Providers access patient’s health data through different channels. Home care, community care, and non-clinical providers do not have access to Patient’s clinical data. Health Applications are not connected.
How does UMA address these challenges?
The Standard - Isolated User Experiences Me online x 120! 120 Walled Gardens Services Data Account Have information about me Know who I am Provide me with service(s)
Outcomes We’ve Learned to Live With Organizations normal is also flawed Effort & cost to repeatedly establish, maintain an Identity Inability to adequately serve user needs Friction connecting with ecosystem partners Our normal is fundamentally flawed Limited access to our own data! Non-transparent consent and sharing of our personal data Disconnected user journeys
We Can Do Better What if… we can create a user centered ecosystem?
Interoperability of Services and Data Sources UMA is Built for Wide Ecosystems User Control, Privacy and Delegation One Authorization Server protects many Data Sources Person requesting access different from data owner/subject User can create a fine-grained authorization policy Services are protected from authorization details
User Centered Data & Authorization One AS protects many RS One RS trusted many AS The AS and RS are decoupled ● Alice can manage many RS’s from a single AS ● An RS can delegate authorization, account and service management to the AS ● The AS does not need to hold or duplicate personal data OUTCOME: scalability and interoperability Services Data Account Have information about me Know who I amProvide me with service(s) Data Data Data
Services Data Account Services are interoperable Services decoupled from authorization details ● Services don’t need to know about every authorization domain (eg scopes) ● Services can dynamically discover user authx requirements ● Services interoperate against data types (eg images) or standards (eg FHIR) against many RS Have information about me Know who I amProvide me with service(s) Service Service Service
User Directed Delegation User requesting access is different from Data owner Data owner can create fine-grained policy ● There are many use-cases for delegation/guardianship ● I am not the only person who needs to see my data ● UMA models this, but doesn’t overspecify ● Policy can be against an entire API, or a specific file/path ● Policy can consider both the client and the Requesting User Provide me with service(s) Have information about me Know who I am Services Bob’s Account Services Data Account
UMA Puts it All Together There are still separate organizations and domains. However now data and services are interoperable at the direction of the person Alice’s Account (AS) Service Service Service Data Dara Data Bob’s Services Bob’s Account
Demo: What might this look like?
Demo Scope Alec’s Account (AS) Health Portal Banting Diabetes Manager BC EHR ON EHR Google PHR Google Account
More Information About UMA Get more information about the “How” of UMA: UMA 2:0 Deep Dive: Applying User-Managed Access | Identiverse 2018 https://www.youtube.com/watch?v=0cCXJvJ6GUY UMA Grant Spec https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html UMA Fedz Spec https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated- authz-2.0.html
Case Study: US Health Care & Trustee by HIE of ONE
Case Study: US Healthcare Challenges (but similar in many countries) ● HIPAA is not based on patient consent ● Un-sustainable ● Health records are not patient-centered ● Un-sustainable ● 80% of outcomes are based on social determinants, not medical treatment ● Patient identity “matching” is a problem unique to US healthcare ● 30% of US health costs (~$ 1T) are unwarranted ● US racial & wealth disparities in survival are unmatched in the rich world
Imagine: A Universal Health Record ● Self-sovereign to the individual ● Global, like medical science ● Open source and peer reviewed, like medical science ● Standards-based ● No institutional lock-in ● Easy to spot disparities across zip-codes and nations ● A human rights economic and sustainability model
Imagine: UMA as the Core of a Universal Health Record ● UMA 2.0 enables a self-sovereign Authorization Server ● No need to copy information through a “personal data store” ● No worry about loss of provenance ● Subject’s policies are never shared, just the decisions ● No patient matching issues ● Leverages self-sovereign identifier and verifiable credentials work ● Authorization policies are inherited from the community one chooses ● HIE of One influenced and builds around UMA 2.0
Example Implementation: Trustee® by HIE of One ● A self-sovereign authorization server enabled by standards ● Standards ● UMA 2.0 - for provenance and consent ● OAuth 2 - for legacy EHRs and Medicare ● OpenID Connect - for federated single sign-on ● W3C Verifiable Credentials - for self-sovereign single sign-on ● DID - W3C Decentralized Identifiers for non-repudiable signatures ● Public Blockchain (ETH) - decentralized timestamps for accountability ● Trustee Community - initializes the policies; competes for patients ● NOSH - A self-sovereign health record that doctors can sign-into with their credentials
Ontario Identity, Authentication, & Access by IDENTOS FPX
Case Study: Canadian Healthcare Challenges (key similarities & differences to the US) ● PHIPA does have provisions for patient consent ● However access is still limited as: ● Health records are not patient-centered ● Un-sustainable ● Patient identity “matching” is a less of a problem ● Due to Provincially issued health insurance and identifiers
What impact will patient digital access have? Digitally access personal health information (e.g. lab test results, prescription information), book appointments and track referrals. Interact virtually with a health care provider via video visit or secure messaging. Digitally share important information with their health care provider(s). Digitally ensure that patients control access to their data through consent and access controls.
Connecting Healthcare Journeys in Canada Digital Service Providers Identity Providers Data Resource Servers Digital Service Providers Data Resource Servers Identity Providers FPX Digital Service Providers Data Resource Servers Identity Providers FPX FPX National Health Ecosystem Regional Health Ecosystem Provincial Health Ecosystem UMA Authorization Hospital Ecosystem Digital Service Providers Data Resource Servers Identity Providers FPX
Discussion
Q&A
Closing Remarks & Current Activity
Current UMA Working Group ● Interested? Join the working group! Meet every Thursday ● Formalizing interop test suite ● Profiles and extensions ● AS first flows ● General resource definitions ● UMA “wallet”
Important Current Work ● TxAuth / OAuth 3 ● AS first ● Avoid client registration ● OAuth2 and UMA 2 are hard ● HEART ● Consent-based interop without “personal data stores” as intermediaries ● Influence TEFCA ● SIOP (Self-issued identity provider) ● Harmonize SSI and OpenID Connect

More Related Content

PPTX
HXR 2016: Free the Data Access & Integration -Peter Levin, Amida Technology S...
byHxRefactored
 
PDF
HIMSS GSA e-Authentication whitepaper June 2007
byRichard Moore
 
PPTX
HXR 2016: Free the Data Access & Integration -Jonathan Hare, WebShield
byHxRefactored
 
PDF
KuraDoctorsDeck
byKarl McKinnie
 
PPTX
Direct 2.0 Boot Camp: Deep Dive Into the Direct Trusted Agent Accreditation P...
byBrian Ahier
 
PPTX
Webinar on the 21st Century Cures Act Final Rule
byNalashaa Healthcare Solutions
 
PPTX
Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct
byBrian Ahier
 
PDF
Health delivery information system [HDIS] MVP
byACCESS Health Digital
 
HXR 2016: Free the Data Access & Integration -Peter Levin, Amida Technology S...
byHxRefactored
 
HIMSS GSA e-Authentication whitepaper June 2007
byRichard Moore
 
HXR 2016: Free the Data Access & Integration -Jonathan Hare, WebShield
byHxRefactored
 
KuraDoctorsDeck
byKarl McKinnie
 
Direct 2.0 Boot Camp: Deep Dive Into the Direct Trusted Agent Accreditation P...
byBrian Ahier
 
Webinar on the 21st Century Cures Act Final Rule
byNalashaa Healthcare Solutions
 
Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct
byBrian Ahier
 
Health delivery information system [HDIS] MVP
byACCESS Health Digital
 

What's hot

PDF
Health information exchange (HIE)
byACCESS Health Digital
 
PPSX
Webinar on Using MS D365 for Hospitals During the COVID-19 Pandemic
byNalashaa Healthcare Solutions
 
DOC
Kairon overview
byJeff McCloud
 
PDF
Uptake and spread of digital technologies
byeHealthCareers
 
PDF
Health insurance information platform (hiip)
byACCESS Health Digital
 
PPTX
Building blockchain based Healthcare infrastructure with beyond block labs
byBeyond Block Labs
 
PPTX
Direct Boot Camp 2.0 - Tennesse Directories
byBrian Ahier
 
PPTX
mHealth & the Medical Provider
byLuca Sergio
 
PPTX
Himss12 Meet The Expert
byWilliam Kirsh, DO, MPH
 
PDF
Nicolas Terry, "Big Data, Regulatory Disruption, and Arbitrage in Health Care"
byThe Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics
 
PDF
Dialogue on HIPAA/HITECH Compliance
byBrian Ahier
 
PPTX
HIMSS12 Sentry Data System
byWilliam Kirsh, DO, MPH
 
PPT
Ghana Medical Banking Institute
byWilliam Kirsh, DO, MPH
 
PPTX
Himss Revenue Cycle Task Force Panel Presentation[1]
byWilliam Kirsh, DO, MPH
 
PDF
SOA enabled next generatione EMR/EHR
byVictor Chai
 
PDF
2016 iHT2 San Diego Health IT Summit
byHealth IT Conference – iHT2
 
PPTX
Patient Confidentiality wk1_dq2_mha690
byBrooklynRose1267
 
PDF
2015 iHT2 Health IT Beverly Hills Summit
byHealth IT Conference – iHT2
 
PDF
Telemedicine: Expanding Access to Medicaid Services
byVirginia Rural Health Association
 
PPS
E Health Trust
byhealthmashr
 
Health information exchange (HIE)
byACCESS Health Digital
 
Webinar on Using MS D365 for Hospitals During the COVID-19 Pandemic
byNalashaa Healthcare Solutions
 
Kairon overview
byJeff McCloud
 
Uptake and spread of digital technologies
byeHealthCareers
 
Health insurance information platform (hiip)
byACCESS Health Digital
 
Building blockchain based Healthcare infrastructure with beyond block labs
byBeyond Block Labs
 
Direct Boot Camp 2.0 - Tennesse Directories
byBrian Ahier
 
mHealth & the Medical Provider
byLuca Sergio
 
Himss12 Meet The Expert
byWilliam Kirsh, DO, MPH
 
Nicolas Terry, "Big Data, Regulatory Disruption, and Arbitrage in Health Care"
byThe Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics
 
Dialogue on HIPAA/HITECH Compliance
byBrian Ahier
 
HIMSS12 Sentry Data System
byWilliam Kirsh, DO, MPH
 
Ghana Medical Banking Institute
byWilliam Kirsh, DO, MPH
 
Himss Revenue Cycle Task Force Panel Presentation[1]
byWilliam Kirsh, DO, MPH
 
SOA enabled next generatione EMR/EHR
byVictor Chai
 
2016 iHT2 San Diego Health IT Summit
byHealth IT Conference – iHT2
 
Patient Confidentiality wk1_dq2_mha690
byBrooklynRose1267
 
2015 iHT2 Health IT Beverly Hills Summit
byHealth IT Conference – iHT2
 
Telemedicine: Expanding Access to Medicaid Services
byVirginia Rural Health Association
 
E Health Trust
byhealthmashr
 

Similar to Kantara uma webinar july 2020

PDF
Protecting Personal Data in a IoT Network with UMA
byDomenico Catalano
 
PDF
Protecting Personal Data in a IoT Network with UMA
bykantarainitiative
 
PDF
Extending the Power of Consent with User-Managed Access & OpenUMA
bykantarainitiative
 
PDF
UMA as Authorization mechanism for IoT: a healthcare scenario
byDomenico Catalano
 
PPTX
Doing Authorisation, Consent, and Delegation Right with UMA - London Identity...
byForgeRock
 
PPTX
The state of uma 2014 11-03
bykantarainitiative
 
PDF
Uma webinar 2014 06-19
bykantarainitiative
 
PDF
Uma webinar 2014 03-20
bykantarainitiative
 
PDF
Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
byForgeRock
 
PDF
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
byEve Maler
 
PDF
NEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESS
byForgeRock
 
PDF
Blockchain-Based AI-Assisted Hospital Management System
byIRJET Journal
 
PPTX
Professor George Crooks - ECO 19: Care closer to home
byInnovation Agency
 
PDF
Connected Health Interoperability Platform_White Paper_Cisco UCSF_2016
byWernhard Berger
 
PDF
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
byWSO2
 
PPTX
mHealth Israel_Blockchain Overview_Lea Dias, CEO, Quaefacta
byLevi Shapiro
 
PPTX
The Future of Healthcare EMREHR Software Development Trends.pptx
byEMed HealthTech Pvt Ltd
 
PDF
Healthcare IT Analysis
byDraup
 
PDF
CareConnect: Healthcare Innovation Hub - An Integrated Patient Care Management
byRakshitBhardwaj20
 
PDF
Quæfacta GCCCF May 22th, 2019
byDavid Andrianavalontsalama
 
Protecting Personal Data in a IoT Network with UMA
byDomenico Catalano
 
Protecting Personal Data in a IoT Network with UMA
bykantarainitiative
 
Extending the Power of Consent with User-Managed Access & OpenUMA
bykantarainitiative
 
UMA as Authorization mechanism for IoT: a healthcare scenario
byDomenico Catalano
 
Doing Authorisation, Consent, and Delegation Right with UMA - London Identity...
byForgeRock
 
The state of uma 2014 11-03
bykantarainitiative
 
Uma webinar 2014 06-19
bykantarainitiative
 
Uma webinar 2014 03-20
bykantarainitiative
 
Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usabili...
byForgeRock
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
byEve Maler
 
NEW INNOVATIONS IN CONSENT, PRIVACY, AND USER-MANAGED ACCESS
byForgeRock
 
Blockchain-Based AI-Assisted Hospital Management System
byIRJET Journal
 
Professor George Crooks - ECO 19: Care closer to home
byInnovation Agency
 
Connected Health Interoperability Platform_White Paper_Cisco UCSF_2016
byWernhard Berger
 
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
byWSO2
 
mHealth Israel_Blockchain Overview_Lea Dias, CEO, Quaefacta
byLevi Shapiro
 
The Future of Healthcare EMREHR Software Development Trends.pptx
byEMed HealthTech Pvt Ltd
 
Healthcare IT Analysis
byDraup
 
CareConnect: Healthcare Innovation Hub - An Integrated Patient Care Management
byRakshitBhardwaj20
 
Quæfacta GCCCF May 22th, 2019
byDavid Andrianavalontsalama
 

More from kantarainitiative

PPTX
Kantara initiative - AGM 2022
bykantarainitiative
 
PDF
2021 Annual General Meeting
bykantarainitiative
 
PDF
2020 Annual General Meeting Executive Summary
bykantarainitiative
 
PDF
2020 Annual General Meeting
bykantarainitiative
 
PDF
AARC Assurance Profiles for Kantara Initiative
bykantarainitiative
 
PPTX
Kantara webinar 800 63-3 approval 2020-07-15
bykantarainitiative
 
PDF
Kantara webinar 800 63-3 approval 2020-07-15
bykantarainitiative
 
PPTX
Kantara orientation april 2020
bykantarainitiative
 
PDF
Kantara Initiative orientation 2019 (incl. 10th Anniversary video)
bykantarainitiative
 
PDF
Kantara Initiative orientation 2019 (incl. 10th Anniversary video)
bykantarainitiative
 
PPTX
Kantara Initiative orientation 2019 (incl. 10th Anniversary video)
bykantarainitiative
 
PPTX
Kantara orientation 2018
bykantarainitiative
 
PPTX
Kantara Overview 2017
bykantarainitiative
 
PPTX
Kantara Workshop at CIS
bykantarainitiative
 
PPTX
Cloud Identity Summit
bykantarainitiative
 
PPTX
Trust Frameworks Explained
bykantarainitiative
 
PPTX
Mobile Device and Attribute Validation (MDAV)
bykantarainitiative
 
PDF
Kantara Initiative, Inc in 2016
bykantarainitiative
 
PDF
Kantara - Consent & Information Sharing WG Update
bykantarainitiative
 
PPTX
Laws of relationships v7
bykantarainitiative
 
Kantara initiative - AGM 2022
bykantarainitiative
 
2021 Annual General Meeting
bykantarainitiative
 
2020 Annual General Meeting Executive Summary
bykantarainitiative
 
2020 Annual General Meeting
bykantarainitiative
 
AARC Assurance Profiles for Kantara Initiative
bykantarainitiative
 
Kantara webinar 800 63-3 approval 2020-07-15
bykantarainitiative
 
Kantara webinar 800 63-3 approval 2020-07-15
bykantarainitiative
 
Kantara orientation april 2020
bykantarainitiative
 
Kantara Initiative orientation 2019 (incl. 10th Anniversary video)
bykantarainitiative
 
Kantara Initiative orientation 2019 (incl. 10th Anniversary video)
bykantarainitiative
 
Kantara Initiative orientation 2019 (incl. 10th Anniversary video)
bykantarainitiative
 
Kantara orientation 2018
bykantarainitiative
 
Kantara Overview 2017
bykantarainitiative
 
Kantara Workshop at CIS
bykantarainitiative
 
Cloud Identity Summit
bykantarainitiative
 
Trust Frameworks Explained
bykantarainitiative
 
Mobile Device and Attribute Validation (MDAV)
bykantarainitiative
 
Kantara Initiative, Inc in 2016
bykantarainitiative
 
Kantara - Consent & Information Sharing WG Update
bykantarainitiative
 
Laws of relationships v7
bykantarainitiative
 

Recently uploaded

PDF
How to Prepare for the RWA Tokenization Trend
byrose mason
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
How to Prepare for the RWA Tokenization Trend
byrose mason
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 

Kantara uma webinar july 2020

  • 1.
    UMA: 21st centuryhealth information interoperability + user control July 21, 2020 Alec Laws & Adrian Gropper
  • 2.
    Agenda ● Moderator's welcome ●Overview of current challenges in Health Care ● How does UMA address those challenges ● Case Study: US Health Care and Trustee by HIE of ONE ● Case Study: CAN Health Care and FPX by IDENTOS ● Discussion: Presenters offer their views ● Q & A ● Current UMA and Community Activity
  • 3.
    UMA Implementers EmbraceHealth Care ForgeRock – financial, healthcare, IoT, G2C… Gluu (open source) – API protection, enterprise, G2C… HIE of One / Trustee (open source) – healthcare IDENTOS – healthcare, G2C, … PatientShare – healthcare HealthyMePHR – healthcare Pauldron (open source) – healthcare RedHat Keycloak (open source) – API protection, enterprise, IoT… ShareMedData – healthcare WSO2 (open source) – enterprise (more detail at tinyurl.com/umawg) ~50% of implementations have stated Health Care focus
  • 4.
  • 5.
    Current problems inour healthcare ecosystem Data Silos Key information not visible Can’t share information Lack of trust: paper based records Have to tell my story over and over to different providers No support for complex patient journeys No digital access Can’t remember ID or password Unnecessary duplication of tests & services Fear of fraud and security breaches Miscommunication, missed visits, inefficiencies Lack of R&D innovation in digital spaces
  • 6.
    Patient access to theirhealth data is limited and fragmented across care settings and services. Providers access patient’s health data through different channels. Home care, community care, and non-clinical providers do not have access to Patient’s clinical data. Health Applications are not connected.
  • 7.
    How does UMAaddress these challenges?
  • 8.
    The Standard -Isolated User Experiences Me online x 120! 120 Walled Gardens Services Data Account Have information about me Know who I am Provide me with service(s)
  • 9.
    Outcomes We’ve Learnedto Live With Organizations normal is also flawed Effort & cost to repeatedly establish, maintain an Identity Inability to adequately serve user needs Friction connecting with ecosystem partners Our normal is fundamentally flawed Limited access to our own data! Non-transparent consent and sharing of our personal data Disconnected user journeys
  • 10.
    We Can DoBetter What if… we can create a user centered ecosystem?
  • 11.
    Interoperability of Services andData Sources UMA is Built for Wide Ecosystems User Control, Privacy and Delegation One Authorization Server protects many Data Sources Person requesting access different from data owner/subject User can create a fine-grained authorization policy Services are protected from authorization details
  • 12.
    User Centered Data& Authorization One AS protects many RS One RS trusted many AS The AS and RS are decoupled ● Alice can manage many RS’s from a single AS ● An RS can delegate authorization, account and service management to the AS ● The AS does not need to hold or duplicate personal data OUTCOME: scalability and interoperability Services Data Account Have information about me Know who I amProvide me with service(s) Data Data Data
  • 13.
    Services Data Account Services are interoperable Servicesdecoupled from authorization details ● Services don’t need to know about every authorization domain (eg scopes) ● Services can dynamically discover user authx requirements ● Services interoperate against data types (eg images) or standards (eg FHIR) against many RS Have information about me Know who I amProvide me with service(s) Service Service Service
  • 14.
    User Directed Delegation Userrequesting access is different from Data owner Data owner can create fine-grained policy ● There are many use-cases for delegation/guardianship ● I am not the only person who needs to see my data ● UMA models this, but doesn’t overspecify ● Policy can be against an entire API, or a specific file/path ● Policy can consider both the client and the Requesting User Provide me with service(s) Have information about me Know who I am Services Bob’s Account Services Data Account
  • 15.
    UMA Puts itAll Together There are still separate organizations and domains. However now data and services are interoperable at the direction of the person Alice’s Account (AS) Service Service Service Data Dara Data Bob’s Services Bob’s Account
  • 16.
    Demo: What mightthis look like?
  • 17.
  • 18.
    More Information AboutUMA Get more information about the “How” of UMA: UMA 2:0 Deep Dive: Applying User-Managed Access | Identiverse 2018 https://www.youtube.com/watch?v=0cCXJvJ6GUY UMA Grant Spec https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html UMA Fedz Spec https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated- authz-2.0.html
  • 19.
    Case Study: USHealth Care & Trustee by HIE of ONE
  • 20.
    Case Study: USHealthcare Challenges (but similar in many countries) ● HIPAA is not based on patient consent ● Un-sustainable ● Health records are not patient-centered ● Un-sustainable ● 80% of outcomes are based on social determinants, not medical treatment ● Patient identity “matching” is a problem unique to US healthcare ● 30% of US health costs (~$ 1T) are unwarranted ● US racial & wealth disparities in survival are unmatched in the rich world
  • 21.
    Imagine: A UniversalHealth Record ● Self-sovereign to the individual ● Global, like medical science ● Open source and peer reviewed, like medical science ● Standards-based ● No institutional lock-in ● Easy to spot disparities across zip-codes and nations ● A human rights economic and sustainability model
  • 22.
    Imagine: UMA asthe Core of a Universal Health Record ● UMA 2.0 enables a self-sovereign Authorization Server ● No need to copy information through a “personal data store” ● No worry about loss of provenance ● Subject’s policies are never shared, just the decisions ● No patient matching issues ● Leverages self-sovereign identifier and verifiable credentials work ● Authorization policies are inherited from the community one chooses ● HIE of One influenced and builds around UMA 2.0
  • 23.
    Example Implementation: Trustee® byHIE of One ● A self-sovereign authorization server enabled by standards ● Standards ● UMA 2.0 - for provenance and consent ● OAuth 2 - for legacy EHRs and Medicare ● OpenID Connect - for federated single sign-on ● W3C Verifiable Credentials - for self-sovereign single sign-on ● DID - W3C Decentralized Identifiers for non-repudiable signatures ● Public Blockchain (ETH) - decentralized timestamps for accountability ● Trustee Community - initializes the policies; competes for patients ● NOSH - A self-sovereign health record that doctors can sign-into with their credentials
  • 24.
  • 25.
    Case Study: CanadianHealthcare Challenges (key similarities & differences to the US) ● PHIPA does have provisions for patient consent ● However access is still limited as: ● Health records are not patient-centered ● Un-sustainable ● Patient identity “matching” is a less of a problem ● Due to Provincially issued health insurance and identifiers
  • 26.
    What impact willpatient digital access have? Digitally access personal health information (e.g. lab test results, prescription information), book appointments and track referrals. Interact virtually with a health care provider via video visit or secure messaging. Digitally share important information with their health care provider(s). Digitally ensure that patients control access to their data through consent and access controls.
  • 27.
    Connecting Healthcare Journeysin Canada Digital Service Providers Identity Providers Data Resource Servers Digital Service Providers Data Resource Servers Identity Providers FPX Digital Service Providers Data Resource Servers Identity Providers FPX FPX National Health Ecosystem Regional Health Ecosystem Provincial Health Ecosystem UMA Authorization Hospital Ecosystem Digital Service Providers Data Resource Servers Identity Providers FPX
  • 28.
  • 29.
  • 30.
    Closing Remarks &Current Activity
  • 31.
    Current UMA WorkingGroup ● Interested? Join the working group! Meet every Thursday ● Formalizing interop test suite ● Profiles and extensions ● AS first flows ● General resource definitions ● UMA “wallet”
  • 32.
    Important Current Work ●TxAuth / OAuth 3 ● AS first ● Avoid client registration ● OAuth2 and UMA 2 are hard ● HEART ● Consent-based interop without “personal data stores” as intermediaries ● Influence TEFCA ● SIOP (Self-issued identity provider) ● Harmonize SSI and OpenID Connect

Editor's Notes

  • #5 Virtual health is more important than ever
  • #6 Ecosystems we’re designed for orgs to manage their risk. However the outcome for people is this
  • #8 Why UMA is made to solve the HC challenges BRIEF HOW SO WHAT -> 1 closed vs wide ecosystems, 2 user control and choicce (privacy!)
  • #9 The internet evolved amazingly through the introduction of new services - we were amazed by the value created as we could do more on the internet … This evolution happened quickly - and happenstance led us to the emergent topology we see today… We have many relationships with online services, each operating in silos each knowing a different digital version of me … each collecting, maintaining and we hope protecting some data about me. Research has shown that the average person has in excess of 120 online accounts/passwords.
  • #10 As users - we are not in control…the disconnect in our journey becomes critically obvious in ecosystems like healthcare where the handoffs and silos make for repetitive effort/frustration...and very little access to digital. Organizations are all investing over and over to solve the same problem and create another version of me…their burden, and friction to innovate and collaborate is at an all time high….
  • #11 7. What if the internet protocols and organizations evolved …. ? --- what ive trust over IP existed and allowed organizations to know how and how its safe to connect with? --- imagine how we can unbind and accelerate the data economy with when the internet is working for the consumer who is actively participating to drive the exchange of value online --- how amazing would it be to have less version of you online...less
  • #12  Loosely coupled AS and RS This allows a person to protect many distributed resources from a single control point. This breaks the siloed data centered experience and presents a user centered ecosystem Dynamic Client Flows Client traditionally need significant knowledge of the resource and authorization setup. By enabling dynamic flows UMA supports wider choice in client and interoperability between authorization domains Party to Party Authz Alice isn’t the only person who needs access to her files. The ability to share her data with others, using policy under her control better represents the real world and quickly expands possible use cases. Fine Grained Authorization Alec TODO
  • #13 Ex Data is HIE, no manage account/services HIE/Repository introduction HC example/link back to our 4 challenges
  • #15 Make sure contrast to OAuth is highlighted, Alice->Alice doesn’t need fine grained Link back to doctor
  • #17 I will show an RS, AS, and two services, all in different domains. THe API access is entirely controlled by Alice. This shows some elements of fine grained auth, but not delegate
  • #20 Why UMA is made to solve the HC challenges BRIEF HOW SO WHAT -> 1 closed vs wide ecosystems, 2 user control and choice (privacy!)
  • #24 Trustee Community - policy initialization Policies are never on the wire Credentialed users can bypass institutions Public blockchain for accountability Patient is the customer
  • #25 Why UMA is made to solve the HC challenges BRIEF HOW SO WHAT -> 1 closed vs wide ecosystems, 2 user control and choice (privacy!)
  • #27 HICs require a high level of assurance and a lot of trust in the consumer apps that connect to sensitive digital health assets in order to minimize the risk of inappropriate access. In ON we’re giving people Options to login with required assurance for Health Care A hospital operated Authorization Server People may then put their HC data, such as provincial health records, under UMA protection And share these resources to existing public and private health portals, apps and services
  • #28 We started in healthcare...but more importantly instead of boiling the ocean, we’re introducing trust and access control, one ecosystem at a time... From the perspective that online trust, and access control needs to start with meaningful ecosystems...and interop is critical to move from bootstrapping to a meaningfully connected online experience. Interoperability of trust is the expansion of and connection of these local ecosystems
  • #29 Why UMA is made to solve the HC challenges BRIEF HOW SO WHAT -> 1 closed vs wide ecosystems, 2 user control and choice (privacy!)