Kantara uma webinar july 2020
•Download as PPTX, PDF•
1 like•478 views
Kantara uma webinar july 2020
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Kantara uma webinar july 2020
Similar to Kantara uma webinar july 2020 (20)
More from kantarainitiative
More from kantarainitiative (20)
Recently uploaded
Recently uploaded (20)
Kantara uma webinar july 2020
- 1. UMA: 21st century health information interoperability + user control July 21, 2020 Alec Laws & Adrian Gropper
- 2. Agenda ● Moderator's welcome ● Overview of current challenges in Health Care ● How does UMA address those challenges ● Case Study: US Health Care and Trustee by HIE of ONE ● Case Study: CAN Health Care and FPX by IDENTOS ● Discussion: Presenters offer their views ● Q & A ● Current UMA and Community Activity
- 3. UMA Implementers Embrace Health Care ForgeRock – financial, healthcare, IoT, G2C… Gluu (open source) – API protection, enterprise, G2C… HIE of One / Trustee (open source) – healthcare IDENTOS – healthcare, G2C, … PatientShare – healthcare HealthyMePHR – healthcare Pauldron (open source) – healthcare RedHat Keycloak (open source) – API protection, enterprise, IoT… ShareMedData – healthcare WSO2 (open source) – enterprise (more detail at tinyurl.com/umawg) ~50% of implementations have stated Health Care focus
- 5. Current problems in our healthcare ecosystem Data Silos Key information not visible Can’t share information Lack of trust: paper based records Have to tell my story over and over to different providers No support for complex patient journeys No digital access Can’t remember ID or password Unnecessary duplication of tests & services Fear of fraud and security breaches Miscommunication, missed visits, inefficiencies Lack of R&D innovation in digital spaces
- 6. Patient access to their health data is limited and fragmented across care settings and services. Providers access patient’s health data through different channels. Home care, community care, and non-clinical providers do not have access to Patient’s clinical data. Health Applications are not connected.
- 7. How does UMA address these challenges?
- 8. The Standard - Isolated User Experiences Me online x 120! 120 Walled Gardens Services Data Account Have information about me Know who I am Provide me with service(s)
- 9. Outcomes We’ve Learned to Live With Organizations normal is also flawed Effort & cost to repeatedly establish, maintain an Identity Inability to adequately serve user needs Friction connecting with ecosystem partners Our normal is fundamentally flawed Limited access to our own data! Non-transparent consent and sharing of our personal data Disconnected user journeys
- 10. We Can Do Better What if… we can create a user centered ecosystem?
- 11. Interoperability of Services and Data Sources UMA is Built for Wide Ecosystems User Control, Privacy and Delegation One Authorization Server protects many Data Sources Person requesting access different from data owner/subject User can create a fine-grained authorization policy Services are protected from authorization details
- 12. User Centered Data & Authorization One AS protects many RS One RS trusted many AS The AS and RS are decoupled ● Alice can manage many RS’s from a single AS ● An RS can delegate authorization, account and service management to the AS ● The AS does not need to hold or duplicate personal data OUTCOME: scalability and interoperability Services Data Account Have information about me Know who I amProvide me with service(s) Data Data Data
- 13. Services Data Account Services are interoperable Services decoupled from authorization details ● Services don’t need to know about every authorization domain (eg scopes) ● Services can dynamically discover user authx requirements ● Services interoperate against data types (eg images) or standards (eg FHIR) against many RS Have information about me Know who I amProvide me with service(s) Service Service Service
- 14. User Directed Delegation User requesting access is different from Data owner Data owner can create fine-grained policy ● There are many use-cases for delegation/guardianship ● I am not the only person who needs to see my data ● UMA models this, but doesn’t overspecify ● Policy can be against an entire API, or a specific file/path ● Policy can consider both the client and the Requesting User Provide me with service(s) Have information about me Know who I am Services Bob’s Account Services Data Account
- 15. UMA Puts it All Together There are still separate organizations and domains. However now data and services are interoperable at the direction of the person Alice’s Account (AS) Service Service Service Data Dara Data Bob’s Services Bob’s Account
- 16. Demo: What might this look like?
- 17. Demo Scope Alec’s Account (AS) Health Portal Banting Diabetes Manager BC EHR ON EHR Google PHR Google Account
- 18. More Information About UMA Get more information about the “How” of UMA: UMA 2:0 Deep Dive: Applying User-Managed Access | Identiverse 2018 https://www.youtube.com/watch?v=0cCXJvJ6GUY UMA Grant Spec https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html UMA Fedz Spec https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated- authz-2.0.html
- 19. Case Study: US Health Care & Trustee by HIE of ONE
- 20. Case Study: US Healthcare Challenges (but similar in many countries) ● HIPAA is not based on patient consent ● Un-sustainable ● Health records are not patient-centered ● Un-sustainable ● 80% of outcomes are based on social determinants, not medical treatment ● Patient identity “matching” is a problem unique to US healthcare ● 30% of US health costs (~$ 1T) are unwarranted ● US racial & wealth disparities in survival are unmatched in the rich world
- 21. Imagine: A Universal Health Record ● Self-sovereign to the individual ● Global, like medical science ● Open source and peer reviewed, like medical science ● Standards-based ● No institutional lock-in ● Easy to spot disparities across zip-codes and nations ● A human rights economic and sustainability model
- 22. Imagine: UMA as the Core of a Universal Health Record ● UMA 2.0 enables a self-sovereign Authorization Server ● No need to copy information through a “personal data store” ● No worry about loss of provenance ● Subject’s policies are never shared, just the decisions ● No patient matching issues ● Leverages self-sovereign identifier and verifiable credentials work ● Authorization policies are inherited from the community one chooses ● HIE of One influenced and builds around UMA 2.0
- 23. Example Implementation: Trustee® by HIE of One ● A self-sovereign authorization server enabled by standards ● Standards ● UMA 2.0 - for provenance and consent ● OAuth 2 - for legacy EHRs and Medicare ● OpenID Connect - for federated single sign-on ● W3C Verifiable Credentials - for self-sovereign single sign-on ● DID - W3C Decentralized Identifiers for non-repudiable signatures ● Public Blockchain (ETH) - decentralized timestamps for accountability ● Trustee Community - initializes the policies; competes for patients ● NOSH - A self-sovereign health record that doctors can sign-into with their credentials
- 24. Ontario Identity, Authentication, & Access by IDENTOS FPX
- 25. Case Study: Canadian Healthcare Challenges (key similarities & differences to the US) ● PHIPA does have provisions for patient consent ● However access is still limited as: ● Health records are not patient-centered ● Un-sustainable ● Patient identity “matching” is a less of a problem ● Due to Provincially issued health insurance and identifiers
- 26. What impact will patient digital access have? Digitally access personal health information (e.g. lab test results, prescription information), book appointments and track referrals. Interact virtually with a health care provider via video visit or secure messaging. Digitally share important information with their health care provider(s). Digitally ensure that patients control access to their data through consent and access controls.
- 27. Connecting Healthcare Journeys in Canada Digital Service Providers Identity Providers Data Resource Servers Digital Service Providers Data Resource Servers Identity Providers FPX Digital Service Providers Data Resource Servers Identity Providers FPX FPX National Health Ecosystem Regional Health Ecosystem Provincial Health Ecosystem UMA Authorization Hospital Ecosystem Digital Service Providers Data Resource Servers Identity Providers FPX
- 28. Discussion
- 29. Q&A
- 30. Closing Remarks & Current Activity
- 31. Current UMA Working Group ● Interested? Join the working group! Meet every Thursday ● Formalizing interop test suite ● Profiles and extensions ● AS first flows ● General resource definitions ● UMA “wallet”
- 32. Important Current Work ● TxAuth / OAuth 3 ● AS first ● Avoid client registration ● OAuth2 and UMA 2 are hard ● HEART ● Consent-based interop without “personal data stores” as intermediaries ● Influence TEFCA ● SIOP (Self-issued identity provider) ● Harmonize SSI and OpenID Connect
Editor's Notes
- Virtual health is more important than ever
- Ecosystems we’re designed for orgs to manage their risk. However the outcome for people is this
- Why UMA is made to solve the HC challenges BRIEF HOW SO WHAT -> 1 closed vs wide ecosystems, 2 user control and choicce (privacy!)
- The internet evolved amazingly through the introduction of new services - we were amazed by the value created as we could do more on the internet … This evolution happened quickly - and happenstance led us to the emergent topology we see today… We have many relationships with online services, each operating in silos each knowing a different digital version of me … each collecting, maintaining and we hope protecting some data about me. Research has shown that the average person has in excess of 120 online accounts/passwords.
- As users - we are not in control…the disconnect in our journey becomes critically obvious in ecosystems like healthcare where the handoffs and silos make for repetitive effort/frustration...and very little access to digital. Organizations are all investing over and over to solve the same problem and create another version of me…their burden, and friction to innovate and collaborate is at an all time high….
- 7. What if the internet protocols and organizations evolved …. ? --- what ive trust over IP existed and allowed organizations to know how and how its safe to connect with? --- imagine how we can unbind and accelerate the data economy with when the internet is working for the consumer who is actively participating to drive the exchange of value online --- how amazing would it be to have less version of you online...less
- Loosely coupled AS and RS This allows a person to protect many distributed resources from a single control point. This breaks the siloed data centered experience and presents a user centered ecosystem Dynamic Client Flows Client traditionally need significant knowledge of the resource and authorization setup. By enabling dynamic flows UMA supports wider choice in client and interoperability between authorization domains Party to Party Authz Alice isn’t the only person who needs access to her files. The ability to share her data with others, using policy under her control better represents the real world and quickly expands possible use cases. Fine Grained Authorization Alec TODO
- Ex Data is HIE, no manage account/services HIE/Repository introduction HC example/link back to our 4 challenges
- Make sure contrast to OAuth is highlighted, Alice->Alice doesn’t need fine grained Link back to doctor
- I will show an RS, AS, and two services, all in different domains. THe API access is entirely controlled by Alice. This shows some elements of fine grained auth, but not delegate
- Why UMA is made to solve the HC challenges BRIEF HOW SO WHAT -> 1 closed vs wide ecosystems, 2 user control and choice (privacy!)
- Trustee Community - policy initialization Policies are never on the wire Credentialed users can bypass institutions Public blockchain for accountability Patient is the customer
- Why UMA is made to solve the HC challenges BRIEF HOW SO WHAT -> 1 closed vs wide ecosystems, 2 user control and choice (privacy!)
- HICs require a high level of assurance and a lot of trust in the consumer apps that connect to sensitive digital health assets in order to minimize the risk of inappropriate access. In ON we’re giving people Options to login with required assurance for Health Care A hospital operated Authorization Server People may then put their HC data, such as provincial health records, under UMA protection And share these resources to existing public and private health portals, apps and services
- We started in healthcare...but more importantly instead of boiling the ocean, we’re introducing trust and access control, one ecosystem at a time... From the perspective that online trust, and access control needs to start with meaningful ecosystems...and interop is critical to move from bootstrapping to a meaningfully connected online experience. Interoperability of trust is the expansion of and connection of these local ecosystems
- Why UMA is made to solve the HC challenges BRIEF HOW SO WHAT -> 1 closed vs wide ecosystems, 2 user control and choice (privacy!)