This is the talk that I had at Med-e-Tel 2015, presenting IHE security profiles, how to exploit IHE to fulfill the security needs of local, regional, national, continental, healthcare information exchange

1. What IHE Delivers
Massimiliano Masi,
Tiani “Spirit” GmbH
Addressing Security and
Privacy through IHE Profiles

2. Layers of Policies
International
Country-Specific
Horizontal Industry
Enterprise
OECD Guidelines on Transborder Flows
Examples
Profilesenables/enforces
US-HIPAA; eIDAS; JP-Act 57 - 2003
Medical Professional Societies
Backup and Recovery
May 3, 2015 2

3. Risk Scenario
In this scenario:
• The vulnerability is the
hole in the roof
• The threat is the rain
cloud
• Rain could exploit the
vulnerability
The risk is that the building and equipment in the building
could be damaged as long as the vulnerability exists and
there is a likely chance that rain will fall.
May 3, 2015 3

4. Security Dimensions
May 3, 2015 4

5. Security Dimensions
Risk
Assessment
Detail the
Measures
Apply for
a solution
May 3, 2015 5

6. Security & Privacy Controls
IHE Profile Profile
Issued
AuditLog
Identificationand
Authentication
DataAccess
Control
Secrecy
DataIntegrity
Non-Repudiation
PatientPrivacy
Audit Trails and Node Authentication 2004 √ √ √ √ √ √ √
Consistent Time 2003 √ ∙ √
Enterprise User Authentication 2003 √ ∙ ∙ ∙
Cross-Enterprise User Assertion 2006 √ ∙ ∙ ∙
Basic Patient Privacy Consents 2006 ∙ √
Personnel White Pages 2004 √ √ ∙
Healthcare Provider Directory 2010 √ ∙ ∙
Document Digital Signature 2005 √ √ √
Document Encryption 2011 √ √ ∙
Profiles mapped to Security & Privacy Controls
May 3, 2015 6

7. Security & Privacy Controls
IHE Profile Profile
Issued
AuditLog
Identificationand
Authentication
DataAccess
Control
Secrecy
DataIntegrity
Non-Repudiation
PatientPrivacy
Internet User Authorization 2015 √ √
Secure Retrieve 2015 √ √
Access Control WP 2009 √ √ √
Profiles mapped to Security & Privacy Controls
May 3, 2015 7

8. Example: the epSOS project
epSOS (2008-2014) was a large scale pilot that enabled
the secure and reliable exchange of Patient Summary
and ePrescription
epSOS has been built on the IHE profiles
Security Requirements related to the pan-European
exchange of Private Healthcare Information
Now sustained through EXPAND, input from EU
projects as e-SENS, Trillium Bridge
May 3, 2015 8

9. Example: the epSOS project
Authentication made through IHE Cross Enterprise
Document assertion
Authorization following the IHE White Paper on
Access Control
Traceability through Audit Trail and Node
Authentication
Consistent Time
Privacy Consent through Basic Patient Privacy
Consent
May 3, 2015 9

10. Example: the epSOS Project
Profiles are flexible enough that can cope with
any Health IT project (IHE starts with a Clinical
Use Case)
Grouping (e.g.) merging, enables the building
of complex IT Architectures that are
successfully constrained by the Regional /
Governmental / Enterprise policies
Usage of IHE profiles ease the compliance
with regulations and industry best practices
May 3, 2015 10

11. Example: technology
IHE Security profiles uses the state of the art of the IT
Security Technology
 Security Assertion Markup Language (SAML) for authentication tokens
(e.g. Stork)
 OAuth2.0 (JWT / SAML) for RESTFul authorization (e.g., Google)
 XaDES for Digital Signature (e.g., ETSI)
 CMS for document encryption (and hash)
 X.509 certificates (and full PKI support) to authenticate nodes (TLSv1.2)
 rfc5424 for audit trails (ex rfc3881)
 NTP to maintain time
 Kerberos (Active Directory) for Enterprise-level authentication (e.g.,
SPNEGO, GSSAPI)
May 3, 2015 11

12. Conclusion
IHE Security Profiles provides the “security glue” for
IHE standards such as XDS, PIX
Easy to specify and to combine with the widely used
profiles for data sharing
Flexible and extensible enough to adapt to
international / governmental / regional / enterprise
level policy
Widely adopted in EU LSP: epSOS, e-SENS, EXPAND,
Trillium Bridge, and in dozens of national projects
(NÖGUS, Veneto region, ELGA, eFA …)
May 3, 2015 12

13. 13
More Information
IHE Web site: www.ihe.net
 IHE official material
Technical Framework documents
IHE Wiki site: wiki.ihe.net
 IHE committee pages
 Implementation Notes
 Ongoing committee work
IHE ITI technical committee mailing list
 Instructions on the bottom of :
http://www.ihe.net/IT_Infra/committees
May 3, 2015

14. 14May 3, 2015