Transcript Secure Node

Integrating the Healthcare Enterprise
Audit Trail and Node Authentication
G. Claeys
Agfa Healthcare R&D
Vendor Co-chair IHE Europe
Courtesy of IHE Committees
7 February 2005
1
IHE Europe Educational Event

IHE IT Infrastructure 2004-2005
• Cross-Enterprise Document Sharing (New): registration, distribution and access across health enterprises of clinical documents forming a patient electronic health record
• Retrieve Information for Display: access a patient’s clinical information and documents in a format ready to be presented to the requesting user
• Audit Trail & Node Authentication (New): centralized privacy audit trail and node to node authentication to create a secured domain
• Patient Identifier Cross-referencing for MPI: map patient identifiers across independent identification domains
• Consistent Time: coordinate time across networked systems
• Personnel White Page: access to workforce contact information
• Patient Demographics Query (New)
• Patient Synchronized Applications: synchronize multiple applications on a desktop to the same patient
• Enterprise User Authentication: provide users a single name and centralized authentication process across all systems
Scope
Defines basic security features for a system in a healthcare enterprise in order to guarantee:
• Only authorized persons have access to PHI (Protected Health Information)
• Protect PHI against alteration, destruction and loss
• Comply with existing Privacy & Security regulations
Extends the IHE radiology oriented Basic Security profile (2002) to be applicable to other healthcare uses.
Assumptions
IHE ATNA transactions take place in a secure domain:
• Users/devices in the secure domain adhere to the security policy of the hospital
• The secure network is isolated from external networks through a firewall
• Intrusion detection systems are in place to detect violations
Favor authentication & auditing over authorization
Security Mechanism
Security mechanism | Provided by
Authentication (user and device) | ATNA, EUA
Authorization | (none)
Accountability (audit trails) | ATNA
Confidentiality | ATNA
Integrity | ATNA
ATNA - Security mechanism
Device/User Authentication
• “Who are you?”
• Proof that the user/device is the one who it claims to be
• ATNA features:
  • Mutual device authentication over network, using certificates
  • User authentication -> responsibility of implementation
Authorization
• “What are you allowed to do?”
• Role based access control (RBAC)
• ATNA features:
  • Only authenticated users/devices can access PHI
  • RBAC is on the IHE roadmap
ATNA - Security mechanism (cont.)
Accountability (audit trails)
• “What have you done?”
• Mechanisms to record and examine user/system activity
• ATNA features:
  • Audit message format + transport protocol
Integrity
• Proof that data has not been altered or destroyed in an unauthorized manner
• ATNA features:
  • TLS based network communication
Confidentiality
• Protection of PHI, transmitted or stored
• Optional for intra-muros transmission
• Required for extra-muros transmission
• ATNA features:
  • TLS option of AES
IHE ATNA - Architecture
• Local access control (authentication of user)
• Strong authentication of remote node (digital certificates)
• Network traffic encryption is not required, it is optional
• Audit trail with:
  • Real-time access
  • Time synchronization
[Figure: two Secured Systems (System A and System B) connected over a secure network to a Central Audit Trail Repository]
IHE ATNA – New Actors
Secure Node
• Makes an actor secure
Audit Record Repository
• Receives audit messages
• Correlates audit information from different sources
• Patient- or user-centric analysis
• Filters & forwards messages to enterprise audit repositories
Time Server
• Maintains reference time
• Enables client applications to synchronise their time
IHE ATNA vs IHE Basic Security
• Focus on enterprise and not on radiology
• Support additional audit events (non-radiology related)
• Support additional audit event format
  • IETF format
• Support additional transport mechanism
  • Reliable syslog (cooked mode)
Backward compatibility
ATNA is backward compatible with Basic Security
• Applications supporting Basic Security are ATNA compliant
Basic Security is deprecated
• No further extensions
• New applications are encouraged to use the new message format and transport mechanism
IHE ATNA – Actor and Transactions
All existing IHE actors need to be grouped with a Secure Node actor.
[Diagram: a Secure Node, grouped with “Any” IHE actor, performs the Maintain Time transaction with the Time Server, the Record Audit Event transaction with the Audit Record Repository, and the Authenticate Node transaction with another Secure Node]

IHE ATNA – Transaction diagram
Secure Node
Local user authentication
• Only needed at “client” node
• Authentication mechanism:
  • User name and password (minimum)
  • Biometrics, smart card
• Secure nodes maintain a list of authorized users: local or central (using EUA)
• Security policy of hospital defines the relation between user and user id
Secure Node (cont.)
Mutual device authentication
• Establish a trust relationship between 2 network nodes
• Strong authentication by exchanging X.509 certificates
• Certificates have an expiration date of 2 yr
• Actor must be able to configure the certificate list of trusted nodes
TCP/IP Transport Layer Security Protocol (TLS)
• Used with DICOM/HL7/HTTP messages
• Secure handshake protocol of both parties during Association establishment:
  • Identify encryption protocol
  • Exchange session keys
• Supported ciphersuites:
  • TLS_RSA_WITH_NULL_SHA (message signing, no encryption, default)
  • TLS_RSA_WITH_AES_128_CBC_SHA (message signing + encryption, optional)
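As an added example (not from the slides), the checks a Secure Node can apply once the TLS handshake has completed, combining the two ciphersuites and the 2-year certificate limit listed above with the intra-/extra-muros encryption rule from the Confidentiality slide and the Node-authentication-failure audit trigger. The PeerCertificate stand-in, the fingerprint-based trusted list and all sample nodes are constructed assumptions.

```python
# Added example (not from the IHE slides): the post-handshake policy check a Secure Node
# runs before accepting an association. Names and sample data below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
# Ciphersuites listed on the slide and what each one provides.
CIPHERSUITES = {
    "TLS_RSA_WITH_NULL_SHA": {"integrity": True, "encryption": False},       # default
    "TLS_RSA_WITH_AES_128_CBC_SHA": {"integrity": True, "encryption": True},  # optional
}
MAX_CERT_LIFETIME = timedelta(days=2 * 365)  # slide: certificates expire after 2 yr
@dataclass
class PeerCertificate:  # only the X.509 fields the policy needs (stand-in, not a parser)
    subject: str
    fingerprint: str  # hex thumbprint as stored in the node's trusted-certificate list
    not_before: datetime
    not_after: datetime

def check_node_authentication(peer, ciphersuite, trusted_fingerprints, extra_muros, now):
    """Return (accepted, reason). Rules from the slides: peer on the configured trusted list,
    certificate valid now and living at most 2 years, every message signed, encryption
    required only when the link leaves the hospital (extra-muros)."""
    if peer.fingerprint.lower() not in {f.lower() for f in trusted_fingerprints}:
        return False, "node not in trusted certificate list"
    if not peer.not_before <= now <= peer.not_after:
        return False, "certificate outside validity period"
    if peer.not_after - peer.not_before > MAX_CERT_LIFETIME:
        return False, "certificate lifetime exceeds 2 years"
    suite = CIPHERSUITES.get(ciphersuite)
    if suite is None or not suite["integrity"]:
        return False, f"ciphersuite {ciphersuite} not permitted"
    if extra_muros and not suite["encryption"]:
        return False, "extra-muros transmission requires encryption"
    return True, "ok"

def node_authentication_failure_event(peer, reason, now):
    """Audit record for the IHE 'Node-authentication-failure' trigger, raised whenever the
    check above rejects a peer so the Audit Record Repository sees the attempt."""
    return {"event": "Node-authentication-failure", "time": now.isoformat(),
            "peer": peer.subject, "fingerprint": peer.fingerprint, "reason": reason}

# Constructed sample data for a stand-alone run (not real nodes or certificates).
NOW = datetime(2005, 2, 7, 9, 0)
TRUSTED = ["ab12cd34"]
KNOWN = PeerCertificate("CN=modality-a.example", "AB12CD34", NOW - timedelta(days=100), NOW + timedelta(days=600))
UNKNOWN = PeerCertificate("CN=laptop.example", "ffffffff", NOW - timedelta(days=1), NOW + timedelta(days=364))

def demo():  # default suite intra-muros, the same suite extra-muros, and an unknown node
    return (check_node_authentication(KNOWN, "TLS_RSA_WITH_NULL_SHA", TRUSTED, False, NOW),
            check_node_authentication(KNOWN, "TLS_RSA_WITH_NULL_SHA", TRUSTED, True, NOW),
            check_node_authentication(UNKNOWN, "TLS_RSA_WITH_AES_128_CBC_SHA", TRUSTED, False, NOW))
```

The default NULL_SHA suite is accepted inside the hospital but rejected the moment the same association is classified extra-muros, which is the distinction the Confidentiality slide draws.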
What it takes to be a secure node
The Secure Node is not a simple add-on of an auditing capability. The larger work effort is:
• Instrument all applications to detect auditable events and generate audit messages
• Ensure that all communications connections are protected (system hardening)
• Establish a local security mechanism to protect all local resources
• Establish configuration mechanisms for:
  • Time synchronization
  • Certificate management
  • Network configuration
• Implement the audit logging facility
Audit Record Repository
Receives audit events from applications/actors accessing PHI
ATNA defines:
• List of events that generate audit messages
• Audit message format
• Transport mechanism
Audit Events
• Audit triggers are defined for every operation that accesses PHI (create, delete, modify, import/export)
• The IHE TF describes the supported Audit Triggers per Actor
• Audit triggers are grouped on study level to minimize overhead
IHE Audit Trail Events
Combined list of IETF and DICOM events
• Actor-start-stop: the starting or stopping of any application or actor.
• Audit-log-used: reading or modification of any stored audit log.
• Begin-storing-instances: the storage of any persistent object, e.g. DICOM instances, is begun.
• Health-service-event: other health service related auditable event.
• Images-availability-query: the query for instances of persistent objects.
• Instances-deleted: the deletion of persistent objects.
• Instances-stored: the storage of persistent objects is completed.
• Medication: medication is prescribed, delivered, etc.
• Mobile-machine-event: mobile equipment is relocated, leaves the network, rejoins the network.
• Node-authentication-failure: an unauthorized or improperly authenticated node attempts communication.
• Order-record-event: an order is created, modified, completed.
• Patient-care-assignment: patient care assignments are created, modified, deleted.
• Patient-care-episode: auditable patient care episode event that is not specified elsewhere.
• Patient-record-event: patient care records are created, modified, deleted.
• PHI-export: patient information is exported outside the enterprise, either on media or electronically.
• PHI-import: patient information is imported into the enterprise, either on media or electronically.
• Procedure-record-event: the patient record is created, modified, or deleted.
• Query-information: any auditable query not otherwise specified.
• Security-administration: security alerts, configuration changes, etc.
• Study-object-event: a study is created, modified, or deleted.
• Study-used: a study is viewed, read, or similarly used.
Audit Message Format
Two audit message formats:
• IHE Radiology Provisional format, for backward compatibility with radiology
• New ATNA format, for future growth
  • Joint effort of IETF/DICOM/HL7/ASTM
  • Draft version: http://www.ietf.org/rfc/rfc3881.txt
• Both formats are XML encoded messages, permitting extensions using XML standard extension mechanisms
• An XSLT transformation is provided to convert the “Provisional” scheme to the “ATNA” scheme
Audit Transport Mechanism
Reliable Syslog – cooked mode
• Preferred mechanism
• RFC 3195
• Connection oriented
• Supports certificate based authentication and encryption
BSD Syslog protocol (RFC 3164) for backward compatibility
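The two slides above give the message format (the RFC 3881 XML draft) and the transport (syslog). As an added example, not from the slides or from IHE, the code below builds such a message, frames it as a BSD syslog (RFC 3164) line for the Audit Record Repository and parses it back. The RFC 3881 element and attribute names follow that draft; the syslog facility, host names, audit source id and the event code system are constructed placeholders, because the slides give event names but no code table.

```python
# Added example (not from the IHE slides): an ATNA-style audit message in the RFC 3881 XML
# layout, framed as a BSD syslog (RFC 3164) line for the Audit Record Repository and parsed
# back. Host names, audit source and the event code table are constructed placeholders.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

SYSLOG_FACILITY_LOCAL4 = 20  # constructed choice; use whatever facility the repository expects
SEVERITY_NOTICE, SEVERITY_WARNING = 5, 4
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def build_audit_message(event_name, outcome, user_id, node_ip, audit_source, when):
    """Return RFC 3881 AuditMessage XML as a string. outcome 0 = success, 4 = minor failure."""
    msg = ET.Element("AuditMessage")
    ev = ET.SubElement(msg, "EventIdentification",
                       EventActionCode="E", EventDateTime=when.isoformat(),
                       EventOutcomeIndicator=str(outcome))
    # The slides list event names only; the code system below is a placeholder.
    ET.SubElement(ev, "EventID", code=event_name, codeSystemName="IHE-placeholder",
                  displayName=event_name)
    ET.SubElement(msg, "ActiveParticipant", UserID=user_id, UserIsRequestor="true",
                  NetworkAccessPointID=node_ip, NetworkAccessPointTypeCode="2")  # 2 = IP address
    ET.SubElement(msg, "AuditSourceIdentification", AuditSourceID=audit_source)
    return ET.tostring(msg, encoding="unicode")

def syslog_frame(xml_payload, hostname, when, severity):
    """RFC 3164: <PRI>TIMESTAMP HOSTNAME TAG: MSG, with PRI = facility*8 + severity.
    The day of month is space-padded, e.g. 'Feb  7 09:00:00'."""
    pri = SYSLOG_FACILITY_LOCAL4 * 8 + severity
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} ATNA: {xml_payload}"

FRAME_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$", re.S)

def parse_frame(line):
    """Split a frame back into facility, severity, timestamp, host and the audited event."""
    m = FRAME_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 frame")
    pri = int(m.group(1))
    root = ET.fromstring(m.group(5))
    event = root.find("EventIdentification/EventID").get("displayName")
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "event": event,
            "outcome": int(root.find("EventIdentification").get("EventOutcomeIndicator"))}

# Constructed sample: a Secure Node reports an untrusted peer (Node-authentication-failure).
WHEN = datetime(2005, 2, 7, 9, 0, 0)
SAMPLE_FRAME = syslog_frame(
    build_audit_message("Node-authentication-failure", 4, "pacs-a@example", "10.0.0.9",
                        "pacs-a.example", WHEN), "pacs-a", WHEN, SEVERITY_WARNING)
```

The RFC 3164 framing is shown because it is the backward-compatible path; the preferred RFC 3195 cooked-mode transport carries the same XML payload over an authenticated connection and is not reproduced here.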
More information…
IHE Web sites:
• www.ihe.net
• www.ihe-europe.org
Technical Frameworks:
• ITI V1.0, RAD V5.5, LAB V1.0
Technical Framework Supplements - Trial Implementation:
• May 2004: Radiology
• August 2004: Cardiology, IT Infrastructure
Non-Technical Brochures:
• Calls for Participation
• IHE Fact Sheet and FAQ
• IHE Integration Profiles: Guidelines for Buyers
• IHE Connect-a-thon Results
• Vendor Products Integration Statements