
7 February 2005, IHE Europe Educational Event

Audit Trail and Node Authentication

Integrating the Healthcare Enterprise

G. Claeys, Agfa Healthcare R&D

Vendor Co-chair IHE Europe

Courtesy of IHE Committees

IHE IT Infrastructure 2004-2005

Enterprise User Authentication: provide users a single name and a centralized authentication process across all systems

Retrieve Information for Display: access a patient’s clinical information and documents in a format ready to be presented to the requesting user

Patient Identifier Cross-referencing for MPI: map patient identifiers across independent identification domains

Patient Synchronized Applications: synchronize multiple applications on a desktop to the same patient

Consistent Time: coordinate time across networked systems

Patient Demographics Query (new)

Personnel White Page (new): access to workforce contact information

Cross-Enterprise Document Sharing (new): registration, distribution and access across health enterprises of clinical documents forming a patient electronic health record

Audit Trail & Node Authentication (new): centralized privacy audit trail and node to node authentication to create a secured domain.

Scope

Defines basic security features for a system in a healthcare enterprise in order to guarantee:
• Only authorized persons have access to PHI (Protected Health Information)
• PHI is protected against alteration, destruction and loss
• Compliance with existing Privacy & Security regulations

Extends the IHE radiology oriented Basic Security profile (2002) to be applicable to other healthcare uses.

Assumptions

• IHE ATNA transactions take place in a secure domain
• Users/devices in the secure domain adhere to the security policy of the hospital
• The secure network is isolated from external networks through a firewall
• Intrusion detection systems are in place to detect violations
• Favor authentication & auditing over authorization

Security Mechanism

Authentication (user and device): ATNA, EUA
Authorization: no profile yet (RBAC is on the IHE roadmap)
Accountability (audit trails): ATNA
Confidentiality: ATNA
Integrity: ATNA

ATNA - Security mechanism

Device/User Authentication: “Who are you?” Proof that the user/device is the one it claims to be. ATNA features:
• Mutual device authentication over the network, using certificates
• User authentication -> responsibility of the implementation

Authorization: “What are you allowed to do?” Role based access control (RBAC). ATNA features:
• Only authenticated users/devices can access PHI
• RBAC is on the IHE roadmap

ATNA - Security mechanism (cont.)

Accountability (audit trails): “What have you done?” Mechanisms to record and examine user/system activity. ATNA features:
• Audit message format + transport protocol

Integrity: proof that data has not been altered or destroyed in an unauthorized manner. ATNA features:
• TLS based network communication

Confidentiality: protection of PHI, transmitted or stored. Optional for intra-muros transmission, required for extra-muros transmission. ATNA features:
• TLS option of AES

IHE ATNA - Architecture

(Diagram: System A and System B, each a Secured System on the Secure network, both reporting to a Central Audit Trail Repository.)

Secure network:
• Strong authentication of the remote node (digital certificates)
• Network traffic encryption is not required, it is optional

Secured System:
• Local access control (authentication of the user)
• Audit trail with real-time access and time synchronization

IHE ATNA – New Actors

Secure Node: makes an actor secure

Audit Record Repository:
• Receives audit messages
• Correlates audit information from different sources
• Patient- or user-centric analysis
• Filters & forwards messages to enterprise audit repositories

Time Server:
• Maintains the reference time
• Enables client applications to synchronise their time

IHE ATNA vs IHE Basic Security

• Focus on the enterprise and not on radiology
• Support additional audit events (non-radiology related)
• Support an additional audit event format: IETF format
• Support an additional transport mechanism: Reliable syslog (cooked mode)

Backward compatibility

• ATNA is backward compatible with Basic Security: applications supporting Basic Security are ATNA compliant
• Basic Security is deprecated: no further extensions; new applications are encouraged to use the new message format and transport mechanism

IHE ATNA – Actor and Transactions

All existing IHE actors need to be grouped with a Secure Node actor.

(Diagram.) Actors: Secure Node (grouped with “any” IHE actor), Audit Record Repository, Time Server. Transactions: Record Audit Event (to the Audit Record Repository), Authenticate Node (between Secure Nodes), Maintain Time (with the Time Server).

IHE ATNA – Transaction diagram (diagram only; not reproduced in the transcript)

Secure Node

Local user authentication:
• Only needed at the “client” node
• Authentication mechanism: user name and password (minimum); biometrics, smart card
• Secure nodes maintain a list of authorized users: local or central (using EUA)
• The security policy of the hospital defines the relation between user and user id

Secure Node (cont.)

Mutual device authentication:
• Establish a trust relationship between 2 network nodes
• Strong authentication by exchanging X.509 certificates
• Certificates have an expiration date of 2 yr
• The actor must be able to configure the certificate list of trusted nodes

TCP/IP Transport Layer Security Protocol (TLS):
• Used with DICOM/HL7/HTTP messages
• Secure handshake protocol of both parties during association establishment: identify the encryption protocol, exchange session keys
• Supported ciphersuites: TLS_RSA_WITH_NULL_SHA (message signing, no encryption, default); TLS_RSA_WITH_AES_128_CBC_SHA (message signing + encryption, optional)
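As an added example (not IHE’s or Agfa’s code), the Secure Node side of the mutual authentication above in Python’s ssl module: a context that requires a certificate from the peer, plus the post-handshake policy check against the configured list of trusted nodes and the 2-year certificate lifetime, with a rejection mapped to the Node-authentication-failure audit trigger. Assumed: the trusted list is keyed by certificate commonName, certificates are handled in ssl.getpeercert() dict layout, and the node names and dates are constructed.

```python
import ssl

TWO_YEARS = 2 * 365 * 24 * 3600  # slide policy: certificates expire after 2 yr

def secure_node_context(ca_file=None, cert_file=None, key_file=None,
                        server=True, ciphers=None):
    """TLS context for a Secure Node: the peer must present a certificate
    whichever side initiates, so authentication is mutual."""
    proto = ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:                       # the configured certificates of trusted nodes
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:                     # this node's own certificate and private key
        ctx.load_cert_chain(cert_file, key_file)
    if ciphers:                       # e.g. the OpenSSL name of the slide's AES suite
        ctx.set_ciphers(ciphers)
    return ctx

def common_name(cert):
    """Subject commonName from a certificate in ssl.getpeercert() layout."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def accept_peer(cert, trusted_nodes, now):
    """Policy check after the TLS handshake has verified the signature chain.
    Returns (accepted, audit_trigger, reason); 'now' is seconds since the epoch."""
    cn = common_name(cert)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if cn not in trusted_nodes:
        reason = f"{cn!r} is not in the configured list of trusted nodes"
    elif not not_before <= now <= not_after:
        reason = "certificate is outside its validity period"
    elif not_after - not_before > TWO_YEARS:
        reason = "certificate validity exceeds the 2-year policy"
    else:
        return True, None, "peer accepted"
    # A rejected peer is itself an auditable event from the slide's trigger list.
    return False, "Node-authentication-failure", reason

# Constructed sample data (hypothetical node names), not from any real deployment.
TRUSTED_NODES = {"pacs.hospital.example", "ris.hospital.example"}
PEER_CERT = {
    "subject": ((("commonName", "pacs.hospital.example"),),),
    "notBefore": "Feb  7 00:00:00 2005 GMT",
    "notAfter": "Feb  7 00:00:00 2007 GMT",
}
```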

What it takes to be a secure node

The Secure Node is not a simple add-on of an auditing capability. The larger work effort is:
• Instrument all applications to detect auditable events and generate audit messages
• Ensure that all communications connections are protected (system hardening)
• Establish a local security mechanism to protect all local resources
• Establish configuration mechanisms for time synchronization, certificate management and network configuration
• Implement the audit logging facility

Audit Record Repository

Receives audit events from applications/actors accessing PHI

ATNA defines:
• The list of events that generate audit messages
• The audit message format
• The transport mechanism

Audit Events

• Audit triggers are defined for every operation that accesses PHI (create, delete, modify, import/export)
• The IHE TF describes the supported Audit Triggers per Actor
• Audit triggers are grouped at study level to minimize overhead

IHE Audit Trail Events: combined list of IETF and DICOM events

Actor-start-stop: the starting or stopping of any application or actor.
Audit-log-used: reading or modification of any stored audit log.
Begin-storing-instances: the storage of any persistent object, e.g. DICOM instances, is begun.
Health-service-event: other health service related auditable event.
Images-availability-query: the query for instances of persistent objects.
Instances-deleted: the deletion of persistent objects.
Instances-stored: the storage of persistent objects is completed.

IHE Audit Trail Events (cont.)

Medication: medication is prescribed, delivered, etc.
Mobile-machine-event: mobile equipment is relocated, leaves the network, rejoins the network.
Node-authentication-failure: an unauthorized or improperly authenticated node attempts communication.
Order-record-event: an order is created, modified, completed.
Patient-care-assignment: patient care assignments are created, modified, deleted.
Patient-care-episode: auditable patient care episode event that is not specified elsewhere.
Patient-record-event: patient care records are created, modified, deleted.

IHE Audit Trail Events (cont.)

PHI-export: patient information is exported outside the enterprise, either on media or electronically.
PHI-import: patient information is imported into the enterprise, either on media or electronically.
Procedure-record-event: the patient record is created, modified, or deleted.
Query-information: any auditable query not otherwise specified.
Security-administration: security alerts, configuration changes, etc.
Study-object-event: a study is created, modified, or deleted.
Study-used: a study is viewed, read, or similarly used.

Audit Message Format

Two audit message formats:
• IHE Radiology Provisional format, for backward compatibility with radiology
• New ATNA format, for future growth: joint effort of IETF/DICOM/HL7/ASTM; draft version: http://www.ietf.org/rfc/rfc3881.txt

Both formats are XML encoded messages, permitting extensions using XML standard extension mechanisms.

An XSLT transformation is provided to convert messages in the “Provisional” schema to the “ATNA” schema.

Audit Transport Mechanism

• Reliable Syslog – cooked mode (RFC 3195): preferred mechanism; connection oriented; supports certificate based authentication and encryption
• BSD Syslog protocol (RFC 3164), for backward compatibility
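As an added example covering both the message format slide above and this transport slide (not IETF, IHE or Agfa code): build an RFC 3881-style AuditMessage for the Study-used trigger, frame it as a BSD syslog (RFC 3164) record, and parse it back on the Audit Record Repository side. Element and attribute names follow RFC 3881 as recalled by the writer of this example; the EventID code system, the coded values marked in comments, the syslog facility/severity, and all host, user and UID values are assumptions or constructed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

LOCAL4, NOTICE = 20, 5  # assumed syslog facility/severity for audit records
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def build_audit_message(event, action, when, user, node_ip, source_id, study_uid):
    """RFC 3881 AuditMessage for one PHI access, e.g. a 'Study-used' read."""
    msg = ET.Element("AuditMessage")
    ev = ET.SubElement(msg, "EventIdentification",
                       EventActionCode=action,            # C/R/U/D/E per RFC 3881
                       EventDateTime=when.isoformat(),
                       EventOutcomeIndicator="0")         # 0 = success
    # The slide's trigger name is carried as the EventID; the code system is assumed.
    ET.SubElement(ev, "EventID", code=event, codeSystemName="IHE-ATNA-triggers")
    ET.SubElement(msg, "ActiveParticipant", UserID=user, UserIsRequestor="true",
                  NetworkAccessPointID=node_ip,
                  NetworkAccessPointTypeCode="2")         # 2 = IP address (assumed)
    ET.SubElement(msg, "AuditSourceIdentification", AuditSourceID=source_id)
    obj = ET.SubElement(msg, "ParticipantObjectIdentification",
                        ParticipantObjectID=study_uid,
                        ParticipantObjectTypeCode="2",     # 2 = system object (assumed)
                        ParticipantObjectTypeCodeRole="3") # 3 = report (assumed)
    ET.SubElement(obj, "ParticipantObjectIDTypeCode", code="12")  # 12 = URI (assumed)
    return ET.tostring(msg, encoding="unicode")

def syslog_record(payload, when, hostname):
    """Frame the XML as a BSD syslog line: <PRI>TIMESTAMP HOSTNAME MSG."""
    pri = LOCAL4 * 8 + NOTICE
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 day is space-padded
    return f"<{pri}>{stamp} {hostname} {payload}"

def parse_syslog_record(record):
    """Repository side: recover facility, severity, host and the audited event name."""
    m = SYSLOG_RE.match(record)
    if not m:
        raise ValueError("not an RFC 3164 record")
    pri = int(m.group(1))
    event = ET.fromstring(m.group(4)).find("EventIdentification/EventID").get("code")
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group(3), "event": event}

# Constructed sample: a workstation user viewing one study (hypothetical values).
SAMPLE_TIME = datetime(2005, 2, 7, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE = syslog_record(
    build_audit_message("Study-used", "R", SAMPLE_TIME, "dr.jones",
                        "10.0.0.12", "pacs-ws01", "1.2.3.4.5"),
    SAMPLE_TIME, "pacs-ws01")
```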

More information…

IHE Web sites: www.ihe.net, www.ihe-europe.org

Technical Frameworks:
• ITI V1.0, RAD V5.5, LAB V1.0

Technical Framework Supplements - Trial Implementation:
• May 2004: Radiology
• August 2004: Cardiology, IT Infrastructure

Non-Technical Brochures:
• Calls for Participation
• IHE Fact Sheet and FAQ
• IHE Integration Profiles: Guidelines for Buyers
• IHE Connect-a-thon Results
• Vendor Products Integration Statements