7 February 2005 IHE Europe Educational Event

Audit Trail and Node Authentication
Integrating the Healthcare Enterprise

G. Claeys, Agfa Healthcare R&D
Vendor Co-chair IHE Europe
Courtesy of IHE Committees
IHE IT Infrastructure 2004-2005

• Enterprise User Authentication: provide users a single name and centralized authentication process across all systems
• Retrieve Information for Display: access a patient's clinical information and documents in a format ready to be presented to the requesting user
• Patient Identifier Cross-referencing for MPI: map patient identifiers across independent identification domains
• Patient Synchronized Applications: synchronize multiple applications on a desktop to the same patient
• Consistent Time: coordinate time across networked systems
• Patient Demographics Query (new)
• Personnel White Page (new): access to workforce contact information
• Cross-Enterprise Document Sharing (new): registration, distribution and access across health enterprises of clinical documents forming a patient electronic health record
• Audit Trail & Node Authentication (new): centralized privacy audit trail and node-to-node authentication to create a secured domain
Scope

• Defines basic security features for a system in a healthcare enterprise in order to guarantee:
  • Only authorized persons have access to PHI (Protected Health Information)
  • PHI is protected against alteration, destruction and loss
  • Compliance with existing privacy & security regulations
• Extends the IHE radiology-oriented Basic Security profile (2002) to be applicable to other healthcare uses.
Assumptions

• IHE ATNA transactions take place in a secure domain
• Users/devices in the secure domain adhere to the security policy of the hospital
• The secure network is isolated from external networks through a firewall
• Intrusion detection systems are in place to detect violations
• Favor authentication & auditing over authorization
Security Mechanism

Security mechanism                  IHE profile(s)
Authentication (user and device)    ATNA, EUA
Authorization                       (none yet)
Accountability (audit trails)       ATNA
Confidentiality                     ATNA
Integrity                           ATNA
ATNA - Security mechanism

Device/User Authentication: "Who are you?" Proof that the user/device is the one it claims to be.
ATNA features:
• Mutual device authentication over the network, using certificates
• User authentication -> responsibility of the implementation

Authorization: "What are you allowed to do?" Role based access control (RBAC).
ATNA features:
• Only authenticated users/devices can access PHI
• RBAC is on the IHE roadmap
ATNA - Security mechanism (cont.)

Accountability (audit trails): "What have you done?" Mechanisms to record and examine user/system activity.
ATNA features:
• Audit message format + transport protocol

Integrity: proof that data has not been altered or destroyed in an unauthorized manner.
ATNA features:
• TLS based network communication

Confidentiality: protection of PHI, transmitted or stored. Optional for intra-muros transmission, required for extra-muros transmission.
ATNA features:
• TLS option of AES
IHE ATNA - Architecture

Diagram: System A and System B, each a Secured System, communicate over a secure network and report to a Central Audit Trail Repository.

Secure network:
• Strong authentication of the remote node (digital certificates)
• Network traffic encryption is not required, it is optional

Secured System:
• Local access control (authentication of user)
• Audit trail with:
  • Real-time access
  • Time synchronization

Central Audit Trail Repository
IHE ATNA - New Actors

Secure Node
• Makes an actor secure

Audit Record Repository
• Receives audit messages
• Correlates audit information from different sources
• Patient- or user-centric analysis
• Filters & forwards messages to enterprise audit repositories

Time Server
• Maintains reference time
• Enables client applications to synchronise their time
IHE ATNA vs IHE Basic Security

• Focus on the enterprise and not on radiology
• Support additional audit events (non-radiology related)
• Support an additional audit event format: IETF format
• Support an additional transport mechanism: Reliable syslog (cooked mode)
Backward compatibility

• ATNA is backward compatible with Basic Security: applications supporting Basic Security are ATNA compliant
• Basic Security is deprecated: no further extensions; new applications are encouraged to use the new message format and transport mechanism
IHE ATNA - Actors and Transactions

All existing IHE actors need to be grouped with a Secure Node actor.

Actors:
• Secure Node ("any" IHE actor grouped with it)
• Audit Record Repository
• Time Server

Transactions:
• Record Audit Event (Secure Node -> Audit Record Repository)
• Authenticate Node (Secure Node <-> Secure Node)
• Maintain Time (Secure Node <-> Time Server)
IHE ATNA - Transaction diagram
(Diagram only; not reproduced in the transcript.)
Secure Node

• Local user authentication: only needed at the "client" node
• Authentication mechanism:
  • User name and password (minimum)
  • Biometrics, smart card
• Secure nodes maintain a list of authorized users: local or central (using EUA)
• The security policy of the hospital defines the relation between user and user id
Secure Node (cont.)

• Mutual device authentication: establish a trust relationship between 2 network nodes
  • Strong authentication by exchanging X.509 certificates
  • Certificates have an expiration date of 2 years
  • The actor must be able to configure the certificate list of trusted nodes
• TCP/IP Transport Layer Security Protocol (TLS): used with DICOM/HL7/HTTP messages
  • Secure handshake protocol between both parties during association establishment:
    • Identify encryption protocol
    • Exchange session keys
  • Supported cipher suites:
    • TLS_RSA_WITH_NULL_SHA (message signing, no encryption, default)
    • TLS_RSA_WITH_AES_128_CBC_SHA (message signing + encryption, optional)
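The node-authentication rules on this slide, as an added example that is not part of the presentation and not IHE reference code: a Python sketch of how a Secure Node could set up its TLS side (mutual certificate verification on both the listening and the connecting end, TLS 1.2 as a minimum, the slide's optional AES suite under its OpenSSL name AES128-SHA) and then apply the profile's own policy to the peer certificate: the node must be on the configured trusted-node list and its certificate must be inside its two-year validity window. The node names, dates and the TLS 1.2 floor are assumptions; the standard-library ssl calls are real.

```python
import ssl
import time

# Constructed trusted-node list: the subject CNs this Secure Node accepts.
# In a deployment this is the actor's configured "certificate list of trusted
# nodes"; the names are placeholders.
TRUSTED_NODE_CNS = {"pacs-archive.hospital.example", "ris-server.hospital.example"}

# Constructed example of what SSLSocket.getpeercert() returns for a trusted
# node whose certificate carries the profile's two-year validity period.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Hospital Example"),),
                (("commonName", "pacs-archive.hospital.example"),)),
    "notBefore": "Feb  7 00:00:00 2005 GMT",
    "notAfter": "Feb  7 00:00:00 2007 GMT",
}


def build_secure_node_context(server_side, cafile=None, certfile=None, keyfile=None,
                              cipher_suite="AES128-SHA"):
    """Return an SSLContext applying the ATNA node-authentication rules.

    Mutual authentication: the listening side demands a peer certificate just
    like the connecting side does, so CERT_REQUIRED is set on the server
    context too (client contexts have it by default). "AES128-SHA" is
    OpenSSL's name for TLS_RSA_WITH_AES_128_CBC_SHA, the slide's optional
    encrypting suite; pass None to keep the library default.
    """
    protocol = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # policy choice for this example
    ctx.verify_mode = ssl.CERT_REQUIRED            # peer must present a certificate
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # CA(s) that issued trusted node certs
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)  # this node's identity
    if cipher_suite:
        ctx.set_ciphers(cipher_suite)
    return ctx


def describe_context(ctx):
    """Summarise the two settings a reviewer checks first on a Secure Node context."""
    return {"verify_mode": ctx.verify_mode.name,
            "minimum_version": ctx.minimum_version.name}


def check_peer_node(peercert, now_ts=None):
    """Apply the ATNA policy to a peer certificate dict from getpeercert().

    The TLS layer has already validated the chain against the loaded CA. This
    adds: the node's CN must be on the trusted list and the certificate must
    be inside its notBefore/notAfter window. Returns (accepted, reason).
    """
    now_ts = time.time() if now_ts is None else now_ts
    subject = dict(item for rdn in peercert.get("subject", ()) for item in rdn)
    cn = subject.get("commonName")
    if cn not in TRUSTED_NODE_CNS:
        return False, f"node {cn!r} is not in the trusted node list"
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not (not_before <= now_ts <= not_after):
        return False, f"certificate for {cn!r} is outside its validity period"
    return True, f"node {cn!r} accepted"


if __name__ == "__main__":
    print(describe_context(build_secure_node_context(server_side=True)))
    print(check_peer_node(SAMPLE_PEERCERT, now_ts=1136073600))   # 2006-01-01: inside the window
    print(check_peer_node(SAMPLE_PEERCERT, now_ts=1199145600))   # 2008-01-01: expired
```

A rejected peer is exactly the situation the Node-authentication-failure audit event later in the deck is meant to capture, so the reason string returned here is what a Secure Node would put into that audit message. Note also that the slide's default suite, TLS_RSA_WITH_NULL_SHA, authenticates and integrity-protects the bytes but leaves them readable on the wire; where the earlier slide requires confidentiality (extra-muros transmission), the AES suite has to be the configured one.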
What it takes to be a secure node

The Secure Node is not a simple add-on of an auditing capability. The larger work effort is:
• Instrument all applications to detect auditable events and generate audit messages.
• Ensure that all communications connections are protected (system hardening).
• Establish a local security mechanism to protect all local resources.
• Establish configuration mechanisms for:
  • Time synchronization
  • Certificate management
  • Network configuration
• Implement the audit logging facility.
Audit Record Repository

• Receives audit events from applications/actors accessing PHI
• ATNA defines:
  • The list of events that generate audit messages
  • The audit message format
  • The transport mechanism
Audit Events

• Audit triggers are defined for every operation that accesses PHI (create, delete, modify, import/export)
• The IHE TF describes the supported audit triggers per actor
• Audit triggers are grouped at study level to minimize overhead
IHE Audit Trail Events: combined list of IETF and DICOM events

• Actor-start-stop: The starting or stopping of any application or actor.
• Audit-log-used: Reading or modification of any stored audit log.
• Begin-storing-instances: The storage of any persistent object, e.g. DICOM instances, is begun.
• Health-service-event: Other health service related auditable event.
• Images-availability-query: The query for instances of persistent objects.
• Instances-deleted: The deletion of persistent objects.
• Instances-stored: The storage of persistent objects is completed.
• Medication: Medication is prescribed, delivered, etc.
• Mobile-machine-event: Mobile equipment is relocated, leaves the network, rejoins the network.
• Node-authentication-failure: An unauthorized or improperly authenticated node attempts communication.
• Order-record-event: An order is created, modified, completed.
• Patient-care-assignment: Patient care assignments are created, modified, deleted.
• Patient-care-episode: Auditable patient care episode event that is not specified elsewhere.
• Patient-record-event: Patient care records are created, modified, deleted.
• PHI-export: Patient information is exported outside the enterprise, either on media or electronically.
• PHI-import: Patient information is imported into the enterprise, either on media or electronically.
• Procedure-record-event: The patient record is created, modified, or deleted.
• Query-information: Any auditable query not otherwise specified.
• Security-administration: Security alerts, configuration changes, etc.
• Study-object-event: A study is created, modified, or deleted.
• Study-used: A study is viewed, read, or similarly used.
Audit Message Format

• Two audit message formats:
  • IHE Radiology Provisional format, for backward compatibility with radiology
  • New ATNA format, for future growth
    • Joint effort of IETF/DICOM/HL7/ASTM
    • Draft version: http://www.ietf.org/rfc/rfc3881.txt
• Both formats are XML encoded messages, permitting extensions using XML standard extension mechanisms.
• An XSLT transformation is provided to convert the "Provisional" schema to the "ATNA" schema.
Audit Transport Mechanism

• Reliable Syslog, cooked mode (RFC 3195): preferred mechanism
  • Connection oriented
  • Supports certificate based authentication and encryption
• BSD Syslog protocol (RFC 3164) for backward compatibility
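The message format and transport slides above, plus the Audit Record Repository's patient-centric analysis from the New Actors slide, as one added Python example that is not part of the presentation and not IHE code: a Secure Node builds an RFC 3881 style AuditMessage for two events from the event list (Study-used, Instances-stored), wraps it in a BSD syslog (RFC 3164) line, and the repository side parses the line back and indexes the events by patient. Element names follow the RFC 3881 schema as the example recalls it; the coded values in the comments, the syslog facility, the "ATNA" tag, and all user, node and patient identifiers are constructed assumptions. RFC 3164 is used here rather than RFC 3195 cooked mode only because its framing fits in a few lines.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# RFC 3164: PRI = facility * 8 + severity. Facility and severity are an
# assumption for this example (local0 = 16, informational = 6).
SYSLOG_FACILITY_LOCAL0 = 16
SYSLOG_SEVERITY_INFO = 6

_SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$", re.S)


def build_audit_message(event_code, action_code, user_id, node_id, patient_id, event_time):
    """Serialise one audit event as an RFC 3881 style AuditMessage (XML text)."""
    root = ET.Element("AuditMessage")
    ev = ET.SubElement(root, "EventIdentification",
                       EventActionCode=action_code,              # C/R/U/D/E
                       EventDateTime=event_time.isoformat(),
                       EventOutcomeIndicator="0")                # 0 = success
    ET.SubElement(ev, "EventID", code=event_code, codeSystemName="IHE", displayName=event_code)
    ET.SubElement(root, "ActiveParticipant", UserID=user_id, UserIsRequestor="true",
                  NetworkAccessPointID=node_id, NetworkAccessPointTypeCode="1")  # 1 = machine name
    ET.SubElement(root, "AuditSourceIdentification", AuditSourceID=node_id)
    po = ET.SubElement(root, "ParticipantObjectIdentification",
                       ParticipantObjectID=patient_id,
                       ParticipantObjectTypeCode="1",            # 1 = person
                       ParticipantObjectTypeCodeRole="1")        # 1 = patient
    ET.SubElement(po, "ParticipantObjectIDTypeCode", code="2")   # 2 = patient number
    return ET.tostring(root, encoding="unicode")


def syslog_frame(hostname, event_time, payload,
                 facility=SYSLOG_FACILITY_LOCAL0, severity=SYSLOG_SEVERITY_INFO):
    """Wrap a payload in an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = facility * 8 + severity
    ts = f"{event_time:%b} {event_time.day:2d} {event_time:%H:%M:%S}"   # e.g. "Feb  7 14:05:00"
    return f"<{pri}>{ts} {hostname} ATNA: {payload}"


def parse_syslog_frame(line):
    """Repository side: split a line into PRI fields, host, tag and the parsed XML."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "message": ET.fromstring(m.group(5))}


def index_by_patient(lines):
    """Patient-centric view: patient id -> list of (event code, user id, sending host)."""
    by_patient = {}
    for line in lines:
        rec = parse_syslog_frame(line)
        msg = rec["message"]
        code = msg.find("EventIdentification/EventID").get("code")
        user = msg.find("ActiveParticipant").get("UserID")
        for po in msg.findall("ParticipantObjectIdentification"):
            if po.get("ParticipantObjectTypeCodeRole") == "1":     # only patient objects
                by_patient.setdefault(po.get("ParticipantObjectID"), []).append((code, user, rec["host"]))
    return by_patient


def sample_audit_lines():
    """Constructed traffic from two secure nodes; every identifier is made up."""
    t = datetime(2005, 2, 7, 14, 5, 0, tzinfo=timezone.utc)
    events = [
        ("Study-used", "R", "dr.jansen", "ws-radiology-01", "P-000123"),
        ("Study-used", "R", "dr.peeters", "ws-radiology-02", "P-000123"),
        ("Instances-stored", "C", "modality-ct-1", "ct-scanner-1", "P-000456"),
    ]
    return [syslog_frame(node, t, build_audit_message(code, action, user, node, patient, t))
            for code, action, user, node, patient in events]


if __name__ == "__main__":
    for patient, entries in index_by_patient(sample_audit_lines()).items():
        print(patient, entries)
```

The index is the minimum a repository needs for the "who touched this patient's data" question; in practice the same parsed record also feeds the user-centric view (group on UserID instead) and the filter-and-forward step to an enterprise repository, both of which only need the fields parse_syslog_frame already exposes.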
More information...

IHE Web sites: www.ihe.net, www.ihe-europe.org

Technical Frameworks:
• ITI V1.0, RAD V5.5, LAB V1.0

Technical Framework Supplements - Trial Implementation:
• May 2004: Radiology
• August 2004: Cardiology, IT Infrastructure

Non-Technical Brochures:
• Calls for Participation
• IHE Fact Sheet and FAQ
• IHE Integration Profiles: Guidelines for Buyers
• IHE Connect-a-thon Results
• Vendor Products Integration Statements