Federated, Secure Trust Networks for Distributed Healthcare IT Services

Alfred Weaver, Samuel Dwyer, Andrew Snyder, Jim Van Dyke, Tim Mulholland, James Hu, Xiaohui Chen, Andrew Marshall

PowerPoint presentation, 23 slides. Posted 08-Jan-2016.

TRANSCRIPT

Page 1: Federated, Secure Trust Networks for Distributed Healthcare IT Services

Alfred Weaver, Samuel Dwyer, Andrew Snyder, Jim Van Dyke, Tim Mulholland, James Hu, Xiaohui Chen, Andrew Marshall

Page 2: Industrial Informatics Applied to Healthcare

Health Insurance Portability and Accountability Act of 1996 (HIPAA):
- privacy of patient encounters
- security of patient data
- encryption of medical information when stored or transmitted
- access controls to retrieve information
- audit logs of data access

Page 3: Healthcare Informatics Portal

- Common medical data portal
  - doctors, patients, staff see a customized view
  - allied health services exchange information electronically
- Authentication of users: biometric and conventional methods
- Authorization of access: role-based access control model
- Strong encryption of all data
- All built on a web services model

Page 4:

[no transcribed text]

Page 5:

[no transcribed text]

Page 6: Medical Data Portal Web Services

Architecture diagram: the Medical Data Portal is linked to the Authentication Service, the Authorization Service, the Rule Engines and the Electronic Patient Record, with arrows numbered 1 through 12 between them.

Page 7: Research Issues

- Authentication: who are you?
- Mobile devices: what capabilities do you have?
- Authorization: what can you do?
- Encryption: which algorithm? what length key?
- Shared trust: off-network organizations

Page 8: Authentication

- Can support legacy techniques: user ID and passwords, challenge-response
- Newer identification technologies: smartcards, access keys
- Biometric identification: fingerprints, iris scans, signature analysis, voice recognition, keyboard dynamics, face, hand, finger and ear geometry

Page 9: Fingerprints

- 70 points of differentiation (loops, whorls, deltas, ridges)
- Even identical twins have differing fingerprint patterns
- False positive rate < 0.01%
- False negative rate < 1.5%
- Can distinguish a live finger; fast to enroll
- Inexpensive ($100-$200) for the reader

Page 10: Iris Scans

- Iris has 266 identification degrees of freedom
- Identical twins have different iris patterns
- False positive rate < 0.01%
- False negative rate < 2%
- Does take some time and controlled lighting to enroll
- Pattern is stored as a data template, not a picture
- Some units control light to detect pupil dilation (prove live eye)

Page 11: Mobile Devices

- Legitimate access is no longer limited to desktops or in-hospital devices
- Wave of the future includes:
  - PDAs (HP iPAQ Pocket PC h5455 with fingerprint scanner built in)
  - tablet PCs (handwriting recognition)
  - cell phones (voice recognition)
- Personal authentication should work using the devices and capabilities available to the legitimate user

Page 12: Fingerprints with Wireless PDA

- HP iPAQ h5455 with fingerprint scanner; thermal scanner detects live finger
- We wrote an authentication web service:
  - send fingerprint pattern to service
  - compare against database of enrollees
  - confirm or deny identity
  - send confirmation to web portal
  - write cookie to device
  - cookie becomes an identification token containing:
    - who the individual is
    - how identity was confirmed
    - trust level of the identification (e.g., iris scan > fingerprint > password)

Page 13: Authorization

Now that we know who you are, what are you allowed to do?
- Use role-based access control
- Roles for people with different privileges:
  - attending physician
  - referring physician
  - medical fellows
  - medical students
  - physician consultants
  - other healthcare staff (nurses)
  - technologists (diagnostic imagery)
  - technicians (lab results)
  - patient
- Plus roles for other entities (insurance, pharmacy)

Page 14: Authorization Rule Engine

Diagram: an identity token and an access request enter the rule engine; the rules it applies are instantiated from hospital administration rule templates; its output is an authorization token.

Page 15: Authorization Rule Templates

Matrix of who may access which part of the Electronic Patient Record:
- Who (rows): Attending, Referring, Fellow, Student, Technician, Technologist, Patient, Insurance, Billing, Pharmacy, Med records
- Electronic Patient Record sections (columns): Demographics, Clinical notes, Lab notes, Diagnostic images, Psych evaluation
- Access (cell values): Can / Can not

Page 16: Authorization Rule Engine

More complicated in practice:
- doctor needs consultation
- doctor on vacation
- doctors practicing in groups (surgeons, radiologists)
- emergencies
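The authorization rule engine of slides 13 to 16, written out as an added example in Go. This is not code from the presentation or from the UVA project. The role names and record sections are those of slides 13 and 15; the Can/Can not cell values, the binding of sections to a minimum trust level (using slide 12's iris > fingerprint > password ordering), the delegation rule for a doctor on vacation, and every person and patient identifier are assumptions made for the example.

```go
package main

import "fmt"

// TrustLevel orders identification methods as slide 12 does: iris scan > fingerprint > password.
type TrustLevel int

const (
	TrustPassword TrustLevel = iota + 1
	TrustFingerprint
	TrustIris
)

// IdentityToken is what the authentication service writes back to the device (slide 12).
type IdentityToken struct {
	Subject, Role, Method string
	Trust                 TrustLevel
}

// AccessRequest names a patient and a section of the Electronic Patient Record.
type AccessRequest struct{ Patient, Section string }

// AuthorizationToken is the engine's output; Granted stays false unless every rule passes.
type AuthorizationToken struct {
	Subject, Patient, Section, Reason string
	Granted                           bool
}

// ruleTemplates is the Who / Can / Can not matrix of slide 15. The slide gives the roles and
// sections but not the cell values, so these entries are assumed; an absent section means "Can not".
var ruleTemplates = map[string]map[string]bool{
	"Attending":    {"Demographics": true, "Clinical notes": true, "Lab notes": true, "Diagnostic images": true, "Psych evaluation": true},
	"Referring":    {"Demographics": true, "Clinical notes": true, "Lab notes": true, "Diagnostic images": true},
	"Fellow":       {"Demographics": true, "Clinical notes": true, "Lab notes": true, "Diagnostic images": true},
	"Student":      {"Demographics": true, "Clinical notes": true},
	"Technician":   {"Demographics": true, "Lab notes": true},
	"Technologist": {"Demographics": true, "Diagnostic images": true},
	"Patient":      {"Demographics": true, "Clinical notes": true, "Lab notes": true, "Diagnostic images": true},
	"Insurance":    {"Demographics": true},
	"Billing":      {"Demographics": true},
	"Pharmacy":     {"Demographics": true, "Clinical notes": true},
	"Med records":  {"Demographics": true, "Clinical notes": true, "Lab notes": true, "Diagnostic images": true, "Psych evaluation": true},
}

// minTrust binds sensitive sections to a minimum identification strength (assumed policy).
var minTrust = map[string]TrustLevel{
	"Psych evaluation": TrustIris,
	"Clinical notes":   TrustFingerprint,
}

// Engine carries the slide 16 complications a static matrix cannot express.
type Engine struct {
	AttendingOf map[string]string // patient -> attending physician
	CoversFor   map[string]string // covering physician -> physician on vacation
}

// Authorize applies the rules in order; the first failing rule denies with a reason.
func (e Engine) Authorize(tok IdentityToken, req AccessRequest) AuthorizationToken {
	out := AuthorizationToken{Subject: tok.Subject, Patient: req.Patient, Section: req.Section}
	role := tok.Role
	// Delegation: a physician covering for this patient's attending acts as Attending.
	if covered, ok := e.CoversFor[tok.Subject]; ok && e.AttendingOf[req.Patient] == covered {
		role = "Attending"
	}
	if role == "Patient" && tok.Subject != req.Patient {
		out.Reason = "patients may read only their own record"
		return out
	}
	if allowed, ok := ruleTemplates[role]; !ok || !allowed[req.Section] {
		out.Reason = fmt.Sprintf("role %q: Can not access %s", role, req.Section)
		return out
	}
	if need := minTrust[req.Section]; tok.Trust < need {
		out.Reason = fmt.Sprintf("%s needs trust level %d; token confirmed by %s is level %d", req.Section, need, tok.Method, tok.Trust)
		return out
	}
	out.Granted, out.Reason = true, fmt.Sprintf("role %q: Can access %s", role, req.Section)
	return out
}

func main() {
	eng := Engine{
		AttendingOf: map[string]string{"patient-0042": "dr.adams"},
		CoversFor:   map[string]string{"dr.baker": "dr.adams"}, // dr.adams is on vacation
	}
	requests := []struct {
		tok IdentityToken
		req AccessRequest
	}{
		{IdentityToken{"dr.adams", "Attending", "iris", TrustIris}, AccessRequest{"patient-0042", "Psych evaluation"}},
		{IdentityToken{"dr.adams", "Attending", "password", TrustPassword}, AccessRequest{"patient-0042", "Psych evaluation"}},
		{IdentityToken{"dr.baker", "Referring", "iris", TrustIris}, AccessRequest{"patient-0042", "Psych evaluation"}},
		{IdentityToken{"patient-0042", "Patient", "password", TrustPassword}, AccessRequest{"patient-0077", "Demographics"}},
	}
	for _, r := range requests {
		a := eng.Authorize(r.tok, r.req)
		fmt.Printf("%-13s %-17s granted=%-5v %s\n", r.tok.Subject, r.req.Section, a.Granted, a.Reason)
	}
}
```

The engine is default-deny: an unknown role, a section missing from the template, a patient reaching for another patient's record, or a token whose identification method is too weak for the section all produce a denied token, and the reason string gives the audit log required by slide 2 something concrete to record.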

Page 17: Encryption

- Which encryption method? DES, 3DES, AES, RSA, others; what length key?
- Unintended consequences:
  - UVA does 380,000 radiological exams annually, producing 9 TB of data every year
  - encrypting one 3 MB chest x-ray is no problem
  - but CT and MR produce 500-1000 slices, each slice is a file, and a typical MR study is 68 MB
- What is the workflow impact of encrypting/decrypting a 68 MB file each time it is touched?

Page 18: Trust Networks

- Trust, legitimately established, should be shared across the enterprise: pharmacies, insurance companies, outpatient services
- How does trust get quantified? How does trust get shared?
- WS-Trust does not yet provide guidance

Page 19: Trust Networks

- Identification tokens
- Authorization tokens
- Encryption
- Digital signature
- Trust credentials
- Dynamic negotiation of credentials

Banks do this with ATMs; we need to do it among cooperating healthcare providers.

Page 20: Trust Authority

A trust authority rates an attribute against a set of criteria:

Attribute                  | Criterion 1                | Criterion 2                | Criterion N         | Rating
Identification Reliability | False positive rate < 0.1% | False negative rate < 1.0% | Availability > 0.99 | 4.7 out of 10

Page 21: Electronic Prescriptions

Physician side:
1. Encrypt prescription (doctor, medicine, details)
2. Encrypt physician's identity token
3. Digitally sign message
4. Transmit to pharmacy

Pharmacy side:
4. Check digital signature
5. Decrypt prescription
6. Decrypt physician's identity token
7. Is this a valid physician?
8. Send identity token to trust authority
9. Check how identity was established
10. Recover trust level
11. Is trust level acceptable?
12. Accept or reject
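The twelve steps above as an exchange between both sides, written as an added example in Go; this is not code from the presentation or the UVA project. The slides name neither the cipher nor the signature scheme, so the example assumes AES-256-GCM for steps 1-2 and 5-6 and Ed25519 for steps 3-4, a symmetric key pre-shared between hospital and pharmacy, an in-memory map standing in for the trust authority service of steps 8-10, and made-up physician, token and prescription values. It also departs from the slide's order in one respect, stated in the code: the prescription itself is decrypted last, after the signer and trust level have been accepted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Trust levels in the order slide 12 gives: iris scan > fingerprint > password.
const TrustPassword, TrustFingerprint, TrustIris = 1, 2, 3

// Prescription is the plaintext of step 1; IdentityToken follows slide 12.
type Prescription struct{ Doctor, Medicine, Details string }
type IdentityToken struct {
	ID, Subject, Method string
	Trust               int
}

// Message is what step 4 transmits: the signer's name in clear (to select a
// verification key), two ciphertexts, and one signature covering all three.
type Message struct {
	Signer                         string
	Prescription, Token, Signature []byte
}

// Pharmacy is the receiving side's state. The AES key is assumed pre-shared with the
// hospital (the slides do not cover key distribution); TA stands in for the trust authority.
type Pharmacy struct {
	Key      []byte
	Signers  map[string]ed25519.PublicKey // physicians the pharmacy recognises
	TA       map[string]IdentityToken     // token ID -> how that identity was established
	MinTrust int
}

// seal encodes v as JSON and encrypts it with AES-256-GCM, nonce prepended.
// Every caller passes a 32-byte key, so aes.NewCipher cannot fail here.
func seal(key []byte, v interface{}) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	plain, _ := json.Marshal(v)
	return gcm.Seal(nonce, nonce, plain, nil)
}

// open reverses seal and decodes the plaintext into v.
func open(key, sealed []byte, v interface{}) error {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(plain, v)
}

// signedBytes fixes what the signature covers, encoded so field boundaries are unambiguous.
func signedBytes(m Message) []byte {
	b, _ := json.Marshal([]interface{}{m.Signer, m.Prescription, m.Token})
	return b
}

// Prescribe is the physician side, steps 1-4.
func Prescribe(rx Prescription, tok IdentityToken, key []byte, signer ed25519.PrivateKey) Message {
	m := Message{Signer: tok.Subject, Prescription: seal(key, rx), Token: seal(key, tok)}
	m.Signature = ed25519.Sign(signer, signedBytes(m))
	return m
}

// Receive is the pharmacy side, steps 4-12. Any failed check rejects; the prescription
// itself is decrypted only after the signer's identity and trust level are accepted.
func (p Pharmacy) Receive(m Message) (rx Prescription, err error) {
	pub, ok := p.Signers[m.Signer]
	if !ok || !ed25519.Verify(pub, signedBytes(m), m.Signature) { // step 4, before any decryption
		return rx, errors.New("reject: unknown signer or bad signature")
	}
	var tok IdentityToken
	if open(p.Key, m.Token, &tok) != nil || tok.Subject != m.Signer { // steps 6-7
		return rx, errors.New("reject: identity token unreadable or not the signer's")
	}
	rec, ok := p.TA[tok.ID] // steps 8-10: the authority, not the message, says how identity was established
	if !ok || rec.Subject != tok.Subject {
		return rx, errors.New("reject: trust authority does not know this token")
	}
	if rec.Trust < p.MinTrust { // step 11
		return rx, fmt.Errorf("reject: identity confirmed by %s (level %d), pharmacy requires %d", rec.Method, rec.Trust, p.MinTrust)
	}
	err = open(p.Key, m.Prescription, &rx) // steps 5 and 12: decrypt and accept
	return rx, err
}

// newDemoPharmacy builds a pharmacy that recognises one physician; keys and names are constructed demo data.
func newDemoPharmacy() (Pharmacy, IdentityToken, []byte, ed25519.PrivateKey) {
	key := make([]byte, 32)
	rand.Read(key)
	pub, priv, _ := ed25519.GenerateKey(nil)
	tok := IdentityToken{ID: "tok-1", Subject: "dr.adams", Method: "fingerprint", Trust: TrustFingerprint}
	ph := Pharmacy{Key: key, Signers: map[string]ed25519.PublicKey{"dr.adams": pub}, TA: map[string]IdentityToken{"tok-1": tok}, MinTrust: TrustFingerprint}
	return ph, tok, key, priv
}

func main() {
	ph, tok, key, priv := newDemoPharmacy()
	rx, err := ph.Receive(Prescribe(Prescription{"dr.adams", "amoxicillin", "500 mg three times daily"}, tok, key, priv))
	fmt.Println(rx, err)
}
```

Two points the slide leaves implicit are made explicit here. The signature is verified before any ciphertext is touched, and it covers the signer's name together with both ciphertexts, so a token or prescription cannot be swapped between messages. The trust level the pharmacy acts on is the one the trust authority holds for the token ID, not the value carried inside the token, which is why step 8 exists at all.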

Page 22: Summary of Issues

- Authentication: mobile access technologies, biometric identification
- Authorization rule engine: role-based access control, simplified rule administration
- Trust sharing: dynamic negotiation of trust credentials

Page 23: Acknowledgements

Funding for this project provided by: David Ladd and Tom Healy, University Research Program, Microsoft Research, Microsoft Corporation