basic security cor loef philips medical systems co-chair ihe radiology technical committee
DESCRIPTION
HIMSS/RSNAApril 2003 Workshop Overview Security Requirements Actors and TransactionsTRANSCRIPT
Basic SecurityBasic Security
Cor LoefPhilips Medical Systems
Co-Chair IHE Radiology Technical Committee
HIMSS/RSNA April 2003 Workshop
IHE Integration profilesIHE Integration profilesPatient
Informa-tion
Reconci-liation
Access to Radiology Information
Consistent Presentation
of Images
Scheduled Workflow
Basic Security
-
Evidence Documents
Key Image Notes
Simple Image and Numeric Reports
Presentation of Grouped Procedures
Post-Processing Workflow
Reporting Workflow
Charge Posting
HIMSS/RSNA April 2003 Workshop
Security requirementsReasons: Clinical Use and Privacy
– authorized persons must have access to medical data of patients, and the information must not be disclosed otherwise.
By means of procedures and security mechanisms, guarantee:– Confidentiality– Integrity– Availability– Authenticity
HIMSS/RSNA April 2003 Workshop
Security measures Authentication:
Establish the user and/or system identity, answers question: “Who are you?”
Authorization and Access controlEstablish user’s ability to perform an action, e.g. access to data, answers question: “Now that I know who you are, what can you do?”
HIMSS/RSNA April 2003 Workshop
Security measures
Accountability and Audit trailEstablish historical record of user’s or system actions over period of time, answers question: “What have you done?”
HIMSS/RSNA April 2003 Workshop
IHE is establishing the first level of enterprise-wide security infrastructure for meeting privacy requirements (HIPAA, and like regulations world-wide).
IHE Goal
HIMSS/RSNA April 2003 Workshop
IHE makes cross-node security management easy:
– Only a simple manual certificate installation is needed.
– Healthcare professionals are not hindered by ”complex” role based access control. However, policies may restrict them to ‘need to know information’.
– Enforcement driven by ‘a posteriori audits’ and real-time visibility.
IHE Goal
HIMSS/RSNA April 2003 Workshop
Integrating trusted nodes
System A System B
Secured SystemSecure network
• Strong authentication of remote node (digital certificates)• network traffic encryption is not required
Secured System
• Local access control (authentication of user)
• Audit trail with:• Real-time access • Time synchronization
Central Audit TrailRepository
HIMSS/RSNA April 2003 Workshop
Secured Domain: integrating trusted nodes
Secured NodeActor
Other ActorsOther Actors
Secured NodeActor
Other ActorsOther Actors
Secured NodeActor
Other ActorsOther Actors
Secured NodeActor
Other ActorsOther Actors
TimeServer
CentralAudit TrailRepository
HIMSS/RSNA April 2003 Workshop
Secured Domain: Limited AdministrationAudit Trail/Time Server + CA for certificates to each node
Secured NodeActor
Other ActorsOther Actors
Secured NodeActor
Other ActorsOther Actors
Secured NodeActor
Other ActorsOther Actors
Secured NodeActor
Other ActorsOther Actors
TimeServer
CentralAudit TrailRepository
HIMSS/RSNA April 2003 Workshop
IHE Audit Trail Events20 Non-Transaction Related
Trigger Event Description
Actor-Start-Stop Startup and shutdown of anyactor.
Actor- config Generated for any configurationchange related to the actor.
PHI-export Any export of PHI on media, eitherremovable or files.
PHI-Print Any printing activity that print PHI.
PHI-import Any import of PHI on media, eitherremovable or files.
HIMSS/RSNA April 2003 Workshop
IHE Audit Trail Events, 18 Transaction Related
Trigger Event Description
Modality-worklist-provided
Modality worklist query received.
Image-availability-query
Image availability query received.
Query-images Image query received.
Retrieve-images Images are transferred from onenode to the other. Report by sourcenode
Retrieve-images Images are transferred from onenode to the other. Report byreceiving node
HIMSS/RSNA April 2003 Workshop
Basic Security Integration ProfileBasic Security Integration ProfileActor and Transaction diagramActor and Transaction diagram
All existing IHE actors need to be grouped with a Secure Node actor.
Secure Node
Audit RecordRepository
“Any” IHE actor
Record Audit Event
Time Server
Secure Node Authenticate
Node
Maintain Time
HIMSS/RSNA April 2003 Workshop
Basic Security Integration ProfileActor grouping rules
If an actor wants to support the Basic Security Profile, this actor shall be grouped with a secure Node actor.
All actors grouped with a Secure Node actor in an implementation must support the Basic Security Profile.
At least one other IHE profile shall be supported by the actor
HIMSS/RSNA April 2003 Workshop
Authenticate Node transactionX.509 certificates for node identity and keysTCP/IP Transport Layer Security Protocol (TLS) for node
authentication, and optional encryptionSecure handshake protocol of both parties during Association
establishment:– Identify encryption protocol– Exchange session keys
Actor must be able to configure certificate list of authorized nodes.
HIMSS/RSNA April 2003 Workshop
Record Audit Event transaction
The BSD Syslog protocol (RFC 3164) for Audit Records
Audit trail events and content, no standard available at the time of writing.
IHE in Technical Framework : Use IHE defined XML Schema for defined content in payload of Syslog message
HIMSS/RSNA April 2003 Workshop
The Basic Security Integration Profile specifies the use of Syslog as the mechanism for logging audit record messages to the central audit record repository.
Two improvements may be expected in the near future:
1. Syslog will be replaced by Reliable Syslog2. The XML Schema will become an RFC standard
as a result of an HL7/DICOM/IETF collaboration
For both improvements a smooth evolution can be expected.