![Page 1: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/1.jpg)
Next Generation Standards Based RHIO Security
InfrastructureMS-HUG Tech Forum
HiMSS 2006
![Page 2: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/2.jpg)
Agenda• Statement of the Problem
• Solution Defined – Intro to Web Service Enhancements (WSE)– The WS-* specifications
– WSE defined
– WSE’s implementation of WS-*
– Where does WSE Fit in the MS stack• Solution Implementation: Case Study using WSE
– Goals & Requirements Defined– Overall Architecture– Security Concerns & Design Process– Communication Use Case scenarios
• Q&A
![Page 3: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/3.jpg)
Saint Francis Heart Hospital• New Cardiac Care Acute
Care Facility - 2004• All Digital
– External paper scanned– Internal : bedside EMR– CPOE, Med Management– PACS for images, Bedside
devices integrated
• Comprehensive rollout (OR, ICU, ED, Gen Floors)
• Inpatient solution from Vendor A (GE Healthcare)
Cardiology Of Tulsa• 30 Year old established
cardiology group with 20 cardiologists
• All Digital – Physician H&P– Nurse/Tech Notes– Dx Studies
• Comprehensive rollout within ambulatory Care
• Ambulatory Care solution from Vendor B (NexGen)
![Page 4: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/4.jpg)
Saint Francis Heart Hospital• New Cardiac Care Acute
Care Facility - 2004• All Digital
– External paper scanned– Internal : bedside EMR– CPOE, Med Management– PACS for images, Bedside
devices integrated
• Comprehensive rollout (OR, ICU, ED, Gen Floors)
• Inpatient solution from Vendor A (GE Healthcare)
Cardiology Of Tulsa• 30 Year old established
cardiology group with 20 cardiologists
• All Digital – Physician H&P– Nurse/Tech Notes– Dx Studies
• Comprehensive rollout within ambulatory Care
• Ambulatory Care solution from Vendor B (NexGen)
Two Digital Islands with Humans Serving as Bridge– >50% of admissions at SFHH come from COT– Ambulatory EMR printouts scanned into Inpatient EMR
for every patient !– No data continuity– Human intervention for each encounter – Expensive and error prone
We needed a LHIO (local health information org)
![Page 5: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/5.jpg)
Saint Francis Heart Hospital• New Cardiac Care Acute
Care Facility - 2004• All Digital
– External paper scanned– Internal : bedside EMR– CPOE, Med Management– PACS for images, Bedside
devices integrated
• Comprehensive rollout (OR, ICU, ED, Gen Floors)
• Inpatient solution from Vendor A (GE Healthcare)
Cardiology Of Tulsa• 30 Year old established
cardiology group with 20 cardiologists
• All Digital – Physician H&P– Nurse/Tech Notes– Dx Studies
• Comprehensive rollout within ambulatory Care
• Ambulatory Care solution from Vendor B (NexGen)
• Our LHIO had all the trappings of a RHIO except the organizational, structural, political obstacles to getting started. – No common patient identifier
– No common technology platform
– No common lexicon/dictionary
• Still had to contend with all privacy, confidentiality issues– Distinct legal entities
– Need to know basis for information sharing – JIT (just in time)
• Wanted to insure that technology infrastructure used in our LHIO scaled to the region– Federated architecture
– Sophisticated algorithm for patient matching
– Security/authentication infrastructure
– Use the web for communication infrastructure
![Page 6: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/6.jpg)
Agenda• Statement of the Problem
• Solution Defined – Intro to Web Service Enhancements (WSE)– The WS-* specifications
– WSE defined
– WSE’s implementation of WS-*
– Where does WSE Fit in the MS stack• Solution Implementation: Case Study using WSE
– Goals & Requirements Defined– Overall Architecture– Security Concerns & Design Process– Communication Use Case scenarios
• Q&A
![Page 7: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/7.jpg)
Evolution of Distributed Systems
Web Services• Open, Industry-Wide
Standards
• Service-Oriented
• Designed for Hostile Networks
• Standardized Xml Wire Protocols
• Web-Services with WS-* protocol stack is the gold standard
Component Architectures• Closed/Proprietary
Standards
• Object-Oriented
• Ill-Suited for Hostile Networks (i.e., Internet)
• Standardized Binary Wire Protocols
• Examples– DCOM – .NET Remoting– CORBA– Java RMI
Socket Messaging• Ad-hoc application-level
protocols
• Message-Oriented
• Usually required private networks
• Custom Wire Protocols
• Examples– HL7
TIME
![Page 8: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/8.jpg)
The WS-* Specifications• Defined
– A collection of standards that provide for secure, transacted, distributed messaging by extending the Simple Object Access Protocol (SOAP)
• Why they’re needed– It’s a standard way for servers
running different operating systems to communicate with one another between institutions over potentially hostile networks (like the internet)
• Development– The standards body OASIS
coordinates specification releases– Maturity
• First revisions released in 2002-2003
• Second revisions in 2004-2005
Actional
Adobe Systems
AmberPoint
Argonne National Laboratory
BEA Systems
BMC Software
Computer Associates
ContentGuard
Cybertrust
Cyclone Commerce
Datapower
EMC
Forum Systems
Fujitsu
GeoTrust
Hewlett-Packard
Hitachi
IBM
Lockheed Martin
Microsoft
Nokia
Nortel
Oracle
RSA Security
Sarvega
SeeBeyond
Sun Microsystems
Systinet
TIBCO Software
US Navy
Verisign
(and more)
• Participants
![Page 9: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/9.jpg)
WS-* Specifications
XMLXml Namespaces Infoset
MessagingSOAP WS-Addressing MTOM
Security WS-Security WS-SecurityPolicy WS-SecureConversation WS-Security-Kerberos WS-Trust WS-Federation
Reliable Messaging WS- Reliable Messaging WS-RM Policy
Transactions WS- Coordination WS-Atomic Transaction WS-Business Activity
Metadata XML Schema WSDL WS-Policy WS-Policy Assertions WS-PolicyAttachment
http://msdn.microsoft.com/webservices/webservices/understanding/specs/
![Page 10: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/10.jpg)
WSE Defined
• Microsoft Web Service Enhancements– A secure, distributed messaging framework
that implements a subset of the WS-* standards
– Extends existing web service .Net libraries (System.Web.Services)
• MS has boiled down very broad and inclusive WS-* standards intomore concrete implementation choices
![Page 11: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/11.jpg)
WSE 3.0 Coverage of WS-*
XMLXml Namespaces Infoset
MessagingSOAP WS-Addressing MTOM
Security WS-Security WS-SecurityPolicy WS-SecureConversation WS-Security-Kerberos WS-Trust WS-Federation
Reliable Messaging WS- Reliable Messaging WS-RM Policy
Transactions WS- Coordination WS-Atomic Transaction WS-Business Activity
Metadata XML Schema WSDL WS-Policy WS-Policy Assertions WS-PolicyAttachment
WSE 3.0 .Net Framework Will be in Indigo
![Page 12: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/12.jpg)
WSE’s Place in the MS Stack• Development
– Designed for .NET• C#• VB.Net• Managed C++
• Hosting Environment– Use IIS– Self-host (using the Windows service controller, for example)
• Installation– WSE Runtime must be installed on each dev/test/production box
• Future Releases– MS says WSE 3.0 is the final version– Longhorn will natively include WSE functionality in
the Windows Communication Framework (WCF)
![Page 13: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/13.jpg)
Interoperability
• Primary MS Partners for WS-* are IBM and BEA– Java will have enterprise-grade, commercial
WS-* implementations that will interoperate with WSE/Indigo
• IBM WebSphere• BEA WebLogic
– Axis is the premiere open-source Web Services provider over Apache
• Does not support WS-Security et al,yet. Work still ongoing in this area
![Page 14: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/14.jpg)
Agenda• Statement of the Problem
• Solution Defined – Intro to Web Service Enhancements (WSE)– The WS-* specifications
– WSE defined
– WSE’s implementation of WS-*
– Where does WSE Fit in the MS stack• Solution Implementation: Case Study using WSE
– Goals & Requirements Defined– Overall Architecture– Security Concerns & Design Process– Communication Use Case scenarios
• Q&A
![Page 15: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/15.jpg)
System Goals
• The architecture should enable RHIOs to seamlessly share information
• Support heterogeneous environments, many CDRs / EMRs from many vendors
• Design as a Service Oriented Architecture (SOA) to logically and physically simplify the design
![Page 16: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/16.jpg)
System Requirements
• Clinical data must pass directly from the sending institution to the receiving institution; no middle men
• Aggregated demographic information must be one-way hashed to limit the index’s value to potential attackers
• Individual institutions must have the last say regarding data transfer and maintain a local audit
• It must be easy to add new sites to the network• Patients must be able to opt out• The system must scale up and down• Must operate securely over the internet
![Page 17: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/17.jpg)
Top-level Architecture
Blinded Record Index (BRI)
Site B
Adapter
Site C
Adapter
Site A
Adapter
… …
![Page 18: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/18.jpg)
Security Checklist
Identity verification Data confidentiality Data origin Message integrity Protect against malformed
or malicious messages Shield exceptions from revealing
sensitive implementation details Replay protection Generate audit logs
![Page 19: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/19.jpg)
Design Process
• Define trust boundaries• Model threats• Design security solution
– Identify an authentication mechanism– Implement security policies– Additional security measures
• Verify threat coverage
![Page 20: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/20.jpg)
Security Implementation Choices
• Authentication– Direct
• Windows Authentication
• Active Directory• Custom password file
– Brokered• Kerberos• X.509 Public Key
Infrastructure (PKI)• Security Token Service
(STS)
• Transmission Security– Message Level
• Shared secret• Asymmetric encryption
– Transport Level• SSL• VPN
– IPSec
– PPtP
![Page 21: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/21.jpg)
Direct Authentication
• Benefits– Simple– Compatible: It’s easy to leverage an
existing password store• Windows Auth• Active Directory• Custom password files
• Liabilities– No sessions: proof-of-possession must
be sent each time which requires password caching
– Home-cooked password files must be carefully secured
– Direct trust: every actor must directly trust the others
– Scales poorly: May result in many password files, each needing to be updated when a new user is added
![Page 22: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/22.jpg)
Kerberos Authentication• Benefits
– Sessions: client need only authenticate once to interact with services many times
– Single password file– Allows for impersonation / delegation
• Liabilities– KDC may be a single point of failure– Requires Active Directory– Centralized nature makes it
inappropriate for many cross-organization scenarios
– Clocks must be synchronized
![Page 23: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/23.jpg)
X.509 Authentication
• Benefits– Supports sessions– Broadly accepted: suitable for cross-
organization authentication– There’s no password file to maintain;
certificates are signed once to establish trust– May need a CA such as Windows Certificate
Services
• Liabilities– Higher one-time setup cost makes it suitable
for architectures with relatively fewer actors
– Must maintain a revocation list: certificate lifetime is a concern
– Clients must be careful to protect their private key
– Can be computationally expensive
![Page 24: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/24.jpg)
Security Token Service (STS)• Benefits
– Can support cross-organization authentication
– Most flexible option allows for heterogeneous environments including X.509, Kerberos and custom auth
– Can enable web service federation
• Liabilities– More work to implement– Requires a more thorough
understanding of security implications– Requires the use of a separate
encryption/signing mechanism
![Page 25: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/25.jpg)
Top-level Architecture Revised
Blinded Record Index (BRI)
Site B
Adapter
Site C
Adapter
Site A
Adapter
… …
Security Token Service (STS)
![Page 26: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/26.jpg)
Communication ScenariosSite sending data to BRI
Blinded Record Index (BRI)
Site A
Adapter
Security Token Service (STS)
Site B
Adapter
1
2
3
Site A requests a security tokenand signs the message
STS verifies the signatureand issues the security token
Site A sends a message to BRIsigned with Site A’s cert andencrypted with BRI’s.
12
3
![Page 27: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/27.jpg)
Communication Scenarios
Blinded Record Index (BRI)
Site A
Adapter
Site B
Adapter
Security Token Service (STS)
1
2
3
1
2
3
BRI requests a security tokenand signs the message
STS verifies the signatureand issues the security token
BRI sends a message to Site Asigned with BRI’s cert andencrypted with Site A’s.
Site receiving data from BRI
![Page 28: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/28.jpg)
Communication Scenarios
Blinded Record Index (BRI)
Site A
Adapter
Site B
Adapter
Security Token Service (STS)
12
3
1
2
3
Site A requests a security tokenand signs the message
STS verifies the signatureand issues the security token
Site A sends a message to Site Bsigned with A’s cert and encryptedwith B’s.
Sites requesting data from each other
![Page 29: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/29.jpg)
Security Token Service (STS)
Communication Scenarios
3
MicrosoftCertificateServices
2
1
1
2
3
Administrator provides newsite information
STS generates a key pair andsigns a certificate for the new site
Administrator securely transfersthe private key and certificate tothe new site
Administrator
New site coming online
![Page 30: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/30.jpg)
Security Checklist
Identity verification Data confidentiality Data origin Message integrity Protect against malformed
or malicious messages Shield exceptions from revealing
sensitive implementation details Replay protection Generate audit logs
X.509 Signing & Encryption
WSE & .Net Framework
WSE custom assertion
Custom implementation
Not addressed
![Page 31: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/31.jpg)
HostSystem
Adapter
Internal Network
Adapter Architecture
LocalDataService Clinical
DataServiceData
TransferService
IndexService
Perimeter Service Router
Audit DB
LocalIndex
![Page 32: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/32.jpg)
Internal Network
Communication ScenariosExternal Communication
Perimeter Service Router
Audit DB
1
2
DataTransferService
IndexService
1 BRI has sends index informationto the Adapter
2 The Service Router authenticatesthe request and forwards it
![Page 33: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/33.jpg)
Communication ScenariosService-to-Service Communication
1 Send message signed byservice account withWindows AuthenticationInternal Network
LocalDataService Clinical
DataServiceData
TransferService
IndexService
LocalIndex
1
![Page 34: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/34.jpg)
Security Checklist
Identity verification Data confidentiality Data origin Message integrity Protect against malformed
or malicious messages Shield exceptions from revealing
sensitive implementation details Replay protection Generate audit logs
X.509 Signing & Encryption
WSE & .Net Framework
WSE custom assertion
Custom implementation
Not addressed
![Page 35: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/35.jpg)
In Summary
• RHIOs require– High security– Solid interoperability
• WSE 3.0 offers– Powerful libraries to enable complex RHIO
scenarios– Security features that are flexible and
configurable– Interoperability that is key to
guaranteeing the long termviability of the solution
![Page 36: Next Generation Standards Based RHIO Security Infrastructure](https://reader035.vdocument.in/reader035/viewer/2022062418/554be5a3b4c9055a368b4902/html5/thumbnails/36.jpg)
Agenda• Statement of the Problem
• Solution Defined – Intro to Web Service Enhancements (WSE)– The WS-* specifications
– WSE defined
– WSE’s implementation of WS-*
– Where does WSE Fit in the MS stack• Solution Implementation: Case Study using WSE
– Goals & Requirements Defined– Overall Architecture– Security Concerns & Design Process– Communication Use Case scenarios
• Q&A