
1

September, 2005 What IHE Delivers

ITI Security Profiles – ATNA, CT

IHE Vendors Webinar 2006

IHE IT Infrastructure Education

Robert Horn, Agfa Healthcare

2

IT Infrastructure Profiles

2004
• Patient Identifier Cross-referencing for MPI (PIX)
• Retrieve Information for Display (RID)
• Consistent Time (CT)
• Patient Synchronized Applications (PSA)
• Enterprise User Authentication (EUA)

2005
• Patient Demographic Query (PDQ)
• Cross Enterprise Document Sharing (XDS)
• Audit Trail and Node Authentication (ATNA)
• Personnel White Pages (PWP)

2006
• Document Digital Signature (DSG)
• Notification of Document Availability (NAV)
• Patient Administration/Management (PAM)

2007
• Basic Patient Privacy Consents (BPPC)

3

ATNA Assets protected

Patient and Staff Safety
• ATNA provides minor protections by restricting network access
• Most safety related protection is elsewhere in products. Security activity must not interfere with safety.

Patient and Staff Health
• As with Safety, ATNA provides minor health protection and must not interfere.

Patient and Staff Privacy
• Access Control at the node level can be enforced.
• Audit Controls at the personal level are supported.
• Note that in Europe there are significant staff privacy protections, not just patient privacy protections, in the laws.

4

ATNA Node Authentication

Authentication:
• ATNA defines: How to authenticate network connections.
• ATNA supports: Authentication mechanisms, e.g. Enterprise User Authentication (EUA) or Cross Enterprise User Authentication (XUA).

Authorization and Access control:
• ATNA defines: network connections shall be access controlled.
• ATNA requires: System internal mechanisms for both local and network access controls. ATNA does not specify policy. See the XDS security presentation from the workshop for an example of the kind of policy that ATNA expects to support. The node authentication ensures that only known partners that share the security policy and cooperate in its implementation are granted access.

5

ATNA Audit Trail

Accountability and Audit trail: Establish historical record of user's or system actions over period of time
• ATNA Defines: Audit message format and transport protocol

6

Secure Node

Secure Node Actor
• Restricted access by login (if applicable to the product)
• All access to private information is audited.
• Protects PHI
• Tests will be defined by project managers.

7

ATNA Node Authentication

X.509 certificates for node identity and keys
• Be prepared for simultaneous use of both CA and self-signed certificates.
• Be prepared to accept or replace certificates on very short notice.

TCP/IP Transport Layer Security Protocol (TLS) for node authentication, and optional encryption
• TLS is not SSL.
• TLS is available from: OpenSSL (which includes both SSL and TLS), as part of Microsoft's .NET, Sun and IBM's Java implementations, and other sources.

8

ATNA Node Authentication

TLS Encryption options:
• IHE mandates a minimum mandatory set to ensure that a compatible pair will exist.
• Additional encryption options may be implemented
• TLS specifies how the encryption will be selected from the proposed list. It need not be one of the IHE minimum set.
• Some environments permit NULL encryption (e.g., internal radiology operations). Others do not (e.g., XDS).

ATNA presently specifies mechanisms for using TLS with HTTP, DICOM, and HL7.
• DICOM toolkits incorporate TLS support
• Some HL7 libraries incorporate TLS support
• Some web servers (e.g. Tomcat, Apache) incorporate TLS support.

9

ATNA Auditing System

Designed for surveillance rather than forensic use. This is not a substitute for internal product detailed logs.

Two audit message formats.
• IHE Radiology interim format, for backward compatibility with radiology
• IETF/DICOM/HL7/ASTM format, for future growth
  • DICOM Supplement 95
  • IETF Draft for Common Audit Message
  • ASTM E.214
  • HL7 Audit Informative documents

New profile work will utilize the new schema for messages, so use the new schema unless there is a product need for compatibility with the Radiology interim format.

10

ATNA Auditing System

Both formats are XML encoded messages, permitting extensions using XML standard extension mechanisms.
• Do not redefine current attributes or elements
• Only extend when existing attributes or elements are insufficient
• Document the source schema for extensions and make it freely available because audit repositories will need it.

If there might be messages using different schema from a single system, use the source field in the syslog message to distinguish the format. All messages from a specific source must use the same schema.

11

ATNA Record Audit Event

BSD Syslog protocol (RFC 3164) will be part of the Connectathon infrastructure.
• Support messages up to 32768 bytes long.
• Clients should be configurable to send to any port and destination.

IETF continues to resolve issues surrounding Reliable Syslog (RFC 3195). There will be no connectathon support of testing Reliable Syslog, but private testing may take place.
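Added illustration (not part of the webinar slides or any IHE toolkit) of slides 10 and 11 together: an audit XML message is wrapped in a BSD syslog (RFC 3164) line, the 32768-byte limit is enforced, the destination host and port are configurable, and the receiver uses the syslog TAG (the "source" field) to decide which audit schema the payload must use. The sample AuditMessage is constructed; the facility value 10, the TAG names and the IHEYr4 root element for the Radiology interim format are assumptions, not taken from the slides.

```python
import re
import socket
import xml.etree.ElementTree as ET

MAX_MSG_BYTES = 32768        # slide 11: clients/repositories must support up to 32768 bytes
FACILITY_SECURITY = 10       # assumed: syslog "security/authorization" facility
SEVERITY_INFO = 6            # syslog severity "informational"

# Constructed sample: a minimal DICOM Supplement 95 style AuditMessage (not a real capture).
SAMPLE_AUDIT_XML = (
    '<AuditMessage>'
    '<EventIdentification EventActionCode="E" EventDateTime="2005-09-01T12:00:00">'
    '<EventID code="110114" codeSystemName="DCM" displayName="User Authentication"/>'
    '</EventIdentification>'
    '<ActiveParticipant UserID="pacs01" UserIsRequestor="true"/>'
    '<AuditSourceIdentification AuditSourceID="pacs01"/>'
    '</AuditMessage>'
)

# Slide 10: one schema per source. The syslog TAG names a source; the XML root names the schema.
# Root element names are assumed: "AuditMessage" for Sup 95, "IHEYr4" for the Radiology interim format.
SCHEMA_BY_TAG = {"ihe_atna": "AuditMessage", "ihe_rad": "IHEYr4"}

def build_rfc3164(tag, hostname, timestamp, xml_payload,
                  facility=FACILITY_SECURITY, severity=SEVERITY_INFO):
    """Wrap an audit XML document in an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = facility * 8 + severity
    line = f"<{pri}>{timestamp} {hostname} {tag}: {xml_payload}".encode()
    if len(line) > MAX_MSG_BYTES:
        raise ValueError(f"audit message is {len(line)} bytes, limit is {MAX_MSG_BYTES}")
    return line

HEADER_RE = re.compile(rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)

def parse_rfc3164(line):
    """Split the syslog header, then check the XML root against the schema registered for the TAG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri, tag = int(m.group(1)), m.group(4).decode()
    root = ET.fromstring(m.group(5))
    expected = SCHEMA_BY_TAG.get(tag)
    if expected is None or root.tag != expected:
        raise ValueError(f"source {tag!r} carries unexpected schema {root.tag!r}")
    event = root.find("EventIdentification/EventID")
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group(3).decode(),
            "tag": tag, "schema": root.tag, "event_id": event.get("code") if event is not None else None}

def send_udp(line, host="127.0.0.1", port=514):
    """Slide 11: destination and port are configurable, never hard-coded; UDP as in RFC 3164."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line, (host, port))
```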

12

Consistent Time (CT)

Network Time Protocol (NTP) version 3 (RFC 1305) for time synchronization

Actor must support manual configuration for NTP sources.

Required accuracy: 1 second

Options:
• SNTP (Simple Network Time Protocol)
• Secure NTP
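Added example (written for this transcript, not code from the webinar or from IHE) of the CT slide's requirements: an NTP version 3 client packet is built, a server reply is parsed, the clock offset is computed with the RFC 1305 formula offset = ((T2 - T1) + (T3 - T4)) / 2, and the result is checked against the 1 second accuracy requirement. The server reply is constructed in code so the example runs offline; the manually configured NTP source list is an assumed parameter.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds between the NTP epoch (1900) and the Unix epoch (1970)
NTP_VERSION = 3                 # slide 12: NTP version 3, RFC 1305
REQUIRED_ACCURACY_S = 1.0       # slide 12: required accuracy 1 second
NTP_SOURCES = [("ntp1.example.invalid", 123)]   # assumed: manually configured NTP sources

def to_ntp(unix_ts):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * 2**32)
    return (secs << 32) | frac

def from_ntp(ts64):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts64 >> 32) - NTP_EPOCH_OFFSET + (ts64 & 0xFFFFFFFF) / 2**32

def build_client_request(t1):
    """48-byte NTP/SNTP client packet: LI=0, VN=3, Mode=3 (client), transmit timestamp = T1."""
    first = (0 << 6) | (NTP_VERSION << 3) | 3
    return struct.pack("!B39x", first) + struct.pack("!Q", to_ntp(t1))

def parse_server_reply(pkt, t4):
    """Parse a server reply (received at local time T4) and compute the RFC 1305 clock offset."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    version, mode = (pkt[0] >> 3) & 7, pkt[0] & 7
    if version != NTP_VERSION or mode != 4:
        raise ValueError(f"unexpected NTP version {version} / mode {mode}")
    # Originate (T1), receive (T2) and transmit (T3) timestamps at offsets 24, 32 and 40.
    t1, t2, t3 = (from_ntp(struct.unpack("!Q", pkt[i:i + 8])[0]) for i in (24, 32, 40))
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return {"version": version, "offset": offset,
            "within_accuracy": abs(offset) <= REQUIRED_ACCURACY_S}

def constructed_server_reply(t1, t2, t3):
    """Constructed reply, not a real capture: LI=0, VN=3, Mode=4 (server), stratum 2."""
    first = (NTP_VERSION << 3) | 4
    header = struct.pack("!BBBb", first, 2, 6, -20) + b"\x00" * 20   # root delay/dispersion, ref id/ts
    return header + struct.pack("!QQQ", to_ntp(t1), to_ntp(t2), to_ntp(t3))

def query_source(host, port, timeout=2.0):
    """Network query against one configured source; kept separate so the rest runs offline."""
    import time
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_client_request(t1), (host, port))
        pkt, _ = s.recvfrom(48)
        return parse_server_reply(pkt, time.time())
```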