1. What IHE Delivers, September, 2005
ITI Security Profiles – ATNA, CT
IHE Vendors Webinar 2006
IHE IT Infrastructure Education
Robert Horn, Agfa Healthcare
2. IT Infrastructure Profiles
2004
• Patient Identifier Cross-referencing for MPI (PIX)
• Retrieve Information for Display (RID)
• Consistent Time (CT)
• Patient Synchronized Applications (PSA)
• Enterprise User Authentication (EUA)
2005
• Patient Demographic Query (PDQ)
• Cross Enterprise Document Sharing (XDS)
• Audit Trail and Node Authentication (ATNA)
• Personnel White Pages (PWP)
2006
• Document Digital Signature (DSG)
• Notification of Document Availability (NAV)
• Patient Administration/Management (PAM)
2007
• Basic Patient Privacy Consents (BPPC)
3. ATNA Assets Protected
Patient and Staff Safety
• ATNA provides minor protections by restricting network access.
• Most safety-related protection is elsewhere in products. Security activity must not interfere with safety.
Patient and Staff Health
• As with safety, ATNA provides minor health protection and must not interfere.
Patient and Staff Privacy
• Access control at the node level can be enforced.
• Audit controls at the personal level are supported.
• Note that in Europe there are significant staff privacy protections, not just patient privacy protections, in the laws.
4. ATNA Node Authentication
Authentication:
• ATNA defines: how to authenticate network connections.
• ATNA supports: authentication mechanisms, e.g. Enterprise User Authentication (EUA) or Cross Enterprise User Authentication (XUA).
Authorization and Access Control:
• ATNA defines: network connections shall be access controlled.
• ATNA requires: system-internal mechanisms for both local and network access controls. ATNA does not specify policy. See the XDS security presentation from the workshop for an example of the kind of policy that ATNA expects to support. The node authentication ensures that only known partners that share the security policy and cooperate in its implementation are granted access.
5. ATNA Audit Trail
Accountability and Audit Trail: establish a historical record of user's or system actions over a period of time.
• ATNA defines: audit message format and transport protocol.
6. Secure Node
Secure Node Actor
• Restricted access by login (if applicable to the product).
• All access to private information is audited.
• Protects PHI.
• Tests will be defined by project managers.
7. ATNA Node Authentication
X.509 certificates for node identity and keys
• Be prepared for simultaneous use of both CA and self-signed certificates.
• Be prepared to accept or replace certificates on very short notice.
TCP/IP Transport Layer Security Protocol (TLS) for node authentication, and optional encryption
• TLS is not SSL.
• TLS is available from: OpenSSL (which includes both SSL and TLS), as part of Microsoft's .NET, Sun and IBM's Java implementations, and other sources.
8. ATNA Node Authentication
TLS encryption options:
• IHE mandates a minimum mandatory set to ensure that a compatible pair will exist.
• Additional encryption options may be implemented.
• TLS specifies how the encryption will be selected from the proposed list. It need not be one of the IHE minimum set.
• Some environments permit NULL encryption (e.g., internal radiology operations). Others do not (e.g., XDS).
ATNA presently specifies mechanisms for using TLS with HTTP, DICOM, and HL7.
• DICOM toolkits incorporate TLS support.
• Some HL7 libraries incorporate TLS support.
• Some web servers (e.g. Tomcat, Apache) incorporate TLS support.
9. ATNA Auditing System
Designed for surveillance rather than forensic use. This is not a substitute for internal product detailed logs.
Two audit message formats:
• IHE Radiology interim format, for backward compatibility with radiology.
• IETF/DICOM/HL7/ASTM format, for future growth:
  • DICOM Supplement 95
  • IETF Draft for Common Audit Message
  • ASTM E.214
  • HL7 Audit Informative documents
New profile work will utilize the new schema for messages, so use the new schema unless there is a product need for compatibility with the Radiology interim format.
10. ATNA Auditing System
Both formats are XML encoded messages, permitting extensions using XML standard extension mechanisms.
• Do not redefine current attributes or elements.
• Only extend when existing attributes or elements are insufficient.
• Document the source schema for extensions and make it freely available, because audit repositories will need it.
If there might be messages using different schemas from a single system, use the source field in the syslog message to distinguish the format. All messages from a specific source must use the same schema.
11. ATNA Record Audit Event
BSD Syslog protocol (RFC 3164) will be part of the Connectathon infrastructure.
• Support messages up to 32768 bytes long.
• Clients should be configurable to send to any port and destination.
IETF continues to resolve issues surrounding Reliable Syslog (RFC 3195). There will be no Connectathon support for testing Reliable Syslog, but private testing may take place.
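The three slides above (XML audit message, one schema per syslog source, RFC 3164 framing with the 32768-byte limit and a configurable destination) as one added example; this is illustration code written for this page, not IHE's or any toolkit's. The element names follow the DICOM Supplement 95 / RFC 3881 AuditMessage vocabulary; the source tags, host names, identifiers and timestamp are constructed.

```python
import socket
import xml.etree.ElementTree as ET
from datetime import datetime

MAX_SYSLOG_LEN = 32768   # ATNA repositories must accept messages up to 32768 bytes
PRI = (10 << 3) | 5      # RFC 3164 PRI: facility 10 (security/authorization), severity 5 (notice)
SAMPLE_TIME = datetime(2005, 9, 1, 8, 0, 0)   # constructed timestamp for the example
# Which audit schema each syslog source (TAG) emits; a given source must never mix schemas.
SCHEMA_BY_SOURCE = {"atna-audit": "DICOM Supplement 95", "rad-audit": "IHE Radiology interim"}

def build_audit_xml(event_code, user_id, audit_source_id, patient_id, when):
    """Minimal AuditMessage in the DICOM Supplement 95 / RFC 3881 element vocabulary."""
    root = ET.Element("AuditMessage")
    ev = ET.SubElement(root, "EventIdentification", EventActionCode="R",
                       EventDateTime=when.strftime("%Y-%m-%dT%H:%M:%SZ"), EventOutcomeIndicator="0")
    ET.SubElement(ev, "EventID", code=event_code)
    ET.SubElement(root, "ActiveParticipant", UserID=user_id, UserIsRequestor="true")
    ET.SubElement(root, "AuditSourceIdentification", AuditSourceID=audit_source_id)
    ET.SubElement(root, "ParticipantObjectIdentification", ParticipantObjectID=patient_id,
                  ParticipantObjectTypeCode="1")   # 1 = person
    return ET.tostring(root, encoding="unicode")

def build_syslog(hostname, tag, xml_body, when):
    """Frame the XML as an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded, 15 chars total
    line = f"<{PRI}>{ts} {hostname} {tag}: {xml_body}"
    if len(line.encode()) > MAX_SYSLOG_LEN:
        raise ValueError("audit message exceeds the 32768-byte ATNA limit")
    return line

def parse_syslog(line):
    """Repository side: validate framing, pick the schema from the source tag, parse the XML."""
    if len(line.encode()) > MAX_SYSLOG_LEN:
        raise ValueError("oversized syslog message rejected")
    pri_end = line.index(">")
    pri = int(line[1:pri_end])
    rest = line[pri_end + 1:]            # "Mmm dd hh:mm:ss HOSTNAME TAG: MSG"
    hostname, tag_and_msg = rest[16:].split(" ", 1)
    tag, msg = tag_and_msg.split(": ", 1)
    schema = SCHEMA_BY_SOURCE.get(tag)
    if schema is None:
        raise ValueError(f"unknown audit source {tag!r}: cannot choose a schema")
    return pri, hostname, tag, schema, ET.fromstring(msg)

def send_udp(line, host, port):
    """Destination host and port are configuration, as ATNA requires of clients."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode(), (host, port))
```

A real repository would additionally validate the parsed XML against the schema named by the source tag; the lookup here only shows how the source field selects it.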
12. Consistent Time (CT)
Network Time Protocol (NTP) version 3 (RFC 1305) for time synchronization.
Actor must support manual configuration for NTP sources.
Required accuracy: 1 second.
Options:
• SNTP (Simple Network Time Protocol)
• Secure NTP
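The NTP version 3 exchange behind the CT requirement, as an added example that is not part of the original slides: it builds a Mode 3 client packet, a constructed Mode 4 reply, and applies the RFC 1305 offset and delay formulas to check the 1-second bound. The timestamps are constructed values; stratum 0 is treated as "not synchronized", which is an assumption about the deployment rather than an IHE rule.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
REQUIRED_ACCURACY_S = 1.0      # IHE Consistent Time: clocks must agree within 1 second
PACKET = "!BBBb11I"            # 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, 11 words

def to_ntp(unix_ts):
    """Unix float seconds -> (seconds, fraction) of a 64-bit NTP timestamp."""
    secs = int(unix_ts) + NTP_EPOCH_DELTA
    return secs, int((unix_ts - int(unix_ts)) * (1 << 32))

def from_ntp(secs, frac):
    return secs - NTP_EPOCH_DELTA + frac / (1 << 32)

def build_request(t1_unix):
    """Client packet: LI=0, VN=3, Mode=3 (client); Transmit Timestamp carries T1."""
    first = (0 << 6) | (3 << 3) | 3
    return struct.pack(PACKET, first, 0, 0, 0, *([0] * 9), *to_ntp(t1_unix))

def build_response(request, t2_unix, t3_unix, stratum=2):
    """Constructed server reply (Mode 4): Originate <- client Transmit, Receive = T2, Transmit = T3."""
    f = list(struct.unpack(PACKET, request))
    f[0] = (0 << 6) | (3 << 3) | 4
    f[1] = stratum
    f[9], f[10] = f[13], f[14]          # words 9-10 = Originate, 11-12 = Receive, 13-14 = Transmit
    f[11], f[12] = to_ntp(t2_unix)
    f[13], f[14] = to_ntp(t3_unix)
    return struct.pack(PACKET, *f)

def evaluate_response(response, t1_unix, t4_unix):
    """RFC 1305 offset/delay from the four timestamps, plus the CT 1-second check."""
    f = struct.unpack(PACKET, response)
    version, mode = (f[0] >> 3) & 7, f[0] & 7
    if version != 3 or mode != 4:
        raise ValueError(f"unexpected NTP version {version} / mode {mode}")
    if f[1] == 0:                        # assumption: stratum 0 means the server is unsynchronized
        raise ValueError("stratum 0: server is not synchronized")
    t1 = from_ntp(f[9], f[10])
    if abs(t1 - t1_unix) > 1e-6:        # reply must echo our T1, else it is not for this request
        raise ValueError("originate timestamp does not match our request")
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4_unix)) / 2   # how far the local clock is from the server
    delay = (t4_unix - t1) - (t3 - t2)          # round-trip network delay
    return offset, delay, abs(offset) <= REQUIRED_ACCURACY_S
```

Against a manually configured NTP source, the same functions work over UDP port 123: send `build_request(time.time())`, receive 48 bytes, and pass them with the send and receive times to `evaluate_response`.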