What IHE Delivers: Radiology Option for Audit Trail and Node Authentication
IHE Vendors Workshop 2006, IHE IT Infrastructure Education
Robert Horn, Agfa Healthcare (September, 2005)

TRANSCRIPT

Page 1: What IHE Delivers

Radiology Option for Audit Trail and Node Authentication
IHE Vendors Workshop 2006
IHE IT Infrastructure Education
Robert Horn, Agfa Healthcare
September, 2005

Page 2: IT Infrastructure Profiles

2004
• Patient Identifier Cross-referencing for MPI (PIX)
• Retrieve Information for Display (RID)
• Consistent Time (CT)
• Patient Synchronized Applications (PSA)
• Enterprise User Authentication (EUA)

2005
• Patient Demographic Query (PDQ)
• Cross Enterprise Document Sharing (XDS)
• Audit Trail and Node Authentication (ATNA)
• Personnel White Pages (PWP)

2006
• Document Digital Signature (DSG)
• Notification of Document Availability (NAV)
• Patient Administration/Management (PAM)

Page 3: Audit Trail and Node Authentication (ATNA) + Radiology Option

Defines basic security features for an individual system for use as part of the security and privacy environment for a healthcare enterprise.

• Provides host-level authentication, which is used in conjunction with the user authentication from EUA and XUA.
• Provides an audit trail mechanism for monitoring activities related to security and patient privacy.

Page 4: ATNA Compatibility with Basic Security

"But, what if I already have systems that support Basic Security?"

• ATNA + Radiology Option is backward compatible with Basic Security.
• Integration Statements should change the support claim from "Basic Security" to "Radiology Option for ATNA".

Page 5: ATNA Value Proposition

Protect Patient Privacy and System Security:
• Meet ethical and regulatory requirements.

Enterprise Administrative Convenience:
• Unified and uniform auditing system.
• A common approach from multiple vendors simplifies the definition of enterprise policies and protocols.
• A common approach simplifies administration.

Development and support cost reduction through code re-use:
• Allows vendors to leverage a single development effort to support multiple actors.
• Allows a single development effort to support the needs of different security policies and regulatory environments.

Page 6: ATNA Assets Protected

Patient and Staff Safety
• ATNA provides minor protections by restricting network access.
• Most safety-related protection is elsewhere in products.

Patient and Staff Health
• As with safety, ATNA provides only minor protection.

Patient and Staff Privacy
• Access control at the node level can be enforced.
• Audit controls at the personal level are supported.
• Note that in Europe the laws contain significant staff privacy protections, not just patient privacy protections.

Page 7: ATNA Security Requirements

Reasons: Clinical Use and Privacy
• Authorized persons must have access to the medical data of patients, and the information must not be disclosed otherwise.
• Unauthorized persons should not be able to interfere with operations or modify data.

By means of procedures and security mechanisms, guarantee:
• Confidentiality
• Integrity
• Availability
• Authenticity

Page 8: ATNA Security Measures

Authentication: establish the user and/or system identity; answers the question "Who are you?"
• ATNA defines: how to authenticate network connections.
• ATNA supports: user authentication mechanisms, e.g. Enterprise User Authentication (EUA) or Cross Enterprise User Authentication (XUA).

Authorization and Access Control: establish the user's ability to perform an action, e.g. access to data; answers the question "Now that I know who you are, what can you do?"
• ATNA defines: how to authorize network connections.
• ATNA requires: system-internal mechanisms for both local and network access.

Page 9: ATNA Security Measures (continued)

Accountability and Audit Trail: establish a historical record of a user's or system's actions over a period of time; answers the question "What have you done?"
• ATNA defines: the audit message format and transport protocol.

Page 10: ATNA IHE Goal

IHE makes cross-node security management easy:
• Only a simple manual certificate installation is needed, although more sophisticated systems can be used.
• Separate the authentication, authorization, and accountability functions to accommodate the needs of different approaches.
• Enforcement driven by a posteriori audits and real-time visibility.

Page 11: ATNA Integrating Trusted Nodes

[Diagram: System A and System B, each a Secured System, connected over a Secure Network; both feed a Central Audit Trail Repository.]

Secure network:
• Strong authentication of the remote node (digital certificates).
• Network traffic encryption is not required; it is optional.

Secured system:
• Local access control (authentication of the user).
• Audit trail with real-time access and time synchronization.

Page 12: ATNA Suitable Network Environments

Physically secured networks
• Explicit physical security preventing access by other nodes, or
• VPN and VLAN technologies that provide equivalent network isolation.

Protected networks
• Physical security that prevents modification or installation of unauthorized equipment.
• The network is shared with other authorized nodes within the enterprise that should not have unrestricted access to patient information.

Unprotected networks
• Not generally supported, although nodes with sufficient node-level security and using encryption may be safe.

Page 13: ATNA Node Security

• ATNA specifies some of the capabilities that are needed, e.g. access control.
• ATNA does not specify policies.
• ATNA does not specify mechanisms, although other IHE profiles like EUA are obvious candidates.
• This permits vendors and enterprises to select technologies and policies that are appropriate to their own purposes without conflicting with the ATNA profile.

Page 14: ATNA Node Authentication

• X.509 certificates for node identity and keys.
• TCP/IP Transport Layer Security protocol (TLS) for node authentication, and optional encryption.
• Secure handshake of both parties during association establishment:
  – Identify the encryption protocol (cipher suite).
  – Exchange session keys.
• The actor must be able to configure the certificate list of authorized nodes.
• ATNA presently specifies mechanisms for HTTP, DICOM, and HL7.
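The configurable list of authorized node certificates is the entire trust model of the slide above: a connection is accepted only when the peer presents a certificate that is on the local list, and a node with a perfectly valid certificate that is not on the list is refused. The Go program below is an added example written for this page, not IHE or Agfa code. It generates self-signed certificates for three hypothetical nodes (pacs.example.org, ct1.example.org and rogue.example.org), loads each side's authorized list into a certificate pool, and runs a mutually authenticated TLS handshake over a loopback TCP connection, so the listed CT gets through and the unlisted node does not. It uses the Go standard library and TLS 1.2 or later rather than the TLS 1.0 of the 2005 profile.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newNodeCert makes a self-signed X.509 certificate and key for one secure
// node. No CA is involved: a node is trusted because its certificate has been
// installed in the peer's list of authorized nodes. Node names are made up.
func newNodeCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // Go matches ServerName against SANs, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the certificate is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// authorizedNodes is the configurable certificate list of nodes this node
// will talk to. Any peer certificate not on the list fails the handshake.
func authorizedNodes(nodes ...tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, n := range nodes {
		pool.AddCert(n.Leaf)
	}
	return pool
}

// connectNodes performs a mutually authenticated TLS handshake over loopback
// TCP. The server accepts only clients in serverTrusts; the client accepts
// only a server in clientTrusts. On success it returns the CommonName the
// server saw in the client's certificate.
func connectNodes(server, client tls.Certificate, serverTrusts, clientTrusts *x509.CertPool) (string, error) {
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // node authentication is mandatory
		ClientCAs:    serverTrusts,
		MinVersion:   tls.VersionTLS12,
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      clientTrusts,
		ServerName:   server.Leaf.Subject.CommonName,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()

	type result struct {
		peer string
		err  error
	}
	done := make(chan result, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- result{err: err}
			return
		}
		defer raw.Close()
		conn := tls.Server(raw, serverCfg)
		if err := conn.Handshake(); err != nil {
			done <- result{err: err} // e.g. client certificate not in the authorized list
			return
		}
		done <- result{peer: conn.ConnectionState().PeerCertificates[0].Subject.CommonName}
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil { // e.g. server certificate not in the client's authorized list
		ln.Close()
		<-done
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the client finishes before the server has checked the
	// client certificate, so the server's verdict is the one that counts.
	res := <-done
	return res.peer, res.err
}

func main() {
	pacs, _ := newNodeCert("pacs.example.org")
	ct, _ := newNodeCert("ct1.example.org")
	rogue, _ := newNodeCert("rogue.example.org")
	peer, err := connectNodes(pacs, ct, authorizedNodes(ct), authorizedNodes(pacs))
	fmt.Println("listed CT node:", peer, err)
	_, err = connectNodes(pacs, rogue, authorizedNodes(ct), authorizedNodes(pacs))
	fmt.Println("unlisted node: ", err)
}
```

The pool plays the role of the "certificate list of authorized nodes": because each entry is a self-signed certificate, membership in the pool is the only thing that makes a peer trusted, which is exactly the simple manual certificate installation the profile asks for. Swapping in a CA-issued chain would change the question from "is this exact node on my list?" to "was this node issued by a CA I trust?", which is a different, weaker policy unless the CA is tightly controlled.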

Page 15: Why Node Authentication

Many systems are shared access, e.g. CT systems, where the machine identity is more important than the operator's identity for security purposes.
• A CT operator is only permitted to update CT records from a CT system.

Some systems operate autonomously, e.g. a PACS archive.
• Knowing the identity of the PACS administrator on duty is not useful when monitoring PACS activity. There might be nobody logged in.

Machine access is usually controlled by the site administration.
• Even authorized users are not permitted to use personal machines.

Page 16: ATNA Auditing System

Designed for surveillance rather than forensic use.

Two audit message formats:
• IHE Radiology interim format, for backward compatibility with radiology.
• IETF/DICOM/HL7/ASTM format, for future growth:
  – DICOM Supplement 95
  – IETF draft for a Common Audit Message
  – ASTM E2147
  – HL7 audit informative documents

Both formats are XML-encoded messages, permitting extensions using the XML standard extension mechanisms.

Page 17: ATNA Auditable Events

Actor-start-stop: the starting or stopping of any application or actor.
Audit-log-used: reading or modification of any stored audit log.
Begin-storing-instances: the storage of any persistent object, e.g. DICOM instances, is begun.
Health-service-event: other health-service-related auditable event.
Images-availability-query: the query for instances of persistent objects.
Instances-deleted: the deletion of persistent objects.
Instances-stored: the storage of persistent objects is completed.

Page 18: ATNA Auditable Events (continued)

Medication: medication is prescribed, delivered, etc.
Mobile-machine-event: mobile equipment is relocated, leaves the network, rejoins the network.
Node-authentication-failure: an unauthorized or improperly authenticated node attempts communication.
Order-record-event: an order is created, modified, completed.
Patient-care-assignment: patient care assignments are created, modified, deleted.
Patient-care-episode: auditable patient care episode event that is not specified elsewhere.
Patient-record-event: patient care records are created, modified, deleted.

Page 19: ATNA Auditable Events (continued)

PHI-export: patient information is exported outside the enterprise, either on media or electronically.
PHI-import: patient information is imported into the enterprise, either on media or electronically.
Procedure-record-event: a procedure record is created, modified, or deleted.
Query-information: any auditable query not otherwise specified.
Security-administration: security alerts, configuration changes, etc.
Study-object-event: a study is created, modified, or deleted.
Study-used: a study is viewed, read, or similarly used.

Page 20: ATNA Record Audit Event

• BSD Syslog protocol (RFC 3164) is the interim approach while the IETF continues to resolve issues surrounding Reliable Syslog (RFC 3195).
• Audit trail events and content are based on IETF, DICOM, HL7, and ASTM standards. Also, the Radiology Basic Security audit event format is allowed for backward compatibility.
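Pages 16 and 20 together describe the wire format of one audit record: an XML message in the IETF/DICOM/HL7/ASTM schema, carried as the MSG part of a BSD syslog line. The Go program below is an added example written for this page, not IHE code; it builds the Node-authentication-failure event from the slide above, wraps it in an RFC 3164 line, and parses it back the way an Audit Record Repository would. It assumes the element and attribute names of the RFC 3881 / DICOM Supplement 95 schema (the IETF draft named on page 16 became RFC 3881), the DICOM codes 110113 "Security Alert" and 110126 "Node Authentication", syslog facility 10 and severity 5 (PRI 85), and hostnames and addresses that are made up.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Audit message structures using the element and attribute names of the
// IETF/DICOM/HL7/ASTM schema (RFC 3881 / DICOM Supplement 95). Only the
// parts needed for a node-authentication-failure record are modelled.
type AuditMessage struct {
	XMLName      xml.Name                  `xml:"AuditMessage"`
	Event        EventIdentification       `xml:"EventIdentification"`
	Participants []ActiveParticipant       `xml:"ActiveParticipant"`
	Source       AuditSourceIdentification `xml:"AuditSourceIdentification"`
}

type CodedValue struct {
	Code           string `xml:"code,attr"`
	CodeSystemName string `xml:"codeSystemName,attr,omitempty"`
	DisplayName    string `xml:"displayName,attr,omitempty"`
}

type EventIdentification struct {
	ActionCode       string       `xml:"EventActionCode,attr"`
	DateTime         string       `xml:"EventDateTime,attr"`
	OutcomeIndicator int          `xml:"EventOutcomeIndicator,attr"`
	EventID          CodedValue   `xml:"EventID"`
	EventTypeCode    []CodedValue `xml:"EventTypeCode"`
}

type ActiveParticipant struct {
	UserID                     string `xml:"UserID,attr"`
	UserIsRequestor            bool   `xml:"UserIsRequestor,attr"`
	NetworkAccessPointID       string `xml:"NetworkAccessPointID,attr,omitempty"`
	NetworkAccessPointTypeCode int    `xml:"NetworkAccessPointTypeCode,attr,omitempty"` // 1 = machine name, 2 = IP address
}

type AuditSourceIdentification struct {
	AuditSourceID string `xml:"AuditSourceID,attr"`
}

// NodeAuthFailure builds the Node-authentication-failure event: the node at
// peerAddr failed to authenticate to the reporting node. The DCM codes
// (110113 Security Alert, 110126 Node Authentication) are assumed from
// DICOM Part 16; check them against the current edition before use.
func NodeAuthFailure(reporter, peerAddr string, when time.Time) AuditMessage {
	return AuditMessage{
		Event: EventIdentification{
			ActionCode:       "E", // Execute: an alert, not a create/read/update/delete of a record
			DateTime:         when.UTC().Format(time.RFC3339),
			OutcomeIndicator: 8, // serious failure
			EventID:          CodedValue{Code: "110113", CodeSystemName: "DCM", DisplayName: "Security Alert"},
			EventTypeCode:    []CodedValue{{Code: "110126", CodeSystemName: "DCM", DisplayName: "Node Authentication"}},
		},
		Participants: []ActiveParticipant{
			{UserID: reporter, NetworkAccessPointID: reporter, NetworkAccessPointTypeCode: 1},
			{UserID: peerAddr, UserIsRequestor: true, NetworkAccessPointID: peerAddr, NetworkAccessPointTypeCode: 2},
		},
		Source: AuditSourceIdentification{AuditSourceID: reporter},
	}
}

// Syslog facility 10 (security/authorization) and severity 5 (notice) are
// assumed here, giving PRI 85.
const syslogPRI = 10*8 + 5

// ToSyslog wraps the XML message in an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG
func ToSyslog(msg AuditMessage, host string, when time.Time) (string, error) {
	body, err := xml.Marshal(msg)
	if err != nil {
		return "", err
	}
	// "_2" pads a single-digit day with a space, as RFC 3164 requires.
	return fmt.Sprintf("<%d>%s %s ATNA: %s", syslogPRI, when.Format("Jan _2 15:04:05"), host, body), nil
}

var syslogLine = regexp.MustCompile(`(?s)^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) [^:\s]+: (.*)$`)

// Record is what the Audit Record Repository keeps from one received line.
type Record struct {
	Facility, Severity int
	Host               string
	Message            AuditMessage
}

// ParseSyslog is the repository side: split the syslog envelope and reject
// anything whose payload is not an AuditMessage.
func ParseSyslog(line string) (Record, error) {
	m := syslogLine.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Record{}, fmt.Errorf("not an RFC 3164 syslog line")
	}
	pri, _ := strconv.Atoi(m[1]) // the regexp guarantees one to three digits
	rec := Record{Facility: pri / 8, Severity: pri % 8, Host: m[2]}
	if err := xml.Unmarshal([]byte(m[3]), &rec.Message); err != nil {
		return Record{}, fmt.Errorf("payload is not an AuditMessage: %w", err)
	}
	return rec, nil
}
```

Two points worth noticing when reading the output: the XML carries its own EventDateTime, so the syslog timestamp (which has no year and no zone) is only transport metadata and the repository should index on the message's own time; and since RFC 3164 is plain UDP with no origin authentication, the repository's confidence in the HOST field rests entirely on the network being one of the "physically secured" or "protected" environments of page 12.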

Page 21: ATNA - Radiology Option

The Radiology Option for ATNA defines radiology-specific trigger events, in two main categories:

Security Events. For example: "The access permissions for Dr. Kildare were changed on the PACS" or "Node authentication between the CT scanner and the PACS failed".

Patient Privacy Events. For example: "Dr. Welby looked at Mrs. Smith's MR images and report on 6/29/05" or "Bob Jones' Renal US study was exported to a CD on 6/30/05".

Page 22: XDS Affinity Domain (NHIN sub-network)

[Diagram: an XDS Affinity Domain containing a Community Clinic (Lab Information System, PACS), a Teaching Hospital (PACS, ED Application, EHR System) and a Physician Office (EHR System, PMS). Documents move through Provide & Register Docs, Register Document, Query Document and Retrieve Document transactions against the XDS Document Registry and XDS Document Repositories. Every node reports to an ATNA Audit Record Repository (labelled Accountability) and maintains time against a CT Time Server. Arrows are labelled Export, Import and Query.]

Page 23: What it takes to be a secure node

• The entire host must be secured, not just individual actors.
• The entire host must have appropriate user access controls for identification, authentication, and authorization.
• All communications that convey protected information must be authenticated and protected from interception. This means every protocol, not just the IHE transactions.
• All health information activities should generate audit trails, not just the IHE actors.

Page 24: What it takes to be a secure node (continued)

The Secure Node is not a simple add-on of an auditing capability. The complete work effort includes:
• Instrumenting all applications to detect auditable events and generate audit messages.
• Ensuring that all communications connections are protected.
• Establishing a local security mechanism to protect all local resources.
• Establishing configuration mechanisms for:
  – Time synchronization using the Consistent Time (CT) profile
  – Certificate management
  – Network configuration
• Implementing the audit logging facility.

Page 25: IHE and PHI Protection

User Identity → PWP, EUA
User Authentication → EUA
Node Authentication → ATNA
Security Audit Trails → ATNA
Data Integrity Controls → CT, ATNA TLS option
Data Confidentiality → ATNA TLS option
Access Controls → future item in the IHE roadmap

Page 26: Consistent Time (CT)

• Network Time Protocol (NTP) version 3 (RFC 1305) for time synchronization.
• The actor must support manual configuration.
• Required accuracy: 1 second.
• Optionally, secure NTP may be used.
• Required for use of ATNA, EUA, XUA.
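The 1 second accuracy requirement is what makes audit records from different nodes comparable in the repository, and it is measured with the four timestamps of one NTP exchange. The Go program below is an added example written for this page, not IHE code: it encodes and decodes the 48-byte NTP v3 header of RFC 1305, applies the RFC 1305 offset and delay formulas, and checks the result against the CT limit. Because it must run offline, the server side is simulated with constructed timestamps (a node whose clock runs 2.5 s fast, 40 ms each way on the wire); the authenticator field that "secure NTP" appends is not modelled.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
const ntpEpochOffset = 2208988800

// ntpTime is the 64-bit NTP timestamp: 32 bits of seconds since 1900 and
// 32 bits of fraction.
type ntpTime uint64

func toNTP(t time.Time) ntpTime {
	secs := uint64(t.Unix() + ntpEpochOffset)
	frac := (uint64(t.Nanosecond()) << 32) / 1e9
	return ntpTime(secs<<32 | frac)
}

func (n ntpTime) Time() time.Time {
	secs := int64(n>>32) - ntpEpochOffset
	nanos := (int64(n&0xFFFFFFFF) * 1e9) >> 32
	return time.Unix(secs, nanos).UTC()
}

// Packet is the 48-byte NTP v3 header (RFC 1305). The optional
// authenticator that "secure NTP" appends is not modelled.
type Packet struct {
	LeapIndicator, Version, Mode         byte
	Stratum, Poll, Precision             byte
	RootDelay, RootDispersion, RefID     uint32
	Reference, Origin, Receive, Transmit ntpTime
}

func (p Packet) Encode() []byte {
	b := make([]byte, 48)
	b[0] = p.LeapIndicator<<6 | p.Version<<3 | p.Mode
	b[1], b[2], b[3] = p.Stratum, p.Poll, p.Precision
	binary.BigEndian.PutUint32(b[4:], p.RootDelay)
	binary.BigEndian.PutUint32(b[8:], p.RootDispersion)
	binary.BigEndian.PutUint32(b[12:], p.RefID)
	for i, ts := range []ntpTime{p.Reference, p.Origin, p.Receive, p.Transmit} {
		binary.BigEndian.PutUint64(b[16+8*i:], uint64(ts))
	}
	return b
}

func Decode(b []byte) (Packet, error) {
	if len(b) < 48 {
		return Packet{}, errors.New("ntp: packet shorter than 48 bytes")
	}
	ts := func(off int) ntpTime { return ntpTime(binary.BigEndian.Uint64(b[off:])) }
	return Packet{
		LeapIndicator: b[0] >> 6, Version: (b[0] >> 3) & 7, Mode: b[0] & 7,
		Stratum: b[1], Poll: b[2], Precision: b[3],
		RootDelay:      binary.BigEndian.Uint32(b[4:]),
		RootDispersion: binary.BigEndian.Uint32(b[8:]),
		RefID:          binary.BigEndian.Uint32(b[12:]),
		Reference: ts(16), Origin: ts(24), Receive: ts(32), Transmit: ts(40),
	}, nil
}

// ClientRequest is the mode-3 packet a node sends, with T1 in Transmit.
func ClientRequest(t1 time.Time) Packet {
	return Packet{Version: 3, Mode: 3, Transmit: toNTP(t1)}
}

// ServerReply stands in for an NTP server so the exchange can run offline:
// T1 is echoed in Origin, T2 (receive) and T3 (transmit) are the server's clock.
func ServerReply(req Packet, t2, t3 time.Time) Packet {
	return Packet{Version: req.Version, Mode: 4, Stratum: 2, Origin: req.Transmit, Receive: toNTP(t2), Transmit: toNTP(t3)}
}

// Offset applies the RFC 1305 clock-offset and round-trip-delay formulas to a
// reply received at local time t4. A reply that is not mode 4, or whose Origin
// does not echo our Transmit, is discarded: that is the minimum defence
// against a spoofed or replayed answer when plain (unauthenticated) NTP is used.
func Offset(req, reply Packet, t4 time.Time) (offset, delay time.Duration, err error) {
	if reply.Mode != 4 {
		return 0, 0, errors.New("ntp: not a server reply")
	}
	if reply.Origin != req.Transmit {
		return 0, 0, errors.New("ntp: reply does not match our request")
	}
	t1, t2, t3 := req.Transmit.Time(), reply.Receive.Time(), reply.Transmit.Time()
	offset = (t2.Sub(t1) + t3.Sub(t4)) / 2
	delay = t4.Sub(t1) - t3.Sub(t2)
	return offset, delay, nil
}

// MeetsConsistentTime reports whether the measured offset is within the
// 1 second accuracy CT requires.
func MeetsConsistentTime(offset time.Duration) bool {
	if offset < 0 {
		offset = -offset
	}
	return offset <= time.Second
}

func main() {
	trueNow := time.Date(2005, 9, 1, 10, 15, 0, 0, time.UTC)
	local := trueNow.Add(2500 * time.Millisecond) // constructed: this node's clock is 2.5 s fast
	req := ClientRequest(local)
	// Constructed reply: 40 ms each way on the wire, 1 ms inside the server.
	reply, _ := Decode(ServerReply(req, trueNow.Add(40*time.Millisecond), trueNow.Add(41*time.Millisecond)).Encode())
	offset, delay, err := Offset(req, reply, local.Add(81*time.Millisecond))
	fmt.Println(offset, delay, err, MeetsConsistentTime(offset))
}
```

A node that sees an offset outside the CT limit should treat its own audit timestamps as suspect until it has resynchronized; the Origin check in Offset is the part worth keeping even in toy code, since an unauthenticated NTP reply is the easiest way for an attacker on a "protected network" to make two nodes' audit trails disagree about when something happened.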
