Managing Trust in e-health with Federated Identity Management

Similar documents
CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Kantara Identity Assurance Framework Catalyzing an Identity Services Marketplace

Health Information Exchange - A Critical Assessment: How Does it Work in the US and What Has Been Achieved?

Mashing Up, Wiring Up, Gearing Up: Solving Multi-Protocol Problems in Identity

The Benefits of Strong Authentication for the Centers for Medicare and Medicaid Services

Accelerate Your Enterprise Private Cloud Initiative

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Making Privacy Operational

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

GlobalPlatform Addressing Unique Security Challenges through Standardization

(60 min) California State Updates

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

University of Cincinnati Federated Identity Strategy

Transforming Healthcare with mhealth Solutions.

ISAO SO Product Outline

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

SECURETexas Health Information Privacy & Security Certification Program

EMERGING TRENDS AROUND AUTHENTICATION

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

WEB-202: Building End-to-end Security for XML Web Services Applied Techniques, Patterns and Best Practices

California State Updates. Presenter: David A. Minch, President & COO, HealthShare Bay Area

April 2018 Page 1 of 14

Maryland Health Care Commission

Liberty Alliance Project

Identity Management: Setting Context

TEL2813/IS2820 Security Management

All Aboard the HIPAA Omnibus An Auditor s Perspective

Introduction to Device Trust Architecture

The Honest Advantage

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

BECOME TOMORROW S LEADER, TODAY. SEE WHAT S NEXT, NOW

Security Management Models And Practices Feb 5, 2008

The Next Frontier in Medical Device Security

Natural Security Alliance

California Trust Framework. Brief Report

The Value of ANSI Accreditation. Top 10 Advantages. of accredited third-party conformity assessment

Security and Privacy Governance Program Guidelines

Building an Assurance Foundation for 21 st Century Information Systems and Networks

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

01.0 Policy Responsibilities and Oversight

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Entity authentication assurance framework

Identity and capability management and federation

Select, simplify, fix: How Continua, IHE and other profiles contribute to making standards fit for purpose Michael Strübin, European Programme

Projecting and Budgeting Costs and Savings of HIPAA Compliance

Information Technology (CCHIT): Report on Activities and Progress

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

WELCOME. October 19, 2017 The Mandarin Oriental Washington, DC

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Approved 10/15/2015. IDEF Baseline Functional Requirements v1.0

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

HPH SCC CYBERSECURITY WORKING GROUP

Ohio Supercomputer Center

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

The ABCs of HIPAA Security

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Training and Certifying Security Testers Beyond Penetration Testing

HCISPP HealthCare Information Security and Privacy Practitioner

Is Your Compliance Strategy Putting Your Business at Risk?

Trusted Computing Group

Business White Paper IDENTITY AND SECURITY. Access Manager. Novell. Comprehensive Access Management for the Enterprise

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Forging the Link Between Global Interoperability and New Business Opportunities

white paper SMS Authentication: 10 Things to Know Before You Buy

CA Security Management

Achilles System Certification (ASC) from GE Digital

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Trust Services for Electronic Transactions

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

FiXs - Federated and Secure Identity Management in Operation

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

HIPAA Implementation: Steps to Creating a Budget for HIPAA Compliance

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

A NEW MODEL FOR AUTHENTICATION

A Quick Guide to EPCS. What You Need to Know to Implement Electronic Prescriptions for Controlled Substances

Cloud Security Alliance Quantum-safe Security Working Group

The simplified guide to. HIPAA compliance

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

Cloud Services. Infrastructure-as-a-Service

Cyber Risk and Networked Medical Devices

White Paper. The Evolution of RBAC Models to Next-Generation ABAC: An Executive Summary

Putting It All Together:

Novell Access Manager 3.1

LAW OF THE REPUBLIC OF KAZAKSTAN «ON CERTIFICATION»

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Smart Card Alliance Update. Update to the Interagency Advisor Board (IAB) June 27, 2012

2015 HFMA What Healthcare Can Learn from the Banking Industry

HIPAA AND SECURITY. For Healthcare Organizations

Cyber Security and Cyber Fraud

Enhancing Security With SQL Server How to balance the risks and rewards of using big data

My name is Joe Bhatia, and I am president and CEO of the American National Standards Institute.

Data Use and Reciprocal Support Agreement (DURSA) Overview

Development Authority of the North Country Governance Policies

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Medical Device Vulnerability Management

A company built on security

Healthcare and the Cloud:

Transcription:

ehealth Workshop Konolfingen (CH) Dec 4--5, 2007 Managing Trust in e-health with Federated Identity Management Dr. rer. nat. Hellmuth Broda Distinguished Director and CTO, Global Government Strategy, Sun Microsystems Inc. Spokesperson, Liberty Alliance; Member of the Business Marketing Expert Group Individual Member, SATW; Vice President, Scientific Advisory Board SATW

Healthcare Implications Healthcare is all about communities Patients Providers Insurances Pharmacy that need to share information Securely, with Strong Authentication, and Simplified Identity Management 2

Issues in Healthcare Healthcare: a complex landscape of interaction, information sharing and regulation Many systems and locations where authentication required Each system requires a different password or login Most systems don t interoperate/ talk to each other! Overall requirement to safeguard PHI Complexity reduces security Individuals and organizations must manage many identities Multiple points of vulnerability Adverse impact on interaction and privacy 3

Healthcare: A Complex Community Telemedicine Imaging Pharmacy Health Insurance Laboratory Services Family Doctor Patient Health Information Medical Specialist Research & Education Hospital Hospital Services Billing 4

Enter Liberty Liberty Alliance provides the means to build the Common Framework for e-health Technology Policy Knowledge Certifications Over 150 diverse member companies and organizations from around the world: Government organizations End-user companies System integrators Software and hardware vendors Huge adoption: Close to a billion identities already under Liberty standards 5

Who Is the Liberty Alliance? Consortium developing open standards For federated identity management In coordination with other standards groups Develops open specifications that anyone can implement Liberty does not deliver specific products or services Conformance testing & certification to ensure interoperability 30+ Liberty-enabled products and services currently available Addresses business & policy issues of identity Guidelines, best practices documents, checklists Support for global privacy regulations built into specs 6

Who is the Liberty Alliance? About 150 diverse member companies and organizations representing leaders in IT, mobility, government, service provision, system integration and finance from across the globe Management Board and Sponsor members include: 7

How We Can Build Trust The biggest concern of the principal/patient/customer is privacy Privacy does not mean that nobody knows nothing about me It is about managing the faith of the principal/patient/customer by adhering to the agreed scope and holding the information in trust Customers are afraid of Purpose Creep What could an architecture for privacy and trust management look like? 8

Security Management Identity Management Architecture for Trust Management Policy Authorization Authentication Identity Definitions A combination of business and technology practices which define how a relationship is conducted and services are performed A set of rules governing decisions about what the user can do: access to information, services or resources Assertion of validity of a set of credentials. Credentials express a person s identity. A Yes/No answer Basic set of information that creates a unique entity (a name with a corresponding 9 set of attributes)

Security Management Identity Management Architecture for Trust Management Policy Authorization Digitally Speaking... 4. Business practices to manage risk, enforce security/privacy, provide auditability. User, customer preferences, history, personalized services, 3. Determination of access rights to systems, applications and information: Match credentials against profiles, ACLs, policy Authentication Identity 2. Log on with a UID/PW, token, certificate, biometrics etc. A process that demands the prove that the person presenting them is indeed the person to which credentials were originally issued. accept or reject 1. User, customer, device facts, e.g., name, address, ID, DNA, keys; credentials, certificates 10 that were issued e. g. by a Certification authority

How People Will Trust Policies Policy and its audit have to be guaranteed and certified by a approved public or private independent organization, e. g.: Federal or State data protection agency TÜV (private institution) Audit firm Chamber of Commerce Postal Service or other basic service provider,... This can be achieved with defined processes and responsibilities similar to ISO 9000 ΦTrust is based on policies and the audit of those -- not just on security 11

Liberty's Structure Promotes Privacy and Security Federated structure means no single centralized data storage that would be vulnerable to attack End user has more control of data because permissions travel with data, guiding its use No global identifier--model protects against unauthorized data sharing 12

How it Happens Circle of Trust organizations and individuals Business relationships based on Liberty architecture & operational agreements Enables patients, physicians and healthcare organizations to safely share information in a secure and apparently seamless environment Principal e.g. Patient Principal Principal Principal e.g. Physician e.g.e.g. Physician Physician Identity Provider Identity Provider Authentication Authentication Federation Federation Discovery Service Discovery Service Personal Profile Personal Profile Circle of Trust Service Provider e.g. Hospital Without violating privacy Service Provider Identity-Based Web Service Provider e.g. eprescriptions.com Service Provider e.g. Pharmacy e.g. Physician 13

The Liberty Advantage Wide-spread adoption 1 billion identities under Liberty protocols Multiple vendor competition Freedom of choice Convergence with other standards e.g., SAML2.0, Shibboleth Federated authentication model No central point of failure Built on standards Works with existing legacy systems and future development plans Privacy & security best practices Create trust for all participants Conformance testing & certification Provides for multi-product interoperability 14

Benefits Of Liberty Standards Better information sharing among patient, physician, health insurance, pharmacy Leads to better patient outcomes Information is timely and coordinated Easier for doctor to use electronic systems No re-authentication required More secure for patient Personal health information shared in controlled manner Overall, better service to patient 15

Liberty s Global Membership ~ 150 diverse member companies and organizations representing leaders in IT, mobility, government, service provision, system integration and finance Management Board and Sponsor members include: 16

Accomplishments The de-facto standard for Identity Federation foundation and Web Services Over 1 billion federation-enabled touch-points Numerous case studies of successful deployments annual IDDY awards Global membership representing: enterprise deployers, vendors, governments, and non-profit organization Published Business and Policy guidelines for best practices in legal, privacy, and business deployments World-recognized Liberty Interoperable test and certification program. 17

Liberty Directions Educate the market Addressing Identity Management needs for a Web 2.0 Environment including: Full range of Identity Management use-case scenarios individual to enterprise Anonymous-to-strongly authenticated credential standards and privacy policies Worldwide privacy and government liaison Web-scalability smallest-to-largest systems Open and heterogeneous solution requirements Rich IdM client functionality for flexible deployments Help drive adoption 18

Need to Bring Together Disparate Identity Efforts New identity-related technologies are entering the market The development of generic web services standards has lagged behind identity web services standards Participation in open dialog between leaders followed silo development Despite recent convergence trends, only Liberty technologies have a certification program 19

Through an Open Approach Drive interoperability throughout the Internet Identity Layer Open the doors to collaboration Open up meetings Open up public forums & lists Grow liaison relationships with new communities Publish a huge inventory of previously confidential material The Concordia Program A public call for interop use cases for heterogeneous environments Expand certification program to meet the requirements 20

Concordia s Overarching Goal & Value Drive development of a ubiquitous, interoperable, privacy-respecting layer for identity Helps drive deployment costs down Assures implementers and deployers better success, greater productivity Leads to more commercial products and open source offerings=healthy market Opportunity for better realization of new service offerings Assure interoperability across this layer Deliver confidence to implementers and deployers in implementing today, successful interoperability tomorrow Open development process assures strong, cross-sector, cross-geography participation 21

If we don t act Loss of privacy Compliance regulations Unifying disparate models Lack of interoperability Integrating with legacy systems...all of which can be mitigated by Open technology standards Deployment policy guidance Independent 3rd-party certification 22

Liberty delivers solutions to real problems By Listening to the Market Collaborating with other relevant groups Documenting the requirements Developing specifications and guidelines to meet the needs Certify the products Continuous evolution and improvement 23

Organization 24

A sampling of vendor adoption 25

A sampling of deployment case studies 26

Exciting Current Activities openliberty.org Concordia Forum Identity Governance Framework MRD creation Advanced Client technical specification enhancements IDDY Awards second year Education & workshops Membership Agreement changes Open mail lists Public SIGs New Fee Structure New Membership Benefits structure 27

Call to Action: Join Us! Liberty brings value to our Healthcare members: Federated Identity Management provides plumbing standards that: Support key elements of interoperability Make it much easier for patients, providers and payers to share results of authentication Enable easier, faster compliance with government regulations Become Engaged: See the specifications and white papers at: www.projectliberty.org Become a member! Conformance and compliance testing that assure base levels of interoperability and functionality See also: User centric identity demo at: http://blogs.sun.com/hubertsblog For more information: https://www.projectliberty.org/resources/featured_verticals_health.php 28

Recommendation and Conclusion National and international interoperability with trust and privacy is key Build on existing standards Embrace Federated Identity for role based access and to protect patient's information Federated Identity scales much better than hierarchical approaches The Liberty Alliance is the ideal boiler plate to build the foundation for an interoperable national health network. Join the Alliance, talk to Sun (founder of the Alliance) 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback