1 Federated, Secure Trust Networks for Distributed Healthcare IT Services Alfred Weaver Samuel Dwyer Andrew Snyder Jim Van Dyke Tim Mulholland James Hu Xiaohui Chen Andrew Marshall

2 Industrial Informatics Applied to Healthcare Health Insurance Portability and Accountability Act of 1996 privacy of patient encounters security of patient data encryption of medical information when stored or transmitted access controls to retrieve information audit logs of data access

3 Healthcare Informatics Portal Common medical data portal doctors, patients, staff see a customized view allied health services exchange information electronically Authentication of users biometric and conventional methods Authorization of access role-based access control model Strong encryption of all data All built on a web services model

4

5

6 Federated, Secure Trust Networks for Distributed Healthcare IT Services Medical Data Portal Web Services Authorization Service Authentication Service Electronic Patient Record Rule Engines

7 Research Issues Authentication who are you? Mobile devices what capabilities do you have? Authorization what can you do? Encryption which algorithm? what length key? Shared trust off-network organizations

8 Authentication Can support legacy techniques user ID and passwords, challenge-response Newer identification technologies smartcards, access keys Biometric identification fingerprints, iris scans signature analysis, voice recognition keyboard dynamics face, hand, finger, ear geometry

9 Fingerprints 70 points of differentiation (loops, whirls, deltas, ridges) Even identical twins have differing fingerprint patterns False positive rate < 0.01% False negative rate < 1.5% Can distinguish a live finger; fast to enroll Inexpensive ($100-$200) for the reader

10 Iris Scans Iris has 266 identification degrees of freedom Identical twins have different iris patterns False positive rate < 0.01% False negative rate < 2% Does take some time and controlled lighting to enroll Pattern is stored as a data template, not a picture Some units control light to detect pupil dilation (prove live eye)

11 Mobile Devices Legitimate access is no longer limited to desktops or in-hospital devices Wave of the future includes PDAs (HP iPAQ Pocket PC h5455 with fingerprint scanner built-in) tablet PCs (handwriting recognition) cell phones (voice recognition) Personal authentication should work using the devices and capabilities available to the legitimate user

12 Fingerprints with Wireless PDA HP iPAQ h5455 with fingerprint scanner Thermal scanner detects live finger We wrote an authentication web service --send fingerprint pattern to service --compare against database of enrollees --confirm or deny identity --send confirmation to web portal --write cookie to device --cookie becomes an identification token containing: --who the individual is --how identity was confirmed --trust level of the identification --e.g., iris scan > fingerprint > password

13 Authorization Now that we know who you are, what are you allowed to do? Use role-based access control Roles for people with different privileges: attending physician referring physician medical fellows medical students physician consultants other healthcare staff (nurses) technologists (diagnostic imagery) technicians (lab results) patient Plus roles for other entities (insurance, pharmacy)

14 Authentication Rule Engine Identity token Access request Rules Hospital administration rule templates Authorization token

15 Authorization Rule Templates Attending Referring Fellow Student Technician Technologist Patient Insurance Billing Pharmacy Med records Can Can not Demographics Clinical notes Lab notes Diagnostic images Psych evaluation WhoAccess Electronic Patient Record

16 Authorization Rule Engine More complicated in practice doctor needs consultation doctor on vacation doctors practicing in groups surgeons, radiologists emergencies

17 Encryption Which encryption method? DES, 3DES, AES, RSA, others what length key? Unintended consequences UVA does 380,000 radiological exams annually produce 9 TB of data every year encrypting one 3 MB chest x-ray is no problem but CT and MR produces slices each slice is a file typical MR is 68 MB What is the workflow impact of encrypting/decrypting a 68 MB file each time it is touched?

18 Trust Networks Trust, legitimately established, should be shared across the enterprise pharmacies insurance companies outpatient services How does trust get quantified? How does trust get shared? WS-Trust does not yet provide guidance

19 Trust Networks 9 8 Identification tokens Authorization tokens Encryption Digital signature Trust credentials Dynamic negotiation of credentials Banks do this with ATMs; we need to do it among cooperating healthcare providers

20 Trust Authority Attribute Criterion 1 Criterion 2 … Criterion N Rating Identification Reliability False positive rate < 0.1% False negative rate < 1.0% Availability > out of 10

21 Electronic Prescriptions 1. Encrypt prescription (doctor, medicine, details) 2. Encrypt physician's identity token 3. Digitally sign message 4. Transmit to pharmacy 4. Check digital signature 5. Decrypt prescription 6. Decrypt physician's identity token 7. Is this a valid physician? 8. Send identity token to trust authority 9. Check how identity was established 10. Recover trust level 11. Is trust level acceptable? 12. Accept or reject

22 Summary of Issues Authentication Mobile access technologies Biometric identification Authorization rule engine Role-based access control Simplified rule administration Trust sharing Dynamic negotiation of trust credentials

23 Acknowledgements Funding for this project provided by: David Ladd and Tom Healy University Research Program Microsoft Research Microsoft Corporation