Presentation is loading. Please wait.

Presentation is loading. Please wait.

XDS Security ITI Technical Committee May, 2006. XDS Security Use Cases Prevent Indiscriminate attacks (worms, DOS) Normal Patient that accepts XDS participation.

Published byToby Gordon Modified over 8 years ago

Similar presentations

Presentation on theme: "XDS Security ITI Technical Committee May, 2006. XDS Security Use Cases Prevent Indiscriminate attacks (worms, DOS) Normal Patient that accepts XDS participation."— Presentation transcript:

1 XDS Security ITI Technical Committee May, 2006

2 XDS Security Use Cases Prevent Indiscriminate attacks (worms, DOS) Normal Patient that accepts XDS participation Patient asks for Accounting of Disclosures Protect against malicious neighbor doctor Patient that retracts consent to publish Provider Privacy Malicious Data Mining Emergency access data set VIP (movie star, sports figure) Domestic violence patient Daughter with sensitive tests, mental health, sexual health Guardian (cooperative)

3 Security Models Security protects Assets  In XDS the asset is the information in Reg & all Rep(s)  Confidentiality, Integrity, and Availability  Patient Safety trumps privacy (most of the time) Accountability options  Access Control model  Audit Control model Policy Enforcement options  Mutually agree to enforce Policies  Enforcement of policies centrally

4 Privacy Needs Protect against inappropriate disclosure Provide an Accounting of Disclosures Protect employee privacy Resulting in compliance with Laws and Regulations by the Legal Entity

5 Affinity Domain Policy Today there must be ONE policy Etc…

6 Classic n-Tier Security Client / Browser Application Server Database User Authentication User Interface Business Logic Policy Enforcement Data Index Data Values

7 Mapped to XDS EHR / Browser XDS Document Consumer Registry User Authentication User Interface Business Logic Policy Enforcement Repository A Repository B PIX Service PDQ Service ATNA Service Identity Svc RBAC Svc

8 XDS Affinity Domain (NHIN sub-network) Teaching Hospital PACS ED Application EHR System The Really Big Problem PMS Retrieve Document Register Document Query Document XDS Document Registry Provide & Register Docs XDS Document Repository A)The Registry is not the center, it is just a card catalogue to patient data. B)Disclosure happens on Export Physician Office EHR System B)A Retrieve does result in a permanent copy of the Document. C)The Document Consumer does agree to enforce policies forever

9 Current Solution to Big Problem Affinity Domain Policy (singular)  All ‘actors’ that participate must agree to enforce these policies XDS  Patient Centric Queries  Queries result in ONE patient exposed ATNA  Confidentiality, Integrity, Accountability  Accountability distributed  Access controls at point of care (sensitive to context) Enhanced locally by  EUA  PWP  DSIG Application specific (Not IHE specified)  RBAC, PMAC

10 XDS Affinity Domain (NHIN sub-network) Community Clinic Lab Info. System PACS Teaching Hospital PACS ED Application EHR System Physician Office EHR System Accountability PMS Retrieve Document Register Document Query Document XDS Document Registry ATNA Audit record repository CT Time server MaintainTime MaintainTime Maintain Time Provide & Register Docs XDS Document Repository ATNA Audit record repository

11 Today’s XDS Accountability Mitigation against unauthorized use  Investigate Audit log for patterns and behavior outside policy. Enforce policy  Secure Node requires appropriate Access Controls to enforce at the enterprise by XDS Source and Consumers Investigation of patient complaints  Investigate Audit log for specific evidence Support an Accounting of Disclosures  ATNA Report: XDS-Export + XDS-Import

12 XDS Security Use-Cases Supported Today  Prevent Indiscriminate attacks (worms)  Normal Patient that accepts XDS participation  Patient asks for Accounting of Disclosures  Patient that retracts consent to publish  Protect against malicious neighbor doctor  Provider Privacy Not directly supported with IHE technology  Emergency access data set  all XDS open, or no access  VIP  Don’t publish, or make special XDS  Domestic violence patient  Don’t publish any  Daughter with sensitive tests  Don’t publish, or make special XDS  Guardian (cooperative)  Local enforcement

13 Next Problem

14 Next Year Solution PCC – Basic Patient Consents enable the YELLOW policies  Enables more than one Policy to be defined and claimed Captured document with patient signature Captured document with patient signature Coded identifier to enable automated enforcement Coded identifier to enable automated enforcement  Enables data to be marked as to be controlled by a specific policy (Confidentiality Code)  Supporting Emergency Data Set, Clerical Data Set, Direct Caregiver Data Set.  ***Need query extensions to limit query results to those that match policy (Confidentiality Code) requested XDP  Can be used to handle sensitive data or sensitive patients

15 Conclusion IHE provides the necessary basic security for XDS today There is room for improvement Roadmap includes prioritized list of use-cases Continuous Risk Assessment is necessary at all levels  Product Design  Implementation  Organizational  Affinity Domain TODO: Include Risk Assessment Table and Map

16 Profile Security Considerations Volume 1 – Last section of the Profile description Volume 2 – Section for each Transaction Section Contents  Statement that a risk assessment has been done and is maintained in the IHE Risk Repository  Pre-Conditions – the expected environmental factors  Profile Specific Mitigations  Profile Unresolved Risks to be mitigated downstream

Download ppt "XDS Security ITI Technical Committee May, 2006. XDS Security Use Cases Prevent Indiscriminate attacks (worms, DOS) Normal Patient that accepts XDS participation."

Similar presentations

Profile Proposals IHE Cardiology 2007-2008. Proposals Image Enabled Office –Grouping of actors in top half of Scheduled Workflow into Practice Management.

Profile Proposals IHE Cardiology Proposals Image Enabled Office –Grouping of actors in top half of Scheduled Workflow into Practice Management.
IHE IT Infrastructure Domain Update

IHE IT Infrastructure Domain Update
What IHE Delivers Basic Patient Privacy Consents HIT-Standards – Privacy & Security Workgroup John Moehrke GE Healthcare.

What IHE Delivers Basic Patient Privacy Consents HIT-Standards – Privacy & Security Workgroup John Moehrke GE Healthcare.
September, 2005What IHE Delivers 1 Basic Patient Privacy Consents (BPPC) IHE Vendors Workshop 2006 IHE Patient Care Coordination Education

September, 2005What IHE Delivers 1 Basic Patient Privacy Consents (BPPC) IHE Vendors Workshop 2006 IHE Patient Care Coordination Education
September, 2005What IHE Delivers 1 IHE Quality Domain February 26, 2008.

September, 2005What IHE Delivers 1 IHE Quality Domain February 26, 2008.
XDS Security ITI Technical Committee May 27, 2006.

XDS Security ITI Technical Committee May 27, 2006.
IHE IT Infrastructure Domain Update

IHE IT Infrastructure Domain Update
PRESENTATION TITLE Name of Presenter Company Affiliation IHE Affiliation.

PRESENTATION TITLE Name of Presenter Company Affiliation IHE Affiliation.
June 28-29, 2005IHE Interoperability Workshop 1 Integrating the Healthcare Enterprise Cross-enterprise Document Sharing for Imaging (XDS-I) Rita Noumeir.

June 28-29, 2005IHE Interoperability Workshop 1 Integrating the Healthcare Enterprise Cross-enterprise Document Sharing for Imaging (XDS-I) Rita Noumeir.
Cross Community (XC) Profiles Karen Witting. Outline Vision – as described in 2006 IHE White Paper on Cross Community Exchange Existing – what has been.

Cross Community (XC) Profiles Karen Witting. Outline Vision – as described in 2006 IHE White Paper on Cross Community Exchange Existing – what has been.
September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT, EUA, PWP, DSIG IHE Vendors Workshop 2006 IHE IT Infrastructure Education Robert Horn,

September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT, EUA, PWP, DSIG IHE Vendors Workshop 2006 IHE IT Infrastructure Education Robert Horn,
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
IHE Security and Privacy John Moehrke GE Healthcare IHE ITI Technical Committee Member March 6, 2011.

IHE Security and Privacy John Moehrke GE Healthcare IHE ITI Technical Committee Member March 6, 2011.
Cross-Enterprise Document Sharing Cross-Enterprise Document Sharing Bill Majurski National Institute of Standards and Technology IT Infrastructure Co-Chair.

Cross-Enterprise Document Sharing Cross-Enterprise Document Sharing Bill Majurski National Institute of Standards and Technology IT Infrastructure Co-Chair.
This presentation prepared for Now is the time to initiate the one change that will have the most leverage across your business systems Patient Identity.

This presentation prepared for Now is the time to initiate the one change that will have the most leverage across your business systems Patient Identity.
Security Controls – What Works

Security Controls – What Works
Cross Domain Patient Identity Management Eric Heflin Dir of Standards and Interoperability/Medicity.

Cross Domain Patient Identity Management Eric Heflin Dir of Standards and Interoperability/Medicity.
Slide 1 Sharing Images without CDs, The Next Imaging Sea Change GE Healthcare Chris Lindop GE Healthcare Interoperability & Standards.

Slide 1 Sharing Images without CDs, The Next Imaging Sea Change GE Healthcare Chris Lindop GE Healthcare Interoperability & Standards.
Cross Domain Patient Identity Management Eric Heflin Dir of Standards and Interoperability/Medicity.

Cross Domain Patient Identity Management Eric Heflin Dir of Standards and Interoperability/Medicity.
What IHE Delivers Healthcare Provider Directories IHE IT Infrastructure Planning Committee Eric Heflin – Medicity/THSA.

What IHE Delivers Healthcare Provider Directories IHE IT Infrastructure Planning Committee Eric Heflin – Medicity/THSA.

Similar presentations

Ads by Google