Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sanzi-1 CSE5 810 CSE5810: Intro to Biomedical Informatics Dynamically Generated Adaptive Credentials for Health Information Exchange Eugene Sanzi.

Published byAugusta Eaton Modified over 8 years ago

Similar presentations

Presentation on theme: "Sanzi-1 CSE5 810 CSE5810: Intro to Biomedical Informatics Dynamically Generated Adaptive Credentials for Health Information Exchange Eugene Sanzi."— Presentation transcript:

1 Sanzi-1 CSE5 810 CSE5810: Intro to Biomedical Informatics Dynamically Generated Adaptive Credentials for Health Information Exchange Eugene Sanzi

2 Sanzi-2 CSE5 810Problem  Many stakeholders want easy access to new systems  Physicians need to access patient data, no matter where it may be  Researchers want access to de-identified data repositories  Data may be needed quickly  Emergency medical situations leave little time to gain proper authorization  Systems today still use outdated username/password techniques  Incorrect assumption that physicians have time and ability to register with these systems

3 Sanzi-3 CSE5 810Requirements  Need a way for physicians identify themselves to any system  Users possess an electronic ID that they can present for authentication  Provide a method for verifying that presented credentials are legitimate  Allow systems to automatically allow or deny different levels of access based on the presented credentials

4 Sanzi-4 CSE5 810 SolutionOverview Solution Overview  A physician gains access to different systems over the course of a career  Ex. - Access to their local hospital's data  Access may happen under different roles  Use the physician's system access history as a set of credentials  Each system grants a certificate if access is allowed  Physicians can collect these certificates into a digital wallet and present them as credentials  Systems can see which other systems have granted access

5 Sanzi-5 CSE5 810Certificates  Identity certificates are used to establish a user's identity  Public key cryptography is used to ensure that you are communicating with the certificate's owner  Certificates are issued by Certificate Authorities (CAs)  Certificate authorities establish user's identity by other means before issuing a certificate  Ex. Driver's license, SSN  You trust any valid certificate issued by a certificate authority that you trust  Certificate authorities sign the certificates they issue  The user inspects the signature, a valid signature proves it was issued by the certificate authority

6 Sanzi-6 CSE5 810Certificates

7 Sanzi-7 CSE5 810 AttributeCertificates Attribute Certificates  A specialized certificate that stores attributes in a key- value pair format  Attribute certificates are signed by an attribute authority rather than a certificate authority  Attribute certificates are connected to an identity certificate  An identity certificate may be tied to multiple attribute certificates  We will use this ability to store information related to user access  Save information on user role assigned by the system

8 Sanzi-8 CSE5 810 DIRECTProject DIRECT Project  Has the concept of a HISP (Health Information Service Provider)  Concept encapsulates systems needed for health exchange  HISPs must maintain their domain and a list of Trusted Anchors  Trusted Anchors are like root certificates  If one certificate in a certificate chain during the certificate validation process is found to be a trusted anchor, the leaf certificate is valid

9 Sanzi-9 CSE5 810 DIRECT Project

10 Sanzi-10 CSE5 810OIDs  HL7 OIDs are prefixed with the code 2.16.840.1.113883  There are 3 root branches  The 2 indicates that the root of this branch is managed by JOINT-ISO-ITU-T  Each number represents another branch in a hierarchy  HL7 controls all the children of this code  New OIDs can be generated by registering them with a node's registration authority  HL7 provides a form where new OIDs can be submitted and become part of the HL7 OID standard  A record of the user who submitted the OID is kept on record

11 Sanzi-11 CSE5 810 MedicalRoleOIDs Medical Role OIDs Source: https://www.hl7.org/oid /index.cfm

12 Sanzi-12 CSE5 810 Gaining Access  When John Smith wants to obtain access to a new system, he will:  Create a secure connection to the system  Decide which credentials he will send to gain access  Send the relevant identity and attribute certificates along with the request  If access is granted, John Smith will generate a new public/private key pair and receive a new identity and attribute certificate issued by the system's certificate and attribute authority  The system may choose to use a session-scoped Rule Certificate to define John's security policy

13 Sanzi-13 CSE5 810 DefiningAnAccessPolicy Defining An Access Policy  Each system defines a security policy that specifies constraints based on:  The user role  The type of data being accessed  Valid certificates presented  Provide a mapping from HL7 defined roles to the data that the system guards  Mappings for remote, automatically authenticated users may be different from the mappings given to local users

14 Sanzi-14 CSE5 810Example  John Smith wants to access research data on diabetes management from Day Kimball Hospital  He does not have any kind of affiliation with Day Kimball Hospital  He does have his digital wallet of certificates proving his active involvement in the field of medical research

15 Sanzi-15 CSE5 810 John Smith's Wallet

16 Sanzi-16 CSE5 810 Choose Relevant Credentials

17 Sanzi-17 CSE5 810 Send Request With Credentials

18 Sanzi-18 CSE5 810 Check Security Policy

19 Sanzi-19 CSE5 810 Generate Certificates

20 Sanzi-20 CSE5 810 John Smith's New Wallet

21 Sanzi-21 CSE5 810 JohnSmith'sNewWallet John Smith's New Wallet  John Smith adds the identity and attribute certificates issued to him to his digital wallet  He can now use the certificate issued to him by Day Kimball hospital to gain access to other new systems  Day Kimball Hospital can now identify him with his new identity certificate  John Smith could also make requests for Physician role access using his attribute certificates that name him a physician and the certificates given to him by Day Kimball Hospital

22 Sanzi-22 CSE5 810 FutureWork Future Work  Increase the granularity of security policies  Providers may want to allow/deny access based on location as in Access Control based on Attribute Certificates for Medical Intranet Applications  If a physician is requesting information for a specific patient they have already treated it may help the decision process  May require extension to attribute certificates  Security based on Access Time or Count  Someone who only accessed research data once 20 years ago for a school project should not have automatic access to research data now  Differentiate between certificates issued by an employer and certificates issued in an automatic fashion

23 Sanzi-23 CSE5 810 FutureWork Future Work  Increase efficiency  Validating long certificate chains is a time consuming process  Updates to saved attributes would result in needing to have the Attribute Authority resign attribute certificates  How can a physician regain proper credentials if a CA is compromised?  How to handle local practices which may not have a separation between certificate administration and the medical providers using certificates  Need a method for constraining what local CAs can do

Download ppt "Sanzi-1 CSE5 810 CSE5810: Intro to Biomedical Informatics Dynamically Generated Adaptive Credentials for Health Information Exchange Eugene Sanzi."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.

ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Similar presentations

Ads by Google