Cross-Enterprise Privacy Policy (XPP) Profile Proposal for 2008/09 presented to the IT Infrastructure Technical Committee Sören Bittins (eCR, Fraunhofer.


1 Cross-Enterprise Privacy Policy (XPP) Profile Proposal for 2008/09 presented to the IT Infrastructure Technical Committee
Sören Bittins (eCR, Fraunhofer ISST)
November 18th, 2008

2 Editors
Raik Kuhlisch, Jörg Caumanns (Fraunhofer ISST)
Christof Strack (SUN Microsystems)
Oliver Pfaff, Markus Franke (Siemens IT Solutions and Services)

3 Data Privacy and Protection (short)
Processing of medical information is generally forbidden but subject to the possibility of “authorisation” (refers technically to consent)
This authorisation is bound to a specific and limited “purpose”
The purpose as a key principle legally regulates the “context”
Finally, the context directly indicates the “actors” and their assigned “role” which are legally authorised to access the medical information
Inadequate implementation of the above may lead to:
  – Violation of the data protection regulations
  – Being forced to compensate for loss/damages suffered
  – Violation of the legal requirement concerning confidential and discreet medical communication with all its attached implications
  – Joint and personal liability for inappropriate risk management and assessment

4 Current Situation
Private practices or very small hospitals usually delegate all rights to all of the concerned workforce
Hospitals are utilising rather static RBAC or DAC systems with a potential organisational emergency override
Most legal requirements are merely enforced “organisationally”
Security measures are usually reactive and retrospective:
  – Access control rules usually grant more rights than required
  – Reliance on the audit trail if a breach is assumed / detected
Role and rights assignment is usually only intra-enterprise
Inconsistent enforcement of the patient’s consent to medical data processing in distributed, cooperative health care scenarios

5 Cross-Enterprise Policy Provision
XPP features the cross-enterprise retrieval of situation- and role-aware policies and the concrete enforcement of those policies
XPP directly manages, controls and filters the transactions and actors within a medical network
XPP may implement all core access control principles (RBAC, DAC, MAC) as well as the reflection of higher-level aspects (SoD)
XPP enables automatic and flexible situation-aware decisions:
  – Up-to-date reflection on the existence and contents of the patient’s consent
  – Limitations of the roles that may access a resource (Cardiologists only)
  – Controlled emergency override by a special policy
  – Distributed inter-enterprise policy retrieval and decisions in a federated and interconnected environment
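
The situation-aware decision listed on slide 5 (consent bound to a purpose, role limitation, controlled emergency override), sketched as a deny-by-default decision function. This is an added example, not part of the presentation or of the XPP profile; the data model, role names, identifiers and obligation strings are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Consent:              # hypothetical consent record, not an XPP schema
    patient: str
    purpose: str            # the purpose the authorisation is bound to
    roles: frozenset        # roles the patient authorised
    valid_until: date

@dataclass(frozen=True)
class Request:
    role: str
    patient: str
    purpose: str
    emergency: bool = False

# Assumption: roles allowed to invoke the emergency override policy.
EMERGENCY_ROLES = frozenset({"physician", "cardiologist"})

def decide(req, consents, today):
    """Return (decision, obligations); anything not explicitly permitted is denied."""
    for c in consents:
        if (c.patient == req.patient and c.purpose == req.purpose
                and req.role in c.roles and today <= c.valid_until):
            return "Permit", ("audit",)
    # Controlled override: a separate policy, limited to clinical roles,
    # that always carries an extra review obligation.
    if req.emergency and req.role in EMERGENCY_ROLES:
        return "Permit", ("audit", "review-emergency-access")
    return "Deny", ("audit",)

# Constructed sample data.
TODAY = date(2008, 11, 18)
CONSENTS = [
    Consent("patient-1", "treatment", frozenset({"cardiologist"}), date(2009, 6, 30)),
    Consent("patient-2", "treatment", frozenset({"cardiologist"}), date(2008, 1, 31)),
]

if __name__ == "__main__":
    for r in (Request("cardiologist", "patient-1", "treatment"),
              Request("nurse", "patient-1", "treatment"),
              Request("cardiologist", "patient-1", "research"),
              Request("cardiologist", "patient-2", "treatment"),
              Request("physician", "patient-2", "treatment", emergency=True)):
        print(r, "->", decide(r, CONSENTS, TODAY))
```

Every path, including the denial, returns an audit obligation, so the audit trail stays complete while the decision itself is made before access rather than after it.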

6 Authorisation Pattern (RFC2753, XACML,...)

7 Requirements for Cross-Enterprise Authorisation
Policy Pull vs. Policy Push
  – Optimisation of anticipated effort to discover and provide the matching policy
Functionality is implemented by a Security Token Service
  – Consistent and standards-based (WS-Trust) security layer
Separation of Policy Registry and Policy Repository
  – Policy lookup vs. policy retrieval
  – Policy semantics vs. policy encoding

8 Actors and Transactions

9 Proposed Standards & Systems
WS-Trust for policy retrieval
SAML for integrating policies into security tokens
XACML as a possibility for policy encoding
OASIS XSPA draft standard as a reference
Activities should be synchronized with the activities of HITSP and VA/HL7 on role-based access control policies

10 IHE Profile Grouping
XPP is designed to initially group with existing IHE ITI profiles:
XUA: for providing subject identity information and ensuring the authenticity of the policy assertions
PWP: as a policy information point for a subject’s attributes
ATNA: for auditing transactions and operating XPP actors as secure and mutually authenticated nodes
XDS: most prominent example for the actors and transactions to be safeguarded
More grouping may follow when other transactions that might benefit from XPP are identified and implemented

11 Expected Acceptance
It has been shown that the XPP actors and transactions can be implemented using standard “off-the-shelf” libraries:
  – Open Source eCR Reference Implementation (Fraunhofer ISST)
  – Security Framework for a large hospital chain (Siemens)
  – eCR implementation for a University Hospital (iSoft, Microsoft)
  – eCR implementation for a large municipal hospital (ISPro, SUN)
eCR v1.4 will incorporate the XPP Integration Profile:
  – 11 pilot projects together with hospitals that represent 15% of the German hospital market
  – Strong vendor involvement (Agfa, Siemens, NoemaLife, SUN, Microsoft, iSoft, Tieto Enator, ICW,...)
Austrian governmental initiative ELGA (electronic health record) is also aligning in this direction

