
PASS—Privacy, Security and Access Services

PASS—Privacy, Security and Access Services. Introduction to Security and Privacy Educational Session, HL7 WG Meeting, Sept. 2012. Don Jorgenson.


Presentation Transcript


  1. PASS—Privacy, Security and Access Services. Introduction to Security and Privacy Educational Session, HL7 WG Meeting, Sept. 2012. Don Jorgenson

  2. HL7 PASS Concept Diagram 0.1

  3. HL7 PASS Concept Diagram 0.1

  4. Candidate Access Control Logical Architectures

  5. HL7 PASS Access DSTU
     [Diagram: access control flow among Identity Provider, Policy Decision Service and Access Enforcement; hGrid 2.0 Project. Legend: Policy Enforcement Flow, Information Flow.]
     Steps as numbered on the diagram:
     1. Request Resource
     2. Request Authentication Status
     3. Return Authentication Token
     4. Request Project Credential
     5. Return Project Credential
     6. Request Resource Access Coordination
     7. Resource Access Decision Requested
     8. Decision Rules
     9. Decision Factors
     10. Return Decision Token: Deny, or Permit, or Permit with Provisions
     11. Request Resource
     12. Resource
     13. Resource (if Permit)
     14. Resource
     Standards and profiles listed:
     - SAML - hGrid profile of SAML
     - XACML - hGrid profile of XACML
     - WS-Trust - hGrid profile of WS-Trust
     - Encryption - FIPS 140-2 validated encryption
     - Secure Message - hGrid profile of WS-Security

  6. Representative Use Case
     [Diagram: trust token flows across a Trust Infrastructure and Trust Message Infrastructure.]
     Components shown: Radiologist Workstation, Image Data Service (IDS), Image Analysis Service (IMS), Authentication Service, Authorization Service – IMS, Authorization Service – IDS, Audit Service – IMS, Audit Service – IDS, Authorization Policies, Privacy Policies.
     Interactions labeled: SSO Log In, Request Access «PEP», Request Access Privacy «PEP», Image/Data.
     Legend (Trust Token Flow): Authentication Trust Token, Authorization Trust Token, Authentication Trust Token - Delegated, Audit Trust Token - Secure protocol.

  7. Security, Privacy and Grid Computing
     “This sharing is, necessarily, highly controlled, with resource providers and consumers defining clearly and carefully just what is shared, who is allowed to share, and the conditions under which sharing occurs. A set of individuals and/or institutions defined by such sharing rules form what we call a virtual organization (VO).” --Foster et al. in “The Anatomy of the Grid”

  8. Security/Privacy Framework—vHIN-based
     [Diagram: concept map.]
     Entities: Requestor, Resource, Access Enforcement, Resource Authority, Virtual HIN (vHIN), Identity Provider, Access Policy, Virtual Organization (VO), Access Requirements, Access Policy Decision, Trusted Information Source, Access Decision Information.
     Relationship labels: requires access to, protects, managed by, authenticates to, defines policy, requires, authorizes, defines, specifies, is a kind of, drives, uses, provides.

  9. Security, Privacy and Governance
     Access Decision Information Factors may include:
     - Requestor- Identity, Organization, Role
     - Purpose of request
     - Time of request
     - Privacy Preferences
     - Policy Decisions (remote)
     - Resource- Attributes
     Access Decision Policy Sources may include:
     - Jurisdictions- National, State
     - Organization (custodial)
     - hGrid 2.0 VO
     - Consumer- Patient, Delegate
     - Patient- Privacy Preferences
     Policy Decision Rules reference Decision Information (Decision Factor 1, 2, ... n; Policy 1, 2, ... m).
     [Diagram: Policy Enforcement Agent «PEP» («access»), Policy Decision Service «PDP», Policy Information Service «PIP», Resource.]
     Steps as numbered on the diagram:
     1. Request Resource
     2. Request Decision
     3. Request Decision Information
     4. Decision Information
     5. Decision
     6. Request
     7. Response
     8. Resource (if Permit)
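The PEP/PDP/PIP flow on slides 5 and 9, as an added example that is not part of the original presentation or of any HL7 or hGrid code. The attribute names, the rules, the sample records and the reading of "Provisions" as fields the PEP must withhold are all assumptions made for illustration.

```python
from datetime import time

DENY, PERMIT, PERMIT_WITH_PROVISIONS = "Deny", "Permit", "Permit with Provisions"

# Constructed decision information held by the PIP (all values hypothetical).
REQUESTORS = {"dr.lee": {"organization": "clinic-a", "role": "radiologist"}}
PRIVACY_PREFS = {
    "patient-17": {"allowed_purposes": {"treatment"}, "mask_fields": {"hiv_status"}},
    "patient-18": {"allowed_purposes": {"treatment"}, "mask_fields": set()},
}
# Constructed resources guarded by the PEP.
RESOURCE = {
    "patient-17": {"study": "CT chest", "hiv_status": "constructed-value"},
    "patient-18": {"study": "MR knee"},
}

def pip_lookup(requestor_id, patient_id):
    """«PIP», steps 3-4: return decision information, or None if a subject is unknown."""
    who, prefs = REQUESTORS.get(requestor_id), PRIVACY_PREFS.get(patient_id)
    if who is None or prefs is None:
        return None
    return {**who, **prefs}

def pdp_decide(requestor_id, patient_id, purpose, at):
    """«PDP», steps 2 and 5: apply decision rules to decision factors; anything unmatched is Deny."""
    info = pip_lookup(requestor_id, patient_id)
    if info is None:
        return DENY, set()
    if info["role"] != "radiologist":            # organization (custodial) policy, assumed
        return DENY, set()
    if not time(7, 0) <= at <= time(19, 0):      # time-of-request factor, assumed window
        return DENY, set()
    if purpose not in info["allowed_purposes"]:  # patient privacy preference
        return DENY, set()
    if info["mask_fields"]:
        return PERMIT_WITH_PROVISIONS, set(info["mask_fields"])
    return PERMIT, set()

def pep_request(requestor_id, patient_id, purpose, at):
    """«PEP», steps 1 and 6-8: release the resource only on a permit, enforcing provisions."""
    decision, provisions = pdp_decide(requestor_id, patient_id, purpose, at)
    if decision not in (PERMIT, PERMIT_WITH_PROVISIONS):
        return decision, None                    # fail closed on Deny or any unknown decision
    record = RESOURCE.get(patient_id, {})
    return decision, {k: v for k, v in record.items() if k not in provisions}
```

The PEP treats any decision it does not recognize as a denial, so a malformed or missing PDP response cannot release the resource.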

  10. Rhode Island Consent Gateway
     Access Decision Information Factors may include:
     - Requestor- Identity, Organization, Role
     - Purpose of request
     - Time of request
     - Privacy Preferences
     - Policy Decisions (remote)
     - Resource- Attributes
     Access Decision Policy Sources may include:
     - Jurisdictions- Federal, State
     - Organization (custodial)
     - RIQI
     - Consumer- Patient
     - Patient- Privacy Preferences
     Policy Decision Rules reference Decision Information:
     - Identity Proofed to NIST Level 3
     - Covered Entity?
     - RITC Membership?
     - Patient Consented?
     - Provider DSP Agreement Executed
     - Provider BA Agreement Executed
     Other labels on the diagram: HIPAA, X.509 Cert, RI.
     [Diagram: Patient, Direct Enforcement Agent «PEP», Consent Enforcement Agent «PEP», Policy Decision Service «PDP», Policy Information Service «PIP», RI State HIE.]
     Flow labels: 1. CCD Submitted; 2. Request Decision; Request Decision Information; Decision Information; Decision; 6. Deliver CCD; Consent Not Granted.

  11. Security, Privacy and Governance
     [Diagram: Governance Control Points.]
     Labels: Intermediary, hGrid 2.0 Monitor, Access Policy Enforcement, Grid Policy Enforcement, Resource Policy Enforcement, Proxy, hGrid 2.0 Service Request/Response.
