170 likes | 300 Vues
PKI in Healthcare Dave Barnett Systems Architect Kaiser Permanente dave.barnett@kp.org (925) 926-3520. Organization Background. Kaiser Permanente Medical Care Program First HMO (founded in 1945) Now in 11 states and District of Columbia 8 Million Members 11,000 Physicians
E N D
PKI in Healthcare Dave Barnett Systems ArchitectKaiser Permanentedave.barnett@kp.org(925) 926-3520
Organization Background • Kaiser Permanente Medical Care Program • First HMO (founded in 1945) • Now in 11 states and District of Columbia • 8 Million Members • 11,000 Physicians • 90,000 Employees • 30 Medical Centers • 360 Medical Facilities
PKI Project Business Drivers • Move duplicated functions (e.g. security) from applications to infrastructure • Electronic Healthcare Records and Services replacing paper based • Regulatory compliance • Health Insurance Portability and Accountability Act (HIPAA) • http://aspe.os.dhhs.gov/admnsimp/
PKI Project Business Drivers • Healthcare Community of Interest • California Medical Association estimates that each California Physician does business with 50 to 100 healthcare organizations • Considerable opportunity for e-business • Commerce (supplies, pharmaceuticals, etc.) • Patient services • Benefits (e.g., with Employer) • Referrals for Medical Services • Emergency Room
KP PKI Project Scope • KP PKI-enabled CIS (Clinical Information System) • First 2,500 users in September 2000 • Roll-out to 70,000 users • VPN/Extranet • Applications with Affiliates • EDI and e-business
KP PKI Project Scope • Secure E-mail (S/MIME) • Partner / Affiliate • Patient - Doctor • Web • Patient access to medical information and services • Partner and Affiliate access to resources • Interoperability demo with California Medical Association and Tunitas Group Healthcare PKI
Healthcare PKI Demo Project • California Medical Association • CA for California Physicians • See http://www.cmanet.org/ for information on MEDePass program • CMA Bridge CA • Will interoperate with KP Bridge CA • PKI Interoperability Demo Workshop • Kaiser Permanente, CMA, Blue Shield of California, Scripps, Hill Physicians, Social Security Admin, Pacificare, Catholic Healthcare West, Sutter, St. Joseph, etc. • http://www.tunitas.com/pages/PKI/pki.htm
Interoperability Issues • Healthcare Certificate Policies and Certification Practice Statements • Assurance of Identity • Certificate Profiles • Privilege Management (Future)
CP and CPS • Existing CP / CPS examples not useful • Policy and legal requirements of an organization that sells certificates and CA services different from Healthcare provider requirements • Healthcare Model Policy Creation and Support is Critical • ANSI HISB Meeting March 1 - 2 2000 (http://www.ansi.org/rooms/room_41/default.htm) • ASTM E31.20 Healthcare Model Policy only work in progress under ANSI • See E31 Committee at http://www.astm.org • See draft Healthcare Model Policy at http://www.tunitas.com/pages/PKI/docs/
Assurance of Identity • Assurance of Identity is one of the considerations for Assurance Level in CP • Healthcare Provider Certificate is a high value target • Allows impersonation of physician electronically • Identity assurance and authentication must be acceptable to industry and regulators • e.g., what would the DEA require for a digital signature for electronic prescriptions?
Profile Proliferation • Tendency for each organization, vendor, application, and community of interest to create a certificate profile • Need to converge on smallest number of profiles required (e.g., vertical industry community of interest) • Need to develop an X.509 v3 profile for Healthcare based on RFC 2459 and ASTM E31.20
Privilege Management • Access control and authorization can become very complex in Healthcare • Roles • Appointment Clerk, Billing, Physician, Radiologist, Lab, Psychiatric Social Worker, etc. • Content • HIV, Substance Abuse, Mental Health • National and State Regulations • Policy (organizational and departmental) • Context (Emergency Dept.) • Privilege changes may be frequent • Multiple roles not uncommon
Privilege Management • ITU and IETF proposing Attribute Certificates (X.509) for PMI • Open Group just approved Authorization API (aznAPI) as a standard for authorization • Not mutually exclusive • aznAPI can use Attribute Certificates as well as other approaches (e.g., rule or role based “authorization engine”)
Privilege Management • Standards not stabilized yet, products are very new • PMI can be very useful in Healthcare • Healthcare industry interest likely to grow in this area