This presentation examines the Identity Assurance Framework (IAF) within the Danish healthcare system from a practical perspective. It reviews three years of efforts in establishing Identity Based Web Services by MedCom and Danish Regions, highlighting the challenges due to the absence of standardization, defined authentication levels, and trust assurance criteria. The talk discusses the significance of governance in creating reliable trust relationships and introduces strategies to implement a federated ESB model for secure health information exchange, aligning with NIST guidelines to enhance treatment quality in Digital Health Denmark.
Liberty Alliance Identity Assurance Framework from a practical point of view ... in a Danish context
Jan Riis, jri lakeside.dk
IDTrust’08 - NIST - Gaithersburg - 2008-03-05
A little History
• Danish Healthcare has been working for 3 years with Identity Based Web Services
• 2005: MedCom and Danish Regions “competed” for the first standard/profile
• No governance towards standardization:
  • No authentication levels defined
  • No high-level architecture for WS communication
  • No criteria for assuring trust of key WSPs
Consequences
• Parties started out with 6 levels of “authenticity”
  • Some based on PKI
  • Some based on username/password
  • Some levels for “delegated trust” (systems vouching for user authenticity)
  • Some levels target cross-cutting security properties (non-repudiation of messages etc.)
There is a need for IAF!
• ITST standardized authentication levels in 2006 for all public systems
  • Directly referred to NIST work
• 2007: Health sector standards were aligned with national guidelines
• Without the national/international standards, this would not have happened!
Trust relationships?
• NIST authentication levels do not relate directly to “trust”
• So how will the concept of “trust” be used in Danish Health Care?
• Enter: “Digital Health Denmark”
  • Aims at increasing treatment quality by “enabling” access to all relevant information
A few years from now?
[Diagram: the parties in the future landscape - Public Regional Solutions, Other Health Solutions, Governmental services (e.g. public Medication/Prescription), Private Hospital Solutions, Private Practitioners Solutions]
Solution 1 - establish trust?
[Diagram: the same parties, each with its own STS, establishing pairwise trust with every other party’s STS]
Solution 2 - National ESB+PKI?
[Diagram: the same parties connected through a central “National ESB+STS solution”]
National Distributed ESB+PKI
[Diagram: the same parties connected through the “National ESB+STS solution”, now distributed]
Preconditions for implementation
• Based on a “Federated ESB” pattern
  • Other parties are now exposing services on the “National ESB”
  • Digital Health is responsible for QoS etc.
• Preconditions:
  • Common understanding of levels of authentication assurance
  • Very strong governance as to which criteria must be met to join the national ESB
  • Assessment criteria for services for the ESB
  • Accreditation and certification rules = many parts of IAF
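To make the two architectures and the preconditions concrete, here is an added illustration (not code from the talk, MedCom or Digital Health Denmark) of the trust decision a WSP on the national ESB would make: the token must come from an STS that governance has accredited, and its authentication assurance level must meet the level the service declared when it was assessed for the ESB. The credential-to-level mapping, the cap on “delegated trust” tokens, the accreditation list and all names are constructed assumptions; the helper at the end counts trust relationships for Solution 1 (pairwise STS) versus Solution 2 (one national STS).

```python
from dataclasses import dataclass
from typing import Optional

# NIST SP 800-63 assurance levels run 1..4; which credential kinds map to
# which level is an assumption made for this example.
CREDENTIAL_LEVEL = {"username_pwd": 2, "otp": 3, "pki_software": 3, "pki_hardware": 4}
DELEGATED_CAP = 2  # assumption: a system vouching for a user never exceeds level 2

# Constructed accreditation list: the STSs that governance has admitted to the ESB.
ACCREDITED_STS = {"national-sts", "region-north-sts"}

@dataclass(frozen=True)
class Token:
    issuer: str                       # STS that issued the token
    subject: str                      # the health professional
    credential: str                   # how the subject authenticated at the IdP
    vouched_by: Optional[str] = None  # system asserting the user ("delegated trust")

@dataclass(frozen=True)
class Service:
    name: str
    required_level: int               # assessment criterion fixed when joining the ESB

def effective_level(token: Token) -> int:
    """Assurance level the token actually conveys, after the delegated-trust cap."""
    level = CREDENTIAL_LEVEL.get(token.credential, 0)  # unknown credential -> no assurance
    if token.vouched_by is not None:
        level = min(level, DELEGATED_CAP)
    return level

def authorize(token: Token, service: Service) -> tuple[bool, str]:
    """Trust decision a WSP on the national ESB makes before serving a request."""
    if token.issuer not in ACCREDITED_STS:
        return False, f"issuer {token.issuer} not accredited to the ESB"
    level = effective_level(token)
    if level < service.required_level:
        return False, f"level {level} below required {service.required_level}"
    return True, f"accepted at level {level}"

def trust_relationships(domains: int, national_sts: bool) -> int:
    """Directed trust relationships to maintain: pairwise STS-to-STS (Solution 1)
    grows quadratically, one national STS (Solution 2) needs one per domain."""
    return domains if national_sts else domains * (domains - 1)

if __name__ == "__main__":
    meds = Service("public-medication", required_level=3)
    print(authorize(Token("national-sts", "dr-a", "pki_hardware"), meds))
    print(authorize(Token("national-sts", "dr-b", "pki_hardware", vouched_by="gp-system"), meds))
    print(authorize(Token("hospital-x-sts", "dr-c", "pki_hardware"), meds))
    print(trust_relationships(6, national_sts=False), trust_relationships(6, national_sts=True))
```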
Taking IAF further?
• IdPs/STSs are also WSPs
• My wish: separate the WSP assessment criteria from IAF and create “SPAF”
• Make IAF an IdP specialization of “SPAF”
Trust! Another example of IAF usage
• Health Professionals will once and again need access to other domains (other federations) via an IdP/STS
Thank You! Questions?