
Integrating the Healthcare Enterprise

This workshop focuses on the basic security measures required to integrate healthcare systems and ensure secure access to medical data. Topics covered include authentication, authorization, accountability, and audit trails. The goal is to establish a trusted network of nodes with limited administration and centralized audit trails. Participants will learn how to implement the Basic Security Profile and integrate secure nodes into their systems.

nfitts

Presentation Transcript


  1. Integrating the Healthcare Enterprise: Basic Security. Robert Horn, Agfa Healthcare. IHE Interoperability Workshop

  2. Basic Security (SEC)
     [Diagram of IHE integration profiles: Charge Posting; Presentation of Grouped Procedures; Reporting Workflow; Key Image Notes; Simple Image & Numeric Reports; NM Image; Consistent Presentation of Images; Evidence Docs; Access to Radiology Information; Portable Data for Imaging; Scheduled Workflow; Patient Info. Reconciliation; Post-Processing Workflow; Basic Security]

  3. Overview
     • Security Requirements
     • Actors and Transactions

  4. Security requirements
     • Reasons: Clinical Use and Privacy
     • Authorized persons must have access to medical data of patients, and the information must not be disclosed otherwise.
     • By means of procedures and security mechanisms, guarantee:
       • Confidentiality
       • Integrity
       • Availability
       • Authenticity

  5. Security measures
     • Authentication: Establish the user and/or system identity. Answers the question: "Who are you?"
     • Authorization and Access control: Establish the user's ability to perform an action, e.g. access to data. Answers the question: "Now that I know who you are, what can you do?"

  6. Security measures
     • Accountability and Audit trail: Establish a historical record of a user's or system's actions over a period of time. Answers the question: "What have you done?"

  7. IHE Goal
     IHE is establishing the first level of enterprise-wide security infrastructure for meeting privacy requirements (HIPAA and similar regulations worldwide).

  8. IHE Goal
     IHE makes cross-node security management easy:
     • Only a simple manual certificate installation is needed.
     • Healthcare professionals are not hindered by "complex" role-based access control. However, policies may restrict them to "need to know" information.
     • Enforcement is driven by a posteriori audits and real-time visibility.

  9. Integrating trusted nodes
     • Local access control (authentication of user)
     • Strong authentication of remote node (digital certificates)
     • Network traffic encryption is not required
     • Audit trail with:
       • Real-time access
       • Time synchronization
     [Diagram labels: Secured System, Secure network, System A, System B, Central Audit Trail Repository]

  10. Secured Domain: integrating trusted nodes
     [Diagram labels: Secured Node Actor, Other Actors, Central Audit Trail Repository, Time Server]

  11. Secured Domain: Limited Administration
     Audit Trail/Time Server + CA for certificates to each node
     [Diagram labels: Secured Node Actor, Other Actors, Central Audit Trail Repository, Time Server]

  12. Basic Security Integration Profile: Actor and Transaction diagram
     All existing IHE actors need to be grouped with a Secure Node actor.
     [Diagram: actors Audit Record Repository, Time Server, Secure Node, "Any" IHE actor; transactions Record Audit Event, Maintain Time, Authenticate Node]

  13. Basic Security Integration Profile: Actor grouping rules
     • If an actor wants to support the Basic Security Profile, this actor shall be grouped with a Secure Node actor.
     • All actors grouped with a Secure Node actor in an implementation must support the Basic Security Profile.

  14. Authenticate Node transaction
     • X.509 certificates for node identity and keys
     • TCP/IP Transport Layer Security Protocol (TLS) for node authentication, and optional encryption
     • Secure handshake protocol of both parties during Association establishment:
       • Identify encryption protocol
       • Exchange session keys
     • Actor must be able to configure certificate list of authorized nodes.

  15. Record Audit Event transaction
     • The BSD Syslog protocol (RFC 3164) for Audit Records
     • Audit trail events and content: no standard available at the time of writing.
     • IHE in Technical Framework: Use IHE-defined XML Schema for defined content in payload of Syslog message

  16. IT Infrastructure – Secure Node
     • The Radiology Basic Secure Node is also an IT Infrastructure Secure Node, but
     • IT Infrastructure adds:
       • Use of reliable syslog as an option
       • Audit messages defined by IETF, HL7, and DICOM. These accommodate more than just radiology uses. The secure node may use either format.

  17. More information
     • IHE Web sites:
       • http://www.himss.org/IHE
       • http://www.rsna.org/IHE
       • http://www.acc.org/quality/ihe.htm
     • Technical Frameworks:
       • ITI V1.0, RAD V5.5, LAB V1.0
     • Technical Framework Supplements - Trial Implementation
       • May 2004: Radiology
       • August 2004: Cardiology, IT Infrastructure
     • Non-Technical Brochures:
       • Calls for Participation
       • IHE Fact Sheet and FAQ
       • IHE Integration Profiles: Guidelines for Buyers
       • IHE Connect-a-thon Results
       • Vendor Products Integration Statements
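
The Authenticate Node transaction on slide 14 combines TLS with X.509 node certificates and a configurable list of authorized nodes. The following is an added example, not part of the original presentation or of any IHE reference code: it sketches the receiving side in Python, with the function names, the SHA-256 fingerprint list, and the TLS 1.2 floor all being assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value an administrator would record."""
    return hashlib.sha256(der_cert).hexdigest()

def build_node_context(certfile=None, keyfile=None, trusted_pem=None):
    """Server-side context that refuses peers without a trusted certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED            # peer certificate is mandatory
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumption: not stated on the slides
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # this node's own identity
    if trusted_pem:
        ctx.load_verify_locations(cafile=trusted_pem)  # CA or node certificates we trust
    return ctx

def peer_is_authorized(der_cert, authorized):
    """True only if the peer certificate is on the configured node list."""
    if not der_cert:
        return False
    seen = fingerprint(der_cert)
    return any(hmac.compare_digest(seen, fp.lower()) for fp in authorized)

def accept_node(ctx, listener, authorized):
    """Accept one connection; return the TLS socket, or None if the node is rejected."""
    conn, _addr = listener.accept()
    try:
        tls = ctx.wrap_socket(conn, server_side=True)  # handshake verifies the chain
    except (ssl.SSLError, OSError):
        conn.close()
        return None
    if not peer_is_authorized(tls.getpeercert(binary_form=True), authorized):
        tls.close()                                    # valid chain, but not on the list
        return None
    return tls

# Constructed stand-in bytes, not a real certificate.
NODE_A = b"constructed-der-bytes-for-node-a"
AUTHORIZED_NODES = {fingerprint(NODE_A)}
```

Chain validation alone admits every certificate the CA has issued; the fingerprint list is what limits the domain to the nodes an administrator has explicitly configured.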
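
The Record Audit Event transaction on slide 15 carries an XML audit record as the payload of a BSD syslog (RFC 3164) message, and slide 9 requires time synchronization between nodes. The following is an added example, not part of the original presentation: it builds such a message on the sending node and validates it at the repository, flagging clock skew. The `AuditRecord` element names, the `audit` tag, and the 5-second skew limit are placeholders, not the IHE-defined schema or values.

```python
import re
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
MAX_PACKET = 1024  # RFC 3164: a syslog packet must not exceed 1024 bytes
TAG = "audit"      # assumed TAG value; the slides do not name one
WIRE = re.compile(r"<(\d{1,3})>(\w{3}) ([ \d]\d) (\d\d):(\d\d):(\d\d) (\S+) "
                  + TAG + r": (.+)", re.S)

def build_audit_packet(host, user, event, when, facility=10, severity=5):
    """Sender side: <PRI>TIMESTAMP HOSTNAME TAG: XML payload."""
    # Placeholder elements, NOT the IHE-defined schema (not shown on the slides).
    root = ET.Element("AuditRecord")
    ET.SubElement(root, "Event").text = event
    ET.SubElement(root, "User").text = user
    xml = ET.tostring(root).decode("ascii")  # non-ASCII becomes &#NNN; references
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    packet = f"<{facility * 8 + severity}>{stamp} {host} {TAG}: {xml}".encode("ascii")
    if len(packet) > MAX_PACKET:
        raise ValueError("audit record does not fit in one RFC 3164 packet")
    return packet

def parse_audit_packet(packet, received, max_skew=timedelta(seconds=5)):
    """Repository side: validate framing, parse the payload, flag clock skew."""
    if len(packet) > MAX_PACKET:
        raise ValueError("oversized packet")
    m = WIRE.fullmatch(packet.decode("ascii"))
    if not m or m[2] not in MONTHS:
        raise ValueError("not an RFC 3164 audit message")
    if "<!DOCTYPE" in m[8] or "<!ENTITY" in m[8]:
        raise ValueError("DTD in payload rejected")  # no entity declarations
    root = ET.fromstring(m[8])
    # RFC 3164 timestamps carry no year or zone; assume the receiver's year.
    sent = datetime(received.year, MONTHS.index(m[2]) + 1, int(m[3]),
                    int(m[4]), int(m[5]), int(m[6]))
    pri = int(m[1])
    return {"facility": pri // 8, "severity": pri % 8, "host": m[7],
            "event": root.findtext("Event"), "user": root.findtext("User"),
            "sent": sent, "skewed": abs(received - sent) > max_skew}

# Constructed sample values, not taken from any real system.
SAMPLE = build_audit_packet("ct-scanner-01", "dr.müller", "PatientRecordViewed",
                            datetime(2004, 9, 7, 14, 3, 9))
```

A record marked `skewed` points at a node whose clock has drifted from the time server, which matters because the central audit trail is only useful if events from different nodes can be ordered.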
