A Distribution Network using PKI or PGP and Architecture Barriers
Presented by: Jared Davison
B. Inf Tech (QUT), B. Eng (QUT), M. IEEE, GradIEAust, AACS.
Software Engineer, Buderim GE Centre

Buderim Gastroenterology Centre
• Small privately owned day surgery
• 3 Specialists, 17 Staff
• Catchment area ~250,000
• Established 12 years

EHR
• Active HL7 R&D program since 1999
• HL7 USA member since 1999
• HL7 Australia member since inception

Electronic Records
• Developed HL7 system
• 35,000 patients
• 190,000 reports
• 250 GPs in the local area
• With copies: 244,000 individual recipients
• 1.3 copies per document
• Pathology dating to the start of PIT distribution by QML & S&N path.
• All outgoing clinical letters since 1991
• HL7 format for storage for all this = 750 MB

Report Distribution Trial
• Real-time HL7 Transmission of
  – Specialist reports
  – GP referrals
• > 12 months
• 240 connected doctors
• 22 specialists
• Sunshine Coast Division Allied Health
• Nursing Home
• 40,000 reports delivered (including copies to other recipient doctors)

Report Distribution Trial
• Integrated with existing practice software
  – GP computer systems
  – Specialist computer systems
• Report delivery into GP software is an unattended operation
• All transmission in HL7 format, encrypted & signed
• PIT conversion performed as necessary
• Imported by GP computer system – same as pathology import

Transmission
• Specialist report creation
  – Word Processor integration
  – HL7 based custom reporting clients

Transmission
• GP referrals
  – Captured from clinical practice software
  – Digitally signed with HESA PKI USB key
  – Encrypted with PKI certificates
  – Encrypted provider lookup
  – Zero configuration install
• Reports are delivered real-time

GP Referral
[Figure: GP referral showing the digital signature block]

Architectural & Technical Barriers to distribution network implementation
• Transport
• Recipient/Provider Addressing
• Delivery & Acknowledgment Protocols
• Security & Authentication
• Routing
• Use of standards – HL7

Transport
• Internet access assumed
• Consideration of OSI Layer 6 protocols
  – HL7 over Email
  – HL7 over HTTP
  – HL7 Lower Level Protocol

Transport - Email
• Advantages
  – Technical Simplicity
  – Widely accessible
  – Asynchronous (recipient need not be online when sending)
• Disadvantages
  – No acknowledgement of delivery
  – No guaranteed order of delivery
  – Spam filters / Spam
  – Backup Mail Servers
  – No sender authentication
  – No control over infrastructure quality
  – Blacklists

HL7 over HTTP
• Advantages
  – HL7 standard acknowledgement possible
  – Ability to reject connections
  – Industry standard
  – Ease of interoperability for 3rd parties
  – Connectionless, scalable
  – URL & Headers available for protocol variations
    • E.g. HTTP/1.1 keep-alive, content types
• Disadvantages
  – Need for full time internet presence

Chosen Transport
HL7 over HTTP
HL7 Lower Level Protocol
• Email supported – for compatibility & interoperability

Provider Addressing Issues
HIC Provider Numbers
• Advantages
  – Specified by Australian HL7 Standard
  – Ideal for doctors in private practice
  – Check digit scheme
  – Location Specific
  – Virtually always obtained (billing)

Provider Addressing Issues
HIC Provider Numbers
• Disadvantages
  – Not universal
  – Not all health care providers/facilities have HIC provider numbers
    • Public hospital doctors
    • Nursing homes
    • Allied health
    • Nursing staff
  – Only some sections of medical community have access to Provider number lists

An Addressing Solution
• A mixed solution
• HIC provider numbers used where available
• Proprietary identifiers used if no provider number
  – Disadvantage: some software only accepts provider numbers
• PKI key common name used for Author identification

Address/Recipient Lookup
• HL7 2.3 Master files
  – Defines messages for maintenance & query for providers using the STF segment
  – CH 8.3.3
• Solution: Master files implemented

HL7 Master Files Query

HL7 for Mere Mortals

Protocol
• Standard HL7 Delivery Protocol
• Message Acknowledgement
• E.g. ORU – ACK, REF – ACK (messages)
• Assumes
  – Internet server availability
  – Push model as new reports are sent unsolicited (ORU)
• Retry sending if ACK not received
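
The ORU/ACK exchange with retry from this slide, as an added example (not code from the presentation or from the software it describes). The message content, the `lossy_transport` stand-in for the network, and all function names are constructed for illustration; the field positions (MSH-10 control ID, MSA-1 acknowledgment code, MSA-2 echoed control ID) are those of HL7 v2.

```python
import time

# Constructed sample ORU^R01 message; identifiers and content are made up.
SAMPLE_ORU = ("MSH|^~\\&|SPEC|CLINIC|GP|PRACTICE|200401010000||ORU^R01|MSG0001|P|2.3\r"
              "OBX|1|FT|REPORT||Constructed sample report text\r")

def parse_segments(msg):
    """Map segment ID -> field list (first occurrence) for a pipe-delimited HL7 v2 message."""
    segs = {}
    for line in filter(None, msg.split("\r")):
        fields = line.split("|")
        segs.setdefault(fields[0], fields)
    return segs

def control_id(msg):
    # In MSH the separator itself counts as MSH-1, so MSH-10 sits at index 9.
    return parse_segments(msg)["MSH"][9]

def ack_accepts(ack, sent_id):
    """True only if MSA-1 is AA (application accept) and MSA-2 echoes our control ID."""
    msa = parse_segments(ack).get("MSA")
    return bool(msa) and len(msa) > 2 and msa[1] == "AA" and msa[2] == sent_id

def send_with_retry(msg, transport, attempts=3, delay=0.0):
    """Call transport(msg) -> ACK text or None until a matching AA arrives.
    Returns the attempt number that succeeded, or None if every attempt failed."""
    sent_id = control_id(msg)
    for attempt in range(1, attempts + 1):
        ack = transport(msg)
        if ack and ack_accepts(ack, sent_id):
            return attempt
        time.sleep(delay)
    return None

class Receiver:
    """Receiving side: a lost ACK causes a resend, so store once per control ID but ACK every copy."""
    def __init__(self):
        self.stored, self.deliveries = {}, 0

    def handle(self, msg):
        cid = control_id(msg)
        self.deliveries += 1
        self.stored.setdefault(cid, msg)
        return f"MSH|^~\\&|GP|PRACTICE|SPEC|CLINIC|200401010001||ACK|ACK{cid}|P|2.3\rMSA|AA|{cid}\r"

def lossy_transport(receiver, drop_acks=1):
    """Constructed stand-in for the network: delivers each message but loses the first ACK(s)."""
    lost = [0]
    def transport(msg):
        ack = receiver.handle(msg)
        if lost[0] < drop_acks:
            lost[0] += 1
            return None
        return ack
    return transport
```

With one ACK lost, the report reaches the receiver twice but is stored once, which is why a retrying sender needs a receiver that de-duplicates on the control ID.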

Protocol
• Problems
  – Many clients DO NOT or CAN NOT
    • open their networks (inadequate knowledge/skills)
    • have persistent internet connectivity
Some clients need to poll

Polling protocol
• Non-HL7 standard
• QRY.Z02 ORU.R01 (report downloads)
• ACK.R01 OK
• But the payload is HL7 standard!

Security & Authentication
• Encryption used for security
• Digital signatures used for all authentication
• 1024 bit public keys only
• Encryption Mechanisms:
  – X.509 HeSA Certificates & HIC PKI
  – Native PGP compatible (explicit trust model only)
• No usernames / passwords – (weak security)

Routing
• Enable communication between practices and doctors running independent systems.
• Manual configuration of connections between every practice is not feasible
  – Because the number of direct path configurations required is
    • n(n-1)/2 (where n is the number of independent systems)
• Internet enables virtual/potential connections

Routing
• Solution: use HL7 Master File messages to enable dynamic discovery of newly connected users
• Allow existing users to change their address without manual reconfiguration being required

Centralised vs. Distributed nets.
• Centralised (Star network)
  – Each node communicates with each other node via central point
  – Issues
    • Service availability
      – Network connections
      – Limited Processing capacity
    • Redundancy required
    • Serial communication
    • DDoS (distributed denial of service) attacks on hub
    • Vulnerability of stored/transit data (all eggs in one basket)
    • Natural disaster
      – E.g. earthquake

Centralised vs. Distributed nets.
• Distributed network (fully connected mesh)
  – Every node is able to communicate directly with any other node
  – Fewer points of failure in transit
  – Very powerful
    • Load sharing possibilities
  – Parallel communication
  – Very Fast
  – DDoS can at worst case affect limited nodes only
  – Robust to natural disasters

HL7 Support
• Workable delivery format at this time is HL7 ORU messages.
  – This is all we have delivered at this stage to GPs
• Minor modifications to messages are required depending on target application.
  – Satisfying import assumptions of software
  – No change to report payload.
• REF messages have potential in future
  – No support in practice software at present

HL7 Support
• By sticking to published standards we have had few compatibility problems
• Moral: Stick to Standards!

Putting it together
• The Software “Medical Objects”
• Currently undergoing beta testing
• Participants welcome

HL7 Servers
• Servers
  – Message encoding supported
    • HL7 v2.x (Classic & XML), PIT
  – Win32 platform
  – Multi-tier architecture
    • SQL database tier (Linux or Windows)
    • Application server tier
  – Replication supported (over HL7)
  – Standalone Service IIS (ISAPI) or Apache (module)
  – Run locally or in Application Service Provider (ASP) mode
  – Persists 10,000+ messages per hour (Athlon 1.5GHz, 7200 RPM, 512 RAM)
  – Serves queries many-many times more!!!
• Server Types
  – Lightweight GP receive only (file based db)
  – Gateway
  – Distribution
  – Practice
  – Provider Directory
  – Terminology
  – Routing

GP Solutions
• Receiving Specialist Messages
  – GP Reception Server
    • Acks messages and saves as files
    • Win 32 platform (95, 98, ME, NT4, 2000, XP, 2003)
  – Polling Client (works with Distribution Service)
    • Win 32 platform (95, 98, ME, NT4, 2000, XP, 2003)
      – Tray Icon service
      – NT service
    • Linux
    • Mac OS X
    • Any future HIC PKI Supported platform
    • Integrated PIT conversion
    • Acknowledged delivery
• Simple download setup 4.2MB
• Easy install – no reboots or downtime

GP Solutions
• Sending Referrals
  – Win32 (98, ME, 2000, XP, 2003)
  – PKI Signed referrals
  – HIC PKI Rainbow iKey required
  – Setup:
    • 2.7MB internet download
    • Zero configuration easy install
    • No reboots or downtime

Specialist Solution
• Sending Reports
  – Word Processor integration
    • Word 97, 2000, XP, 2003
    • Word Perfect 10
  – PKI signing possible
  – Setup
    • 3 MB download
    • Easy & quick install
    • No reboots