using hl7’s ccow standard to create secure information solutions colorado healthcare information...

Post on 20-Jan-2016


Using HL7’s CCOW Standard to Create Secure Information Solutions

Colorado Healthcare Information Systems Society (CHIMSS), January 12, 2001

Robert Seliger, President and CEO, Sentillion; Co-Chair, HL7 CCOW Committee

Copyright© 2001 Sentillion, Inc. All Rights Reserved

Secure?


Agenda

• HIPAA

• Digital Security

• CCOW

• Practical Security Solutions


HIPAA

Final regulations published December 28, 2000

See: http://www.hhs.gov/ocr/hipaa.html


HIPAA: Situation Statement

According to the American Health Information Management Association (AHIMA), an average of 150 people “from nursing staff to x-ray technicians, to billing clerks” have access to a patient’s medical records during the course of a typical hospitalization.*

* Standards for Privacy of Individually Identifiable Health Information; Final Rule, December 28, 2000, U.S. Dept. of Health and Human Services.

HIPAA: Approach

• Ensure the rights that an individual who is a subject of individually identifiable health information should have.

• Specify the procedures that should be established for the exercise of such rights.

• Define the uses and disclosures of such information that should be authorized or required.


HIPAA: Scope

1. Care, services, or supplies related to the health of an individual.

2. Health information maintained/transmitted electronically or via any other form or medium.


HIPAA: Philosophy

We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is “scalable.”)*

* Standards for Privacy of Individually Identifiable Health Information; Final Rule, December 28, 2000, U.S. Dept. of Health and Human Services.

HIPAA: Enforcement

HHS’s Office for Civil Rights:

1. Voluntary

2. Civil monetary penalties and referrals for criminal prosecution.


Digital Security

Authentication

Encryption

Non-Repudiation


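Digital Signatures

[Diagram: the sender computes a secure hash of the original message and encrypts the hash value with the private key to produce the signed message. The receiver decrypts that value with the public key, computes the secure hash of the received message, and compares the two values to obtain the verified message. Copyright © Jung Joo-won, 1996, http://simac.kaist.ac.kr/~jwjung/seminar/ssl-ca-inst/slides.en]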

Digital Encryption

[Diagram: the sender encrypts the original message with the public key to produce the encrypted message. The receiver decrypts it with the private key to recover the decrypted message. Copyright © Jung Joo-won, 1996, http://simac.kaist.ac.kr/~jwjung/seminar/ssl-ca-inst/slides.en]

Where Do Keys Reside?

Private Keys:

A “smart” card

Embedded in a device

On your personal computer

Public Keys:

In a file in “raw” form

In a signed file, known as a digital certificate


Digital Signature: Inherent Limitations

The verification process only establishes that the private key of the person whose public key is specified in the digital certificate was used to affix the digital signature.

This verification process is a post-signing mechanism and does not correspond to the trusted witnessing mechanism established within the traditional signature environment.*

* Non-Repudiation in the Digital Environment, Adrian McCullagh and William Caelli, First Monday, www.firstmonday.dk

CCOW

Multiple disparate applications:

labs, meds, cardiology, scheduling, billing, etc.

Users in need of easy access to data and tools:

physicians, nurses, therapists, administrators, etc.

Kiosk as well as personal workstations:

hospitals, clinics, offices, homes, etc.


CCOW Status

ANSI certified standard published by Health Level Seven

Uptake: 3M, Agilent, Bionetrix, CoreChange, Care Data Systems, Drager, DR Systems, Eclipsys, GE/Marquette, Medcon, Medscape, McKessonHBOC, Presideo, SpaceLabs/Burdick, Stockell, many others in 2001

Sites: Rex (1000), Marshfield Clinic (6500), St. Joes (1500), St. Als (2000), Cottage (2000), etc.

Co-Chairs:

Robert Seliger, Sentillion (founding co-chair)

Barry Royer, Siemens (SMS)

Michael Macalusso, McKessonHBOC

What They’re Saying …

“Originally an ad hoc group created to solve the problem of insuring common context between different applications in simultaneous use on the desktop, CCOW is capturing extremely important space in web browser and user security areas.”*

* CHIM Standards Insight, Feb. 7, 2000


Example: Patient Link

Nancy Furlow


Demonstration

Show it!


Architecture


Theory of Operation: Patient Link

(1) User selects the patient of interest using any application on the clinical desktop.

(2) Application tells the context manager to start a context change transaction and sets the context data to indicate the newly selected patient.

(3) Context manager tells patient mapping agent that a context change is occurring; mapping agent supplies the context manager with other identifiers by which the patient is known.

(4) Context manager tells the other applications that a new patient context has been proposed. The context manager surveys the applications to determine whether each can apply the new context.

(5) Each application indicates whether or not it can apply the new context.

(6) If one or more of the applications prefers not to, or cannot, apply the new context, the user is asked to decide whether to continue, cancel, or break the link. Otherwise, context change continues automatically.

(7) Context manager tells each application to apply the new context, or that the transaction has been canceled. If apply, then each application tunes to the new patient context.
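The seven Patient Link steps above, modeled as a small simulation. This is an added example, not code from the presentation or from the CCOW specification; the class and function names, the sample identifiers, and the exact effect of "break" (only the initiating application changes patient) are assumptions.

```python
# Added illustration of the Patient Link steps. All names are hypothetical,
# not identifiers from the HL7 CCOW specification.
from dataclasses import dataclass
from typing import Optional

@dataclass(eq=False)
class App:
    name: str
    id_domain: str                  # identifier domain this application uses
    busy: bool = False              # e.g. unsaved work: prefers not to switch
    patient: Optional[str] = None   # patient the application is tuned to

    def survey(self, proposed):     # step 5: can this app apply the context?
        return not self.busy and self.id_domain in proposed

# Constructed sample data: one patient known by a different ID in each system.
MPI = {("lab", "L-1001"): {"meds": "M-77", "billing": "B-5"}}

def mapping_agent(domain, patient_id):   # step 3: the patient's other identifiers
    return MPI.get((domain, patient_id), {})

class ContextManager:
    def __init__(self, apps, ask_user):
        self.apps, self.ask_user = apps, ask_user

    def change_patient(self, source, patient_id):
        # Step 2: the source app starts the transaction and sets the context data.
        proposed = {source.id_domain: patient_id}
        proposed.update(mapping_agent(source.id_domain, patient_id))
        # Steps 4-5: survey the other applications.
        others = [a for a in self.apps if a is not source]
        objectors = [a.name for a in others if not a.survey(proposed)]
        # Step 6: the user is asked only when at least one application objects.
        decision = self.ask_user(objectors) if objectors else "continue"
        # Step 7: apply or cancel. Assumed semantics for "break": only the
        # source app changes patient and the others keep the old context.
        if decision == "continue":
            for app in self.apps:
                app.patient = proposed.get(app.id_domain)
        elif decision == "break":
            source.patient = patient_id
        return decision, objectors

def run(busy_meds, user_choice):
    lab, meds, billing = App("lab", "lab"), App("meds", "meds", busy_meds), App("billing", "billing")
    cm = ContextManager([lab, meds, billing], ask_user=lambda objectors: user_choice)
    decision, objectors = cm.change_patient(lab, "L-1001")
    return decision, objectors, (lab.patient, meds.patient, billing.patient)
```

Because the applications change patient only in step 7, after the survey and any user decision, a cancelled transaction leaves every application on its previous patient.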

User Link

Conceptually, same as Patient Link:

Context change transaction

User mapping agent

Incorporates secure “Chain of Trust”:

Digitally signed communication between programs

No exchange of user passwords


Chain of Trust

Theory of Operation: User Link

(1) User signs on (enters logon name, password, swipes security card, etc.)

(2) Application authenticates the user and tells context manager the user’s logon name; authentication data is not passed on to the context manager.

(3) Context manager tells mapping agent context change is occurring; mapping agent supplies the context manager with other logon names for the user as known to each application.

(4) Context manager tells other applications that there is a new user context.

(5) Each application gets user’s application-specific logon name from the context manager.

(6) Context manager tells each application to apply the new context, or that the transaction has been canceled. If apply, then each application tunes to the new user context.
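The User Link steps above combined with the hash, sign and compare flow from the Digital Signatures slide, as an added example that is not code from the presentation or the CCOW specification. The message layout, names and sample users are assumptions, and the signature is textbook RSA over fixed toy primes, swapped in only to make each step visible; a real deployment would use a vetted library with padded signatures.

```python
# Added illustration of User Link's "chain of trust". Hypothetical names and
# message layout; textbook RSA on fixed toy primes is used ONLY to make the
# hash / encrypt-with-private-key / decrypt-and-compare steps visible.
import hashlib
import json

P, Q, E = 2**61 - 1, 2**89 - 1, 65537        # toy key material (constructed)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent, held by the app only

def digest(msg, n=N):                        # "secure hash" of the message
    raw = json.dumps(msg, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n

def sign(msg):                               # sender: encrypt hash with private key
    return pow(digest(msg), D, N)

class ContextManager:
    def __init__(self, trusted_keys, user_map):
        self.trusted_keys = trusted_keys     # app name -> (n, e) public key
        self.user_map = user_map             # user mapping agent data (step 3)
        self.user_context = {}

    def set_user(self, msg, signature):
        key = self.trusted_keys.get(msg.get("app"))
        if key is None or "password" in msg: # unknown sender, or secret passed on
            return False
        n, e = key
        if pow(signature, e, n) != digest(msg, n):   # receiver: decrypt and COMPARE
            return False
        # Steps 3-5: publish the user's application-specific logon names.
        self.user_context = self.user_map.get(msg["logon"], {})
        return True

# Constructed sample data: one user and her logon name in each application.
USER_MAP = {"jsmith": {"lab": "JS01", "meds": "smith_j"}}

def demo():
    cm = ContextManager({"lab": (N, E)}, USER_MAP)
    msg = {"app": "lab", "logon": "jsmith"}  # step 2: logon name only, no password
    sig = sign(msg)
    forged = dict(msg, logon="admin")        # altered after signing
    return cm.set_user(forged, sig), cm.set_user(msg, sig), cm.user_context
```

A successful check tells the context manager only that the registered application's private key signed the message, which is the limitation the Digital Signature slide describes.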

Practical Security Solutions: HIPAA Requirements & Implications

Requirements:

Authenticate user access of patient records

Audit user access of patient records

Upon request, inform patients of access to records

Implications:

Effective administrative processes

Practical security solutions


Practical Security Solutions: The Setting

• A building or campus of buildings

• A network within and between these buildings

• Connected to the Internet

• Caregivers, ancillary workers, patients, visitors, salesmen, etc.

• Computers everywhere

• Myriad patient-related applications

• Busy people

Practical Security Solutions: Key Considerations

Physical Protection

If can’t get at it, can’t have it

Limited Trust

If minimize dependencies, minimize exposure

User Friendliness

If easy to comply, people will

System Understandability

If don’t know how it works, won’t know if it works


CCOW-Based Security: Robust User Authentication

CCOW-Based Security: Single Sign-On

CCOW-Based Security: Roaming User Certificate

CCOW-Based Security: Context-Based Auditing

CCOW-Based Security: Context-Based Audit Reports

CCOW-Based Security: Context-Based Access Controls

CCOW-Based Security: Secure Network Appliance

CCOW-Based Security: Centralized Administration

CCOW-Based Security: Summary

Need                          Solution

Authenticate User Access      User Authenticator

Audit User Access             Context Audit Logs

Inform Patients of Access     Context Reporting

Physical Protection           Network Appliance

Limited Trust                 Central Administration

User Friendliness             Single sign-on

System Understandability      CCOW Standard

Conclusion

• HIPAA

• Digital Security

• CCOW

• Practical Security Solutions


Get Smart!

Robert Seliger

robs@sentillion.com

www.sentillion.com