Norsk Helsenett’s Secure Token Service (NTS):
Opportunities for centralized authentication and access control support
Peter Holmes (FHI)
Preliminaries
• Nasjonalt Folkehelseinstitutt (FHI) / Norwegian Institute of Public Health (NIPH):
– vision: “a healthier population”
– national competence institution for governmental authorities
– responsible for 10 of 15 central health registries
  • SYSVAK (vaccinations)
  • MSIS (communicable diseases)
  • DÅR (cause-of-death)
30 January 2013 NTS: centralized authentication and access control support
National health registries | Established | Responsible | Data processor
1. Causes of Death Registry | 1925/1951 | NIPH | Statistics Norway
2. Medical Birth Registry | 1967 | NIPH | NIPH
3. Registry of Pregnancy Termination | 1979/2007 | NIPH | NIPH
4. Norwegian Surveillance System for Communicable Diseases (MSIS) | 1977 | NIPH | NIPH
5. The Central Tuberculosis Registry | 1962 | NIPH | NIPH
6. National Immunisation Registry (SYSVAK) | 1995 | NIPH | NIPH
7. Norwegian Surveillance System for Antimicrobial Drug Resistance (NORM) | 2003 | NIPH | Univ. Hospital North Norway, Tromsø
8. Norwegian Surveillance System for Infections in Hospitals (NOIS) | 2005 | NIPH | NIPH
9. Norwegian Prescription Database (NorPD) | 2004 | NIPH | NIPH
10. Cancer Registry of Norway | 1952 | Helse Sør-Øst | Cancer Registry of Norway
11. Norwegian Patient Registry (NPR) | 1997/2007 | Norwegian Directorate of Health | Norwegian Directorate of Health, Trondheim
12. Norwegian Information System for the Nursing and Care Sector (IPLOS) | 2006 | Norwegian Directorate of Health | Statistics Norway
13. ePrescription | 2008 | Norwegian Directorate of Health | Ergo Group
14. Registry of the Norwegian Armed Forces Medical Services | 2005 | The Ministry of Defence | Armed Forces Medical Registry
15. Norwegian Cardiovascular Disease Registry | 2010 | NIPH | NIPH
Preliminaries (ii)
• Nasjonalt Folkehelseinstitutt (FHI):
– five scientific divisions
  • Infectious Disease Control
  • Environmental Medicine
  • Epidemiology
  • Mental Health
  • Forensic Toxicology and Drug Abuse Research
– …plus division for Public Relations and Institute Resources
Preliminaries (iii)
• own background:
– education: Computer Science and Engineering
– Norsk Regnesentral: applied research
– FHI: IT project leader
  • register modernization and harmonization
  • electronic data capture
• not a security expert nor technology wizard
• talk covers concepts and work started in 2008…
– demonstrated in 2012
– Norsk Helsenett has been NTS service developer and provider
– FHI has been service ”bestiller” (ordering party) and consumer
Preliminaries (iv)
• provisioning (authorization) vs. access control
– FHI: provisioning not yet managed within a centralized architectural component…
• personal certificates
– ”personlig kvalifisert sertifikat” (personal qualified certificate; Datatilsynet) vs. ”nivå 4” (level 4) login / authentication (ID Porten)
– privately acquired certificates vs. certificates from employing organization
Abbreviations & icons
• NHN
– Norsk Helsenett
– Norwegian Health Net
• DIFI
– Direktoratet for forvaltning og IKT
– Agency for Public Management and eGovernment
• Hdir
– Helsedirektoratet
– The Norwegian Directorate of Health
• FHI
– Nasjonalt folkehelseinstitutt
– The Norwegian Institute of Public Health
• HOD
– Helse- og omsorgsdepartementet
– The Ministry of Health and Care Services
• TpT
– Tilgang-på-tvers
– ”access across administrative domains”
Timeline, context and agenda
[Timeline figure, time axis from 2008 to 2012. Labels: idea; opportunity; momentum; delays; national re-prioritizations; renewed opportunity; PoC: NTS demo; national initiative: NSI]
context of this talk (HelsIT 2012)…
Objective of talk (HelsIT 2012)
• to describe the NTS concept and PoC
• to clarify its position with respect to the Norwegian Directorate of Health’s pre-study (NSI): ”National security infrastructure for the health care sector”
Message to NSI:
- NTS is a PoC, not a final and finished solution!
- however: NTS can be adapted to help address national needs
Agenda (slide count)
• present NTS motivation and background history (9)
• “fly-by” SYSVAK Web (the demonstration vehicle) (4)
• describe purpose of the NTS PoC (2)
• illustrate how NTS could be used (20)
• architectural characteristics (1)
• propose areas deserving further work and study (7)
• summary (6)
NTS motivation and background
• FHI alone has responsibility for more than half of Norway’s central health registers
• project to modernize SYSVAK (Nat’l. vaccination register)
– opportunity for registration and search services
– possibility for web-based registration app.
• discussions with the Norwegian Data Protection Authority begin in 2007
• SYSVAKs design service-oriented
– new message-based SYSVAK opened Dec. 2008
NTS motivation and background (ii)
• 2008
– FHI proposes a “centralized accreditation service” for (S)HDIR and Norsk Helsenett
– no actor able / ready to lead a pre-project
[Architecture diagram: proposed centralized accreditation service. Components:
– Service provider, validation (Tjenesteleverandør: validering): validation server with «service facade» validation services
– Certificate authority 1 and Certificate authority 2: authentication server with «service facade» authentication services
– Statens autorisasjonskontor for helsepersonell (SAFH): catalogue server with «service facade» HPR register
– Norsk Helsenett: catalogue server with «service facade» HER
– Service provider, accreditation (Tjenesteleverandør: akkreditering): accreditation server with «service facade» accreditation services
– Health unit / health actor (Helseenhet / Helseaktør): accreditation server («service facade» accreditation services, «cache» certificates and credentials), clinical system proxy («service facade» proxy services), clinical system host («executable» clinical system), message server («executable» ebXML, «file» clinical message, communication module), authorization server («service facade» authorization services)
Arrows are numbered (2, 9), (3, 8), (4, 6), (5), (7) and (10), matching the scenario steps.]

Scenario
1) certificate received by the health unit's
   - message server
   - clinical system
   - clinical system proxy
   (the initiator with respect to the accreditation service)
2) the certificate is sent to the health unit's accreditation server
3) the health unit's accreditation server sends the certificate to the central provider of accreditation services
4) the central accreditation service sends the certificate to the central provider of validation services
5) the central validation service checks with the relevant CA and obtains information:
   - that the certificate is genuine and not revoked
   - the certificate owner's Fnr (national identity number)
6) the central accreditation service receives the response from the central validation service
7) the central accreditation service sends the Fnr, and possibly the certificate, to NHN and SAFH and obtains information about the certificate owner's credentials, e.g.:
   - HPR number + possibly HER-ID
   - category of health personnel (code set 9060)
   - organisational affiliations and roles
8) the central accreditation service delivers the response to the health unit's accreditation service
9) the health unit's accreditation service returns the response and information to the initiator
10) option: the initiator requests internal authorization services
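The scenario above, modelled end to end as an added example (not code from the talk or from Norsk Helsenett): validation must succeed before any credentials are looked up, a failure at any step yields no credentials, and the local «cache» is given a time-to-live so that a revocation at the CA takes effect. The registry contents, certificate name, Fnr, category value and TTL are constructed assumptions; the HPR nr. and HER-IDs reuse the sample values from the talk's claim-dependencies slide.

```python
import hashlib

class AccreditationDenied(Exception):
    """Raised when any step of the chain fails; callers must treat it as 'no access'."""

# Constructed sample registries (assumptions, not real data).
CA_ISSUED = {"cert-alice": "01010112345"}   # CA: certificate -> owner's Fnr
CA_REVOKED = set()                          # CA: revoked certificates
HPR = {"01010112345": {"hpr_nr": "123456789", "category": "sample-category"}}  # SAFH
HER = {"123456789": ["12345", "67890"]}     # NHN: HPR nr. -> HER-IDs

def central_validation(cert):
    """Step 5: confirm the certificate is genuine and not revoked; return the Fnr."""
    if cert not in CA_ISSUED or cert in CA_REVOKED:
        raise AccreditationDenied("certificate unknown or revoked")
    return CA_ISSUED[cert]

def central_accreditation(cert):
    """Steps 4-7: validate first, then fetch credentials for the validated Fnr only."""
    fnr = central_validation(cert)            # steps 4-6
    facts = HPR.get(fnr)                      # step 7, SAFH lookup
    if facts is None:
        raise AccreditationDenied("no HPR entry for certificate owner")
    her_ids = HER.get(facts["hpr_nr"], [])    # step 7, NHN lookup
    return {"hpr_nr": facts["hpr_nr"], "category": facts["category"], "her_ids": her_ids}

class LocalAccreditationServer:
    """Steps 2-3 and 8-9, including the cache of certificates and credentials."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.cache = {}            # certificate fingerprint -> (expiry, credentials)
        self.central_calls = 0

    def accredit(self, cert, now):
        key = hashlib.sha256(cert.encode()).hexdigest()
        hit = self.cache.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]                      # fresh cache entry, no central call
        self.cache.pop(key, None)              # expired: never serve stale credentials
        self.central_calls += 1
        creds = central_accreditation(cert)    # raises on failure, so nothing is cached
        self.cache[key] = (now + self.ttl, creds)
        return creds

def demo():
    """Returns (central calls made, whether a revoked certificate was finally denied)."""
    server = LocalAccreditationServer(ttl_seconds=60)
    server.accredit("cert-alice", now=0)       # goes to the central services
    server.accredit("cert-alice", now=30)      # served from the cache
    CA_REVOKED.add("cert-alice")               # the CA revokes the certificate
    server.accredit("cert-alice", now=59)      # still cached: the revocation window
    try:
        server.accredit("cert-alice", now=60)  # cache expired, central check fails
        denied = False
    except AccreditationDenied:
        denied = True
    CA_REVOKED.discard("cert-alice")           # restore the sample data
    return server.central_calls, denied
```

The cache TTL is the upper bound on how long a revoked certificate keeps working at the health unit, which is the trade-off a cached accreditation result introduces.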
[Figure: the same architecture diagram and scenario, annotated with the role labels: ID Provider; Fact Provider; ID Provider Repositories; Certificate Authorities; ID + Fact Provider (”accreditation service”); Service Provider]
[Figure: the same architecture diagram and scenario, annotated with the role labels: ID + Fact Provider (”accreditation service”); Service Provider]
NTS motivation and background (iii)
• 2009 (A1H1 pandemic)
– PANVAK: a simple web-registration system
  • authentication via MinID
  • access control based on weekly copies of HPR data
– HPR copies and semi-manual update archaic
NTS motivation and background (iv)
• 2010: ’Dagens Helsetall’
– FHI-initiated program of work
– Mine registerdata project started in 2010
• Mine registerdata project goals
– develop a solution for access to one’s own health data
– drive efforts to establish a common accreditation service for the health sector
NTS motivation and background (v)
• 2010-2011
– HOD decides upon helsenorge.no
– FHI proposes ”Mine vaksiner” project
  • FHI receives funding from Hdir
  • project deliverables
    – to offer access to one’s own vaccination data
    – PoC to demonstrate access to FHIs health register data for health personnel (”NTS PoC”)
    – PoC for delivery of vaccination data as a service on Norsk Helsenetts service platform / service bus
NTS motivation and background (vi)
• 2011
– Helseinformasjonssikkerhetsforskriften (HISF)
• Q1 2012:
– Mine vaksiner project’s PoCs cancelled due to delays
– Norsk Helsenett and FHI pursue the NTS PoC at own tempo
• Q2 2012:
– SYSVAK Web technically completed, but without NTS use
Agenda
• present NTS motivation and background history
• “fly-by” SYSVAK Web
• describe purpose of the NTS PoC
• illustrate how an NTS could be used
• examine its architectural characteristics
• propose areas deserving further work and study
SYSVAK Web: main page [screenshot]
SYSVAK Web: registration [screenshot]
SYSVAK Web: search [screenshot]
SYSVAK Web: search results [screenshot]
Purpose of the NTS PoC
• to study and address core issues around centralized support for authentication and access control
– architectural investigation
– technology validation
Kjernejournal (target vision)…
[Figure: Kjernejournal, functional target vision (Nasjonal kjernejournal, funksjonelt målbilde). Time horizons: 1-2 years, 1-5 years, 5-10 years. Rows: use (Bruk); functionality and content (Funksjonalitet og innhold); introduction (Innføring); access control and privacy (Tilgangskontroll og personvern); interfaces (Grensesnitt). Legible entries on access control and privacy: log of use; option to opt out of the solution; main rule: consent at use; personal qualified certificates in the portal; access based on rules on HPR and approval from the organisation; establish a notification and control body.]
NTS concept and variations of possible use
• contrast with SYSVAK Web prod
• NTS use: logical overview of alternatives
• NTS evolution: use of alternative ID providers
NTS concept
• contrast with SYSVAK Web prod
• NTS use: logical overview of alternatives
• NTS evolution: use of alternative ID providers
SYSVAK Web
• deployment pending fulfillment of legal relations
• no NTS use
NTS concept
• contrast with SYSVAK Web prod
• NTS use: logical overview of alternatives
• NTS evolution: logical overview of alternatives
NTS use: logical overview of alternatives
• for authentication support only:
1) NTS uses an ID provider for authentication*
2) call from application to NHNs HPR service to obtain attributes for access control
*NTS PoC offers either ID-porten or another ID provider
NTS use: logical overview of alternatives
• for authentication and access control support
– NTS uses an ID provider for authentication
– NTS returns token which includes HPR attributes
[Figure: NTS evolution with an alternative ID provider, labelled ID Provider ”Helse ID-Porten”]
Illustration of NTS use (from demo)…
[Figure: the same architecture diagram and scenario, annotated with the labels: central ID + Fact Provider (”accreditation service”); local ID + Fact Provider; Service Provider (several)]
Architectural characteristics (DIFI)
• ”Overarching ICT Architecture Principles for the Public Sector”
– Service-orientation
– Interoperability
– Accessibility
– Security
– Openness
– Flexibility
– Scalability
• NTS architecture reflects thoughtful consideration and application of these principles
Areas deserving further work and study
• claim standardization
– identify and specify claims needed to satisfy HISF
– resolution of claim dependency issues
– representation of claim dependencies
Claim standardization
• identify and specify claims needed to satisfy HISF
– SYSVAK Web motivated choice for claims within NTS PoC
  • claim source: verifiable facts vs. ”assertions” (egenerklæringer, self-declarations)
– shared kodeverk (code set) for ’role’
• resolution of claim dependency issues
• representation of claim dependencies
Candidate claims for standardization
[Figure: candidate claims]
shared kodeverk (code set) for ’role’
Claim standardization (ii)
• first draft for needed claims
• resolution of claim dependency issues
– multiple HER-IDs
– multiple HPR authorizations
• possibly ’disposisjon’ from certain requirements in HISF
Claim dependencies
[Figure: claim dependencies between HER-ID and HPR nr.]
HPR nr. 123456789
– HER-ID 12345: Virksomhet (organisation) A
– HER-ID 67890: Virksomhet (organisation) B
– HPR authorization 1
  • profession 1
  • speciality 1i, … speciality 1m
– HPR authorization N
  • profession N
  • speciality Ni, … speciality Nm
Claim standardization (iii)
• identify and specify claims needed to satisfy HISF
• resolution of claim dependency issues
• representation of claim dependencies
– XACML: eXtensible Access Control Markup Language
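Why the representation of claim dependencies matters, shown for the alternative in which NTS returns a token that includes HPR attributes; this is an added example, not code from the talk or the NTS PoC. A flat, multi-valued encoding loses which speciality belongs to which HPR authorization, so an application can be satisfied by values taken from two different authorizations. The claim names, profession and speciality values and the HMAC signature are constructed assumptions; the talk does not state the token format.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a shared HMAC key stands in for the STS signing key.
STS_KEY = b"constructed-demo-key"

def issue_token(claims):
    """STS side: serialise the claims and sign them."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def verify_token(token):
    """Application side: reject any token whose signature does not verify."""
    body, _, sig = token.partition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("token signature invalid")
    return json.loads(base64.urlsafe_b64decode(body))

# Constructed sample shaped like the claim-dependencies slide: one HPR nr.,
# two HER-IDs, two HPR authorizations. Profession/speciality names are made up.
NESTED_CLAIMS = {
    "hpr_nr": "123456789",
    "her_ids": ["12345", "67890"],
    "hpr_authorizations": [
        {"profession": "physician", "specialities": ["general practice"]},
        {"profession": "nurse", "specialities": ["anaesthesia"]},
    ],
}

def flatten(claims):
    """Lossy encoding: one multi-valued claim per attribute name."""
    auths = claims["hpr_authorizations"]
    return {
        "hpr_nr": claims["hpr_nr"],
        "her_ids": list(claims["her_ids"]),
        "professions": [a["profession"] for a in auths],
        "specialities": [s for a in auths for s in a["specialities"]],
    }

def permit_flat(flat, her_id, profession, speciality):
    """Check against flat claims: cannot tell which speciality goes with which profession."""
    return (her_id in flat["her_ids"]
            and profession in flat["professions"]
            and speciality in flat["specialities"])

def permit_nested(claims, her_id, profession, speciality):
    """Check against nested claims: profession and speciality must share one authorization."""
    if her_id not in claims["her_ids"]:
        return False
    return any(a["profession"] == profession and speciality in a["specialities"]
               for a in claims["hpr_authorizations"])

def decide(token, her_id, profession, speciality):
    """Full application-side decision: verify the token, then evaluate nested claims."""
    try:
        claims = verify_token(token)
    except ValueError:
        return False          # fail closed on a bad signature
    return permit_nested(claims, her_id, profession, speciality)
```

With the sample claims, a request for a physician with the anaesthesia speciality passes `permit_flat` but is refused by `permit_nested`, because that speciality belongs to the nurse authorization.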
NTS position (i)
• NTS PoC must be understood as a technology validation for claims-based ID management
• NTS could be one of several common components within a national security infrastructure
[Figure: NTS shown as one STS among other STSs, with ID Providers and Administrative Registers]
[Figure: Goal (Mål). Two domains: security infrastructure for citizens (Internet) and national security infrastructure for the health and care sector (Helsenett). Labels: helsenorge.no with Mine egenandeler (HDIR), Bytte fastlege (HDIR), Mine vaksiner (FHI), Mine resepter (HDIR); opt-out (Reservasjon), consent (Samtykke), blocking (Sperring), power of attorney (Fullmakt), log (Logg); administrative register; eID providers Buypass, Commfides, BankID, ID-porten; NTS / STS; login via helsenorge.no; eID for citizen; eID for health-sector employee]
NTS position (ii)
• NTS PoC must be understood as a technology validation for claims-based ID management
• NTS could be one of several common components within a national security infrastructure
• the NTS concept and PoC solution design is being provided as input to NSI pre-study
Expected impacts
• NSI pre-study
– expected to conclude summer 2013
– ”personlig kvalifisert sertifikat” (personal qualified certificate; Datatilsynet) vs. ”nivå 4” (level 4) login / authentication (ID Porten)
  • use of ID Porten for authentication of health personnel
– privately acquired certificates vs. certificates from employing organization
• HOD
– Melding til Stortinget (Meld. St. 9; white paper to the Storting): ”Én innbygger – én journal” (“One citizen – one record”)
References
• SYSVAK: http://www.fhi.no/sysvak
• Dagens Helsetall: http://www.fhi.no/artikler/?id=70287
• Mine registerdata: http://www.fhi.no/artikler/?id=84175
• Helsenorge.no: http://helsenorge.no
• Mine vaksiner:
– http://www.fhi.no/minevaksiner
– http://helsenorge.no/Selvbetjening/Sider/Mine-vaksiner/Om-Mine-vaksiner.aspx
• Helseinformasjonssikkerhetsforskriften
– http://www.lovdata.no/cgi-wift/ldles?doc=/sf/sf/sf-20110624-0628.html
• Norm for informasjonssikkerhet
– http://www.helsedirektoratet.no/publikasjoner/norm-for-informasjonssikkerhet/Sider/default.aspx
• ”Overarching ICT Architecture Principles for the Public Sector” (DIFI)
– http://www.difi.no/filearchive/2009-10-08-architecture-principles-v-2-0-eng.pdf
• XACML
– http://en.wikipedia.org/wiki/XACML
– https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
References (ii)
• Melding til Stortinget (Meld. St. 9): ”Én innbygger – én journal”
– http://www.regjeringen.no/nb/dep/hod/dok/regpubl/stmeld/2012-2013/meld-st-9-20122013.html?id=708609
• ”E-helse - status og veien videre” (“eHealth: status and the way forward”), HelsIT 2012, Divisjonsdirektør Christine Bergland
– http://www.kith.no/upload/6590/ChristineBergland-Helsit2012-PLOn-1000.pdf
Special thanks and gratitude…
• Norsk Helsenett
– Ola Vikland
– Axel Anders Kvale
– Bjørn Elvestad Moe
– Sindre Solem
• Folkehelseinstituttet
– Kent Aune
– David Cescato
– Fredrik Røssel Hegli
– Andreas Mäki