TRANSCRIPT
1. What IHE Delivers, September 2005
Audit Trail and Node Authentication
G. Claeys, Agfa Healthcare ([email protected])
2. Scope
Defines basic security features for a system in a healthcare enterprise in order to guarantee:
• Only authorized persons have access to PHI (Protected Health Information)
• Protect PHI against alteration, destruction and loss
• Comply with existing Privacy & Security regulations
Extends the IHE radiology oriented Basic Security profile (2002) to be applicable to other healthcare uses.
3. Security Mechanism
Mechanism and the IHE profile that covers it:
• Authentication (user and device): ATNA, EUA
• Authorization: ATNA
• Accountability (audit trails): ATNA
• Confidentiality: ATNA
• Integrity: ATNA
4. IHE ATNA – Architecture
[Diagram: System A and System B, each a Secured System, communicate over a Secure network, and both report to a Central Audit Trail Repository]
• Local authentication of user
• Strong authentication of remote node (digital certificates)
• Audit trail that logs privacy & security related operations
5. IHE ATNA – Actor and Transactions
All existing IHE actors need to be grouped with a Secure Node actor.
[Diagram: actors are Secure Node (wrapping “any” IHE actor), Audit Record Repository and Time Server; transactions are Record Audit Event (Secure Node to Audit Record Repository), Authenticate Node (Secure Node to Secure Node) and Maintain Time (Secure Node to Time Server)]
6. Secure Node
Local user authentication: only needed at the “client” node
Authentication mechanism:
• User name and password (minimum)
• Biometrics, smart card
Secure nodes maintain a list of authorized users: local or central (using EUA)
The security policy of the hospital defines the relation between user and user id
7. Secure Node (cont.)
Mutual device authentication
• Establish a trust relationship between 2 network nodes
• Strong authentication by exchanging X.509 certificates
• Actor must be able to configure the certificate list of trusted nodes
TCP/IP Transport Layer Security Protocol (TLS)
• Used with DICOM/HL7/HTTP messages
• Secure handshake protocol during Association establishment
• Encryption: intra-muros (default): no encryption; extra-muros: AES128
TLS/SSL negotiation problems were detected at Connectathon 2006 USA, caused by incorrect configuration of SSL/TLS packages (e.g. STunnel). Guidelines will follow.
8. Secure Node – additional effort
• Instrument all applications to detect auditable events and generate audit messages.
• Ensure that all communications connections are protected (system hardening).
• Establish a local security mechanism to protect all local resources.
• Establish configuration mechanisms for: time synchronization, certificate management, network configuration.
9. Certificate Management
Certificates can be signed by the device (self-signing) or via a CA (e.g. hospital)
• Use self-signed certificates for testing interoperability
• Connectathon has a CA
Support at least direct comparison of certificates
• Import the certificate of each trusted peer device
• Compare each received certificate with the list of trusted certificates
Certificate management white paper from NEMA’s Security & Privacy committee: www.nema.org/prod/med/security
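An added example, not code from the slides or from any IHE or Agfa implementation, of the direct-comparison trust model of slides 7 and 9 using Python's standard ssl module: each trusted peer certificate (self-signed or CA-issued) is imported as its own trust anchor for a mutually authenticated TLS context, and the certificate received in the handshake is additionally compared by fingerprint against the imported list. The directory layout, file names and SHA-256 fingerprinting are assumptions.

```python
import hashlib
import pathlib
import ssl

# Hypothetical layout (not from the slides): one PEM file per trusted peer node in
# trusted_dir, plus this node's own certificate and private key; all may be self-signed.

def fingerprint(der_cert):
    """SHA-256 over the DER encoding: the value that is compared, not a subject name."""
    return hashlib.sha256(der_cert).hexdigest()

def load_trusted_peers(trusted_dir):
    """Import the certificate of each trusted peer device into a fingerprint -> file map."""
    peers = {}
    for pem in sorted(pathlib.Path(trusted_dir).glob("*.pem")):
        peers[fingerprint(ssl.PEM_cert_to_DER_cert(pem.read_text()))] = pem.name
    return peers

def peer_is_trusted(der_cert, peers):
    """Direct comparison: accept only a certificate that is itself on the imported list."""
    return fingerprint(der_cert) in peers

def make_context(role, own_cert, own_key, trusted_dir):
    """Mutually authenticated TLS whose trust store is exactly the list of peer certificates."""
    proto = ssl.PROTOCOL_TLS_SERVER if role == "server" else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.check_hostname = False           # identity is the certificate, not a DNS name
    ctx.verify_mode = ssl.CERT_REQUIRED  # both sides must present a certificate
    ctx.load_cert_chain(own_cert, own_key)
    for pem in pathlib.Path(trusted_dir).glob("*.pem"):
        ctx.load_verify_locations(cafile=str(pem))  # a self-signed peer is its own anchor
    return ctx

def accept_peer(tls_sock, peers):
    """Post-handshake check: compare the received certificate with the trusted list."""
    der = tls_sock.getpeercert(binary_form=True)
    if not peer_is_trusted(der, peers):
        tls_sock.close()
        return False
    return True
```

Wrap a connected socket with `make_context(...).wrap_socket(...)` and call `accept_peer` on the result before sending any DICOM or HL7 message.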
10. Auditing System
The auditing system consists of:
• List of events that generate audit messages
• Audit message format
• Transport mechanism
Designed for surveillance rather than forensic use.
11. Audit Events
Audit triggers are defined for every operation that accesses PHI (create, delete, modify, import/export)
IHE TF describes the supported Audit Triggers per Actor
Audit triggers are grouped on transaction/study level to minimize overhead
12. Audit Message Format
XML encoded message
• IHE Radiology Provisional format: for backward compatibility with radiology
• ATNA format: preferred format, joint effort of IETF/DICOM/HL7/ASTM; XML schema (RFC 3881): www.xml.org/xml/schema/7f0d86bd/healthcare-security-audit.xsd
An XSLT transformation is provided to convert the “Provisional” scheme to the “ATNA” scheme
13. Audit Transport Mechanism
• Reliable Syslog, cooked mode (RFC 3195): connection oriented, supports certificate based authentication and encryption, but limited industry support
• BSD Syslog protocol (RFC 3164): preferred transport mechanism for the time being
14. Backward compatibility
ATNA is backward compatible with Basic Security (IHE Radiology)
• Basic Security = Provisional XML scheme + BSD syslog
• Applications supporting Basic Security are ATNA compliant
Basic Security is deprecated
• Basic Security Profile is being deprecated by the Radiology Option for ATNA
• No further extensions
• New applications are encouraged to use the new message format
15. Audit system – lessons learned
BSD Syslog
• Ensure that the BSD header format is correct, otherwise the messages may get trashed.
• BSD Syslog messages longer than 1k may get truncated -> keep the messages short
Date/Time: UTC format, EventDateTime="2006-01-17T17:01:25-06:00" or EventDateTime="2006-01-17T17:01:25-06:00Z"
Patient ID
• Use either the MRN (preferred) or a properly defined local Patient ID.
• Patient Names can be in arbitrary format.
16. Audit system – lessons learned (cont.)
Active Participant Identification
• Use one ActiveParticipant per event
• Use an identifiable user as ActiveParticipant; if not possible then use the node/process as ActiveParticipant
Node names: use host names instead of IP addresses
Audit Source Id: hostname or stationName
17. Audit system – lessons learned (cont.)
Event Identification (EventID): use the DCM code set (DICOM supplement 95) or the IHE code set (ATNA); avoid proprietary values.
Schema checking
• Ensure that the messages conform to the schema defined in RFC 3881
• Do not include schema items with null contents.
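As an added example (not from the slides or from Agfa/IHE), a Python checker that applies the lessons of slides 13, 15, 16 and 17 to a constructed RFC 3881-style message: it frames the message with an RFC 3164 BSD syslog header, warns when the line passes 1k, and checks the EventDateTime form, the EventID code set, the ActiveParticipant count, host name versus IP address, and empty schema items. Syslog facility 10, the 1024-byte limit, the DCM/IHE code-system names and the sample message are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumed here, not stated on the slides: syslog facility 10 (security/authorization),
# a 1024-byte BSD syslog line limit, xs:dateTime with a zone designator, DCM/IHE code sets.
MAX_BSD_SYSLOG_LEN = 1024
DATETIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
EVENT_CODE_SYSTEMS = {"DCM", "IHE"}
SAMPLE_TIME = datetime(2006, 1, 17, 17, 1, 25)  # constructed; matches the slide's example

# Constructed RFC 3881-style message: one identifiable user, a host name, a DCM EventID.
SAMPLE = """<AuditMessage>
 <EventIdentification EventActionCode="R" EventDateTime="2006-01-17T17:01:25-06:00" EventOutcomeIndicator="0">
  <EventID code="110112" codeSystemName="DCM" displayName="Query"/>
 </EventIdentification>
 <ActiveParticipant UserID="jsmith" UserIsRequestor="true" NetworkAccessPointID="pacs1.hospital.example" NetworkAccessPointTypeCode="1"/>
 <AuditSourceIdentification AuditSourceID="pacs1"/>
</AuditMessage>"""

def bsd_header(when, hostname, tag, facility=10, severity=5):
    """RFC 3164 header '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: ' with a space-padded day."""
    pri = facility * 8 + severity
    return f"<{pri}>{when:%b} {when.day:2d} {when:%H:%M:%S} {hostname} {tag}: "

def check_audit_message(xml_text, hostname="pacs1", tag="atna", when=SAMPLE_TIME):
    """Return findings (empty list means clean) for one audit message sent over BSD syslog."""
    findings = []
    if len((bsd_header(when, hostname, tag) + xml_text).encode()) > MAX_BSD_SYSLOG_LEN:
        findings.append("syslog line exceeds 1024 bytes and may be truncated in transit")
    root = ET.fromstring(xml_text)
    ev = root.find("EventIdentification")
    stamp = ev.get("EventDateTime", "") if ev is not None else ""
    if not DATETIME_RE.match(stamp):
        findings.append(f"EventDateTime {stamp!r} is not an xs:dateTime with a time zone")
    eid = ev.find("EventID") if ev is not None else None
    if eid is None or eid.get("codeSystemName") not in EVENT_CODE_SYSTEMS:
        findings.append("EventID should come from the DCM or IHE code set, not a proprietary one")
    parts = root.findall("ActiveParticipant")
    if len(parts) != 1:
        findings.append(f"expected exactly one ActiveParticipant, found {len(parts)}")
    if any(IPV4_RE.match(p.get("NetworkAccessPointID", "")) for p in parts):
        findings.append("NetworkAccessPointID is an IP address; use the host name instead")
    for el in root.iter():
        if len(el) == 0 and not el.attrib and not (el.text or "").strip():
            findings.append(f"<{el.tag}> has null contents; omit empty schema items")
    return findings
```

Run `check_audit_message` over each message before it leaves the Secure Node, or over messages received at the Audit Record Repository, and treat a non-empty result as a configuration defect to fix at the source.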