using hl7’s ccow standard to create secure information solutions colorado healthcare information...
TRANSCRIPT
Using HL7’s CCOW Standard to Create Secure
Information Solutions Colorado Healthcare Information
Systems Society (CHIMSS)January 12, 2001
Robert SeligerPresident and CEO, SentillionCo-Chair HL7 CCOW Committee Copyright© 2001 Sentillion, Inc.
All Rights Reserved
Secure?
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Agenda
• HIPAA
• Digital Security
• CCOW
• Practical Security Solutions
Copyright© 2001 Sentillion, Inc.All Rights Reserved
HIPAA
Final regulations published December 28, 2000
See: http://www.hhs.gov/ocr/hipaa.html
Copyright© 2001 Sentillion, Inc.All Rights Reserved
HIPAA: Situation Statement
According to the American Health Information Management Association (AHIMA), an average of 150 people ‘‘from nursing staff to x-ray technicians, to billing clerks’’ have access to a patient’s medical records during the course of a typical hospitalization.** Standards for Privacy of Individually Identifiable Health Information; Final Rule, December 28, 2000, U.S. Dept. of Health and Human Services.Copyright© 2001 Sentillion, Inc.
All Rights Reserved
HIPAA: Approach
• Ensure the rights that an individual who is a
subject of individually identifiable health
information should have.
• Specify the procedures that should be established
for the exercise of such rights.
• Define the uses and disclosures of such
information that should be authorized or required.
Copyright© 2001 Sentillion, Inc.All Rights Reserved
HIPAA: Scope
1. Care, services, or supplies related to the health of an individual.
2. Health information maintained/transmitted electronically or via any other form or medium.
Copyright© 2001 Sentillion, Inc.All Rights Reserved
HIPAA: Philosophy
We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is ‘‘scalable.’’)* Standards for Privacy of Individually Identifiable
Health Information; Final Rule, December 28, 2000, U.S. Dept. of Health and Human Services.Copyright© 2001 Sentillion, Inc.
All Rights Reserved
HIPAA: Enforcement
HSS’s Office for Civil Rights:
1. Voluntary
2. Civil monetary penalties and referrals for criminal prosecution.
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Digital Security
Authentication
Encryption
Non-Repudiation
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Digital Signatures
Secure Hash
Secure Hash
Value
Encrypt Value
Value
COMPARE
by Private key by Public key
ReceiverSender
Original message
Signed Message
ValueDecrypt
Copyright ©Jung Joo-won, 1996, http://simac.kaist.ac.kr/~jwjung/seminar/ssl-ca-inst/slides.en
Verified message
Digital Encryption
Encrypt
by Public key by Private key
ReceiverSender
Original message
Encrypted Message
Decrypt
Decrypted message
Copyright ©Jung Joo-won, 1996, http://simac.kaist.ac.kr/~jwjung/seminar/ssl-ca-inst/slides.en
Where Do Keys Reside?
Private Keys:
A “smart” card
Embedded in a device
On your personal computer
Public Keys:
In a file in “raw” form
In a signed file, known as a digital certificate
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Digital SignatureInherent Limitations
The verification process only establishes that the private
key of the person whose public key is specified in the
digital certificate was used to affix the digital signature.
This verification process is a post-signing mechanism and
does not correspond to the trusted witnessing mechanism
established within the traditional signature environment. *
* Non-Repudiation in the Digital Environment, Adrian McCullagh and William Caelli, First Monday, www.firstmonday.dk
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW
Multiple disparate applications:
labs, meds, cardiology, scheduling, billing, etc.
Users in need of easy access to data and tools:
physicians, nurses, therapists, administrators, etc.
Kiosk as well as personal workstations:
hospitals, clinics, offices, homes, etc.
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW StatusANSI certified standard published by Health Level Seven
Uptake: 3M, Agilent, Bionetrix, CoreChange, Care Data Systems, Drager, DR Systems, Eclipsys, GE/Marquette, Medcon, Medscape, McKessonHBOC, Presideo, SpaceLabs/Burdick, Stockell, many others in 2001
Sites:Rex (1000), Marshfield Clinic (6500), St. Joes (1500), St. Als (2000), Cottage (2000), etc.
Co-Chairs:Robert Seliger, Sentillion (founding co-chair)Barry Royer, Siemens (SMS)Michael Macalusso, McKessonHBOC
Copyright© 2001 Sentillion, Inc.All Rights Reserved
What They’re Saying …
“Originally an ad hoc group created to solve the problem of insuring common context between different applications in simultaneous use on the desktop, CCOW is capturing extremely important space in web browser and user security areas.”*
* CHIM Standards Insight, Feb. 7, 2000
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Example: Patient Link
Nancy Furlow
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Demonstration
Show it!
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Architecture
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Architecture
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Architecture
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Theory of Operation: Patient Link
(1) User selects the patient of interest using any application on the clinical desktop.
1
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Theory of Operation: Patient Link
(2) Application tells the context manager to start a context change transaction and sets the context data to indicate the newly selected patient.
2
Copyright© 2001 Sentillion, Inc.All Rights Reserved
3
Theory of Operation: Patient Link
(3) Context manager tells patient mapping agent that a context change is occurring; mapping agent supplies the context manager with other identifiers by which the patient is known.
Copyright© 2001 Sentillion, Inc.All Rights Reserved
4
Theory of Operation: Patient Link
4
(4) Context manager tells the other applications that a new patient context has been proposed. The context manager surveys the applications to determine whether each can apply the new context.
4
Copyright© 2001 Sentillion, Inc.All Rights Reserved
5
Theory of Operation: Patient Link
5
(5) Each application indicates whether or not it can apply the new context.
5
5
Copyright© 2001 Sentillion, Inc.All Rights Reserved
5
5
Theory of Operation: Patient Link
(6) If one or more of the applications prefers not to, or cannot, apply the new context, the user is asked to decide whether to continue, cancel, or break the link. Otherwise, context change continues automatically.
6
Copyright© 2001 Sentillion, Inc.All Rights Reserved
5
5
Theory of Operation: Patient Link
(7) Context manager tells each application to apply the new context, or that the transaction has been canceled. If apply, then each applications tunes to the new patient context.
77
Copyright© 2001 Sentillion, Inc.All Rights Reserved
User Link
Conceptually, same as Patient Link:
Context change transaction
User mapping agent
Incorporates secure “Chain of Trust”:
Digitally signed communication between programs
No exchange of user passwords
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Chain of Trust
Theory of Operation: User Link
(1) User signs on (enters logon name, password, swipes security card, etc.)
1
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Chain of Trust
2
Theory of Operation: User Link
(2) Application authenticates the user and tells context manager the user’s logon name; authentication data is not passed on to the context manager.
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Chain of Trust
Theory of Operation: User Link
(3) Context manager tells mapping agent context change is occurring; mapping agent supplies the context manager with other logon names for the user as known to each application.
3
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Chain of Trust
Theory of Operation: User Link
(4) Context manager tells other applications that there is a new user context. 4
44
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Chain of Trust
Theory of Operation: User Link
(5) Each application gets user’s application-specific logon name from the context manager.
55 5
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Chain of Trust
Theory of Operation: User Link
(6) Context manager tells each application to apply the new context, or that the transaction has been canceled. If apply, then each applications tunes to the new user context.
66
6
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Practical Security SolutionsHIPAA Requirements & Implications
Requirements:
Authenticate user access of patient records
Audit user access of patient records
Upon request, inform patients of access to records
Implications:
Effective administrative processes
Practical security solutions
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Practical Security SolutionsThe Setting
• A building or campus of buildings
• A network within and between these buildings
• Connected to the Internet
• Caregivers, ancillary workers, patients, visitors, salesmen, etc.
• Computers everywhere
• Myriad patient-related applications
• Busy peopleCopyright© 2001 Sentillion, Inc.All Rights Reserved
Practical Security SolutionsKey Considerations
Physical Protection
If can’t get at it, can’t have it
Limited Trust
If minimize dependencies, minimize exposure
User Friendliness
If easy to comply, people will
System Understandability
If don’t know how it works, won’t know if it works
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW-Based SecurityRobust User Authentication
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW-Based SecuritySingle Sign-On
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW-Based SecurityRoaming User Certificate
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW-Based SecurityContext-Based Auditing
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW-Based SecurityContext-Based Audit Reports
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW-Based SecurityContext-Based Access Controls
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW-Based SecuritySecure Network Appliance
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW-Based SecurityCentralized Administration
Copyright© 2001 Sentillion, Inc.All Rights Reserved
CCOW-Based SecuritySummary
Need
Authenticate User Access
Audit User Access
Inform Patients of Access
Physical Protection
Limited Trust
User Friendliness
System Understandability
Solution
User Authenticator
Context Audit Logs
Context Reporting
Network Appliance
Central Administration
Single sign-on
CCOW Standard
Copyright© 2001 Sentillion, Inc.All Rights Reserved
Conclusion
• HIPAA
• Digital Security
• CCOW
• Practical Security Solutions
Copyright© 2001 Sentillion, Inc.All Rights Reserved