esMD Industry Scan - Cerner Presentation-2

Cerner Presentation to S&I esMD Workgroup – Industry Scan
John Travis
Senior Director and Solution Strategist – Compliance
Outline
User Identification and Authentication
Recording User Identity for Electronic Health Record Entry
Proxy
Use of Advanced Authentication
Use of Cryptographic Means of Author/Record Linking
Support for PKI and Digital Certificates
Verification of External Author of Record (AoR) Credentials
Support for Various Levels of AoR Determination
© 2011 Cerner Corporation. All rights reserved. This document contains Cerner confidential and/or proprietary information which may not be reproduced or transmitted without the express written consent of Cerner.
User Definition Within The System
Password Definition
Password Policies Supported
Minimum Length
Mixed Character Sets
Minimum Numbers of Alpha, Numeric and Special Characters
Expiration Policies
Password History
Configured to retain “n” prior versions
Encrypted Store
Never Passed as Plain Text
Recording User Identity for Electronic Record Entry
General abilities
System generally relies on authenticated user identity for session
System supports time out policies for suspension and termination configurable to the application server (Citrix) or end user device depending on the context
System supports password based signer authentication for order and document signature
System supports advanced authentication methods for medication management events
• Order verification and co-signature
• Medication Administration
• Medication Dispensing
We are in the process of enabling requirements of DEA IFR for Electronic Prescribing of Controlled Substances (EPCS)
Refresher – DEA IFR Authentication Credential
Authentication must be two-factor, with the two factors drawn from these three:
• A biometric
• A knowledge factor such as a password
• A hard token
For hard tokens
• Must be FIPS 140-2 Security Level 1 compliant
• Must be stored on a device separate from the computer used to access the application
• Could leverage an existing hard token, but would need to still be issued credentials specific to eRX of controlled substances
• May use hardware devices such as a PDA, a cell phone, a smart card, a USB fob or other devices
Refresher – DEA IFR Authentication Credential
For biometrics
May be stored on a computer, hard token or biometric reader
• If on a computer or PDA, device must be in a known controlled location or must be built directly into the computer or PDA
Storage of biometric data must be adequately protected or maintained
• Subsystem must store device ID data at enrollment with biometric data
• Device ID must be verified at time of user authentication
• Raw data and templates must be protected if authentication is not local
• For an open network, data must be
  • Cryptographically source authenticated
  • Combined with a random challenge, nonce or timestamp
  • Cryptographically protected
  • Sent only to authorized systems
    • TLS may be used
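The open-network requirements above (source authentication, a challenge, nonce or timestamp, and the enrolled device ID check), sketched as an added example that is not Cerner or Imprivata code. HMAC-SHA256 with a per-device key is an assumed mechanism, the class, function and field names are hypothetical, and confidentiality of the template is left to the transport, for which the slide notes TLS may be used.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window, not a value from the slides


class BiometricVerifier:
    """Server side: issues challenges and checks incoming biometric messages."""

    def __init__(self, enrolled):
        self.enrolled = enrolled   # user -> (device_id, key), recorded at enrollment
        self.outstanding = {}      # nonce -> user it was issued to

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = user
        return nonce

    def accept(self, message, tag, now=None):
        now = time.time() if now is None else now
        try:
            fields = json.loads(message)
            device_id, key = self.enrolled[fields["user"]]  # only selects the key
            claimed = (fields["device_id"], fields["nonce"], fields["timestamp"])
        except (ValueError, KeyError, TypeError):
            return False
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False           # source authentication failed
        if claimed[0] != device_id:
            return False           # not the device recorded at enrollment
        if abs(now - claimed[2]) > MAX_SKEW_SECONDS:
            return False           # stale capture
        # pop() makes each nonce single use, so a replayed message is rejected
        return self.outstanding.pop(claimed[1], None) == fields["user"]


def build_message(user, device_id, key, nonce, template_b64, now=None):
    """Reader side: bind template, device ID, nonce and timestamp under one MAC."""
    body = {"user": user, "device_id": device_id, "nonce": nonce,
            "timestamp": time.time() if now is None else now,
            "template": template_b64}
    message = json.dumps(body, sort_keys=True).encode()
    return message, hmac.new(key, message, hashlib.sha256).digest()
```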
Refresher – DEA IFR Authentication Credential
For biometrics
Biometric subsystem must
• Operate at a false match rate of 0.0001 or lower
• Use matching software with demonstrated performance corresponding to the required false match rate
• Conform to Personal Identity Verification (PIV) specifications as per NIST SP 800-76-1
• Be independently tested by NIST or a DEA approved testing laboratory
Controlled Substance Prescribing Example
Proxies – General Principles
Assuming appropriate security authorizations are in place, one user may grant proxy to another for the purpose of notifications of signing events
Proxies are granted to categories of events – not individual events
Proxies typically are set for a time period to designated individuals
Proxies can be revoked or granted at a user’s election on a specific basis while active
Granted proxies can be limited in access to those which have been assigned to a user to take
Proxy can be granted in an emergency case even if not generally enabled
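An added sketch, not Cerner's implementation, of how the proxy principles above could be evaluated as an authorization check: grants are scoped to an event category, bounded in time, revocable while active, and an emergency grant is honoured even when proxying is not generally enabled. All names and the sample category string are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ProxyGrant:
    grantor: str                 # user whose signing events are delegated
    proxy: str                   # designated individual receiving the proxy
    category: str                # event category, never a single event
    start: datetime
    end: datetime
    emergency: bool = False      # granted under the emergency exception
    revoked_at: Optional[datetime] = None


def authorizing_grant(grants, proxy, grantor, category, when, proxy_enabled):
    """Return the grant that lets `proxy` act for `grantor`, or None.

    Returning the grant (not a bare bool) lets the caller record which
    delegation was relied on when the signing event is logged.
    """
    for g in grants:
        if (g.grantor, g.proxy, g.category) != (grantor, proxy, category):
            continue             # different people or a different category
        if not (g.start <= when < g.end):
            continue             # outside the granted time period
        if g.revoked_at is not None and when >= g.revoked_at:
            continue             # revoked before this action
        if not proxy_enabled and not g.emergency:
            continue             # proxying off: only emergency grants count
        return g
    return None
```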
Granting Proxies for Signature – Set Up
Setting Up Proxy Rights – Grant or Revoke
Setting Up Proxy Rights – Individual User
Notification of Proxies to a Recipient User
Use of Advanced Authentication
For user authentication for a session and for medication management workflow, Cerner Millennium supports integration with Imprivata for strong authentication
Imprivata currently has support for
• Fingerprint biometric authentication. Support for biometric technology found in Lenovo, Dell and other laptop PCs, Motion tablets, etc., using UPEK TouchStrip or Authentec technology
• USB tokens
• One-Time-Password (OTP) tokens
• Windows smart cards and national ID smart cards
• Active and passive proximity cards
Support for Advanced Authentication/Cryptographic Means/Use of PKI – EPCS Example
Basic Flow
[Deployment diagram: Cerner Hub, Millennium, SureScripts, Imprivata]
Support for Advanced Authentication/Cryptographic Means/Use of PKI – EPCS Example
System will interface with Imprivata for strong authentication and the Certificate Management service for digitally signing controlled substance eRX
[Deployment diagram, Millennium view: FSI Outbound, PowerOrders, Certificate Management Service, Imprivata]
Support for Advanced Authentication/Cryptographic Means/Use of PKI – EPCS Example
Basic workflow for EPCS
[Sequence diagram. Participants: PowerOrders, Imprivata, Certificate Management, FSI Outbound, Cerner Hub. Messages in order: Prescription Ready(), Strong Authentication Challenge(), Sign Prescription(), Transmit Prescription(), Validate Signature(), Transmit Prescription()]
Support for Advanced Authentication/Cryptographic Means/Use of PKI – EPCS Example
Certificate Management Service
Cryptographic module used to digitally sign the EPCS is at least FIPS 140-2 Level 1 validated and can be higher for deployment
Digital signature service and hash function comply with FIPS 186-3 and FIPS 180-3
Private key will be stored encrypted on a FIPS 140-2 Level 1 or higher cryptographic module using a FIPS approved encryption algorithm
Support for Validation of External AoR Credentials
This is not an ability we currently enable
Supporting Various Levels of AofR
General System Behaviors
Upon signature, authorship is included within the document
Signing actions are viewable in an action list view
Specific contributions are tracked and able to be viewed in the document view with a tracked changes feature
Signer authentication currently uses password based method if enabled
• From a use standpoint, most clients rely on authenticated session identity
Support for Varying Levels of AofR – Single Author
Support for Varying Levels of AofR – Multiple Author
Support for Varying Levels of AofR – Tracking of Multiple Authors
Example of a Signed Document as Output and Online for a Clinic Note
Example of Signed H&P – Shows Co-Sign and Authenticator Role
Example of Section of Signed Radiology Report
Example of Signed Section of ED Report – Multiple Contributors for given sections
QUESTIONS?
jtravis@cerner.com