Federated, Secure Trust Networks for Distributed Healthcare IT Services

Alfred Weaver, Samuel Dwyer, Andrew Snyder, Jim Van Dyke, Tim Mulholland, James Hu, Xiaohui Chen, Andrew Marshall
Industrial Informatics Applied to Healthcare

Health Insurance Portability and Accountability Act of 1996
- privacy of patient encounters
- security of patient data
- encryption of medical information when stored or transmitted
- access controls to retrieve information
- audit logs of data access
Healthcare Informatics Portal

- Common medical data portal
  - doctors, patients, staff see a customized view
  - allied health services exchange information electronically
- Authentication of users
  - biometric and conventional methods
- Authorization of access
  - role-based access control model
- Strong encryption of all data
- All built on a web services model
Federated, Secure Trust Networks for Distributed Healthcare IT Services

Architecture figure (slide diagram; only the labels survive extraction): Medical Data Portal, Web Services, Electronic Patient Record, Authorization Service, Rule Engines and Authentication Service, connected by numbered message flows 1 through 12.
Research Issues

- Authentication: who are you?
- Mobile devices: what capabilities do you have?
- Encryption: which algorithm? what length key?
- Authorization: what can you do?
- Shared trust: off-network organizations
Authentication

- Can support legacy techniques
  - user ID and passwords, challenge-response
- Newer identification technologies
  - smartcards, access keys
- Biometric identification
  - fingerprints, iris scans
  - signature analysis, voice recognition
  - keyboard dynamics
  - face, hand, finger, ear geometry
Fingerprints

- 70 points of differentiation (loops, whirls, deltas, ridges)
- Even identical twins have differing fingerprint patterns
- False positive rate < 0.01%
- False negative rate < 1.5%
- Can distinguish a live finger; fast to enroll
- Inexpensive ($100-$200) for the reader
Iris Scans

- Iris has 266 identification degrees of freedom
- Identical twins have different iris patterns
- False positive rate < 0.01%
- False negative rate < 2%
- Does take some time and controlled lighting to enroll
- Pattern is stored as a data template, not a picture
- Some units control light to detect pupil dilation (prove live eye)
Mobile Devices

- Legitimate access is no longer limited to desktops or in-hospital devices
- Wave of the future includes
  - PDAs (HP iPAQ Pocket PC h5455 with fingerprint scanner built-in)
  - tablet PCs (handwriting recognition)
  - cell phones (voice recognition)
- Personal authentication should work using the devices and capabilities available to the legitimate user
Fingerprints with Wireless PDA

- HP iPAQ h5455 with fingerprint scanner
- Thermal scanner detects live finger
- We wrote an authentication web service
  - send fingerprint pattern to service
  - compare against database of enrollees
  - confirm or deny identity
  - send confirmation to web portal
  - write cookie to device
  - cookie becomes an identification token containing:
    - who the individual is
    - how identity was confirmed
    - trust level of the identification (e.g., iris scan > fingerprint > password)
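The identification token described above, as an added example (not the authors' web service): a cookie value carrying who the person is, how identity was confirmed, and the resulting trust level, with the slide's ordering iris scan > fingerprint > password. HMAC-SHA256 signing, base64 encoding and an expiry are assumptions; the slides do not say how the cookie is protected against tampering.

```python
# Added example: a signed identity token of the kind the authentication
# service writes to the PDA as a cookie. The MAC, encoding and expiry are
# assumptions, not the authors' design.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Trust ordering from the slide: iris scan > fingerprint > password.
TRUST_LEVEL = {"password": 1, "fingerprint": 2, "iris": 3}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_identity_token(subject: str, method: str, key: bytes,
                        now: Optional[float] = None, ttl: int = 3600) -> str:
    """Build the cookie value: base64(JSON body).base64(HMAC-SHA256 over the body)."""
    if method not in TRUST_LEVEL:
        raise ValueError(f"unknown identification method: {method}")
    issued = int(now if now is not None else time.time())
    body = {
        "who": subject,                # who the individual is
        "how": method,                 # how identity was confirmed
        "trust": TRUST_LEVEL[method],  # trust level of the identification
        "iat": issued,
        "exp": issued + ttl,
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return f"{_b64(raw)}.{_b64(tag)}"


def verify_identity_token(cookie: str, key: bytes,
                          now: Optional[float] = None) -> Optional[dict]:
    """Return the token body if the MAC is valid and it has not expired, else None."""
    try:
        body_part, tag_part = cookie.split(".")
        raw, tag = _unb64(body_part), _unb64(tag_part)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    body = json.loads(raw)
    current = now if now is not None else time.time()
    if current >= body["exp"]:
        return None
    return body


def meets_trust(token: dict, required_method: str) -> bool:
    """Does the token's trust level satisfy a minimum identification method?"""
    return token["trust"] >= TRUST_LEVEL[required_method]


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; not a real secret
    cookie = make_identity_token("dr.smith", "fingerprint", demo_key)
    print(cookie)
    print(verify_identity_token(cookie, demo_key))
```

A portal that receives the cookie recomputes the MAC before trusting any field; the trust level lets it ask for a stronger method (meets_trust with "iris") before releasing the most sensitive record sections.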
Authorization

- Now that we know who you are, what are you allowed to do?
- Use role-based access control
- Roles for people with different privileges:
  - attending physician
  - referring physician
  - medical fellows
  - medical students
  - physician consultants
  - other healthcare staff (nurses)
  - technologists (diagnostic imagery)
  - technicians (lab results)
  - patient
- Plus roles for other entities (insurance, pharmacy)
Authentication Rule Engine

Figure (slide diagram; labels only): an identity token and an access request enter the rule engine; hospital administration supplies rule templates from which the rules are derived; the engine emits an authorization token.
Authorization Rule Templates

Template figure (slide table; the cell values did not survive extraction): a matrix whose rows are "Who" and whose columns are the sections of the Electronic Patient Record, with each cell marked "Can" or "Can not".
- Who: Attending, Referring, Fellow, Student, Technician, Technologist, Patient, Insurance, Billing, Pharmacy, Med records
- Electronic Patient Record sections: Demographics, Clinical notes, Lab notes, Diagnostic images, Psych evaluation
- Access: Can / Can not
Authorization Rule Engine

- More complicated in practice
  - doctor needs consultation
  - doctor on vacation
  - doctors practicing in groups (surgeons, radiologists)
  - emergencies
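The rule engine sketched in the "Authorization", "Authorization Rule Templates" and "Authorization Rule Engine" slides, as an added example (not the authors' engine): a role-to-section rule template evaluated deny-by-default, plus three of the complications listed above, a colleague covering for a physician on vacation, group practice, and an emergency override that is granted but flagged for the audit log. The Can/Can not entries, the delegation and group tables, and the emergency policy are all constructed for the example.

```python
# Added example: role-based authorization driven by a rule template of the
# kind shown on the slides. All table contents below are constructed.
from typing import Dict, List, Set

SECTIONS = ["demographics", "clinical_notes", "lab_notes",
            "diagnostic_images", "psych_evaluation"]

# Rule template: role -> record sections the role CAN see.
# Anything not listed is "Can not" (deny by default). Values are constructed.
RULE_TEMPLATE: Dict[str, Set[str]] = {
    "attending":    set(SECTIONS),
    "referring":    {"demographics", "clinical_notes", "lab_notes", "diagnostic_images"},
    "fellow":       {"demographics", "clinical_notes", "lab_notes", "diagnostic_images"},
    "student":      {"demographics", "clinical_notes"},
    "technician":   {"demographics", "lab_notes"},
    "technologist": {"demographics", "diagnostic_images"},
    "patient":      {"demographics", "clinical_notes", "lab_notes", "diagnostic_images"},
    "insurance":    {"demographics"},
    "billing":      {"demographics"},
    "pharmacy":     {"demographics"},
    "med_records":  set(SECTIONS),
}

# Constructed hospital tables: who covers for whom while on vacation, which
# practice groups share a patient panel, and who is attending for each patient.
COVERING: Dict[str, str] = {"dr.attending": "dr.cover"}
GROUPS: Dict[str, Set[str]] = {"surgeons": {"dr.attending", "dr.surgeon2"}}
ATTENDING_OF: Dict[str, str] = {"pt-1": "dr.attending"}

# Roles allowed to invoke the emergency override (constructed policy).
CLINICAL_ROLES = {"attending", "referring", "fellow"}


def effective_roles(user: str, patient: str, roles: List[str]) -> Set[str]:
    """Roles from the identity token, plus 'attending' gained by covering or group membership."""
    result = set(roles)
    attending = ATTENDING_OF.get(patient)
    if attending is None:
        return result
    if COVERING.get(attending) == user:
        result.add("attending")        # covering for a colleague on vacation
    for members in GROUPS.values():
        if attending in members and user in members:
            result.add("attending")    # same practice group
    return result


def authorize(identity: dict, patient: str, section: str,
              emergency: bool = False) -> dict:
    """Evaluate one access request and return an authorization token.

    identity: what the authentication service reported, e.g.
              {"who": "dr.cover", "roles": ["fellow"], "trust": 2}
    """
    if section not in SECTIONS:
        raise ValueError(f"unknown record section: {section}")
    roles = effective_roles(identity["who"], patient, identity.get("roles", []))
    allowed = any(section in RULE_TEMPLATE.get(r, set()) for r in roles)
    token = {
        "who": identity["who"],
        "patient": patient,
        "section": section,
        "roles": sorted(roles),
        "decision": "Can" if allowed else "Can not",
        "reason": "rule template",
        "audit_flag": False,
    }
    # Emergency (break-glass): clinical roles may read the record anyway, but
    # the grant is marked so the audit log can be reviewed afterwards.
    if not allowed and emergency and roles & CLINICAL_ROLES:
        token.update(decision="Can", reason="emergency override", audit_flag=True)
    return token


if __name__ == "__main__":
    print(authorize({"who": "dr.cover", "roles": ["fellow"]}, "pt-1", "psych_evaluation"))
    print(authorize({"who": "dr.other", "roles": ["fellow"]}, "pt-1", "psych_evaluation", emergency=True))
```

Keeping the delegation and group tables separate from the rule template is what makes the administration simple: the template changes only when the hospital's policy changes, while vacations and group membership are routine data updates.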
Encryption

- Which encryption method?
  - DES, 3DES, AES, RSA, others
  - what length key?
- Unintended consequences
  - UVA does 380,000 radiological exams annually
  - produce 9 TB of data every year
  - encrypting one 3 MB chest x-ray is no problem
  - but CT and MR produce 500-1000 slices
  - each slice is a file
  - typical MR is 68 MB
  - What is the workflow impact of encrypting/decrypting a 68 MB file each time it is touched?
Trust Networks

- Trust, legitimately established, should be shared across the enterprise
  - pharmacies
  - insurance companies
  - outpatient services
- How does trust get quantified?
- How does trust get shared?
- WS-Trust does not yet provide guidance
Trust Networks

Figure (slide diagram; labels only): cooperating providers exchange identification tokens, authorization tokens, encryption, digital signatures and trust credentials, with dynamic negotiation of credentials.

Banks do this with ATMs; we need to do it among cooperating healthcare providers.
Trust Authority

Figure (slide diagram; labels only): a trust authority evaluates an attribute, here "Identification Reliability", against a list of criteria (Criterion 1, Criterion 2, …, Criterion N; the examples shown are False positive rate < 0.1%, False negative rate < 1.0%, Availability > 0.99) and produces a rating, here 4.7 out of 10.
Electronic Prescriptions

Physician side:
1. Encrypt prescription (doctor, medicine, details)
2. Encrypt physician's token
3. Digitally sign message
4. Transmit to pharmacy

Pharmacy side (steps 9-10 at the trust authority):
4. Check digital signature
5. Decrypt prescription
6. Decrypt physician's identity token
7. Is this a valid physician?
8. Send identity token to trust authority
9. Check how identity was established
10. Recover trust level
11. Is identity trust level acceptable?
12. Accept or reject
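The pharmacy side of the prescription flow, steps 7 through 12, together with the rating step of the "Trust Authority" slide, as an added example (not the authors' service). It assumes the signature has already been checked and the prescription and physician token decrypted (steps 4-6). The trust authority rates each identification method against the slide's three criteria and returns a 0-10 rating; the scoring rule (ten times the fraction of criteria met), the per-method statistics and the physician registry are constructed here, and the minimum acceptable rating is a pharmacy policy choice assumed for the example.

```python
# Added example: trust-authority rating plus the pharmacy's accept/reject
# decision. Scoring rule, statistics and registry are constructed.
from typing import Dict, Tuple

# Criteria from the slide: (attribute, comparison, threshold).
CRITERIA = [
    ("false_positive_rate", "<", 0.001),  # < 0.1%
    ("false_negative_rate", "<", 0.010),  # < 1.0%
    ("availability",        ">", 0.99),
]

# Constructed measurements of how each identification method performs.
METHOD_STATS: Dict[str, Dict[str, float]] = {
    "iris":        {"false_positive_rate": 0.0001, "false_negative_rate": 0.005, "availability": 0.995},
    "fingerprint": {"false_positive_rate": 0.0001, "false_negative_rate": 0.015, "availability": 0.998},
    "password":    {"false_positive_rate": 0.020,  "false_negative_rate": 0.020, "availability": 0.999},
}

# Constructed registry of physicians known to the pharmacy and their licence status.
VALID_PHYSICIANS = {"dr.smith": "active", "dr.jones": "suspended"}


def rate_method(method: str) -> float:
    """Trust authority rating on a 0-10 scale: 10 * (criteria met / criteria total).

    Constructed scoring rule; an unknown method rates 0.
    """
    stats = METHOD_STATS.get(method)
    if stats is None:
        return 0.0
    met = 0
    for attribute, op, threshold in CRITERIA:
        value = stats[attribute]
        if (op == "<" and value < threshold) or (op == ">" and value > threshold):
            met += 1
    return round(10.0 * met / len(CRITERIA), 1)


def trust_authority_lookup(identity_token: dict) -> Tuple[str, float]:
    """Steps 8-10: report how identity was established and the rating for that method."""
    method = identity_token.get("how", "unknown")
    return method, rate_method(method)


def pharmacy_decide(prescription: dict, identity_token: dict,
                    minimum_rating: float = 6.0) -> dict:
    """Steps 7, 11 and 12: valid physician? trust level acceptable? accept or reject."""
    physician = identity_token.get("who")
    if VALID_PHYSICIANS.get(physician) != "active":             # step 7
        return {"accepted": False, "reason": "not a valid physician"}
    if prescription.get("doctor") != physician:
        return {"accepted": False, "reason": "prescription doctor does not match identity token"}
    method, rating = trust_authority_lookup(identity_token)      # steps 8-10
    if rating < minimum_rating:                                   # step 11
        return {"accepted": False,
                "reason": f"trust rating {rating} below {minimum_rating} (identity via {method})"}
    return {"accepted": True, "rating": rating,                   # step 12
            "reason": f"identity via {method}, rating {rating}"}


if __name__ == "__main__":
    # Constructed prescription and physician token (already decrypted).
    rx = {"doctor": "dr.smith", "medicine": "amoxicillin", "details": "500 mg, 3x daily"}
    print(pharmacy_decide(rx, {"who": "dr.smith", "how": "fingerprint"}))
    print(pharmacy_decide(rx, {"who": "dr.smith", "how": "password"}))
```

The pharmacy never has to know how the hospital authenticates its staff: it only compares the trust authority's rating with its own threshold, which is what lets off-network organizations share trust without sharing their authentication infrastructure.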
Summary of Issues

- Authentication
  - Mobile access technologies
  - Biometric identification
- Authorization rule engine
  - Role-based access control
  - Simplified rule administration
- Trust sharing
  - Dynamic negotiation of trust credentials
Acknowledgements

Funding for this project provided by: David Ladd and Tom Healy, University Research Program, Microsoft Research, Microsoft Corporation