Federated, Secure Trust Networks for Distributed Healthcare IT Services Alfred Weaver Samuel Dwyer Andrew Snyder Jim Van Dyke Tim Mulholland James Hu Xiaohui Chen Andrew Marshall 1 Industrial Informatics Applied to Healthcare Health Insurance Portability and Accountability Act of 1996 privacy of patient encounters security of patient data encryption of medical information when stored or transmitted access controls to retrieve information audit logs of data access 2 Healthcare Informatics Portal Common medical data portal Authentication of users biometric and conventional methods Authorization of access doctors, patients, staff see a customized view allied health services exchange information electronically role-based access control model Strong encryption of all data All built on a web services model 3 4 5 Federated, Secure Trust Networks for Distributed Healthcare IT Services Medical Data Portal 12 10 Web Services Electronic Patient Record 5 1 6 4 7 2 Authorization Service 8 9 Rule Engines 3 Authentication Service 6 Research Issues Authentication Mobile devices what can you do? Encryption what capabilities do you have? Authorization who are you? which algorithm? what length key? Shared trust off-network organizations 7 Authentication Can support legacy techniques Newer identification technologies user ID and passwords, challenge-response smartcards, access keys Biometric identification fingerprints, iris scans signature analysis, voice recognition keyboard dynamics face, hand, finger, ear geometry 8 Fingerprints 70 points of differentiation (loops, whirls, deltas, ridges) Even identical twins have differing fingerprint patterns False positive rate < 0.01% False negative rate < 1.5% Can distinguish a live finger; fast to enroll Inexpensive ($100-$200) for the reader 9 Iris Scans Iris has 266 identification degrees of freedom Identical twins have different iris patterns False positive rate < 0.01% False negative rate < 2% Does take some time and controlled lighting to enroll Pattern is stored as a data template, not a picture Some units control light to detect pupil dilation (prove live eye) 10 Mobile Devices Legitimate access is no longer limited to desktops or in-hospital devices Wave of the future includes PDAs (HP iPAQ Pocket PC h5455 with fingerprint scanner built-in) tablet PCs (handwriting recognition) cell phones (voice recognition) Personal authentication should work using the devices and capabilities available to the legitimate user 11 Fingerprints with Wireless PDA HP iPAQ h5455 with fingerprint scanner Thermal scanner detects live finger We wrote an authentication web service --send fingerprint pattern to service --compare against database of enrollees --confirm or deny identity --send confirmation to web portal --write cookie to device --cookie becomes an identification token containing: --who the individual is --how identity was confirmed --trust level of the identification --e.g., iris scan > fingerprint > password 12 Authorization Now that we know who you are, what are you allowed to do? Use role-based access control Roles for people with different privileges: attending physician referring physician medical fellows medical students physician consultants other healthcare staff (nurses) technologists (diagnostic imagery) technicians (lab results) patient Plus roles for other entities (insurance, pharmacy) 13 Authentication Rule Engine Identity token Hospital administration rule templates Access request Rules Authorization token 14 Authorization Rule Templates Who Attending Referring Fellow Student Technician Technologist Patient Insurance Billing Pharmacy Med records Access Can Can not Electronic Patient Record Demographics Clinical notes Lab notes Diagnostic images Psych evaluation 15 Authorization Rule Engine More complicated in practice doctor needs consultation doctor on vacation doctors practicing in groups surgeons, radiologists emergencies 16 Encryption Which encryption method? Unintended consequences DES, 3DES, AES, RSA, others what length key? UVA does 380,000 radiological exams annually produce 9 TB of data every year encrypting one 3 MB chest x-ray is no problem but CT and MR produces 500-1000 slices each slice is a file typical MR is 68 MB What is the workflow impact of encrypting/decrypting a 68 MB file each time it is touched? 17 Trust Networks Trust, legitimately established, should be shared across the enterprise pharmacies insurance companies outpatient services How does trust get quantified? How does trust get shared? WS-Trust does not yet provide guidance 18 Trust Networks Identification tokens Authorization tokens Encryption Digital signature Trust credentials Dynamic negotiation of credentials 8 9 Banks do this with ATMs; we need to do it among cooperating healthcare providers 19 Trust Authority Attribute Identification Reliability Criterion 1 False positive rate < 0.1% False negative rate < 1.0% Availability > 0.99 Criterion 2 … Criterion N 4.7 out of 10 Rating 20 Electronic Prescriptions 4. Check digital signature 5. Decrypt prescription 6. Decrypt physician's identity token 7. Is this a valid physician? 8. Send identity token to trust authority 9. Check how identity was established 10. Recover trust level 1. Encrypt prescription (doctor, medicine, details) 11. Is trust identity level acceptable? 2. Encrypt physician's token 12. Accept or reject 3. Digitally sign message 4. Transmit to pharmacy 21 Summary of Issues Authentication Mobile access technologies Biometric identification Authorization rule engine Role-based access control Simplified rule administration Trust sharing Dynamic negotiation of trust credentials 22 Acknowledgements Funding for this project provided by: David Ladd and Tom Healy University Research Program Microsoft Research Microsoft Corporation 23