HIMSIG20080222
Liberty Alliance Project
HIM SIG
February 22, 2008
Conference Call
Meeting Notes
Author: Kurt Kolok
Attendance:
John Fraser, MedNet (Co-Chair)
Pete Palmer, Wells Fargo (Co-Chair)
Matt Madison, CORHIO
Dan Combs, Global Identity Solutions
Richard Frank, IBM
Bob Pinheiro, Individual Contributor
Steve Olshansky, Internet2
Adrian Gropper, Medcommons
John Schoonmaker, Safe BioPharm Assoc.
Paul ?, SAIC
Action: Kurt will send an email to Joni re: not having a link to HIM SIG from public community section on LAP public site. ONGOING
Proposed Agenda
1. Welcome and Introductions
2. Payer needs in this space (Aetna representative invited to call)
3. OpenID Discussion - how it fits with Liberty
4. HiTrust Discussion – a person from HiTrust has been invited to call as well
5. HIMSS Activities people want to share
6. Next Meeting
1. Welcome and Introductions
John left a voice mail for someone at HiTrust; Pete will follow up directly with Dan to confirm his participation on the next call.
Action: Pete Palmer will follow up with HiTrust re: participation in this group.
Medcommons is using Open ID. They have built everything using Verisign’s Open ID source which is currently recognized as the mechanism for both patients and clinicians (used in a standard way).
Bob: Personal identity in healthcare, Open ID works by claiming an identity from somewhere else. Verisign gives you a URL to use in different places.
Adrian: Sun decided to issue Open IDs to their employees. When you have an Open ID whose domain is sun.com you know that they are an employee in good standing at Sun.
It is not standardized. There are a lot of things that could be done, without knowing more about how the individual SP or IDP is performing the functions. You do not know what a particular provider is doing to verify identities. Wells Fargo is not tracking this. There does not seem to be a real trust model at this time. Wikipedia has a good explanation of Open ID.
Dan: As it is it does not fit in with a lot of the ways those in this group have thought of doing identity.
Don’t you need identity proofing and policy in place?
Pete: The reason we are all here is that we want a common policy. Liberty is setting the standard for credential service providers. They should not be focused on Aetna IDs for Aetna clients, we are looking at IDs that follow the same policies, etc…
Isn’t it possible that Open ID can have multiple levels of assurance (such as the current Open ID direction and one higher) that would be compatible with Liberty policy? Yes.
Adrian: What aspect of trust management cannot be done by Open ID? At what point does Open ID stop providing protection?
John: There are many service interactions that happen today due to a lack of vetting. No healthcare operation would allow an Open ID person they’ve never met before to access clinical information at a hospital. There are certain service interactions where you need additional vetting based on policy.
Adrian: Policies are different from protocols.
John: If LAP does not work with groups like Open ID, which may become a large player at a lower identity assurance level, then Liberty may isolate itself. There is a role for LAP to talk about the risks and possibilities.
Bob: Open ID is like working at assurance level 1 of the 4 LAP assurance levels. Why would there be a need for assurance level 1 in Liberty? If Open ID is equivalent to LAP level 1 it would not be good enough for healthcare-related identity.
If you get a new factor token with PayPal what makes it an Open ID? The protocol behind it is Open ID. Does it compete with LAP supported SAML? Is that an issue?
When we are talking about big payers we should have an opinion about it. There should not be any medical information exchanged in the level 1 assurance example. At Level 2 maybe LAP could have a policy re: how a level 2 could interact with an Open ID system. There are a lot more people having this discussion now. The right person getting access to the right information is not just a technical interoperability issue. You have to have common/compatible policies and technology and make sure that people are doing what they say. With Microsoft Passport: relying parties cannot necessarily trust the identity of the person they are asserting.
Dan: It is only a technology. Policy has to be compatible and technology has to interoperate.
Action: Kurt will create an Open ID workspace on the wiki page. Gaps, differences, and info we could agree on.
Does anyone have a contact at Open ID that could speak to it on this call?
Concordia Project Information: http://projectliberty.org/liberty/public_community/concordia_project
There are more fundamental issues (translating the trust associated with the identity assurance process itself). Are you looking at models that have safely addressed this? What is the associated identity assurance process used in the process of assuring the identity credentials? How do you begin leveraging those? How do you address identity assurance levels with different types of credentials?
John S: There are a number of different assurance levels going through process verification, which are expected to be available soon within the pharmaceutical industry and then eventually in the healthcare arena.
How do you compare SAFE’s assurance levels with Liberty’s mapping of assurance?
John S.: We have not addressed this yet.
The Liberty trust framework could become the master policy. We understand what makes a trustworthy credential that is being asserted.
Note: Dan was part of the original team that wrote the SAFE policy and has been a continuing participant in the eAuthentication work.
Paul: Our company is an SP for SAFE. SAFE maps into assurance levels 2, 3 and 4. They could map into level 1 if needed. At level 4 we see many different types of assurance levels; there is not a one-to-one mapping for issuing only 1 type of credential.
The application does not want to have to deal with identity authentication.
Adrian: SAML was much harder to implement than Open ID in my experience.
If you do not have the trust framework, then liability comes up. What kind of liability will they be accepting?
John F: MedNet has just signed an agreement with SAFE to do some pilots within the industry. That will give us some experience into some of these other trust frameworks.
At the end of the day we will recognize Open ID as a protocol.
Note: Two weeks from today we will have our next call and we hope to have an Aetna representative present to speak about the payer side.
2. Payer needs in this space (Aetna representative invited to call)
Gail was unable to make today’s call. Identity across multiple provider/payer/institutions. There is interest in integration and trustworthiness (Open ID, Microsoft Identity service, etc…). Gail will be on the call in two weeks to discuss these items further.
We were unable to get through the remaining agenda items (below) due to time constraints.
3. OpenID Discussion - how it fits with Liberty
4. HiTrust Discussion – a person from HiTrust has been invited to call as well
5. HIMSS Activities people want to share
6. Next Meeting
Meeting Adjourned

