HIMSIG20080404


Liberty Alliance Project
SIG Health Identity Management
April 4, 2008
11:00am-12:05pm (EST)
Conference Call
Meeting Notes
Author: Kurt Kolok


Attendance:

John Fraser, MedNet (Co-Chair)
Pete Palmer, Wells Fargo (Co-Chair)
Rick Moore, eHealth OHIO
Barry Hieb, Gartner
John Schoonmaker, Safe BioPharm Assoc.

Asa Hardcastle

Eric Tiffany, Liberty Staff
Kurt Kolok, Liberty Staff

ACTION: Asa will consider some type of Contrast/comparison document for the next call—Shibboleth and (ID-WSF can slide right inside Shibboleth). There is not much to compare/contrast, but maybe show how they work together.

Agenda:

1. Liberty’s interest in building an eHealth profile for SAML2
2. HITSP work and other projects
3. Open Liberty: Asa Hardcastle

1. Liberty’s interest in building an eHealth profile for SAML2

Summary of IHE (Integrating the Healthcare Enterprise) goals and objectives: Unifying access to medical records makes it possible for providers and healthcare customers to access information. IHE was trying to bring SAML-based technology into what they were doing. SAML2 was still being developed while ID-WSF was still based on LAP technology vs. SAML. The suggestion was to look at SAML2 and later ID-WSF to fill the gaps (this was 2-3 yrs ago). They adopted a SAML 2 assertion format and may have adopted a more SAML (full suite) protocol. They have adopted a more hybrid approach. The goal is to define a very small number of profiles and goals and get 50 or 60 vendors together to do interoperability testing every year. You do not want the lack of a credential to threaten lives. Short-circuit certain parameters we typically use. IHE has been trying to come up with reliable auditing methods because a good audit trail is necessary. They claim not to write standards, although they cull existing standards into their model.

Besides going to HIMSS and showing demos, what IP exists as a result of IHE?
The only people allowed to participate in IHE activities are those that have products that will ship. They are companies/organizations that are the big players in healthcare. They test things that can actually be deployed. IHE only recently became a more formal organization.

IHE does not create new standards; they adopt others. The only security they have to date is TLS security with client cert authentication and half-baked interoperable XUA (that might be of interest to this group in particular).

XUA is a way to do cross-domain authentication (access to one system will get you access to others). It requires PKI certification for everything. There is a huge deployment/provisioning problem. There are better technologies they can adopt (such as SAML or ID-WSF). There is a lot of legacy work that does not necessarily fit well in the time frame they are working toward. They have some unique requirements: offline asynchronous mode of operation (email transport mechanism—send an email and later that email will get processed/responded to). That is a challenge in most of the other technologies. They are continuing to innovate. They do have use cases that are extremely valuable. They have gotten the farthest re: deploying healthcare services. The healthcare industry can get bogged down in details.

Is the SAML eHealth profile one that Liberty could develop and recommend to IHE?
Yes. Taking the egov approach, it is a more focused environment (make services available online). Healthcare environment goes beyond the framework. The ‘in the weeds’ notion seems to pervade the way of thinking around their system.

What info will go in there? What services?
Message reliability, security, etc… Access control, possibly web services would need to be addressed outside of their work. Getting people to adopt it is challenging.

Use of profile was fairly successful (proposed an XUA effort this year with IHE). There is a desire for some guidance on the part of IHE. The key is to get some resources within LAP to make that happen. We did not have any real healthcare IT domain nor many resources. The people would have to come from the SIG.

What order of magnitude of effort? You need to carve out a piece; XUA, framework for integrating systems into one identity authentication system for example. We should look at how we can take those specs and put them into a framework.

What is the value that Liberty could bring to these spaces?
RIOS settings would defer to stand alone businesses that manage accounts which follow the LAP ID Assurance framework. With that we would get separation of authentication and interoperability. Log in once and use SAML to get the data.

Eric: SAML is independent of authentication. You can develop a framework and wherever authentication comes from you can use that to determine authorization. Not sure we would tie into the existing credential SP.

Pete: There is a period of transition. CSP will continue as long as their account management system is compliant with LAP (that’s all that matters).

Eric: You could have a decoupling. Whether or not it becomes the ‘gold standard’ we still need the framework that utilizes that. SAML framework is a mechanism for transporting trust at a very high level with high reliability. The amount of trust you transport is defined by authentication and the amount of background work you do for authentication.

John: XUA, as it is currently written, does have SAML. It has to be separated from the ID assurance process. Unless we get resources from LAP it is difficult to get a group to work on these profiles on a weekly basis. We need dedication and organization around this project.

There are two roles with regard to XUA: profiling work and implementation work. If we are going to do anything with regard to XUA we need more resources.

We will ask John to describe his work with Shibboleth on the next call.

2. HITSP work and other projects:

Discussion focused on the State of Florida Pharmacology Project. Its goal is to put PDAs in doctors' hands so they can see (in real time) if a patient had taken a particular medication in the past. The physicians were credentialed on a F2F process and the project was rolled out across the state. Physicians could turn on the PDA (no data stayed on the device) and see any scripts that were filled at midnight the night before for example (this was done in order to target drug shoppers). The credential side is something new this year. They developed an enterprise process following NIST 863. They created guidelines and are currently going through a Q&A process (internally). We are currently working on trying to advance this and empower individuals with their own authentication capabilities. This supports the use cases in HITSP.

Pharmacology project was a Florida Medicaid project (with Sprint and others). Its headquarters is located in Orlando, FL. They are looking at some other possible projects (role-based access controls, consent mgmt, etc). The consumer has to wrap the tools into the process because of population mobility.

Identity proofing should allow for the ability to go through online processing of an individual (if you need two-factor authentication then you need to be able to do that in all states) and empower the individual and trace it electronically. It is audited through the mail system. As we look at health savings accounts we need to match the individual with the account, etc…

Are you issuing PKI certs once you’ve done due diligence? Yes
Are you using that purely for authentication purposes or is there data/attributes being passed along? On the physician’s side there are attributes being passed along; on the consumer side you need to pass it with the identifier (drill down to the granular level). There is an identifying mark.

Doesn’t that create challenging privacy issues if you have certs floating around with information?
Yes. Issues include the example of a schizophrenic – you need to be able to determine if they are in a state of mind to control their data.

3. Asa Hardcastle: Open Liberty

Summary of Open Liberty: Conor Cahill and Sampo Kellomaki put their code in. You want an identity based web services system where people can share with each other. ID-WSF is based on the individual having control over his/her information (profile info, people service, etc…). You would bootstrap into this environment with SAML2 single sign on. The user would get in from the outside. Discovery service (with secure SOAP transactions happening)—can be signed, encrypted, etc…. I am allowing you to get some of my information.

Two years ago at HIMSS we demonstrated the ability to do SAML single sign on to show access of a discovery service and discovery personal health record service which would give you access to the HIMSS database. Building connections to other data sources and other services is key. Interaction is a way to communicate with a customer or someone with authority to give access (through SMS, phone call, etc…). We have a client library in beta which is rapidly becoming finalized and interoperability tested. We have a Java-based server library. All of these are ready to begin building implementations.

Jim’s contact information will be up on the wiki.

We will continue this discussion on the next call (Asa has confirmed that he will be able to join).

We would like to look for demonstrations.

ACTION: Asa will consider some type of Contrast/comparison document for the next call—Shibboleth and (ID-WSF can slide right inside Shibboleth). There is not much to compare/contrast, but maybe show how they work together.

Meeting Adjourned 12:05
