HIMSIG20080905
Liberty Alliance Project
Health Identity Management SIG Conference Call Minutes
September 5, 2008
8:00am-9:00am PDT
Conference Call
Meeting Notes
Author: Dervla O'Reilly
Attendance:
John Fraser, MEDNET
Pete Palmer, Wells Fargo
Gail Reynolds, AETNA
Matt Madison, CORHIO
Helen Hill, Henry Ford Health System
Rich Frank, IBM
Tony Mallia, USVA
Eric Tiffany, Liberty Staff
Kurt Kolok, Liberty Staff
New Actions:
Action20080905-01: Pete to send the Health and Human Services link that provides general information on current progress to the listserv.
Action20080905-02: Pete to follow-up with Michael, will discuss Intro of the HIMSS “Patient Identity Integrity Work Group” on next call.
Agenda:
1. Welcome and Introductions
2. Introduction of NHIN project (Nationwide Health Information Network)
3. Discussion of NHIN SAML2.0 security by Tony Mallia, with the US VA, (federal Veterans Administration)
4. Intro of the HIMSS “Patient Identity Integrity Work Group” (invited)
5. Other biz
1. Welcome and Introductions
Pete highlighted that the previous call on August 22 went very well. Brett McDowell walked through ID Trust Framework draft 1.0 and challenged the group to come up with use cases in the healthcare sector that would accredit Liberty. This is a worthy challenge and a good mission. Please come up with use cases so we can educate the healthcare sector and let the community know its importance. KPMG is the first auditor and is checking whether they are in compliance with the ID Trust Framework.
The benefit is health information exchange, membership in a federation/RHIO, etc., with an understanding of what rules are being followed by other participants and what goes into issuing identity assurance. This is helpful for doctors, patients, etc. This ties real-life service to what Liberty is accomplishing with the framework.
When will the first identity providers be able to issue identities? We need to wait until the audit is more complete, date TBD.
If anyone has a project to offer, please let us know. It would be helpful to look at the Identity Assurance Framework to see what is involved.
2. Introduction of NHIN project (Nationwide Health Information Network)
Tony Mallia is a contractor with the VA, loaned out by a health exchange to participate in the NHIN trial implementation. Originally 9 participants were involved; 6 have since been added, e.g. Kaiser Permanente. Specifications are done for interoperability at a high gateway level to others (a peer-to-peer mesh with no central repository, a network of networks). In this process a number of committees were set up, where each member had 2 representatives (the group that gets the specs done).
3. Discussion of NHIN SAML2.0 security by Tony Mallia, with the US VA, (federal Veterans Administration)
The guidelines for the specs were to take the foundation of HITSP standards and tweak as needed into a plug-and-play interoperable specification. They dealt with a security and privacy piece concerning the user, i.e. someone taking an action that deals with a public identity (the subjects of the health record could be users but don't have to be).
Authorization framework - SAML2.0: We might be able to do identity, but provisioning was involved. One could not apply role-based interactivity as you didn't know the user, so this was taken one level higher with SAML assertions. Firstly, this is about identity, threat, and the attributes used: one is the role of the user; secondly the purpose for use by the individual making the request (taken from HIPAA privacy); the third is optional - an assertion that the patient has given the user permission to retrieve records. Now it's the right of the responding organization to take note of the information coming in, dealing with its various policies. With SAML2.0 the policies were de-coupled; the responder takes all this into account and makes a decision.
Are the assertions signed or encrypted? They are asserted by an assertion authority under a trust mechanism (a reciprocal service agreement on behavior), so the respondent knows who you are. SAML assertions get signed.
Are you able to replay these attributes? This is handled with WS-Security, with a timestamp parameter.
If you have hundreds of participants, how can you remove the point-to-point roadmap? A VPN tunnel is unlikely, as there are too many connections. Encryption is SSL, with certificates from a trusted security authority. The user doesn't see SAML assertions, yet roles are defined. The policy engine asks whether we should make the request; then the assertion goes to the target. The target makes the decision based on the information it has.
Subject discovery (how patient is identified with many different organizations):
The IHE Connectathon in Chicago has been running for 9 years; vendors come to troubleshoot. They ran interoperability testing using a SAML2.0 security assertion in a SOAP message for identity management. The scope was broad, testing 4 interfaces. Some were starting from scratch.
They are trying to solve a privacy decision-making problem. The program is to manage identities at the local exchange. Identity management is inside the health information exchange, and the focus was on privacy.
Who is the certification authority and what type of CA would qualify for this program? Computer Sciences Corp? Not sure if they are the CA, perhaps an org. from New York?
We are looking only at Liberty certification of providers. There are many layers of procedures and processes that result in the issuing of certificates.
What is the process for discussing authentication in each assertion? The SAML2 standard has authentication strength in basic SAML2 XML, at a basic level. We don't recall the NHIN operating procedures; it can be situational.
The user role is a value set and purpose for use is a value set. There is an optional authorization decision.
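The responder-side decision described above, as an added example that is not from the minutes or the NHIN specification: a SAML 2.0 assertion carrying a role attribute, a purpose-of-use attribute and an optional patient-permission decision is checked against a constructed policy table. The attribute names, value sets and policy are assumptions, the sample assertion is constructed and unsigned, and signature verification is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE, PURPOSE = "urn:example:role", "urn:example:purpose-of-use"  # assumed attribute names
# Constructed policy table: roles allowed per purpose of use, and whether that purpose
# additionally requires a patient-permission AuthzDecisionStatement in the assertion.
POLICY = {"TREATMENT": ({"physician", "nurse"}, False), "RESEARCH": ({"physician"}, True)}

def sample_assertion(role, purpose, consent=False):
    """Constructed SAML 2.0 assertion in the shape the minutes describe (unsigned here)."""
    authz = '<saml:AuthzDecisionStatement Resource="urn:example:record" Decision="Permit"/>' if consent else ""
    return f'''<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0">
  <saml:Conditions NotBefore="2008-09-05T15:00:00Z" NotOnOrAfter="2008-09-05T15:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE}"><saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{PURPOSE}"><saml:AttributeValue>{purpose}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>{authz}
</saml:Assertion>'''

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def decide(assertion_xml, now_iso):
    """Responding organization's decision. Assumes the XML signature was verified earlier."""
    a = ET.fromstring(assertion_xml)
    now = _ts(now_iso)
    # Validity window first: a replayed assertion outside its window is rejected outright.
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return "Deny", "assertion outside its validity window"
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", "", NS).strip()
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    role, purpose = attrs.get(ROLE), attrs.get(PURPOSE)
    if purpose not in POLICY:
        return "Deny", f"unknown purpose of use {purpose!r}"
    allowed_roles, needs_consent = POLICY[purpose]
    if role not in allowed_roles:
        return "Deny", f"role {role!r} not permitted for {purpose}"
    authz = a.find("saml:AuthzDecisionStatement", NS)
    if needs_consent and (authz is None or authz.get("Decision") != "Permit"):
        return "Deny", "patient permission required but not asserted"
    return "Permit", "policy satisfied"
```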
Are there links on the Dept. of Health and Human Services website tracking this project? (Note: I was unable to locate the correct URL - hss.gov/HT/community/background.) The AHIC meeting on Sept. 23 will have demos. The demo at 8:30am will have 2 separate demos on NHIN. This would be the most current information.
Action20080905-01: Pete to send the Health and Human Services link that provides general information on current progress to the listserv.
4. Intro of the HIMSS “Patient Identity Integrity Work Group” (invited)
Michael was not on the call.
Action20080905-02: Pete to follow-up with Michael, will discuss Intro of the HIMSS “Patient Identity Integrity Work Group” on next call.
5. Other biz
None
Next meeting: Friday, September 19, 2008 – Time 8:00-9:00am PDT
Meeting Adjourned