Trust Profiling for Adaptive Trust Negotiation
Eugene Sanzi
Problem
Many healthcare stakeholders want easy access to new systems
  Physicians need to access patient data, no matter where it may be
  Researchers want access to de-identified data repositories
Data may be needed quickly
  Emergency medical situations leave little time to gain proper authorization
A method is needed to authorize healthcare professionals to access private data, even if the data holder has no previous knowledge of them
Requirements
Need a way to authorize any physician to access healthcare data located at unknown providers
Users must possess digital credentials that they can present for authorization
Provide a method for verifying that presented credentials are legitimate
Allow systems to automatically allow or deny different levels of access based on the presented credentials
Solution Overview
A physician gains access to different systems over the course of a career
  Ex. - Access to their local hospital's data
  Access may happen under different roles
Use the physician's healthcare data access history as a set of credentials
  Each healthcare system grants a new credential if access is allowed
  Physicians collect these credentials, called a trust profile, in a digital wallet
Healthcare systems can see who else has granted access to the physician
  Past handling of secure data informs future behavior
Background
Authentication vs. Authorization
  Authentication - verification of the user's identity
  Authorization - determining whether a user is allowed to take a specified action (ex. read/write data)
Trust - the ability of two entities to believe one another
  Participants must be able to verify credentials
  Participants must have assurance that each will handle sensitive data safely and correctly
  Trust may be required before some credentials can be disclosed
Utilize Trust Negotiation to establish a baseline of trust and exchange credentials
Trust Negotiation
Method for establishing trust between two participants
  Past contact not required
  Exchange sets of credentials until trust is established
The requestor initiates trust negotiation to gain access to a service or data
The controller receives the request and uses trust negotiation to decide whether access is granted
  The controller may decide to modify the data or perform other actions (ex. dispatch auditor notifications)
Trust Negotiation Example (animated diagram, seven steps): the Controller (HIT System) holds a Medical System Certification and a Security Certification; the Requestor (Physician) holds a Medical License, Role and Affiliation. The two sides disclose these credentials one at a time, each release unlocking the next, until the controller releases the Health Data.
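The stepwise exchange in the diagram can be driven by per-credential disclosure policies. The following is an added example, not code from the original slides: each credential lists which of the other side's credentials must already have been shown before it may be released, and the negotiation alternates until the controller can release the target (Health Data) or neither side can disclose anything new. The credential names follow the diagram; the policies attached to them are assumed.

```python
"""Added example: minimal trust negotiation between a requestor (physician)
and a controller (HIT system) using per-credential disclosure policies.
Credential names follow the slide diagram; the policies are constructed."""
from typing import Dict, List, Set, Tuple

# credential name -> credentials the OTHER party must already have shown
Policy = Dict[str, Set[str]]

# Controller: two certifications it will show freely; Health Data is the
# protected resource, released only once the full physician profile is seen.
CONTROLLER: Policy = {
    "Security Certification": set(),
    "Medical System Certification": set(),
    "Health Data": {"Medical License", "Role", "Affiliation"},
}
# Requestor: affiliation is public; role and license are sensitive and are
# only disclosed to a controller that has proven it is a certified system.
REQUESTOR: Policy = {
    "Affiliation": set(),
    "Role": {"Medical System Certification"},
    "Medical License": {"Security Certification", "Medical System Certification"},
}

def negotiate(requestor: Policy, controller: Policy, target: str,
              max_rounds: int = 10) -> Tuple[bool, List[Tuple[str, str]]]:
    """Alternate disclosures until the controller releases `target` or
    neither side can release anything new (a deadlock, i.e. denial).
    Returns (success, transcript of (party, credential) disclosures)."""
    shown: Dict[str, Set[str]] = {"requestor": set(), "controller": set()}
    transcript: List[Tuple[str, str]] = []
    for _ in range(max_rounds):
        progress = False
        for party, policy, other in (("controller", controller, "requestor"),
                                     ("requestor", requestor, "controller")):
            for cred, needs in policy.items():
                # release a credential once the other side has satisfied its policy
                if cred not in shown[party] and needs <= shown[other]:
                    shown[party].add(cred)
                    transcript.append((party, cred))
                    progress = True
                    if party == "controller" and cred == target:
                        return True, transcript
        if not progress:
            break  # nobody can move: some policy can never be satisfied
    return False, transcript

if __name__ == "__main__":
    for step in negotiate(REQUESTOR, CONTROLLER, "Health Data")[1]:
        print(*step)
```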
Certificates
Identity certificates are used to establish a user's identity
  Public key cryptography is used to ensure that you are communicating with the certificate's owner
Certificates are issued by Certificate Authorities (CAs)
  Certificate authorities establish a user's identity by other means before issuing a certificate
    Ex. Driver's license, SSN, email sent from an administrator account on a domain
  You trust any valid certificate issued by a certificate authority that you trust
Certificate authorities digitally sign the certificates
  The signature is inspected; a valid signature proves the certificate was issued by that certificate authority
Certificate Hierarchy
Attribute Certificates
A specialized certificate that stores data describing the holder
  Attribute certificates are signed by an attribute authority rather than a certificate authority
Attribute certificates are attached to one identity certificate
  An identity certificate may be associated with multiple attribute certificates
We will use this ability to store information related to user access
  Save information on user role and access history
Identity certificates provide the ability for a user to prove ownership of an attribute certificate
  Identity itself is not useful since the requestor and controller are unknown to each other
Infrastructure (diagram): a Root Medical Authority sits above Local Hospital Authorities (Hartford Hospital and St. Francis), each of which issues certificates to its users: steve@harthosp.org, xian@harthosp.org and gino@harthosp.org under Hartford Hospital; yaira@stfranciscare.org and steve@stfranciscare.org under St. Francis.
Defining an Access Policy
Each system defines a security policy that specifies constraints based on:
  The user role
  The type of data being requested
  The presented trust profile
The user role and type of data being requested influence the requirements imposed on the trust profile
Other actions may be taken based on the level of trust established
  Some accesses may result in a notification being dispatched to auditors
  Some data may be denied to the user while access to other data is allowed
Making a Data Request
When Dr. Smith wants to obtain access to a new system, he will:
  Create a secure connection to the system
  Decide which credentials he will send to gain access
  Send the relevant identity and attribute certificates along with the request
If access is granted, Dr. Smith will generate a new public/private key pair and receive a new identity and attribute certificate issued by the controller's certificate and attribute authorities
Example
Dr. Smith wants to access his patient's electronic health record from Day Kimball Hospital
  He does not have any kind of affiliation with Day Kimball Hospital
  He does have his trust profile proving his successful access to his patient's data
Dr. Smith's Wallet (diagram of his access history)
Choose Relevant Credentials (diagram: the relevant entries are selected from the access history)
Send Request With Credentials (diagram: the X.509 identity certificates from Hartford Hospital and St. Francis, each with its Physician attribute certificate, are sent together as the trust profile)
Generate Certificates (diagram: Day Kimball issues a new X.509 identity certificate and a Physician attribute certificate, and the Health Data is released)
John Smith's New Wallet (diagram of the updated access history)
John Smith's New Wallet
John Smith adds the identity and attribute certificates issued to him to his digital wallet
  He can now use the certificate issued to him by Day Kimball Hospital to gain access to other new systems
  Day Kimball Hospital can now identify him with his new identity certificate
Over the course of his career, Dr. Smith builds a trust profile consisting of these credentials that can be utilized in attempts at data access
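The controller side of the Dr. Smith walkthrough, as an added example rather than the slides' own code: a trust profile is filtered down to attribute certificates that are bound to the requesting holder, issued by an authority the controller trusts, and correctly signed; a policy keyed on the requested data type then decides the grant, whether auditors are notified, and, on success, issues the new attribute certificate that goes into the wallet. Signatures are a stand-in (HMAC under a per-authority key instead of X.509 attribute certificates and real CA signatures), and all holder names, keys and policy thresholds are constructed.

```python
"""Added example: trust-profile verification and policy decision on the
controller, with a new attribute certificate issued on a successful grant.
HMAC stands in for real signatures; names, keys and thresholds are constructed."""
import hashlib, hmac, json
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class AttrCert:
    holder: str          # subject of the identity certificate the attribute is bound to
    issuer: str          # attribute authority (hospital) that granted the access
    role: str            # role under which the access was granted
    signature: str = ""  # HMAC over the other fields, keyed by the issuer

def _sig(key: bytes, c: AttrCert) -> str:
    body = json.dumps({"holder": c.holder, "issuer": c.issuer, "role": c.role}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def issue(issuer: str, key: bytes, holder: str, role: str) -> AttrCert:
    """The attribute authority `issuer` records a granted access for `holder`."""
    return AttrCert(holder, issuer, role, _sig(key, AttrCert(holder, issuer, role)))

def verified_grants(profile: List[AttrCert], holder: str,
                    trusted: Dict[str, bytes]) -> List[AttrCert]:
    """Keep only certificates bound to `holder`, issued by a trusted authority
    and carrying a valid signature; unknown issuers and forgeries are dropped."""
    good = []
    for c in profile:
        key = trusted.get(c.issuer)
        if c.holder == holder and key and hmac.compare_digest(c.signature, _sig(key, c)):
            good.append(c)
    return good

# data type -> (required role, verified prior grants needed, notify auditors?)
# Emergency access lowers the bar but always dispatches an auditor notification.
POLICY = {"ehr":           ("Physician",  2, False),
          "deid":          ("Researcher", 1, False),
          "ehr_emergency": ("Physician",  1, True)}

def decide(data_type: str, holder: str, profile: List[AttrCert],
           trusted: Dict[str, bytes], me: str, my_key: bytes) -> dict:
    """Controller `me` evaluates the request; on a grant it issues the
    attribute certificate the requestor adds to their wallet."""
    role, need, audit = POLICY[data_type]
    grants = [c for c in verified_grants(profile, holder, trusted) if c.role == role]
    if len(grants) < need:
        return {"granted": False, "audit": False, "cert": None}
    return {"granted": True, "audit": audit, "cert": issue(me, my_key, holder, role)}
```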