Andrew Hinchley CPL Consulting

Presentation transcript:

Infrastructure Requirements for Fast, Reliable and Secure HL7 V3 Messaging
Andrew Hinchley, CPL Consulting
11 December 2003

UK direction
- HL7 V3 offers many options as to how the supporting network and security infrastructure is implemented
- HL7 V3 Infrastructure ballot offers a rich set of options for implementing message wrappers and related support messages
- This is a brief review of the directions that the NHS is taking in supporting HL7 V3 for ICRS messaging

Caveats – NPfIT development
- In a number of areas, NPfIT decisions depend on the results of contractual negotiations which are still under way
- In others, decisions have yet to be taken, with the immediate focus being on completing what is needed to specify and develop the Electronic Booking Service for mid-2004

General Principles in networking and security area
- Supply a set of network services able to be used for a variety of purposes including messaging
- Implement security infrastructure that provides protection against threats to a variety of communication flows

General status - December 2003
- Much of the detailed solution has been specified by each short-listed NASP against the NHS stated requirements
- Selection of the NASP in December will trigger the implementation of the selected NASP's solutions

Security Approach
- ICRS focuses on high level security mechanisms to counter risks
  - Pseudonymisation for Secondary Uses
  - Legitimate Relationships and Sealed envelopes
  - Role Based Access Control
- ICRS security solutions for the underlying network can then use standard components
  - Retain NHS private network with NHS access controls and Code of Connection
  - Where necessary use link encryption or VPN encryption as appropriate

Security Approach
- For the purposes of this talk, Legitimate Relationships and Sealed envelopes do not impact messages or the network
- Role Based Access Control may impact messaging if/when authorisation meta-data needs to be carried with the message
- For initial ICRS applications this is not yet found to be necessary

Role-based Access Control
- In an organisation with as many staff as the NHS, authorised access to clinical information on a “need-to-know” basis is seen as a key requirement
- Need to provide methods whereby access can be checked and authorised before access is granted
- A successful universal approach can be used for many types of access including GUI and message-based access

Role-based Access Control (RBAC)
- RBAC requires up-to-date accurate directories of staff
- Need to tie into NHS initiatives to build staff directories
- Issues
  - How many access roles need to be defined?
  - Business functions can be classified in a way which helps define which roles should be granted access

Role-based Access Control: healthcare experiences elsewhere
- Some implementation experience from US
- Recent proposals from Veterans Administration – to be presented to HL7 at next WGM
- Likely to include specific proposals for including authorisation information in message wrappers

Network Infrastructure
- Retain and strengthen dedicated network for NHSnet comes up for replacement – revised N3
- Consider applying encryption close to network: link SSL
- Increasing focus by Cabinet Office on robustness of key national resources: CNI - Critical National Infrastructure, which includes health.
- Pressure to enhance network integrity and security from perspective of risks to CNI
- Specific to Messaging: Need for specific HL7 V3 message transport specifications

Message Routing
- The message wrapper provides a permanent envelope for the message throughout this transit
- Messages will be forwarded through relays which need to be able to use the V3 wrapper to apply forward routing as needed
- V3 messages may need to be carried over a number of different transport protocols between source and destination

Message transport services
- In line with general ICRS approach to communications infrastructure services designed to support a number of requirements including messaging
- Web Services is a potentially attractive general solution:
  - Define message transport services based on SOAP
  - In HL7, Microsoft have submitted drafts which include use of WSDL

Web Services Architecture

Web Services transport
- Reliable Delivery Service not yet stable
- Link encryption adequate for now. Do not require WS-Security
- WSDL preferred by companies such as Microsoft to standardise stub software
- SOAP wrapper may need to duplicate some of the information in the V3 wrapper

Application acknowledgements
- HL7 V3 messaging should not have to rely completely on the network for reliable delivery
- HL7 V3 defines an end-to-end application acknowledgement and this is being used in NPfIT applications.
- Messaging is then a true end-to-end service, an independent service layer in the network stack
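
The behaviour described in the Message Routing and Application acknowledgements slides, as an added sketch that is not part of the original presentation: relays forward on wrapper fields only, and the sender retransmits until the receiving application acknowledges the message id, including the case where only the acknowledgement is lost. The dictionary fields, class names, system names and payloads are assumptions chosen for illustration, not the HL7 V3 wrapper schema.

```python
# Added illustration. Wrapper fields are simplified stand-ins, not the HL7 V3 schema.
class Relay:
    """Routes on wrapper fields only; the payload is never opened."""
    def __init__(self, routes, lose_msg=(), lose_ack=()):
        self.routes = routes                  # receiver id -> next hop
        self.lose_msg = set(lose_msg)         # constructed fault: drop on the way out
        self.lose_ack = set(lose_ack)         # constructed fault: drop on the way back

    def deliver(self, msg):
        if msg["id"] in self.lose_msg:
            self.lose_msg.discard(msg["id"])  # lose it once, then behave
            return None
        ack = self.routes[msg["receiver"]].deliver(msg)
        if msg["id"] in self.lose_ack:
            self.lose_ack.discard(msg["id"])
            return None
        return ack

class Endpoint:
    """Receiving application: processes each message id once, acknowledges every copy."""
    def __init__(self, name):
        self.name, self.seen, self.processed = name, set(), []

    def deliver(self, msg):
        if msg["id"] not in self.seen:        # a retransmission must not be re-applied
            self.seen.add(msg["id"])
            self.processed.append(msg["payload"])
        # The acknowledgement comes from the application, not from the transport.
        return {"ack_for": msg["id"], "sender": self.name, "code": "AA"}  # AA = accept

def send_with_ack(first_hop, sender, receiver, msg_id, payload, max_tries=3):
    """Resend the same wrapper id until its application acknowledgement arrives."""
    msg = {"id": msg_id, "sender": sender, "receiver": receiver, "payload": payload}
    for attempt in range(1, max_tries + 1):
        ack = first_hop.deliver(msg)
        if ack and ack["ack_for"] == msg_id and ack["code"] == "AA":
            return attempt
    raise TimeoutError(f"no application acknowledgement for {msg_id}")

def demo():
    lab = Endpoint("lab-system")              # constructed names and payloads
    inner = Relay({"lab-system": lab}, lose_msg={"m-2"}, lose_ack={"m-3"})
    outer = Relay({"lab-system": inner})
    orders = [("m-1", "<order 1>"), ("m-2", "<order 2>"), ("m-3", "<order 3>")]
    tries = [send_with_ack(outer, "gp-system", "lab-system", i, p) for i, p in orders]
    return tries, lab.processed

if __name__ == "__main__":
    print(demo())
```

Message m-3 reaches the receiver twice because only its acknowledgement was lost, which is why the endpoint suppresses duplicates by wrapper id before processing.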

Requirements for message-based authentication or encryption?
- Current NPfIT plans do not include requirements for either of these:
  - Messages pass between trusted NHS Organisations. There is no requirement therefore for authentication information to be carried in the message
  - Where necessary, link-level encryption can be used to protect messages in transit between NHS Organisations
  - Within an NHS Organisation any protection requirements are addressed by a local assessment of risks

TMS - Transaction and Messaging Service
- Over time the ICRS TMS will provide an increasing level of functionality
- TMS provides additional routing intelligence over that of a standard message relay
- TMS may create message copies, for instance to allow copies of clinical reports to be stored in the spine
- TMS will have the capability of splitting or recombining messages in future applications as/when these functions are found useful

Summary (1)
- N3 replacement needs fewer functions than existing network
- Focus on high integrity
- High speed
- High availability
- Network Code of Conduct
- Level 3 eGIF dial-up access
- Interconnects with LSPs

Summary (2)
- Underlying network does not need specific messaging capabilities
- NASP/LSPs manage messaging layers together
- Security focus is high level, protecting access to assets on need-to-know basis