wiki.siframework.org/RHEx

Slides:



Advertisements
Similar presentations
Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board
Advertisements

1. XP 2 * The Web is a collection of files that reside on computers, called Web servers. * Web servers are connected to each other through the Internet.
Georgia Department of Community Health
Copyright © 2003 Pearson Education, Inc. Slide 8-1 Created by Cheryl M. Hughes, Harvard University Extension School Cambridge, MA The Web Wizards Guide.
Slide 1 FastFacts Feature Presentation September 21, 2010 We are using audio during this session, so please dial in to our conference line… Phone number:
EDOS Workgroup Update July 16, 2013 Laboratory Orders Interface Initiative.
18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.
Introduction to HTML, XHTML, and CSS
GT 4 Security Goals & Plans Sam Meder
Server Access The REST of the Story David Cleary
Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your.
© Telcordia Technologies 2004 – All Rights Reserved AETG Web Service Tutorial AETG is a service mark of Telcordia Technologies. Telcordia Technologies.
Information Systems Today: Managing in the Digital World
1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.
EIS Bridge Tool and Staging Tables September 1, 2009 Instructor: Way Poteat Slide: 1.
25 July, 2014 Hailiang Mei, TU/e Computer Science, System Architecture and Networking 1 Hailiang Mei Remote Terminal Management.
CMPT 275 Software Engineering
31242/32549 Advanced Internet Programming Advanced Java Programming
Services Course Windows Live SkyDrive Participant Guide.
Executional Architecture
Getting Familiar with Web Pages 1 2 The Internet Worldwide collection of interconnected computer networks that enables businesses, organizations, governments,
Chapter 10: The Traditional Approach to Design
Systems Analysis and Design in a Changing World, Fifth Edition
PSSA Preparation.
VPN AND REMOTE ACCESS Mohammad S. Hasan 1 VPN and Remote Access.
- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)
Presented by: HCN Clinical Operations Team. 2 TopicPage Top Reasons to have and use the Patient Portal3 Sample Portal Websites4 Portal 1016 Meaningful.
Profile. 1.Open an Internet web browser and type into the web browser address bar. 2.You will see a web page similar to the one on.
Introduction Peter Dolog dolog [at] cs [dot] aau [dot] dk Intelligent Web and Information Systems September 9, 2010.
Secure RESTful Interface Profile Phase 1 Briefing
Author of Record Digital Identity Management Sub-Workgroup December 5, 2012.
Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your.
Electronic Submission of Medical Documentation (esMD) Author of Record Recap and Harmonization of UC 1&2 Workgroup Friday, November 2,
Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
TATRC and MITRE to NwHIN Power Team 12 June 2013 RESTful Health Exchange (RHEx)
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Chapter 10: Authentication Guide to Computer Network Security.
Author of Record Digital Identity Management Sub-Workgroup October 24, 2012.
Identity Management Report By Jean Carreon and Marlon Gonzales.
Automate Blue Button Initiative Push Workgroup Meeting January 7, 2013.
EsMD Structured Content Use Case 2 WG Meeting Wednesday, April 25 th, 2012.
Electronic Submission of Medical Documentation (esMD) Electronic Determination of Coverage (eDoC) Home Health User Story February 4, 2015.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Electronic Submission of Medical Documentation (esMD) Author of Record Workgroup Wednesday, July 18,
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
ArcGIS Server and Portal for ArcGIS An Introduction to Security
OpenPASS Open Privacy, Access and Security Services “Quis custodiet ipsos custodes?”
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Electronic Submission of Medical Documentation (esMD) Author of Record Workgroup and Harmonization of UC 1&2 Workgroup Friday, September 21,
Automate Blue Button Initiative Pull Workgroup Meeting November 20, 2012.
Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your.
Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1.
Electronic Submission of Medical Documentation (esMD) Electronic Determination of Coverage (eDoC) Workgroup August 21, 2013.
EsMD Pilots Workgroup December 12 th, Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call.
Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST.
Electronic Submission of Medical Documentation (esMD) Electronic Determination of Coverage PMD User Story & Harmonization August 7, 2013.
Electronic Submission of Medical Documentation (esMD) Author of Record Workgroup Friday, June 22,
Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your.
Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your.
Automate Blue Button Initiative Pull Workgroup Meeting December 13, 2012.
Secure Mobile Development with NetIQ Access Manager
Federation made simple
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
Using SSL – Secure Socket Layer
NextGen Access Control Platform
OpenID Connect Working Group
Appropriate Access InCommon Identity Assurance Profiles
Presentation transcript:

Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your phone on mute Do not put your phone on hold – if you need to take a call, hang up and dial in again when finished with your other call Hold = Elevator Music = very frustrated speakers and participants This meeting, like all of our meetings, is being recorded Another reason to keep your phone on mute when not speaking! Feel free to use the “Chat” or “Q&A” feature for questions or comments, especially if you have a bad phone connection or background noise in your environment From S&I Framework to Participants: Hi everyone: remember to keep your phone on mute  NOTE: This meeting is being recorded and will be posted on the Wiki page after the meeting

RESTful Health Exchange (RHEx) Security Overview WebEx #3 July 26, 2012 wiki.siframework.org/RHEx Powering Secure, Web-Based Health Data Exchange DRAFT—for discussion purposes only

Overview RHEx and the Security Challenge The RHEx Access Model The problems RHEx aims to solve RHEx and Document Linking – the Filing Cabinet analogy The RHEx Access Model The basic model Extensibility The underlying standards: OAuth and OpenID Connect RHEx Support for Services RHEx support for NIST Levels of Assurance Summary

Orientation - What is RHEx? An open source, exploratory project to apply proven web technologies to demonstrate a simple, secure, and standards-based health information exchange Sponsored by the Federal Health Architecture (FHA) program Called RESTful Health Exchange (RHEx) A Fiscal Year 2012 project demonstrating RESTful health information exchange in two phases Phase I: Security Approach (April-July 2012) Phase II: Content Approach (July-September 2012) Powering Secure, Web-Based Health Data Exchange wiki.siframework.org/RHEx

What Are the Elements of RHEx Security? IDENTITY Who am I? IDENTIFIERS How is that identity represented? AUTHENTICATION How can I prove who I am? AUTHORIZATION What can I do when I've proved who I am? Something you know Something you have Something unique to you

What Are the Basic Problems RHEx is Exploring? Data needs to be made available only to authorized parties Data needs to be accessible to services via API calls and end users within a browser Security protocols need to work with HTTP and REST Security needs to be easy for application providers to deploy on their systems Privacy is enforced by implementation of security controls People need to be given notice about data access

RHEx Security Take-away Points RHEx approach is secure Uses same trusted tools used by high volume, secure systems to move money and exchange other sensitive information Secure Transport: all transactions over Transport Layer Security protected HTTP Exchanged tokens verified by trusted 3rd party RHEx security is interoperable Integrates with JSON, XML, HTML, etc. Designed to support NIST Level of Assurance up to 3 (Identity Provider dependent) Harmonizes with existing NwHIN standards RHEx security is scalable Documents contain separable links to information – each uniquely securable Allows security and privacy to be applied atomically

RHEx as a RESTful Approach: Document Linking Documents contain HTTP links to information Clients (web browsers) fetch them separately Arbitrary granularity with a well-designed API Allows security and privacy to be applied atomically Each request can be to a different security domain Each request can have its own authentication parameters Supports privacy and security practices of existing deployments Availability of information can be hidden where appropriate Presence of a URL in one document does not indicate presence of information at that URL Knowledge of a URL does not automatically grant permission to view content at that URL

A RHEx Mental-Model: Filing Cabinets Historically, paper health records were separated Two physically distinct filing cabinets in different buildings held different parts of the records Traditional Electronic Health Record (EHR) approaches make one giant filing cabinet All records get pulled to a single digital filing cabinet and distributed from there RHEx approach allows digital separation Like having a file in one filing cabinet with a note stapled to it in the right place with the address of another filing cabinet If you want what’s in the other filing cabinet, you have to go to that cabinet to get it The other filing cabinet decides whether or not to let you in

Consider as a Model: The Paper-based System Primary Care Specialist In paper based systems, each organization keeps its records in its own filing cabinet

Traditional EHR Approach in This Model Data Gateway In a traditional EHR, everyone accesses data through the big digital filing cabinet in the sky, which has access to all member systems on your behalf.

The RHEx Approach in this Model URL link to record Primary Care Specialist With RHEx approach, each organization keeps its own cabinet, but records can contain pointers to files that live in someone else’s cabinet.

OpenID Connect Use in the RHEx Model OpenID provides a way for one user to log into another, remote system without having a username/password provisioned at that system, and without having a certificate from a central trusted authority. Primary Care Specialist OpenID Connect allows a user to use their account on one system to log in to a remote system in a verified way, without relying on a shared central authority.

OAuth Use in the RHEx Model Primary Care Specialist OAuth allows the cabinets to be locked and controlled separately, but gives a way to issue limited-use keys to other parties.

The RHEx Access Model Start with a simple beginning Extend the model Physical security works generally on a whitelist model: if you have a key, you can open the door Whitelist individuals and providers to drive auditing, access control, and granular authorization Extend the model Employ User Attributes for trust decisions – extend the simple whitelist model and allow for expansion Use Trust Frameworks to manage whitelist Integrate existing standards Implement basic model, data exchange in a Trust Framework, and accommodate extensibility using technologies that already exist, and which are extensively employed commercially Provide support for end users and for services

RHEx Access Model Simple Beginning Whitelisting individuals Individual identities tagged as cleared to view a piece of information OpenID identifiers are like email addresses Don’t have to be held in a common global repository Contain both individual and organizational components “drbob@pcp.com has access to record /patient1234/medications” Whitelist identity providers Accept identities from certain domains “anybody from pcp.com can get basic patient information like name, height, and weight”

RHEx Access Model Extend the Model Attributes on users Attributes of a user can help us make access decisions Claimed attributes may be verified at a variety of identity or attribute providers “anybody with the attribute isAnOncologist from a trusted attribute provider can get at oncology records” Trust Frameworks How can you be sure that what another system says is true? Enforceable sets of business, legal, and technology rules National Strategy for Trusted Identity in Cyberspace (NSTIC) bases trust relationships on these Trust Frameworks

RHEx Access Model Extend the Model: Claims of User Attributes All claims are extensible JSON-based schema Profile information Name, email, phone Distributed claims URL to fetch more information Follows RESTful linking model { user_id: “12341”, name: “John Doe”, email: “jdoe@pcp.com”, clinicalRole: “oncology”, oncology: “http://asco.org/userinfo/jdoe” }

RHEx Access Model Extend the Model: Extending Claims for Health Care RHEx will extend the user attributes and claims with domain-specific information Claims need to be trustable We don’t want this self-asserted For example: Clinical role Organization that we trust claims “Dr. Joe is an Oncologist” Not all claims need to be held in a central store Not all claims need to be held at the IdP IdP points to attribute provider with a URL

RHEx Access Model Standards in Action OAuth2 Token-based protocol for securing data APIs Internet Engineering Task Force (IETF) Draft standard OpenID Connect Distributed identity API Built on top of OAuth2 OpenID Foundation JSON Web Tokens Structured, signed token format, used by OpenID Connect HTTPS All transactions over Transport Layer Security protected HTTP Server certificates from trusted sources, no client certificates Most successful pattern of use on the web today

RHEx Access Model Nascent Standards Built on Experience OpenID and OAuth spec authors and core implementers have years of deployment experience with: SAML OpenID 2.0, 1.0 OAuth 1.0 PKI Legacy protocols have shown limitations with use New protocols are needed to work effectively in today’s RESTful, AJAXy, mobile-friendly world wide web Take the best from all competitive technologies and apply it to a new world and new context OpenID Connect is the sum of this experience so far

The good thing about reinventing the wheel is that you can get a round one. - Douglas Crockford

RHEx Access Model Standards in Action: OAuth and OpenID In Use By Industry Built by a consortium with a lot at stake Trial by fire on the open internet

RHEx Access Model Services Authorization In addition to end user support, RHEx System must allow direct service connections (machine-to-machine) Can’t count on user-held credentials being present Will provide a module to authorize services to access data on behalf of a user OAuth 2 Access Tokens can be issued for this case Token inherits subset of permissions of user or service that authorized it Tokens can be scoped to express least required access Tokens can’t be replayed against other systems Tokens are made to be easy to throw away Unlike user’s credentials or certificates

RHEx and NIST Levels of Assurance (LoA) Defined in National Institute of Standards & Technology (NIST) Special Publication 800-63 LoA 1 – pseudonymity Same person over course of transaction Typical internet use case OpenID Connect with dynamic registration LoA 2 – identity proofing Claims verified by a trusted source OpenID Connect with whitelisted identity providers All tokens signed by public key or shared secret LoA 3 – multifactor remote protection Recommended that client signs requests OpenID Connect with signed Request Objects Tokens signed and encrypted with public key

RHEx and LoA Inheritance from the IdP Identity assurance starts at the IdP Clients request a certain LoA from the IdP LoA of transaction expressed inside of ID Token issued by IdP Enforce identity proofing by contract or regulation IdPs control who has accounts at the IdP Enforce account proofing at login Integrate with existing local website login systems Can use passwords, certificates, hard tokens, single-sign-on Authentication requirements limited to IdP Note: Trust model can map to DIRECT’s Provider Network

RHEx Security Summary RHEx is secure RHEx security is interoperable Uses same trusted tools used by high volume, secure systems to move money and exchange other sensitive information Secure Transport: all transactions over Transport Layer Security protected HTTP Exchanged tokens verified by trusted 3rd party RHEx security is interoperable Integrates with JSON, XML, HTML, Bluebutton, etc. Supports NIST Level of Assurance up to 3 (IdP dependent) Harmonizes with existing NwHIN standards RHEx security is scalable Documents contain separable links to information – each uniquely securable Allows security and privacy to be applied atomically

Questions & Follow-up Questions? For more information: http://wiki.siframework.org/RHEx Discussion on the Google Groups forums (https://groups.google.com/forum/?fromgroups#!forum/restfulhealthexchange)

Backups

OpenID Connect Family Tree OAuth 1.0/a XRDS OpenID 2.0 Hybrid WS* ID-WSF WRAP XRD AB AX PAPE SAML OAuth 2 Facebook Connect SWD JWT/JOSE OpenID Connect

Security Terminology Identity Provider (IdP) User Information Claim Service that can assert the identity of a logged in user to a remote system User Information Set of attributes about a user in a system Claim Verifiable attribute about a component in the system In our case, claims on users Token Disposable credential representing a subset of access and capabilities of an entity in the system

Basic OpenID Connect Flow (in RHEx Approach) RHEx site decides and configures which Identity Providers (IdPs) it wants to trust User shows up at remote RHEx site, asks to log in using OpenID Connect at their Identity Provider (IdP) User is redirected to their IdP User logs in to their IdP (using local password, certificate, single-sign-on, etc) User is issued a one-time-use code and redirect back to the RHEx site with that code RHEx picks up that code and sends it to the IdP to get two tokens ID Token contains claims about current session Access Token can be used to get further information about the user, such as profile information

OpenID Connect Authentication User User would like to interact with a RHEx compliant system User shows up at remote RHEx site, asks to log in using OpenID Connect at their Identity Provider (IdP) User has registered with a recognized IdP A site employing RHEx decides and configures which Identity Providers (IdPs) it wants to trust IdP RHEx Site

OpenID Connect Authentication User User is redirected to their IdP User logs in to their IdP (using local password, certificate, single-sign-on, etc) ? IdP RHEx Site

OpenID Connect Authentication User User is issued a one-time-use code and redirect back to the RHEx site with that code + IdP RHEx Site

OpenID Connect Authentication User ID Token contains claims about current session RHEx picks up that code and sends it to the IdP to get two tokens Access Token can be used to get further information about the user, such as profile information + IdP = RHEx Site Now we can use the API as long as that token stays valid.

= CheckID User IdP RHEx Site We can send the ID Token to the CheckID Endpoint to have the server validate it for us, so we don’t have to do client-side crypto. User = IdP RHEx Site

= User Info User IdP RHEx Site We can send the Access Token over to the User Info endpoint to fetch claims about a user, and pointers to remote claims about that user. User = IdP RHEx Site