CAMP Med Identity and Access Management for HIPAA: Technology Model William A. Weems Assistant Vice President Academic Technology The University of Texas Health Science Center at Houston

CAMP Med Middleware Makes the Global Sharing of Resources Invisible to Users.

CAMP Med 3 Increasingly, people must be able to exchange information in cyberspace easily and securely among "known" individuals, and to securely access restricted resources they “know” can be trusted, without having to struggle with numerous and onerous security processes.

CAMP Med 4 How do you prove you are who you say you are? How do you know that someone is legitimate in his or her dealings with you, and how do you get redress if things go wrong? If your identity is stolen and used fraudulently, or personal records are altered without your knowledge or permission, how do you prove that it was not you? It is difficult enough to verify someone's identity in the tangible world where forgery, impersonation and credit card fraud are everyday problems related to authentication. Such problems take on a new dimension with the movement from face-to-face interaction, to the faceless interaction of cyberspace. Identity and Authentication by Simon Rogerson

CAMP Med 5 Ideally, each individual would have a single digital credential that can be used securely to authenticate his or her identity whenever authentication of identity is required to secure a transaction.

CAMP Med 6 Ideally, a digital credential must positively identify a person, positively identify the certifying authority, i.e. the identity provider (IdP), be presentable only by the person it authenticates, be tamper-proof, and be accepted by all systems.

CAMP Med 7 Texas Medical Center
Forty-one institutions on 740 acres
Approximately 65,000 employees
Seven large hospitals: 6,176 licensed beds & 334 bassinets
Baylor College of Medicine
Rice University
Texas A&M Institution of Biotechnology
University of Texas Health Science Center at Houston
University of Texas M.D. Anderson Cancer Center

CAMP Med 8 Scenario I
UT-Houston Residency Programs have some attending physicians who are non-university personnel, e.g. from M.D. Anderson & Baylor.
Dr. James at M.D. Anderson is to be an attending physician in the UT-Houston Internal Medicine Residency Program.
The on-line Graduate Medical Education Information System (GMEIS) contains confidential and sensitive information, including HIPAA data.
Dr. James needs access to GMEIS.
How is Dr. James’ identity verified, authenticated and authorized to have access as an attending physician?
If Dr. James suddenly leaves M.D. Anderson, is his access to the UT-Houston Residency Program immediately abolished?

CAMP Med 9 Scenario I - Problems
Dr. James has no digital credentials.
U.T. Houston policy requires that a responsible party at U.T. Houston assume responsibility for Dr. James and sponsor him as a “guest”.
Dr. James must appear before a Local Registration Administration Agent (LRAA) to have his identity verified and be credentialed.
– This does not verify his status with M.D. Anderson.
If Dr. James leaves M.D. Anderson, there is no automatic process in place to revoke his access rights.

CAMP Med 10 UTHSC-H: An Identity Provider (IdP) It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.

CAMP Med 11 Issuing a Digital Credential
The individual appears before an Identity Provider (IdP), which accepts the responsibility to
– positively determine and catalog the person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample),
– assign a unique, everlasting digital identifier to each person identified,
– issue each identified person a digital credential that can only be used by that person to authenticate his or her identity,
– maintain a defined affiliation with each individual whereby the validity of the digital credential is renewed at specified intervals.

CAMP Med 12 [Diagram: Identity Provider (IdP) uth.tmc.edu. The IdP obtains the person's physical characteristics (identity vetting & credentialing), assigns an everlasting identifier that is permanently bound to the person and recorded in a permanent identity database, and issues a digital credential that only that person can activate.]

CAMP Med 13 [Diagram: the same flow labelled "UTHSC-H Two Factor Authentication"; two steps are marked with question marks.]

CAMP Med 14 [Diagram: the same flow labelled "UTHSC-H Username/Password Authentication", with person-only activation relying on a network username and password; many more steps are marked with question marks.]

CAMP Med 15 Identity & Authentication Attributes
Identity Vetting
– Basic Trust Level
– Medium Trust Level
– High Trust Level
Credential Strength
– Two-factor PKI Biometric Token
– Two-factor PKI Password Token
– One-factor Network Username/Password

CAMP Med 16 UTHSC-H Strategic Authentication Goals
Two authentication mechanisms:
– Single university ID (UID) and password
– Public Key Digital ID on Token (two-factor authentication)
Digital Signatures
Highly Secure Access Control
Potential for inherent global trust

CAMP Med Public Key Infrastructure: The Broad Enabler of Collaborative Trust

CAMP Med 18 Agencies are using the Internet for an increasing spectrum of applications. Doing so requires that agencies confront the issues of user authentication, confidentiality and integrity of data transferred, and the ability to hold transaction parties accountable when necessary. While there are many technologies which meet some of the requirements, only one provides the tools for meeting all of them: public key technology, implemented in the form of Public Key Infrastructure (PKI). Richard A Guida, June 2000

CAMP Med 19 Using Digital IDs (DIDs)
Digital Signatures
– authenticate senders
– guarantee that messages are unaltered (message integrity)
– provide for non-repudiation
– legal signature within the United States
Encryption of
– Provides confidentiality of when required
Digitally Signing On-line Forms
Strong Authentication for Access Control

CAMP Med 20 [Diagram: Mass Mailing of Signed & Encrypted Mail. An automated mailer takes a message and a mailing list, requests each recipient's digital certificate from the LDAP directory service, and sends each recipient a signed & encrypted message.]

CAMP Med 21 Two Categories of Identity
Physical Identity – Body Identity – Authentication
– Facial picture
– Fingerprints
– DNA sample
Identity Attributes – Authorization Attributes
– Common name
– Address
– Institutional affiliations, e.g. faculty, student, staff, contractor
– Specific group memberships
– Birth date
– City of birth
– Clinical credentials
– Etc.

CAMP Med 22 [Diagram: Federated Services – Identity Providers (IdP) & Resource Providers (RP). IdPs: uth.tmc.edu, utsystem.edu, bcm.edu, mdanderson.org, utmb.edu. RPs: library.tmc.edu, Blackboard (uth.tmc.edu), GMEIS (uth.tmc.edu). The InCommon federation provides the WAYF service that connects them.]

CAMP Med 23 [Diagram: the same federation diagram with Public Key Infrastructure added.]

CAMP Med 24 [Diagram: Shibboleth flow. At the home organization (ORIGIN): Authentication System (ISO/SSO/Cert), Attribute Authority, Handle Service, and an RBAC Authorization System backed by LDAP (eduPerson). The user's browser is directed through the federation WAYF service (InCommon) to the Resource Provider (TARGET), whose SHIRE and SHAR components obtain the attributes determined by the ARP from the origin before the Resource Manager admits the browser to the web site. The Shib software components are marked.]
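Slide 19 lists what a digital signature gives a relying party (sender authentication, message integrity, non-repudiation), and slide 24 shows the Shibboleth flow in which the home organization releases to a resource provider only the attributes its ARP allows. The Go program below is an added example, not code from the presentation or from the Shibboleth project: it models the IdP signing an attribute assertion with Ed25519 and the RP verifying it, and exercises the checks a practitioner cares about (an attribute altered in transit, an assertion replayed at a different RP, a signing key the RP does not trust). The JSON assertion format, the RP identifiers such as gmeis.uth.tmc.edu, the eduPerson attribute values and the identifier mda-0001 are all constructed for the example; real Shibboleth deployments exchange signed SAML assertions, not this JSON.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Assertion is the attribute statement an IdP hands to a resource provider (RP); the JSON shape is constructed.
type Assertion struct {
	Issuer     string            `json:"issuer"`     // home organization (the IdP)
	Subject    string            `json:"subject"`    // the IdP's everlasting identifier for the person
	Audience   string            `json:"audience"`   // the RP this assertion was issued to
	Attributes map[string]string `json:"attributes"` // attributes released under the ARP
}

// ARP (attribute release policy) maps an RP identifier to the attributes it may receive.
type ARP map[string][]string

// ReleaseAttributes filters the directory's full attribute set down to what the ARP allows for rp.
func ReleaseAttributes(full map[string]string, arp ARP, rp string) map[string]string {
	out := map[string]string{}
	for _, name := range arp[rp] {
		if v, ok := full[name]; ok {
			out[name] = v
		}
	}
	return out
}

// SignedAssertion carries the serialized assertion and the IdP signature over exactly those bytes.
type SignedAssertion struct {
	Payload   []byte
	Signature []byte
}

// SignAssertion is the IdP side. encoding/json emits map keys in sorted order,
// so the payload is deterministic and the signature binds every field.
func SignAssertion(priv ed25519.PrivateKey, a Assertion) (SignedAssertion, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyAssertion is the RP side: check the signature with the IdP key the RP trusts
// from federation metadata, then check that the assertion was issued to this RP.
func VerifyAssertion(idpKey ed25519.PublicKey, sa SignedAssertion, rp string) (Assertion, error) {
	if !ed25519.Verify(idpKey, sa.Payload, sa.Signature) {
		return Assertion{}, fmt.Errorf("signature check failed: payload altered or not from the trusted IdP")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, err
	}
	if a.Audience != rp {
		return Assertion{}, fmt.Errorf("assertion issued to %q, presented at %q", a.Audience, rp)
	}
	return a, nil
}

// Tamper replaces from with to in the payload while keeping the original signature,
// which is what an intermediary editing the assertion in transit would produce.
func Tamper(sa SignedAssertion, from, to string) SignedAssertion {
	return SignedAssertion{Payload: bytes.Replace(sa.Payload, []byte(from), []byte(to), 1), Signature: sa.Signature}
}

// SampleDirectory and SampleARP are constructed data for Scenario I: a partner-institution
// physician reaching the GMEIS resource provider. RP identifiers and values are invented.
var SampleDirectory = map[string]string{
	"eduPersonPrincipalName": "drjames@mdanderson.org",
	"eduPersonAffiliation":   "faculty",
	"cn":                     "James, Example",
	"dateOfBirth":            "1970-01-01",
}
var SampleARP = ARP{
	"gmeis.uth.tmc.edu": {"eduPersonPrincipalName", "eduPersonAffiliation"},
	"library.tmc.edu":   {"eduPersonAffiliation"},
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	const rp = "gmeis.uth.tmc.edu"
	signed, _ := SignAssertion(idpPriv, Assertion{
		Issuer: "mdanderson.org", Subject: "mda-0001", Audience: rp,
		Attributes: ReleaseAttributes(SampleDirectory, SampleARP, rp),
	})
	got, err := VerifyAssertion(idpPub, signed, rp)
	fmt.Println("genuine:", got.Attributes, err)
	_, err = VerifyAssertion(idpPub, Tamper(signed, `"faculty"`, `"student"`), rp)
	fmt.Println("tampered:", err)
	_, err = VerifyAssertion(idpPub, signed, "library.tmc.edu")
	fmt.Println("wrong audience:", err)
}
```

Run it with go run: the genuine case prints only the two attributes the ARP releases to GMEIS (date of birth and common name stay at the home organization), while the tampered and wrong-audience cases print errors. The audience check matters because a signature alone proves origin and integrity, not that the assertion was meant for the RP that received it.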

CAMP Med What Does an Institution Do When There is NO Identity Provider?

CAMP Med 26 Policy and procedures associated with identifying, credentialing and authenticating employees, students and residents are reasonably appropriate at the university. However, another group of individuals, such as contractors, research collaborators and others having legitimate, professional affiliations with the university, do not have digital credentials issued by identity providers having relying party agreements with UTHSC-H.

CAMP Med 27 Currently, the university accepts the legal responsibility of identifying these individuals, designated as “guests”, and issuing them digital credentials which they can use to authenticate their university-certified identity to others.

CAMP Med 28 Because of the extremely varied circumstances associated with how “guest” affiliations arise and terminate, it is difficult to determine the current status of “guest” affiliations and associated levels of “trust”. To ensure that appropriate assurance levels can be asserted by UTHSC-H as an identity provider, special policies exist for identity proofing and credentialing of persons sponsored by individual university personnel.