OpenPASS Open Privacy, Access and Security Services “Quis custodiet ipsos custodes?”


1 openPASS Open Privacy, Access and Security Services “Quis custodiet ipsos custodes?”

2 openPASS Phase 1 Proposed Scope
• Phase 1 openPASS Services are intended to provide the basic capabilities that allow a patient or provider to request access to patient health information from a protected resource and, based upon the security and privacy policies applied by the resource, have that access either be granted or denied.
• To accomplish this objective, Phase 1 openPASS Services must provide at least basic functionality for:
  • Patient Identity Resolution
  • Provider Identity Authentication, Assertion and Validation
  • Provider Credential Assertion
  • Point-to-Point and Message-based Document/Message Transport
  • Policy-driven Access Control Decisions and Enforcement
  • Audit Event Record Generation and Submission to Audit Logging Services

3 openPASS HL7 SOA-PASS Service Functional Models and Platform Independent Models

4 Guiding Principles
• Service Orientation
• Focus on gaps in existing standards or adaptation to service environment
• Platform Independent
• Policy-driven
• Composable

5 openPASS Services in Architectural Context
[Diagram labels: Health Service Bus; PASS Common Service; Patient Identifier Service; Protected Resource; Workstation; UI Services; Terminology Services; HL7 V3 Services; Admin Support Services; Clinical Support Services; Process; EHR Registry; EHR Repository; Runtime Platform; Messages; PASS Services; Infrastructure Service; Terminology Service; openPASS Services]

6 [Diagram labels: PASS Service Inventory; Terminology Service Inventory; Network Layer; Clinical Document Service Inventory; UI Services; Process Service Inventory; Utility Service Inventory; Code Schema Policy Configuration Data Objects; Generic Process/Service Message Transport Service Inventory; Process Executive Services; Messages - platform; Messages - internet]

7 [Diagram labels: Credential; Identifier; Identity; binds to; Entity]

8 Subprojects
• Federated Identity Resolution
• Policy-driven Access Control
• Audit

9 Typical Health ID Federation Topology
[Diagram labels: HIDN; vHIN; vHIN Health ID Resolution Service; User; User Context; Login Service; Identity Provider 1, Identity Provider 2, ... Identity Provider n, each with an Authentication Service; vHIN Authority. Legend: A = Invokes submitAuditRecord]
Description
• Locates and returns User’s “authoritative” Identity Provider
Gaps
• Metadata Exchange Schema
• Token Schema
• SFM
• HIDN Federation Agreements
• Reference Implementation
Benefits
• Supports multiple Identity Providers
• Supports pseudonymisation

10 [Diagram labels: Access Enforcement Point; Resource; Role Assertion; Decision; Identity; x.509 Cert; Policy 1; Policy 2; Policy n; Service Invocation; Consent Directive; Policy Engine; Consent Repository; Interaction Policy]


16 Typical Health ID Federation Topology (Standards Domains)
[Diagram labels: HIDN; vHIN; vHIN Health ID Resolution Service; Unique ID Service; UID; User; User Context; Login Service; Identity Provider 1, Identity Provider 2, ... Identity Provider n, each with an Authentication Service; vHIN Authority. Standards domains: WS-*, PASS-IDF; WS-*, SAML. Legend: A = Invokes submitAuditRecord; I = Identity Token. Caption: Locates and returns User’s Identity Provider]

17 Typical Health Information Exchange (HIE) Federation Topology
[Diagram labels: PHR 1; vHIN; vHIN Authority; HIE Credential Provider; HIE Member Credential Provider; Healthcare Organization 1, Healthcare Organization 2, ... Healthcare Organization n; HCO Credential Provider; HCO Human Resources Credential Provider; Employee 1, Employee 2, ... Employee n; HIE Authorization with Policy Decision Engine; HIE Health Information Exchange with Access Enforcement; HIE Authority. Legend: A = Invokes submitAuditRecord; I = Identity Token; HIE Member Token; Healthcare Org Employee Token]
• Collects/Submits Tokens. Standards: WS-*, SAML, PASS
• Consumes Tokens. Standards: WS-*, SAML, XACML, PASS
• Issues Tokens. Standards: WS-*, SAML, PASS

18 Typical Policy-Driven Access Control Topology
[Diagram labels: PHR 1; vHIN; Credential Provider 1 ... Credential Provider n; PHR 1 Authorization with Policy Decision Engine; User Digital Cert Validation; Identity Provider Validation Service; User; User Context; PHR 1 Personal Health Record Service with Access Enforcement; Patient Context; Consent Directive Service; Session Context; Other Authorization Decision Factors; vHIN Identity Provider; vHIN Consent Directive; PHR 1 Authority; vHIN Authority. Note: Runtime (assumes user authenticated). Legend: A = Invokes submitAuditRecord; I = Identity Token; Healthcare Org Employee Token]

19 openPASS Architecture
[Diagram labels: Credential Provider; Access Control Authorization Service; Health ID Resolution Service; PASS Context Service; Identity Provider Authentication Service; Identity Provider; Personal Health Record Service; HIDN; vHIN; CIC; PHR. Standards annotations: WS-*, OASIS, PASS; WS-*, SAML, PASS; WS-*, SAML; WS-*, PASS-IDF; WS-*, PASS; WS-*, HL7. Legend: A = Invokes PASS submitAuditRecord or equivalent. Message labels (in extracted order): Verified Identity Token; Request Privacy Policy; Identifier; Redirect - Identity Provider Login; Identifier, Assertions; Request Credential; Verified Credential; User Role Assertion; Request PHR Access, submit credentials; Access Granted - Redirect; Request User Role; Access PHR; Request PHR Access]

20 Development Plan
• Reference implementations
• Code Base
• Review and refactor
• WS, Java, .NET components
• Commercialization issues
• Policy Agents for major web and application servers
