Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using HL7’s CCOW Standard to Create Secure Information Solutions Colorado Healthcare Information Systems Society (CHIMSS) January 12, 2001 Robert Seliger.

Published byCaroline Morrison Modified over 9 years ago

Similar presentations

Presentation on theme: "Using HL7’s CCOW Standard to Create Secure Information Solutions Colorado Healthcare Information Systems Society (CHIMSS) January 12, 2001 Robert Seliger."— Presentation transcript:

1 Using HL7’s CCOW Standard to Create Secure Information Solutions Colorado Healthcare Information Systems Society (CHIMSS) January 12, 2001 Robert Seliger President and CEO, Sentillion Co-Chair HL7 CCOW Committee Copyright© 2001 Sentillion, Inc. All Rights Reserved

2 Secure? Copyright© 2001 Sentillion, Inc. All Rights Reserved

3 Agenda HIPAA Digital Security CCOW Practical Security Solutions Copyright© 2001 Sentillion, Inc. All Rights Reserved

4 HIPAA Final regulations published December 28, 2000 See: http://www.hhs.gov/ocr/hipaa.html Copyright© 2001 Sentillion, Inc. All Rights Reserved

5 HIPAA: Situation Statement According to the American Health Information Management Association (AHIMA), an average of 150 people ‘‘from nursing staff to x-ray technicians, to billing clerks’’ have access to a patient’s medical records during the course of a typical hospitalization.* * Standards for Privacy of Individually Identifiable Health Information; Final Rule, December 28, 2000, U.S. Dept. of Health and Human Services. Copyright© 2001 Sentillion, Inc. All Rights Reserved

6 HIPAA: Approach Ensure the rights that an individual who is a subject of individually identifiable health information should have. Specify the procedures that should be established for the exercise of such rights. Define the uses and disclosures of such information that should be authorized or required. Copyright© 2001 Sentillion, Inc. All Rights Reserved

7 HIPAA: Scope 1. Care, services, or supplies related to the health of an individual. 2. Health information maintained/transmitted electronically or via any other form or medium. Copyright© 2001 Sentillion, Inc. All Rights Reserved

8 HIPAA: Philosophy We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is ‘‘scalable.’’) * Standards for Privacy of Individually Identifiable Health Information; Final Rule, December 28, 2000, U.S. Dept. of Health and Human Services. Copyright© 2001 Sentillion, Inc. All Rights Reserved

9 HIPAA: Enforcement HSS’s Office for Civil Rights: 1.Voluntary 2. Civil monetary penalties and referrals for criminal prosecution. Copyright© 2001 Sentillion, Inc. All Rights Reserved

10 Digital Security Authentication Encryption Non-Repudiation Copyright© 2001 Sentillion, Inc. All Rights Reserved

11 Digital Signatures Secure Hash Value Encrypt Value COMPARE by Private key by Public key Receiver Sender Original message Signed Message Value Decrypt Copyright ©JungJoo-won, 1996, http://simac.kaist.ac.kr/~jwjung/seminar/ssl-ca-inst/slides.en Verified message

12 Digital Encryption Encrypt by Public keyby Private key Receiver Sender Original message Encrypted Message Decrypt Decrypted message Copyright ©JungJoo-won, 1996, http://simac.kaist.ac.kr/~jwjung/seminar/ssl-ca-inst/slides.en

13 Where Do Keys Reside? Private Keys: A “smart” card Embedded in a device On your personal computer Public Keys: In a file in “raw” form In a signed file, known as a digital certificate Copyright© 2001 Sentillion, Inc. All Rights Reserved

14 Digital Signature Inherent Limitations The verification process only establishes that the private key of the person whose public key is specified in the digital certificate was used to affix the digital signature. This verification process is a post-signing mechanism and does not correspond to the trusted witnessing mechanism established within the traditional signature environment. * * Non-Repudiation in the Digital Environment, Adrian McCullagh and William Caelli, First Monday, www.firstmonday.dk Copyright© 2001 Sentillion, Inc. All Rights Reserved

15 CCOW Multiple disparate applications: labs, meds, cardiology, scheduling, billing, etc. Users in need of easy access to data and tools: physicians, nurses, therapists, administrators, etc. Kiosk as well as personal workstations: hospitals, clinics, offices, homes, etc. Copyright© 2001 Sentillion, Inc. All Rights Reserved

16 CCOW Status ANSI certified standard published by Health Level Seven Uptake: 3M, Agilent, Bionetrix, CoreChange, Care Data Systems, Drager, DR Systems, Eclipsys, GE/Marquette, Medcon, Medscape, McKessonHBOC, Presideo, SpaceLabs/Burdick, Stockell, many others in 2001 Sites: Rex (1000), Marshfield Clinic (6500), St. Joes (1500), St. Als (2000), Cottage (2000), etc. Co-Chairs: Robert Seliger, Sentillion (founding co-chair) Barry Royer, Siemens (SMS) Michael Macalusso, McKessonHBOC Copyright© 2001 Sentillion, Inc. All Rights Reserved

17 What They’re Saying … “Originally an ad hoc group created to solve the problem of insuring common context between different applications in simultaneous use on the desktop, CCOW is capturing extremely important space in web browser and user security areas.”* * CHIM Standards Insight, Feb. 7, 2000 Copyright© 2001 Sentillion, Inc. All Rights Reserved

18 Example: Patient Link Nancy Furlow Copyright© 2001 Sentillion, Inc. All Rights Reserved

19 Demonstration Show it! Copyright© 2001 Sentillion, Inc. All Rights Reserved

20 Architecture Copyright© 2001 Sentillion, Inc. All Rights Reserved

21 Architecture Copyright© 2001 Sentillion, Inc. All Rights Reserved

22 Architecture Copyright© 2001 Sentillion, Inc. All Rights Reserved

23 Theory of Operation: Patient Link (1) User selects the patient of interest using any application on the clinical desktop. 1 Copyright© 2001 Sentillion, Inc. All Rights Reserved

24 Theory of Operation: Patient Link (2) Application tells the context manager to start a context change transaction and sets the context data to indicate the newly selected patient. 2 Copyright© 2001 Sentillion, Inc. All Rights Reserved

25 3 Theory of Operation: Patient Link (3) Context manager tells patient mapping agent that a context change is occurring; mapping agent supplies the context manager with other identifiers by which the patient is known. Copyright© 2001 Sentillion, Inc. All Rights Reserved

26 4 Theory of Operation: Patient Link 4 (4) Context manager tells the other applications that a new patient context has been proposed. The context manager surveys the applications to determine whether each can apply the new context. 4 Copyright© 2001 Sentillion, Inc. All Rights Reserved

27 5 Theory of Operation: Patient Link 5 (5) Each application indicates whether or not it can apply the new context. 5 5 Copyright© 2001 Sentillion, Inc. All Rights Reserved

28 5 5 Theory of Operation: Patient Link (6) If one or more of the applications prefers not to, or cannot, apply the new context, the user is asked to decide whether to continue, cancel, or break the link. Otherwise, context change continues automatically. 6 Copyright© 2001 Sentillion, Inc. All Rights Reserved

29 5 5 Theory of Operation: Patient Link (7) Context manager tells each application to apply the new context, or that the transaction has been canceled. If apply, then each applications tunes to the new patient context. 7 7 Copyright© 2001 Sentillion, Inc. All Rights Reserved

30 User Link Conceptually, same as Patient Link: Context change transaction User mapping agent Incorporates secure “Chain of Trust”: Digitally signed communication between programs No exchange of user passwords Copyright© 2001 Sentillion, Inc. All Rights Reserved

31 Chain of Trust Theory of Operation: User Link (1) User signs on (enters logon name, password, swipes security card, etc.) 1 Copyright© 2001 Sentillion, Inc. All Rights Reserved

32 Chain of Trust 2 Theory of Operation: User Link (2) Application authenticates the user and tells context manager the user’s logon name; authentication data is not passed on to the context manager. Copyright© 2001 Sentillion, Inc. All Rights Reserved

33 Chain of Trust Theory of Operation: User Link (3) Context manager tells mapping agent context change is occurring; mapping agent supplies the context manager with other logon names for the user as known to each application. 3 Copyright© 2001 Sentillion, Inc. All Rights Reserved

34 Chain of Trust Theory of Operation: User Link (4) Context manager tells other applications that there is a new user context. 4 4 4 Copyright© 2001 Sentillion, Inc. All Rights Reserved

35 Chain of Trust Theory of Operation: User Link (5) Each application gets user’s application- specific logon name from the context manager. 5 5 5 Copyright© 2001 Sentillion, Inc. All Rights Reserved

36 Chain of Trust Theory of Operation: User Link (6) Context manager tells each application to apply the new context, or that the transaction has been canceled. If apply, then each applications tunes to the new user context. 6 6 6 Copyright© 2001 Sentillion, Inc. All Rights Reserved

37 Practical Security Solutions HIPAA Requirements & Implications Requirements: Authenticate user access of patient records Audit user access of patient records Upon request, inform patients of access to records Implications: Effective administrative processes Practical security solutions Copyright© 2001 Sentillion, Inc. All Rights Reserved

38 Practical Security Solutions The Setting A building or campus of buildings A network within and between these buildings Connected to the Internet Caregivers, ancillary workers, patients, visitors, salesmen, etc. Computers everywhere Myriad patient-related applications Busy people Copyright© 2001 Sentillion, Inc. All Rights Reserved

39 Practical Security Solutions Key Considerations Physical Protection If can’t get at it, can’t have it Limited Trust If minimize dependencies, minimize exposure User Friendliness If easy to comply, people will System Understandability If don’t know how it works, won’t know if it works Copyright© 2001 Sentillion, Inc. All Rights Reserved

40 CCOW-Based Security Robust User Authentication Copyright© 2001 Sentillion, Inc. All Rights Reserved

41 CCOW-Based Security Single Sign-On Copyright© 2001 Sentillion, Inc. All Rights Reserved

42 CCOW-Based Security Roaming User Certificate Copyright© 2001 Sentillion, Inc. All Rights Reserved

43 CCOW-Based Security Context-Based Auditing Copyright© 2001 Sentillion, Inc. All Rights Reserved

44 CCOW-Based Security Context-Based Audit Reports Copyright© 2001 Sentillion, Inc. All Rights Reserved

45 CCOW-Based Security Context-Based Access Controls Copyright© 2001 Sentillion, Inc. All Rights Reserved

46 CCOW-Based Security Secure Network Appliance Copyright© 2001 Sentillion, Inc. All Rights Reserved

47 CCOW-Based Security Centralized Administration Copyright© 2001 Sentillion, Inc. All Rights Reserved

48 CCOW-Based Security Summary Need Authenticate User Access Audit User Access Inform Patients of Access Physical Protection Limited Trust User Friendliness System Understandability Solution User Authenticator Context Audit Logs Context Reporting Network Appliance Central Administration Single sign-on CCOW Standard Copyright© 2001 Sentillion, Inc. All Rights Reserved

49 Conclusion HIPAA Digital Security CCOW Practical Security Solutions Copyright© 2001 Sentillion, Inc. All Rights Reserved

50 Get Smart! Robert Seliger robs@sentillion.com www.sentillion.com Copyright© 2001 Sentillion, Inc. All Rights Reserved

Download ppt "Using HL7’s CCOW Standard to Create Secure Information Solutions Colorado Healthcare Information Systems Society (CHIMSS) January 12, 2001 Robert Seliger."

Similar presentations

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
Copyright © 2001 HL7 HL7: Standards for e-Health CCOW Context Management Standard Robert Seliger CCOW Co-Chair President and CEO, Sentillion, Inc.

Copyright © 2001 HL7 HL7: Standards for e-Health CCOW Context Management Standard Robert Seliger CCOW Co-Chair President and CEO, Sentillion, Inc.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.

Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
Presented by the Office of the General Counsel An Overview of HIPAA.

Presented by the Office of the General Counsel An Overview of HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
SLIDE 1 Westbrook Technologies from Fortis: A Healthcare Solution for Medical Records, Billing and HIPAA.

SLIDE 1 Westbrook Technologies from Fortis: A Healthcare Solution for Medical Records, Billing and HIPAA.
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.

CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.

© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Free HIPAA Training BCI Computers Free HIPAA Training (c) 2014 BCI Computers all rights reserved.

Free HIPAA Training BCI Computers Free HIPAA Training (c) 2014 BCI Computers all rights reserved.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean

E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Electronic Signatures This work is the intellectual property of the author. Permission is granted for this material.

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Electronic Signatures This work is the intellectual property of the author. Permission is granted for this material.

Similar presentations

Ads by Google