1. Federated [Organization] Registry Brief Profile Proposal for 2008/09 presented to the IT Infrastructure Planning Committee J. Caumanns (eCR, Fraunhofer ISST, IHE-D) 16 October 2008

2. IT Infrastructure Planning Committee Use Case Mr. A has been to hospital B for a surgery. After his stay he gets a discharge letter for his PCP where the follow-up medication is determined. On the way to his PCP Mr. A lost the letter in the bus. He asks the PCP to call the hospital for copy. PCP is calling the directory assistance. PCP A: Hi, this is PCP A: Can you please provide me the number of the cardiological dept. of hospital B? DirAssist: We do not have the numbers of the departments listed. But the number of the hospital’s central office is 12345. Should I connect you? PCP: Yes please. Hospital: Hospital B. What can I do for you? PCP: Could you please give me the number of the cardiological dept.?

3. IT Infrastructure Planning Committee Use Case Hospital: The phone number is 123456. But for technical reasons I cannot connect you. PCP is dialing 123456. CardDept: Hospital B. Cardiological dept. Can I help you? PCP: Yes please. My name is PCP X and I’m here with Mr. A who lost his discharge letter in the bus. Could you please send me a copy by fax? CardDept:No Problem. Please give me your name and fax number. PCP: My name is PCP X and my fax number is 444. Thank you. 2 minutes later the discharge letter arrives by fax. The PCP prescribes the medicine as stated in the discharge letter.

4. IT Infrastructure Planning Committee The Problem Directory lookups and identity information exchanged in the use case:Directory lookups and identity information exchanged in the use case: –PCP X calling the directory assistance –Directory assistance looking up the phone number [identity attribute] of Hospital B –Hospital B looking up the phone number [identity attribute] of the cardiologic department. –Cardiologic department asking for name and fax number [identity attributes] of PCP X Shifting this scenario into the digital age would require comparable lookup services and mechanisms for the exchange of identity informationShifting this scenario into the digital age would require comparable lookup services and mechanisms for the exchange of identity information

5. IT Infrastructure Planning Committee Use Case (continued) Two days later Mr. A dies from a contraindication caused by the medicine PCP X gave him. During their investigation the police finds out that the cardiologic department of hospital B never sent a fax to PCP X. It is possible for an intruder to do a man-in-the-middle attack with this scenario because PCP X had no easy way to authenticate his communication partners and to verify the accuracy of the identity and directory information exchanged.

6. IT Infrastructure Planning Committee Conclusion Incompliant directory services using different trust models make it hard to verify the authenticity of the service and the data provided.Incompliant directory services using different trust models make it hard to verify the authenticity of the service and the data provided. Missing directory services make it impossible to establish a trusted communication with partners only known by name.Missing directory services make it impossible to establish a trusted communication with partners only known by name. -> a unique model for trust establishment is required-> a unique model for trust establishment is required -> an operational model is needed that allows for a high accuracy of the directory data-> an operational model is needed that allows for a high accuracy of the directory data -> the authenticity of the entry point for a chain of directory queries must be verifiable with local data only-> the authenticity of the entry point for a chain of directory queries must be verifiable with local data only

7. IT Infrastructure Planning Committee Federated Directory Services

8. IT Infrastructure Planning Committee Proposed Standards & Systems The proposed profile should use existing directory standards (i. e. LDAP)The proposed profile should use existing directory standards (i. e. LDAP) RFC 2798 is a good basis for the registry data setRFC 2798 is a good basis for the registry data set Entity Identification Service (Service Functional Model Specification) + OMG Spec.Entity Identification Service (Service Functional Model Specification) + OMG Spec. The use of DSML and/or SPML should be consideredThe use of DSML and/or SPML should be considered Federation and trust establishment/brokerage should be based on the respective WS* standards (e. g. using the recommendations of the HL7 v3 transport specification)Federation and trust establishment/brokerage should be based on the respective WS* standards (e. g. using the recommendations of the HL7 v3 transport specification)

9. IT Infrastructure Planning Committee Discussion Level of effort:Level of effort: –medium Profile Editor:Profile Editor: –Ben Kraufmann, Olaf Rode (Fraunhofer ISST, eCR Consortium) –Members from IHE Germany, IHE Austria, and eCR industry partners