Identity Federation in Healthcare Networks

Presentation Transcript


  1. Identity Federation in Healthcare Networks
     Xiaohui Chen
     Department of Computer Science, University of Virginia

  2. Agenda
     • Introduction
     • Current Efforts
     • System Design
     • System Implementation
     • Demo
     • Conclusions and future work

  3. Introduction
     • What is identity?
       • The distinguishing characteristic or personality of an individual
     • Why is identity important?
       • All the important things you do require your identity
     • Why has identity become a problem?
       • Enterprise side
       • Personal side

  4. Introduction
     • Our proposed solution
       • “Identity Federation”
       • “The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains”

  5. [Architecture diagram] Medical Data Portal with Ancillary Services (Pharmacy, Insurance, Billing, Clinics), a Data Repository and Web Service (WSE 2.0) protected by WS-Policy, an Authentication Web Service (Secure Token Service), an Authorization Web Service (Authorization Engine) driven by Authorization Rules, and Trust Establishment and Federation between domains. Authentication devices: HP5550 Fingerprint Scanner, Signature e-Token, RFID.
     Message labels in the diagram: Initial login; Store cookie; Request authentication token; Return generated token; Data request + authentication token; Authorization request; Authorization decision.

     WS-Policy attached to the data web service (requires a trust-level token of at least 2.5):
       <wsp:Policy wsu:Id="trustlevelsec-token">
         <wssp:SecurityToken wsp:Usage="wsp:Required">
           <wssp:TokenType>http://cs.virginia.edu/tl#TrustLevelToken</wssp:TokenType>
           <wssp:TokenIssuer>http://cs.virginia.edu/TrustLevelSTS.asmx</wssp:TokenIssuer>
           <wstl:TrustLevel>2.5</wstl:TrustLevel>
         </wssp:SecurityToken>
       </wsp:Policy>

     Authorization Rules (excerpt; the closing Context tag and the escaped ">=" operator are corrected from the slide):
       .....
       <Condition>
         <Context>IsAttending</Context>
         <Operator>==</Operator>
         <Expected>true</Expected>
       </Condition>
       <Condition>
         <Context>TrustLevel</Context>
         <Operator>&gt;=</Operator>
         <Expected>Fingerprint</Expected>
       </Condition>
       .....

  6. Current Efforts
     • OASIS and SAML
     • Microsoft, IBM and WS-Roadmap
     • Liberty Alliance
     • .NET Passport
     • Shibboleth

  7. System Design
     • Identity Federation by inter-domain identity mapping through anonymous token/attribute exchange via Token Exchange Service
     • Why choose this design?

  8. System Design
     • Key Ideas:
       • Identity establishment/management with strong authentication
       • Trust establishment between domains
       • Universal identity with inter-domain identity mapping and attribute mapping
       • Inter-domain security information exchange via Token Exchange Server
       • Privacy protection – pseudonym, attribute exchange
       • Request forwarding for web single sign-on

  9. System Design
     • Strong authentication
       • Biometric
       • Non-biometric
       • Two factors
     • Trust levels
       • Numerical
       • Comparable
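The authorization rules from slide 5 evaluated with the comparable trust levels of slide 9, as an added Python example that is not part of the presentation; the numeric level table (Password 1.0 up to Fingerprint 2.5), the `<Rules>` wrapper and the function names are assumptions.

```python
"""Evaluate the <Condition> authorization rules from slide 5 against a request
context, treating trust levels as comparable numbers (slide 9), so that
'TrustLevel >= Fingerprint' compares the requester's level against the level
assigned to fingerprint authentication.  The level table is an assumption."""
import operator
import xml.etree.ElementTree as ET

# Assumed mapping of authentication methods to numeric trust levels; the slides
# only show that 2.5 is required by the WS-Policy and that levels are comparable.
TRUST_LEVELS = {"Password": 1.0, "RFID": 1.5, "eToken": 2.0, "Fingerprint": 2.5}

OPERATORS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
             "<=": operator.le, ">": operator.gt, "<": operator.lt}

# The two rules shown on slide 5, with the markup errors corrected.
RULES_XML = """<Rules>
  <Condition><Context>IsAttending</Context><Operator>==</Operator><Expected>true</Expected></Condition>
  <Condition><Context>TrustLevel</Context><Operator>&gt;=</Operator><Expected>Fingerprint</Expected></Condition>
</Rules>"""

def coerce(name, value):
    """Bring a context value and an <Expected> string onto the same type."""
    if name == "TrustLevel":
        # Accept a level name ("Fingerprint") or a raw number (2.5 / "2.5").
        return TRUST_LEVELS[value] if value in TRUST_LEVELS else float(value)
    if isinstance(value, bool):
        return value
    if value in ("true", "false"):
        return value == "true"
    return value

def evaluate(rules_xml, context):
    """Grant only if every <Condition> holds.  A missing context attribute,
    an unknown operator or an unknown trust-level name denies (fail closed)."""
    for cond in ET.fromstring(rules_xml).findall("Condition"):
        name = (cond.findtext("Context") or "").strip()
        op = OPERATORS.get((cond.findtext("Operator") or "").strip())
        if name not in context or op is None:
            return False
        try:
            actual = coerce(name, context[name])
            expected = coerce(name, (cond.findtext("Expected") or "").strip())
        except (KeyError, ValueError, TypeError):
            return False
        if not op(actual, expected):
            return False
    return True
```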

  10. System Design
      • Identity mapping
        • One-to-one
        • Many-to-one
        • One-to-many
        • Pseudonym
      [Mapping figure labels: 54087@hospital.com, John@hospital.com, John@pharmacy.com, Tom@hospital.com, guest@pharmacy.com]

  11. System Design
      • Attribute mapping
        • Any security information can establish meaningful mappings between domains along with a user’s identity, e.g. trust level mapping, role mapping, privilege mapping …
        • Standard attribute names

  12. System Design
      • Trust Relation Setup
        • Defined by policy files
        • Administered by authority
        • With whom to federate identity?
        • How to federate identity?

  13. System Design
      • Inter-domain security information exchange
        • Heterogeneous systems have different security information formats
        • Attribute exchange via standard web service interface
        • Standard token formats – SAML, WS-Trust
      • Single-Sign-On

  14. System Design
      • Security Token Service
      • Token Exchange Service
      • Trust Authority

  15. System Design

  16. System Design
      • Security Token Service
        • WSE 2.0 based
        • Attribute extension
          • Trust level
          • Location
          • Time
          • Role
        • Identity Federation extension
          • Inter-domain request control
          • Endpoint for inter-domain security information exchange with web service
          • Identity and attribute mapping

  17. System Design
      • Token Exchange Service
        • Facilitates inter-domain security information exchange with request forwarding
        • Automatic directory lookup
        • Trust broker
        • Define standard attribute names

  18. System Design
      • Trust Authority
        • Manages inter-domain trust relationship
        • Publishes domain information
        • Defines attributes provided
        • Defines services provided
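The identity and attribute mapping a Token Exchange Service performs under a trust relation published by the Trust Authority (slides 10, 11, 17 and 18), as an added Python example, not code from the presentation or its system; the domain names, mapping tables, trust-level scales, pseudonym secret and function names are constructed, and only the identities come from slide 10.

```python
"""Token Exchange Service step (slides 10, 11, 17 and 18): re-issue a token from
one trust domain in the identity and attribute vocabulary of another.  Domain
names, mapping tables, trust-level scales and the pseudonym secret are
constructed; only the identity examples come from slide 10."""
import hmac

# A token is (domain, subject, attributes).  A trust relation is the policy the
# trust authority publishes for one source->target pair (constructed values).
HOSPITAL_TO_PHARMACY = {
    "identity_map": {"John@hospital.com": "John@pharmacy.com"},  # one-to-one
    "default_identity": "guest@pharmacy.com",                    # many-to-one fallback
    "attribute_names": {"AuthLevel": "TrustLevel", "JobTitle": "Role"},  # local -> standard
    "trust_level_map": {1.0: "password", 2.0: "token", 2.5: "biometric"},  # numeric -> named scale
    "pseudonym_key": b"constructed-demo-secret",
}
RELATIONS = {("hospital.com", "pharmacy.com"): HOSPITAL_TO_PHARMACY}

def pseudonym(rel, domain, subject, target):
    """Stable per-user, per-target opaque id (cf. 54087@hospital.com on slide 10):
    the target recognises a returning user without learning the local identity."""
    mac = hmac.new(rel["pseudonym_key"], f"{subject}|{target}".encode(), "sha256")
    return f"{int(mac.hexdigest()[:8], 16) % 100000:05d}@{domain}"

def exchange(token, target, pseudonymous=False, relations=RELATIONS):
    """Translate token from its issuing domain into target's vocabulary, or refuse."""
    domain, subject, attributes = token
    rel = relations.get((domain, target))
    if rel is None:
        raise PermissionError(f"no trust relation {domain} -> {target}")
    if pseudonymous:
        mapped = pseudonym(rel, domain, subject, target)
    else:
        mapped = rel["identity_map"].get(subject, rel["default_identity"])
    if mapped is None:
        raise PermissionError(f"{subject} cannot be mapped into {target}")
    out = {}
    for name, value in attributes.items():
        std = rel["attribute_names"].get(name)
        if std is None:
            continue  # attributes with no standard name are not disclosed to the target
        if std == "TrustLevel":
            if value not in rel["trust_level_map"]:
                raise PermissionError(f"unknown trust level {value!r}")
            value = rel["trust_level_map"][value]
        out[std] = value
    return (target, mapped, out)
```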

  19. System Design

  20. System Implementation
      • Three trust domains
        • Medical portal – hospital
        • Pharmacy portal – pharmacy
        • News portal – MSN
      • Related services
        • Security token service
        • Trust authority
        • Token Exchange Service

  21. System Implementation
      • Medical Portal
        • Authentication and authorization
        • Medical data management
        • Doctor/Patient portal service
        • Electronic prescription management/submission via active federation
        • Event alert system

  22. System Implementation
      • Pharmacy Portal
        • Structurally the same as the hospital portal
        • Electronic prescription management
        • Automatically sends prescription information to, and receives it from, the hospital via active federation

  23. System Implementation
      • Mock MSN Portal
        • Represents a third-party news portal
        • Federates identity with hospital portal
        • Web Single-Sign-On

  24. Demo
      • Trust Level
      • Alerts with active federation
      • Federation between MSN and hospital

  25. Conclusion
      • Identity federation with user identity mapping between domains is flexible, maintainable and powerful
      • Token Exchange Service with web service security information exchange successfully hides local security system implementation
      • Trust authority with domain information publishing is a practical way to administer trust relationships
      • Levels of authentication provide one way to evaluate identity trustworthiness across domains
      • Identity federation with Single Sign-On successfully alleviates the identity crisis

  26. Future Work
      • Fully automatic trust negotiation and establishment
      • More powerful attribute exchange/evaluation algorithm to protect user privacy
      • Become SAML compliant
      • Standards other than Microsoft and IBM’s WS-X
      • Integration with other federation approaches

  27. Publications
      • Xiaohui Chen and Alfred C. Weaver, Identity Federation in Federated Trust Healthcare Network, Submitted to XXXX
      • Alfred C. Weaver, Samuel J. Dwyer III, Andrew M. Snyder, James Van Dyke, James Hu, Xiaohui Chen, Timothy Mulholland, Andrew Marshall, Federated, Secure Trust Networks for Distributed Healthcare IT Services, IEEE International Conference on Industrial Informatics, Banff, Alberta, Canada, August 2003
      • Junzhe Hu and Alfred C. Weaver, A Dynamic, Context-Aware Security Infrastructure for Distributed Healthcare Applications, Pervasive Security, Privacy, and Trust (PSPT 2004), Boston, MA, August 2004
      • Alfred C. Weaver, Enforcing Distributed Data Security via Web Services, Workshop on Factory Communications (WFCS 2004), Vienna, Austria, September 21-24, 2004
