
Organization Background

PKI in Healthcare. Dave Barnett, Systems Architect, Kaiser Permanente, dave.barnett@kp.org, (925) 926-3520. Organization Background: Kaiser Permanente Medical Care Program; First HMO (founded in 1945); Now in 11 states and District of Columbia; 8 Million Members; 11,000 Physicians


Presentation Transcript


  1. PKI in Healthcare
     • Dave Barnett, Systems Architect
     • Kaiser Permanente
     • dave.barnett@kp.org
     • (925) 926-3520

  2. Organization Background
     • Kaiser Permanente Medical Care Program
     • First HMO (founded in 1945)
     • Now in 11 states and District of Columbia
     • 8 Million Members
     • 11,000 Physicians
     • 90,000 Employees
     • 30 Medical Centers
     • 360 Medical Facilities

  3. PKI Project Business Drivers
     • Move duplicated functions (e.g. security) from applications to infrastructure
     • Electronic Healthcare Records and Services replacing paper based
     • Regulatory compliance
     • Health Insurance Portability and Accountability Act (HIPAA)
     • http://aspe.os.dhhs.gov/admnsimp/

  4. PKI Project Business Drivers
     • Healthcare Community of Interest
     • California Medical Association estimates that each California Physician does business with 50 to 100 healthcare organizations
     • Considerable opportunity for e-business
     • Commerce (supplies, pharmaceuticals, etc.)
     • Patient services
     • Benefits (e.g., with Employer)
     • Referrals for Medical Services
     • Emergency Room

  5. KP PKI Project Scope
     • KP PKI-enabled CIS (Clinical Information System)
     • First 2,500 users in September 2000
     • Roll-out to 70,000 users
     • VPN/Extranet
     • Applications with Affiliates
     • EDI and e-business

  6. KP PKI Project Scope
     • Secure E-mail (S/MIME)
     • Partner / Affiliate
     • Patient - Doctor
     • Web
     • Patient access to medical information and services
     • Partner and Affiliate access to resources
     • Interoperability demo with California Medical Association and Tunitas Group Healthcare PKI

  7. Healthcare PKI Demo Project
     • California Medical Association
     • CA for California Physicians
     • See http://www.cmanet.org/ for information on MEDePass program
     • CMA Bridge CA
     • Will interoperate with KP Bridge CA
     • PKI Interoperability Demo Workshop
     • Kaiser Permanente, CMA, Blue Shield of California, Scripps, Hill Physicians, Social Security Admin, Pacificare, Catholic Healthcare West, Sutter, St. Joseph, etc.
     • http://www.tunitas.com/pages/PKI/pki.htm

  8. Interoperability Issues
     • Healthcare Certificate Policies and Certification Practice Statements
     • Assurance of Identity
     • Certificate Profiles
     • Privilege Management (Future)

  9. CP and CPS
     • Existing CP / CPS examples not useful
     • Policy and legal requirements of an organization that sells certificates and CA services different from Healthcare provider requirements
     • Healthcare Model Policy Creation and Support is Critical
     • ANSI HISB Meeting March 1 - 2 2000 (http://www.ansi.org/rooms/room_41/default.htm)
     • ASTM E31.20 Healthcare Model Policy only work in progress under ANSI
     • See E31 Committee at http://www.astm.org
     • See draft Healthcare Model Policy at http://www.tunitas.com/pages/PKI/docs/

  10. Assurance of Identity
     • Assurance of Identity is one of the considerations for Assurance Level in CP
     • Healthcare Provider Certificate is a high value target
     • Allows impersonation of physician electronically
     • Identity assurance and authentication must be acceptable to industry and regulators
     • e.g., what would the DEA require for a digital signature for electronic prescriptions?

  11. Profile Proliferation
     • Tendency for each organization, vendor, application, and community of interest to create a certificate profile
     • Need to converge on smallest number of profiles required (e.g., vertical industry community of interest)
     • Need to develop an X.509 v3 profile for Healthcare based on RFC 2459 and ASTM E31.20

  12. Privilege Management
     • Access control and authorization can become very complex in Healthcare
     • Roles
     • Appointment Clerk, Billing, Physician, Radiologist, Lab, Psychiatric Social Worker, etc.
     • Content
     • HIV, Substance Abuse, Mental Health
     • National and State Regulations
     • Policy (organizational and departmental)
     • Context (Emergency Dept.)
     • Privilege changes may be frequent
     • Multiple roles not uncommon

  13. Privilege Management
     • ITU and IETF proposing Attribute Certificates (X.509) for PMI
     • Open Group just approved Authorization API (aznAPI) as a standard for authorization
     • Not mutually exclusive
     • aznAPI can use Attribute Certificates as well as other approaches (e.g., rule or role based “authorization engine”)

  14. Privilege Management
     • Standards not stabilized yet, products are very new
     • PMI can be very useful in Healthcare
     • Healthcare industry interest likely to grow in this area

  15. Thank you!
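
The privilege-management factors on slides 12 and 13 (roles, content category, context, frequently changing privileges, multiple roles) can be combined in a small rule- and role-based authorization engine. The sketch below is an added example, not part of the presentation or any Kaiser Permanente system; `RoleAttribute` is a simplified stand-in for an attribute certificate, and the policy table, emergency rule, holder name and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class RoleAttribute:
    """Simplified stand-in for an attribute certificate (no real X.509 parsing)."""
    holder: str
    role: str
    not_before: datetime
    not_after: datetime

# Constructed policy (assumption): roles allowed to read each content category.
POLICY = {
    "general": {"Physician", "Radiologist", "Lab", "Billing", "Appointment Clerk"},
    "mental_health": {"Physician", "Psychiatric Social Worker"},
    "hiv": {"Physician"},
    "substance_abuse": {"Physician", "Psychiatric Social Worker"},
}
# Constructed context rule (assumption): clinical roles get audited emergency access.
CLINICAL = {"Physician", "Radiologist", "Lab", "Psychiatric Social Worker"}

def active_roles(holder, attrs, now):
    """Roles whose attribute names this holder and is inside its validity window."""
    return {a.role for a in attrs
            if a.holder == holder and a.not_before <= now <= a.not_after}

def decide(holder, attrs, category, context, now):
    """Return (allowed, reason); unknown categories and expired roles are denied."""
    roles = active_roles(holder, attrs, now)
    if not roles:
        return False, "no valid role attribute"
    permitted = POLICY.get(category)
    if permitted is None:
        return False, "unknown content category"
    if roles & permitted:
        return True, "role permits category"
    if context == "emergency_dept" and roles & CLINICAL:
        return True, "emergency override, audit required"
    return False, "role does not permit category"

# Constructed sample: one holder with two roles, the Physician role already expired.
NOW = datetime(2000, 9, 1, 12, 0)
ATTRS = [
    RoleAttribute("dr.example", "Radiologist", NOW - timedelta(days=1), NOW + timedelta(days=1)),
    RoleAttribute("dr.example", "Physician", NOW - timedelta(days=30), NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    for cat, ctx in [("general", "clinic"), ("hiv", "clinic"), ("hiv", "emergency_dept")]:
        print(cat, ctx, decide("dr.example", ATTRS, cat, ctx, NOW))
```

Because the role assertions carry their own short validity windows, the expired Physician role drops out of the decision without any change to the holder's identity certificate.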
