Identity Federation in Healthcare Networks


Xiaohui Chen

Department of Computer Science

University of Virginia

Agenda
  • Introduction
  • Current Efforts
  • System Design
  • System Implementation
  • Demo
  • Conclusions and future work

Department of Computer Science, University of Virginia

Introduction
  • What is identity?
    • The distinguishing characteristic or personality of an individual
  • Why is identity important?
    • All the important things you do require your identity
  • Why has identity become a problem?
    • Enterprise side
    • Personal side

Introduction
  • Our proposed solution
    • “Identity Federation”
    • “The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains”

[Figure: system architecture diagram. Recoverable labels:]
  • Components: Medical Data Portal; Data Repository and Web Service; Ancillary Services; Pharmacy; Insurance; Billing; Clinics; Authentication Web Service (Secure Token Service); Authorization Web Service (Authorization Engine); Trust Establishment and Federation
  • Technologies: WS-Policy; WSE 2.0
  • Authentication devices: HP5550; Fingerprint Scanner; Signature; e-Token; RFID
  • Message flow labels: Initial login; Store cookie; Request authentication token; Return generated token; Data request + authentication token; Authorization request; Authorization decision; Data
  • Token labels: http://cs.virginia.edu/tl#TrustLevelToken; http://cs.virginia.edu/TrustLevelSTS.asmx; 2.5
  • Authorization Rules: ..... IsAttending == true; TrustLevel >= Fingerprint .....

Current Efforts
  • OASIS and SAML
  • Microsoft, IBM and WS-Roadmap
  • Liberty Alliance
  • .NET Passport
  • Shibboleth

System Design
  • Identity Federation by inter-domain identity mapping through anonymous token/attribute exchange via Token Exchange Service
  • Why choose this design?

System Design
  • Key Ideas:
    • Identity establishment/management with strong authentication
    • Trust establishment between domains
    • Universal identity with inter-domain identity mapping and attribute mapping
    • Inter-domain security information exchange via Token Exchange Server
    • Privacy protection – pseudonym, attribute exchange
    • Request forwarding for web single sign-on

System Design
  • Strong authentication
    • Biometric
    • Non-biometric
    • Two factors
  • Trust levels
    • Numerical
    • Comparable
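
Added example (not part of the presentation): because trust levels are numerical and comparable, a rule such as `TrustLevel >= Fingerprint` from the architecture slide reduces to a number comparison. The level values and the `issue_attributes` and `authorize` helpers are assumptions made for illustration.

```python
import operator

# Constructed levels: the slides say only that trust levels are numerical and
# comparable; these values are assumptions for illustration.
TRUST_LEVELS = {"RFID": 1.0, "e-Token": 1.5, "Signature": 2.0, "Fingerprint": 2.5}
OPS = {"==": operator.eq, ">=": operator.ge}

# The two rules legible in the architecture slide.
RULES = [("IsAttending", "==", True), ("TrustLevel", ">=", "Fingerprint")]


def issue_attributes(method, is_attending):
    """Attributes a token service could assert after a login with `method`."""
    return {"IsAttending": is_attending, "TrustLevel": TRUST_LEVELS[method]}


def authorize(attrs, rules=RULES):
    """Return (allowed, reason); every rule must hold and any error denies."""
    for name, op, expected in rules:
        if name not in attrs:
            return False, f"token lacks {name}"
        compare = OPS.get(op)
        if compare is None:
            return False, f"unsupported operator {op}"
        if isinstance(expected, str):  # a method name used as a threshold
            if expected not in TRUST_LEVELS:
                return False, f"unknown trust level {expected}"
            expected = TRUST_LEVELS[expected]
        if not compare(attrs[name], expected):
            return False, f"{name} {op} {expected} not satisfied"
    return True, "all rules satisfied"


if __name__ == "__main__":
    for method in ("RFID", "Fingerprint"):
        print(method, authorize(issue_attributes(method, True)))
```

The evaluator denies on a missing attribute, an unknown operator, or an unknown level name, so a malformed token or rule never results in access.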

System Design
  • Identity mapping
    • One-to-one
    • Many-to-one
    • One-to-many
    • Pseudonym

System Design
  • Attribute mapping
    • Any security information can establish meaningful mappings between domains along with a user’s identity, e.g. trust level mapping, role mapping, privilege mapping …
    • Standard attribute names

System Design
  • Trust Relation Setup
    • Defined by policy files
    • Administered by authority
    • With whom to federate identity?
    • How to federate identity?
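
Added example (not part of the presentation) tying together the identity mapping, attribute mapping and trust relation setup slides: a policy decides with whom to federate and which attributes leave the domain, and the subject is exported as a per-domain pseudonym. The domain names, the policy layout, the trust-level cap and the HMAC-based pseudonym are assumptions, not the system's actual design.

```python
import hashlib
import hmac

# Constructed hospital-side policy: with whom to federate, and how.
POLICY = {
    "pharmacy.example": {
        "attributes": {"role": "Role", "trust": "TrustLevel"},  # local -> standard name
        "role_map": {"AttendingPhysician": "Prescriber"},
        "max_trust": 2.0,  # assumed trust-level mapping: cap what the peer sees
    },
    "news.example": {"attributes": {}, "role_map": {}, "max_trust": 0.0},
}
PSEUDONYM_KEY = b"constructed-demo-key"  # placeholder; a real key stays in the STS


def pseudonym(local_id, target_domain, key=PSEUDONYM_KEY):
    """Stable per (user, domain) pair, unlinkable across domains without the key."""
    msg = f"{target_domain}\x00{local_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def exchange(local_id, local_attrs, target_domain, policy=POLICY):
    """Build the attribute set released to target_domain, or refuse."""
    rule = policy.get(target_domain)
    if rule is None:
        raise PermissionError(f"no trust relation with {target_domain}")
    released = {"Subject": pseudonym(local_id, target_domain)}
    for local_name, standard_name in rule["attributes"].items():
        if local_name in local_attrs:
            released[standard_name] = local_attrs[local_name]
    if "Role" in released:
        mapped = rule["role_map"].get(released["Role"])
        if mapped is None:
            del released["Role"]  # unmapped local roles are not exported
        else:
            released["Role"] = mapped
    if "TrustLevel" in released:
        released["TrustLevel"] = min(released["TrustLevel"], rule["max_trust"])
    return released


if __name__ == "__main__":
    doctor = {"role": "AttendingPhysician", "trust": 2.5, "diagnosis_access": True}
    print(exchange("dr.smith", doctor, "pharmacy.example"))
    print(exchange("dr.smith", doctor, "news.example"))
```

Attributes absent from the policy (here `diagnosis_access`) are never released, and the two peer domains receive different subjects for the same user.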

System Design
  • Inter-domain security information exchange
    • Heterogeneous systems have different security information formats
    • Attribute exchange via standard web service interface
    • Standard token formats – SAML, WS-Trust
  • Single-Sign-On

System Design
  • Security Token Service
  • Token Exchange Service
  • Trust Authority

System Design
  • Security Token Service
    • WSE2.0 based
    • Attribute extension
      • Trust level
      • Location
      • Time
      • Role
    • Identity Federation extension
      • Inter-domain request control
      • Endpoint for inter-domain security information exchange with web service
      • Identity and attribute mapping

System Design
  • Token Exchange Service
    • Facilitates inter-domain security information exchange with request forwarding
    • Automatic directory lookup
    • Trust broker
    • Define standard attribute names

System Design
  • Trust Authority
    • Manages inter-domain trust relationships
    • Publishes domain information
    • Defines attributes provided
    • Defines services provided

System Implementation
  • Three trust domains
    • Medical portal – hospital
    • Pharmacy portal – pharmacy
    • News portal – MSN
  • Related services
    • Security token service
    • Trust authority
    • Token Exchange Service

System Implementation
  • Medical Portal
    • Authentication and authorization
    • Medical data management
    • Doctor/Patient portal service
    • Electronic prescription management/submission via active federation
    • Event alert system

System Implementation
  • Pharmacy Portal
    • Structurally the same as the hospital portal
    • Electronic prescription management
    • Automatically sends/receives prescription information to hospital via active federation

System Implementation
  • Mock MSN Portal
    • Represents a third party news portal
    • Federates identity with hospital portal
    • Web Single-Sign-On

Demo
  • Trust Level
  • Alerts with active federation
  • Federation between MSN and hospital

Conclusion
  • Identity federation with user identity mapping between domains is flexible, maintainable and powerful
  • Token Exchange Service with web service security information exchange successfully hides local security system implementation
  • Trust authority with domain information publishing is a practical way to administer trust relationships
  • Levels of authentication provide one way to evaluate identity trustworthiness across domains
  • Identity federation with Single Sign-On successfully alleviates the identity crisis

Future Work
  • Fully automatic trust negotiation and establishment
  • More powerful attribute exchange/evaluation algorithm to protect user privacy
  • Become SAML compliant
  • Standards other than Microsoft and IBM’s WS-X
  • Integration with other federation approaches

Publications
  • Xiaohui Chen and Alfred C. Weaver, Identity Federation in Federated Trust Healthcare Network, Submitted to XXXX
  • Alfred C. Weaver, Samuel J. Dwyer III, Andrew M. Snyder, James Van Dyke, James Hu, Xiaohui Chen, Timothy Mulholland, Andrew Marshall, Federated, Secure Trust Networks for Distributed Healthcare IT Services, IEEE International Conference on Industrial Informatics, Banff, Alberta, Canada, August 2003
  • Junzhe Hu and Alfred C. Weaver, A Dynamic, Context-Aware Security Infrastructure for Distributed Healthcare Applications, Pervasive Privacy Security, Privacy, and Trust (PSPT2004), Boston, MA, August, 2004
  • Alfred C. Weaver, Enforcing Distributed Data Security via Web Services, Workshop on Factory Communications (WFCS2004), Vienna, Austria, September 21-24, 2004
