Framework for Analysing, Planning and Implementing Identity Management within E-Health


Framework for Analysing, Planning and Implementing Identity Management within E-Health
Version 1.0, July 2007
Public Release Final
National E-Health Transition Authority

National E-Health Transition Authority Ltd
Level Pitt Street
Sydney, NSW, 2000
Australia

Disclaimer
NEHTA makes the information and other material ("Information") in this document available in good faith but without any representation or warranty as to its accuracy or completeness. NEHTA cannot accept any responsibility for the consequences of any use of the Information. As the Information is of a general nature only, it is up to any person using or relying on the Information to ensure that it is accurate, complete and suitable for the circumstances of its use.

Document Control
This document is maintained in electronic form. The current revision of this document is located on the NEHTA Document Management System and is uncontrolled in printed form. It is the responsibility of the user to verify that this copy is of the latest revision.

Trademarks
Company, product, and service names mentioned herein may be trademarks or service marks; such marks are the property of their respective owners.

Security
The content of this document is Public Release. The information contained herein must only be used for the purpose for which it is supplied and must not be disclosed other than as explicitly agreed in writing with NEHTA.

Copyright
Copyright 2007, NEHTA. This document contains information which is protected by copyright. All Rights Reserved. No part of this work may be reproduced or used in any form or by any means (graphic, electronic, or mechanical, including photocopying, recording, taping, or information storage and retrieval systems) without the permission of NEHTA. All copies of this document must include the copyright and other information contained on this page.

Contents

1 Introduction
  Identity Management
  Purpose and Scope of this document and its positioning within the NEHTA Identity Management document set
  Intended Audience
  Feedback
2 Introduction to E-Health and NEHTA programs
  Emerging E-Health landscape
  NEHTA Programs
    Identity Management Program
    Secure Messaging Program
    UHI Service
    Shared E-Health Record
    E-Health Authentication Service
3 Identity Management Scope and Positioning
  Scope
  Identity Management across Organisations
  Laws of Identity
  Identity Management Positioning
    Organisational, Jurisdictional and National E-Health Context
    Socio-legal context
    Enterprise Risk Management and ICT Security Context
    Technology Planning and Management Context
4 Identity Management Vision for e-health
5 Identity Management Framework
  Identity Management Policy
  Entity Management
    Registration
    Authority Verification
    Application Enrolment & Identity Mapping
  Information Management
    Significance of Information Management to IdM
    Information Classification and Control
    Classification Schema
  Authentication Management
    Identity Authentication
    Identity Mapping
    Credential Management
  Access Management
    Application Classification
    Access Policy Enforcement
  Governance and Operations
    Governance
    Procurement & Capital Expenditure and Systems Development
    Privacy and Public Policy
  Architecture, Standards and Guidelines
    Architecture
    Standards
    Guidelines
6 Identity Management Planning and Implementation
  Identity Management Maturity
    Maturity of Strategy & Architecture
    Maturity of Implementation
    Identity Management Lifecycle Maturity
  Identity Management Planning and Transition
Appendix A - Key Reference Documents and URLs
  NEHTA
  Australian Government
  National and International Standards
  Explanatory and best practice resources
Appendix B - Australian Government Authentication Framework
  Endorsed approach to authentication of citizens and businesses
  The framework
  Scope and coverage
  Assurance levels
  Criteria for determining risk assurance levels of AGAF
  Articulating Assurance Levels into Authentication Approaches
  Authentication Assurance Level Matrix
  Credentials and protocols
Appendix C - Laws of Identity
  An Assessment Framework for Future Concepts
  Background to the Laws of Identity
  Law 1 - User Control and Consent
  Law 2 - Minimal Disclosure for a Constrained Use
  Law 3 - Justifiable Parties
  Law 4 - Directed Identity
  Law 5 - Pluralism of Operators and Technologies
  Law 6 - Human Integration
  Law 7 - Consistent Experience Across Contexts
Appendix D - Commonwealth Government Protective Security Manual
Appendix E - Identity Management Policy
  Statement of Policy
  Policy Priority and Rationale
  Policy Purpose and Benefits
  Detailed Policy Statements
    Identification
    Registration
    Application Classification
    Authentication
    Access Rights
    Roles
    Group Access
    Administration
    Audit
    Cross recognition of Identities


1 Introduction

1.1 Identity Management

NEHTA sees Identity Management (IdM) as: an integrated system of policies, processes, and technologies that enables health organisations and the E-Health Community as a whole to facilitate and control users' access to applications and information resources while protecting confidential personal and business information from unauthorised users.

When applied in a consistent and systematic way across a healthcare community, identity management underpins:
- identification of parties involved in healthcare activities: providers, patients, organisations and locations;
- authorised access to resources;
- confidential transmission and receipt of private or sensitive information;
- integrity of information transferred between parties; and
- traceability and audit of activity between transacting parties.

One pictorial view of the matters falling within the ambit of Identity Management is provided below:

Figure 1 Identity Management elements per The Burton Group

An examination of a range of Identity Management concepts and terms is presented in the companion NEHTA publication: Identity Management Glossary.

1.2 Purpose and Scope of this document and its positioning within the NEHTA Identity Management document set

This document provides an initial Framework to assist the E-Health Community in analysing, planning and implementing Identity Management within the national E-Health context. The key purpose is to identify the collective of issues that all healthcare providers and all E-Health infrastructural services will have to agree upon in order to ensure:
- security and trust across the E-Health Community;
- technical and process robustness and interoperability of Identity and Access elements between and across all stakeholders.

As such this document provides the background to and overview of NEHTA's Identity Management (IdM) initiative. The document introduces and positions a range of detailed IdM resources that it is hoped will guide organisations and communities within the sector towards a target identity management state that will enable secure, efficient and seamless E-Health transacting across the sector.

1.3 Intended Audience

The intended audiences for this document are:
- NEHTA personnel;
- Identity Management Project Reference Group;
- Jurisdictional stakeholders including decision makers, strategic planners, enterprise architects, identity management solution architects, procurers, implementers and policy writers.

1.4 Feedback

Feedback for this document is sought from the E-Health community and State and Territory Health Departments. Feedback will be considered by NEHTA and will be incorporated, where relevant, into subsequent NEHTA documents. All comments will be welcomed and can be sent to identity@nehta.gov.au.

2 Introduction to E-Health and NEHTA programs

2.1 Emerging E-Health landscape

The healthcare landscape in Australia is marked by the universality of network connections for most stakeholder groups including jurisdictions, providers and healthcare individuals. This highly networked environment is being increasingly leveraged for a range of healthcare and business purposes. One representative depiction of this landscape from the perspective of healthcare organisations is provided below:

Figure 2 Networked Healthcare Landscape

The environment depicted is one in which:
- most healthcare organisations make extensive use of networked technology environments for a range of practice-centric business and healthcare related purposes; and
- national, whole-of-sector E-Health initiatives are emerging encompassing both the core NEHTA initiatives of the Unique Healthcare Identifier Service (UHI-S) and the Shared Electronic Health Record (SEHR) (see section 2.2 below) and the burgeoning area of any-to-any messaging (eg as applied to e-referrals, e-pathology, e-prescribing, etc).

Key common denominators across both environments are:
- A common group of stakeholders (eg provider individuals and organisations and individual healthcare recipients).
- The use of information technology and networks to provide access to information or to exchange information.

- The requirement for robust ICT, organisational, personal and process security, including identity management (in the form of authentication, authorisation and audit).

2.2 NEHTA Programs

Although the NEHTA work program is addressing a broad raft of issues across the entire Australian health sector, two core themes from this suite of NEHTA programs are particularly relevant in this context:
- Programs focusing on Identity Management and Secure Messaging.
- Programs focusing on the establishment of overarching E-Health Infrastructure. These include the Unique Healthcare Identifier Service and the Shared Electronic Healthcare Record initiatives. An Authentication Service for E-Health is also under contemplation.

The programs are discussed in further detail below.

Identity Management Program

NEHTA's Identity Management initiative is developing a national approach and an alignment framework to guide the Australian health sector toward a uniform and comprehensive approach to managing digital identities and their access to E-Health applications and information resources. This requires that healthcare providers, across the board, migrate practices and systems to the point where they meet the interoperability and security requirements necessary to build a trusted national approach to E-Health.

NEHTA's Identity Management program in the E-Health community has two key engagement zones, as illustrated below. The first engagement zone (on the left) relates to the local Identity Management practices that are in place in individual jurisdictional and provider systems environments within the broader Health Sector. The second engagement zone (on the right) highlights the compliance that will be required as organisations move to full participation within the E-Health Community. This relates particularly to the initiatives/services being established by the NEHTA work program.

Figure 3 Identity Management Engagement Points (diagram labels: Australian Health Sector; State and Federal Funding; E-Health Community Governance; for each of Jurisdiction, Healthcare Provider and Individual, a Local IdM Practice alongside a National E-Health IdM Practice; National E-Health Infrastructure; Future Identity Management Service)

The Identity Management work program is intended to support the migration of organisations and applications from the broader sector into the National E-Health community. Inside the E-Health Community, identity management systems will need to be aligned with the principles described in the NEHTA Interoperability Framework (IF) and Enterprise Architecture (EA) documents. It is anticipated that the sector will adopt a Services Oriented Architecture (SOA) approach based on Web Services. Such systems will generally be developed as greenfield systems, filling a new role or acting as a migration target.

Identity management systems of varying complexity exist outside the E-Health Community in the broader Australian Health Sector. Over time such systems will need to become more aligned with the directions being developed by NEHTA. These migration projects may not initially be fully compliant and conformant with the NEHTA Interoperability Framework and Enterprise Architecture, but will be able to adopt key principles and approaches from the Identity Management Framework that will ensure that future work can continue the transition towards a fully realised E-Health implementation.

Secure Messaging Program

NEHTA's Secure Messaging initiative has been established to provide clear direction for secure information transfer for public sector health services in Australia. As such, it can also be expected to strongly influence secure information transfer within the private health sector. Secure messaging is an infrastructure component necessary for a broad range of NEHTA outcomes and doesn't exist as an isolated solution but rather as a connectivity building block for all initiatives. Rather than treating it as an independent activity, as has been done historically, NEHTA is positioning secure messaging as part of a service-based architecture.

Secure messaging has the following relationships with other NEHTA initiatives:
- In association with NEHTA's Identifier and Identity Management initiatives, it seeks to enable the electronic exchange of clinical information between participants in a manner that preserves confidentiality, integrity and availability.
- In association with NEHTA's Clinical Information initiative, it seeks to ensure the information exchanged is meaningful and usable by the recipient.

UHI Service

Australia's healthcare system relies on an ability to uniquely and accurately identify individuals. Healthcare activities constantly involve the collection, exchange and transmission of health information, often relating to one particular individual in the context of multiple providers. In February 2006, the Council of Australian Governments (COAG) approved $98 million in joint funding to NEHTA to deliver two fundamental elements of reliable electronic communication within healthcare: the Individual Healthcare Identifier (IHI) and the Healthcare Provider Identifier (HPI). Together, these initiatives are referred to as the Unique Healthcare Identifiers (UHI) program. The positioning of the UHI Service and the data flows between it and other players within the E-Health Community are illustrated below.

Figure 4 Unique Health Identifier Service Positioning and Flows

Shared E-Health Record

NEHTA is currently developing a business case for funding of a national approach to Shared EHR for consideration by COAG. It is proposed that the design of the Shared EHR Service will include:
- A Shared EHR Governance Board and Program Manager, which will collectively oversee the strategic direction, delivery and operations of the Shared EHR Service;
- A Shared EHR Service Provider, that will operate a Shared EHR Service and a Secondary Uses Service; and
- A choice of compatible software suppliers and local implementation managers who will be able to change healthcare providers' existing (and new) software systems to ensure compatibility with the Shared EHR Service, and install, train and support users of the Shared EHR Service.

An illustration of the positioning of SEHR within the E-Health Community is depicted below:

Figure 5 National Shared Electronic Health Records System and Flows

E-Health Authentication Service

The vision for the authentication service is to provide a common platform, and supporting services, for robust healthcare provider authentication across the majority of organisational, jurisdictional, cluster-based and national E-Health initiatives. The diagram below illustrates one possible model of how the authentication facility and environment might be positioned. This shows the authentication service being used for access to the national E-Health services (UHI Service and Shared EHR) as well as providing support for provider-to-provider, jurisdiction-to-jurisdiction and provider-to-jurisdiction authentication. The diagram also acknowledges that organisational, sectoral and jurisdictional authentication approaches (that have arisen outside of the national authentication service) will probably continue to persist.

Figure 6 E-Health Authentication Service Scenario

3 Identity Management Scope and Positioning

3.1 Scope

Identity Management, as envisaged by NEHTA, covers all policy, process and technology elements necessary to effectively service the Identity Management lifecycle as illustrated below.

Figure 6 Identity Management Lifecycle (diagram labels: Registration & Provisioning: Enrolment, Issue Identity & credential, Establish entitlements, Populate directory, Populate credential store; Transacting Identities: Authentication, Access Authorisation, Identity or Entitlement Checking, Update roles, against Applications (A), (B) and (C); De-registration & De-provisioning: Suspend identity, Update roles, Revoke credential; stores: Directory(ies), Credential Store(s), Permissions Store(s))

While NEHTA's interest is primarily in the whole-of-E-Health-Community aspects of Identity Management, it is recognised that the scheme nature of such a community requires that each member's approach is concordant with the standards and practices of the community.

3.2 Identity Management across Organisations

Case studies of cross-organisational (including sector-wide) e-services initiatives (eg financial services, airlines, travel reservations, trade and transport) highlight the extreme complexity and cost inherent in the establishment and maintenance of a trusted cross-organisational electronic environment. Whereas most cross-organisational e-services approaches commence with a bilateral approach to identity management and information security, the sheer number of linkages can rapidly overwhelm even the largest organisations, as illustrated below.

Figure 7 Bilateral IdM approaches

As a result, all highly networked industries that have mature e-services deployments (eg financial services, airlines, trade and transport, retail supply chain, telecommunications) have embraced sector-wide approaches (often at national and international levels) to identity management and information security. Such approaches usually distil down to the following elements:
- Some form of overarching, sector-level governance.
- Common policies (at least in so far as these relate to extra-organisational dealings).
- Defined scheme rules that govern key inter-organisational behaviour including allocation of roles and responsibilities, apportionment (and in some cases limitation) of liability, acceptable practices and articulation of service levels.
- Contractual frameworks to give effect to scheme rules and commercial agreements, and to address other legal matters such as jurisdiction, dispute resolution, etc.
- Adoption of appropriate industry, national or international standards or, in their absence, the establishment of sector/community/scheme standards.
- Minimum levels of intra-organisational identity management and information security.
- Industry/sectoral technology infrastructure (covering eg directories, authentication, access control) and operational and support services. These are often essential to gain the participation of smaller organisations and individuals.

The Identity Management Framework is an articulation of many of these principles and is intended to guide the E-Health Community toward the realisation of a state of maturity and interoperability comparable with the industries and sectors described above.

3.3 Laws of Identity

The Laws of Identity emanate from the work of Kim Cameron, a leading thinker in the field of Identity Management. His work provides an interesting lens through which to view the Identity Management principles that need to be adopted by the E-Health Community.

The Laws of Identity underpin a proposal for a unifying identity metasystem that holds only information about the different identities which an entity may hold, rather than attempting to aggregate numerous discrete identities together. It is the metasystem which is under the control of the user or entity, not the identities or the remote systems they interact with.

The concept of a metasystem is a strong one. It avoids the complexity of trying to unify multiple different identity systems, instead using a descriptive approach that can capture any number of identities by referring to their characteristics rather than to the actual identities an entity holds. This metadata framework approach aligns broadly with the Services Oriented Architecture approach being adopted by NEHTA as the basis for delivering project work from the initiatives.

Cameron states that the role of an identity metasystem is to provide a reliable way to establish who is connecting with what anywhere on the Internet. A similar principle (ie being able to reliably enable and establish who is communicating with whom throughout the Australian Health Sector) is core to the work charter for NEHTA's Identity Management initiative.

A synopsis of the Laws of Identity is provided below.
1. User Control and Consent. Technical identity systems must only reveal information identifying a user with the user's consent.
2. Minimal Disclosure for a Constrained Use. The solution which discloses the least amount of identifying information and best limits its use is the most stable long-term solution.
3. Justifiable Parties. Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
4. Directed Identity. A universal identity system must support both omni-directional identifiers for use by public entities and unidirectional identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
5. Pluralism of Operators and Technologies. A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
6. Human Integration. The universal identity metasystem must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
7. Consistent Experience Across Contexts. The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

A more detailed examination of the Laws of Identity and their relevance to E-Health is provided in Appendix C.

3.4 Identity Management Positioning

The evolution of Identity Management by organisations and the E-Health Community at large will occur within, and have to take account of, a number of contexts:
- an organisational, jurisdictional and national e-health context;

- a socio-legal context;
- an enterprise risk management context;
- an ICT security context;
- a technology planning and management context.

These are examined briefly below.

Organisational, Jurisdictional and National E-Health Context

The adoption of a consistent and interoperable approach to IdM across the health community has implications at organisational, jurisdictional and national levels. The implications are:
- Budgetary. Achieving compliance/interoperability with the national E-Health IdM requirements will come at a cost at all levels. It will be necessary to develop compelling business cases that address the benefits to be gained at all levels.
- Priorities. Participation in the national E-Health Community will not be possible until the information storage and exchange, and IdM aspects of systems have been brought into line with the required standards, protocols and levels of resilience. This will often require the reprioritisation of activity and expenditure at all levels.
- Governance. Arrangements will have to be established, and agreed to by all participants, in order to achieve the required upfront and ongoing governance to ensure appropriate compliance with all significant policy, process and technology facets of a sector-wide IdM approach.
- Compliance. Participation in a national E-Health community will require that organisations/jurisdictions comply with minimum policy, process and technology standards to ensure the efficacy of the overarching national E-Health IdM approach, and thereby the security and privacy of individuals' health information.

Socio-legal context

Identity Management plays a pivotal role in ensuring community trust in the health sector in general and E-Health specifically. E-Health initiatives will be required to meet the legitimate, and already well known, expectations of healthcare recipients and providers in relation to safety, privacy, security and dependability. The deployment of E-Health has to meet the requirements of the federal Privacy Act 1988, the various state and territory privacy Acts, and the Victorian Government's Health Records Act. These matters are examined in substantial depth in NEHTA's Privacy Blueprints for the Unique Healthcare Identifier Service and the Shared Electronic Health Record.

Enterprise Risk Management and ICT Security Context

Identity Management represents only one of many required responses to the exposures identified by holistic enterprise risk management and ICT security assessments. It is anticipated that the final approach to IdM within and across health organisations will be assessed based upon organisational and community-wide:
- risk assessments conducted in accordance with Australian standard AS 4360; and
- ICT security policies and standards assessments conducted in accordance with Australian and international standards, policies and frameworks.

This context is illustrated below:

Figure 8 Risk Management and ICT Security Context

Technology Planning and Management Context

Entities at all levels will have to plan for the implementation of new, and/or the migration of old, policies, processes and systems to achieve the required levels of compliance with the E-Health Community IdM approach. They will have to adopt an approach to the internal planning, management, control and monitoring of ICT that is compatible with and supportive of E-Health Community architectures, standards, norms and service levels. For many organisations this will represent a radical shift away from what has been, to date, a largely introverted view of ICT.
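Of the Laws of Identity summarised in section 3.3, Law 4 (Directed Identity) is the one with a direct mechanical expression: a public entity publishes a single identifier that anyone can use to find it, while a private entity is known to each relying party by a different identifier, so that two relying parties cannot link their records simply by comparing identifiers. The Python example below is added to this page and is not part of the NEHTA document. It shows the standard construction, a per-relying-party pseudonym derived with an HMAC under a key that only the identity provider holds (the same idea as SAML persistent NameIDs and OpenID Connect pairwise subject identifiers), and it applies Laws 2 and 3 by releasing only those claims a relying party both requested and is permitted to receive. The class and function names, the key, the relying-party URLs and the patient records are all constructed for the example.

```python
"""Directed identity (Law 4): one omni-directional identifier for a public
entity, and per-relying-party unidirectional identifiers for a private entity.
Hypothetical identity provider written for this page; not NEHTA code."""
import base64
import hashlib
import hmac


class IdentityProvider:
    def __init__(self, pairwise_key: bytes) -> None:
        # Only the provider holds this key, so no relying party can recompute
        # or invert the mapping from internal identity to released identifier.
        self._key = pairwise_key

    @staticmethod
    def omnidirectional_id(public_entity_id: str) -> str:
        """Public entities (a provider organisation's service, say) want to be
        discoverable, so every caller receives the same identifier."""
        return public_entity_id

    def unidirectional_id(self, internal_id: str, relying_party: str) -> str:
        """Stable per-relying-party pseudonym: HMAC-SHA256 over the relying
        party name and the internal identifier. The length prefix keeps
        ("ab", "c") and ("a", "bc") from producing the same HMAC input."""
        rp = relying_party.encode()
        msg = len(rp).to_bytes(4, "big") + rp + internal_id.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        # 15 bytes encode to 24 base32 characters with no padding.
        return base64.b32encode(digest[:15]).decode().lower()

    @staticmethod
    def release_claims(claims: dict, requested: set, permitted: set) -> dict:
        """Laws 2 and 3: release only what was asked for and what this
        particular relying party is permitted to receive."""
        return {k: v for k, v in claims.items() if k in requested and k in permitted}


def shared_correlation_handles(ids_seen_by_a: set, ids_seen_by_b: set) -> int:
    """What two colluding relying parties could link by comparing their
    identifier tables. With unidirectional identifiers this is zero."""
    return len(ids_seen_by_a & ids_seen_by_b)


def demo() -> dict:
    """Run the scheme over constructed sample data (key, patients, relying
    parties and claims are all made up for the example)."""
    idp = IdentityProvider(pairwise_key=b"\x11" * 32)
    patients = ["patient-0001", "patient-0002", "patient-0003"]
    rp_a, rp_b = "https://clinic-a.example", "https://pathology-b.example"
    ids_at_a = {idp.unidirectional_id(p, rp_a) for p in patients}
    ids_at_b = {idp.unidirectional_id(p, rp_b) for p in patients}
    claims = {"name": "A. Patient", "dob": "1970-01-01", "phone": "0000 000 000"}
    released = idp.release_claims(
        claims, requested={"name", "dob", "phone"}, permitted={"name", "dob"})
    return {
        "org_id": idp.omnidirectional_id("org-clinic-a"),   # same for every caller
        "linkable": shared_correlation_handles(ids_at_a, ids_at_b),
        "stable": idp.unidirectional_id(patients[0], rp_a)
                  == idp.unidirectional_id(patients[0], rp_a),
        "released": released,
    }


if __name__ == "__main__":
    print(demo())
```

The pseudonym is stable for a given relying party, which is what lets that party keep its own records against it without ever learning the internal identifier; changing or losing the pairwise key would re-issue every identifier at once, so the key needs the same protection and lifecycle as the provider's signing keys.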

4 Identity Management Vision for e-health

The IdM Vision for E-Health is based upon the networked health imperatives described in section 2.1 and seeks to emulate best practices as described in section 3.2. The Vision encompasses the following elements:
- An appropriate sector-level governance environment (eg as represented by the NEHTA board and/or other associated forums).
- An agreed, monitored and enforced minimum level of identity management and information security policies and practices for all stakeholders.
- Agreed/harmonised assurance levels and authentication for all common transactions.
- Agreed/harmonised role definitions for all stakeholders.
- Enabling infrastructure to smooth implementation and operation and particularly to support smaller stakeholders.
- Minimal redundancy/duplication in user credentials and in enabling infrastructure.
- Agreed technology standards and the uses thereof.

The success of an Identity Management implementation across a sector such as Health is predicated upon detailed agreement by the sector to all key facets that will enable interoperation between what are, in reality, sovereign entities. Three constructs have been shown to assist in developing the shared vision and detailed agreement, these being:
- A Framework (this document) that outlines all key factors that have to be agreed to achieve the required level of interoperability, and the essential characteristics and choices associated with these factors.
- A Blueprint that describes the target state/s to be achieved. The Blueprint takes the elements of the Framework and distils these down from a level of abstraction to a level of specificity.
- An Implementation/Transition Plan that describes how various stakeholder groups or sub-sectors will move towards the achievement of the target states detailed in the Blueprint.

The latter two are documents that will be developed by NEHTA, in consultation with the jurisdictions and representatives of other key healthcare stakeholder groups (eg GPs, pathologists, pharmacies). The detailed Resource Materials (described in section 6.2) are intended to assist organisations and the sector as a whole in this regard.

5 Identity Management Framework

An effective response to the Identity Management challenge requires that management of healthcare organisations have a comprehensive and unified approach to:
- the identification and active control of entities who may legitimately gain access to information, services and assets, and the determination of what rights they may have in regard to these; and
- the identification and active control of information, services and assets, and the determination of the intrinsic value and/or sensitivity of these.

This section outlines a Framework to assist organisations within the E-Health Community, and the E-Health Community as a whole, in the analysis, planning, architecting and assessment of approaches to Identity (and Access) Management. The Framework is regarded as appropriate for usage at an organisational, organisation-cluster, and whole-of-E-Health-Community level. The Framework is intended to assist in the achievement of:
- effectiveness (ensuring the efficacy of IdM);
- efficiency (ensuring the cost-effectiveness of IdM approaches); and
- interoperability (ensuring the harmonisation of approaches through the use of standards, protocols, guidelines and agreed best practices to ensure inter-working between IdM environments for the benefit of organisations and users).

The first two are of most importance at an organisational level. The third is important in an organisation-cluster and whole-of-E-Health-Community context.

The Framework is intended to cover all human classes of users of information, including healthcare provider individuals and healthcare individuals and their authorised representatives. The Framework is also seen as broad enough to encompass treatment of technology-based users (eg hardware, applications). The Framework is exclusively focused on the electronic environment, ie one in which information and/or services and/or assets may be accessed by gaining access to computers across telecommunications networks. Many of the key principles and processes could and should be applied to the non-electronic instances of IdM as well.

The intention of the Identity Management Framework is to:
- describe all key factors that have to be agreed to by the sector (or subscribed to across the sector) in order to achieve the required level of interoperability;
- describe all the essential characteristics and choices associated with these factors;
- describe the interdependencies/relationships between the factors.

It is important to stress that the IdM Framework does not provide all of the detailed answers required to achieve the IdM Vision for E-Health in Australia. It does, however, provide a comprehensive catalogue of each of the areas for which detailed compliance guidelines, priorities and timetables will need to be hammered out in a collective and cooperative manner by players in the E-Health Community.

The key pillars of an Identity Management Framework are illustrated below:

Figure 9: Identity Management Framework

An explanation of each element of the IdM Framework is provided below.

5.1 Identity Management Policy

The IdM Policy represents the minimum subset of principles, standards and practices that each member of the E-Health Community undertakes to comply with, both within their organisations and in their interactions with other members and services within the E-Health Community. It is anticipated that the final policy positions will be largely driven by the jurisdictions, in consultation with the provider community and NEHTA. An outline IdM Policy position and related matters, which may be useful particularly for provider organisations, are explored in Appendix E.

Further References: NEHTA IdM Resource Materials:
- Id Mgt Governance Guideline
- Strategic Alignment Guideline

5.2 Entity Management

Entity Management refers to the group of processes that support the:

- provision (and recovery/de-activation) of an authentication credential to a user; and
- enrolment of, and granting of authorities to, the user with respect to various applications, systems or resources.

These major functions are shown within Figure 10 above as:

- Registration, including conducting evidence-of-identity (EOI) or evidence-of-relationship (EOR) validation in most cases.
- Authority Verification.
- Application Enrolment/De-enrolment.

While often completed as part of a single process, each of these functions is relatively independent of the others, albeit the implied sequence typically applies. Moreover, these major functions are essentially user activation tasks that, unlike day-to-day application access and transacting, are completed infrequently during a user's lifecycle of engagement with an organisation or community. It will be necessary for the E-Health Community to agree minimum standards for Entity Management across the sector.

5.2.1 Registration

User registration will typically incorporate all or some of the following elements:

- The verification or checking of identity documentation in order to achieve a level of confidence in the identity of the individual or provider, or their representative, that is otherwise unknown. This might include:
  - face-to-face contact and the sighting of original documentation such as a provider registration certificate, passport, driver's licence etc;
  - reliance upon checks already completed by another organisation (eg Medicare) or trusted third party (eg professional registration body);
  - online validation of a pre-existing relationship (between a user and the organisation) determined through knowledge-based authentication of the relationship. This has come to be known as proof of relationship.

  The exact nature of the checking will depend on the assurance level that is required in respect of the veracity of the claimed identity. The Financial Transactions Reporting Act (FTRA) provides guidelines on minimum identification methods for the financial sector, often referred to as 100 point checks. These and similar checks are in broad use across a range of industries and are the subject of ongoing review and refinement to ensure continuing confidence in their use. The NEHTA Authentication Assessment Methodology (based upon the Australian Government Authentication Framework (AGAF) and its associated Better Practice Guides) provides guidance on the requirements for assignment of assurance levels to the identity verification process.

- The assignment of an identifier for the user which is unique within the domain. This is one of the prime functions of the Unique Healthcare Identifier Service.

- Where required, the collection and/or verification of attributes of the user. These can vary widely depending on any provisions made for attributes within an organisation's or community's IdM Policy. Within the healthcare environment, attributes might well be used for maintaining security clearance, police check status, or other individual-specific information that may be of use across organisations.

- The issuance of a credential to the individual or provider organisation that will be used as the key element of subsequent online authentication of the user. Details of the credential, and methods of validation, will be held in a directory or user store. A credential can include a password, a token of some kind such as a smart card or one-time-password device, or a digital certificate.

  Authentication Mechanisms, incorporating the selection and use of credentials, are dealt with in more detail in the NEHTA Authentication Assessment Methodology.

- The creation of user entries in a directory or user store that will provide an electronic record of the user's or practice's identity and any associated information to be used in subsequent maintenance of the directory. This electronic record should ideally also maintain information, or indexes to information, detailing the checks (eg EOI) that were completed as part of registration. This directory will typically be maintained by the issuer of the identifier and may include information provided as part of the registration process that is privacy sensitive (this will be more germane in an individual as opposed to a practice context). The extent and availability of this registration-related information to relying parties (ie those who will rely upon the authentication credentials presented) needs to be considered carefully where an identifier is to be used openly across the E-Health Community.

User registration can be completed by a jurisdiction/provider or by third parties that issue credentials that can be utilised to authenticate users to a range of organisations. Examples of the latter include:

- Verisign, as a Gatekeeper certificate issuer and an ABN-DSC issuer, is an example of a non-government individual and business credential issuer.
- HeSA (Health eSignature Authority) [4], as an issuer of certificates to health service providers, including individuals and businesses.

[4] HeSA is now part of Medicare Australia.

In E-Health it is probable that registration will be delegated to:

- a Government entity (eg Medicare) in relation to provider organisations;
- professional bodies for provider individuals;
- providers in relation to employees that are not registered providers (eg receptionists); and
- Medicare and provider organisations in relation to healthcare individuals.

The extent to which such identities can be relied upon outside of the specific application domain needs to be carefully considered, and is ultimately defined by policies, analogous to those for organisation-issued identities and credentials, addressing the liabilities and obligations of the various parties.

5.2.2 Authority Verification

Authorities relate to specific business applications or groups of applications, and in particular relate to the specific access permissions or privileges granted to a user by the application or information owner (application owner). Permissions are assigned based upon the verification of the authority of a user to undertake specified processes or access specified information. Permissions are typically assigned on a role, group membership or rule basis by the application owner.

The authority verification process may be completed directly by the application owner through, for example, reference to physical authority documents prepared by the HR department. Alternatively, in the case of practices, authority verification may be delegated by the application owner to an authorised practice representative. Administration of this delegated verification process, and the subsequent assignment of permissions, might be effected through electronic or manual workflows. Similarly, individuals may delegate their existing authority to deal on their behalf to an agent (eg an authorised representative).

5.2.3 Application Enrolment & Identity Mapping

User enrolment into an application system is a one-time activity that provides a user with authorised access to specific application and information resources. Application enrolment needs to accommodate two types of users:

- Users that have registered within the application's domain, and thereby are known within the domain and have an identifier and credential that is recognised within that domain.
- Users that have registered within another organisation's domain, or within a trusted external domain, and thereby are initially unknown within the application domain and have an identifier that is potentially meaningless outside the issuing domain.

For the first category of user, enrolment proceeds as a natural extension of the registration process described above. In this case, which is typical of an employee registration, the user will be issued with a credential and, based on verification of user authorities, will be given permissions to access various organisation applications and information resources. The assurance level of the credential used in this context is well understood by the organisation, as the organisation was the issuer of the credential and previously completed all elements of the registration and issuance processes. Whilst there is a logical separation of registration and enrolment within the entity management systems, to the user the registration and enrolment steps would be seen as a seamless process and indistinguishable from one another.

For the second category of user (ie those initially unknown within the application domain) the enrolment method requires the mapping of an externally issued identifier into the application's domain, as is the case in a federated identity management environment. Issues that need to be considered from an application owner's perspective in supporting this type of user access include:

- The suitability of the authentication mechanism associated with the identifier, addressing both the robustness of the original identification and user registration processes, and the strength of the credential (password, token, smart card etc).
- Accessibility and ongoing availability of credential validation services from the issuer of the credential.
- Commercial and legal issues, including liabilities, relating to reliance on the identifier and associated authentication mechanism.
- Broader consideration of the organisation's online deployment strategy, taking into account the number of third party credentials issued by various issuers and the extent of overlap of the credential holders with the particular organisation application concerned.

Once the authentication mechanism has satisfied the 'fitness-for-purpose' test, processes need to be developed to link the credential holder with the organisation's instance of, or knowledge of, the credential holder. These may take the form of an alternate identifier, and/or a user record/entry in a database or directory. This might involve the mapping of, say, a digital certificate to an account number, licence number or other internal application-based identifier that represents the relying organisation's existing record of the individual or practice.
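The registration elements (directory entry, EOI assurance level, credential) and the federated enrolment steps described above (fitness-for-purpose test, mapping of an external identifier onto an existing internal record, role-based permissions), put together as an added worked example that is not code from the NEHTA document. The issuer names, assurance scale, matching attributes and roles are constructed for the illustration.

```python
"""Federated enrolment of an externally registered user (illustrative example).

The issuing domain's directory entry records the identifier (unique within
that domain only), the credential issued and the EOI assurance level assigned
at registration. The relying application applies its fitness-for-purpose test
to that external authentication mechanism and, if it passes, maps the external
identifier onto its own record by matching user details (Evidence of
Relationship) before assigning role-based permissions. All names constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed assurance scale, lowest to highest.
ASSURANCE_RANK = {"low": 1, "medium": 2, "high": 3}
# Attributes the relying organisation matches to establish Evidence of Relationship.
MATCH_FIELDS = ("family_name", "date_of_birth", "provider_number")


@dataclass(frozen=True)
class DirectoryEntry:
    """Issuer-side record created at registration."""
    issuer: str
    identifier: str        # unique within the issuer's domain only
    credential_type: str   # "password", "otp_token", "smart_card" or "certificate"
    eoi_assurance: str     # assurance level assigned to the identity verification
    attributes: dict       # details collected at registration


@dataclass
class RelyingApplication:
    """Application owner's policy, existing records and role permissions."""
    name: str
    required_assurance: str
    trusted_issuers: set
    accepted_credentials: set
    records: dict           # internal account id -> matching details
    role_permissions: dict  # role -> set of permissions
    identity_map: dict = field(default_factory=dict)  # (issuer, id) -> account


def fitness_for_purpose(app: RelyingApplication, entry: DirectoryEntry,
                        validation_service_up: bool) -> tuple[bool, str]:
    """Is the external authentication mechanism acceptable to this application?"""
    if entry.issuer not in app.trusted_issuers:
        return False, "issuer not trusted"
    if entry.credential_type not in app.accepted_credentials:
        return False, "credential strength insufficient"
    if ASSURANCE_RANK[entry.eoi_assurance] < ASSURANCE_RANK[app.required_assurance]:
        return False, "registration assurance below requirement"
    if not validation_service_up:
        return False, "issuer validation service unavailable"
    return True, "ok"


def evidence_of_relationship(app: RelyingApplication, entry: DirectoryEntry) -> str | None:
    """Match registration details against the application's own records.
    Every field must agree and exactly one record must match."""
    matches = [acct for acct, rec in app.records.items()
               if all(rec.get(f) == entry.attributes.get(f) for f in MATCH_FIELDS)]
    return matches[0] if len(matches) == 1 else None


def enrol_external_user(app: RelyingApplication, entry: DirectoryEntry, role: str,
                        validation_service_up: bool = True) -> dict:
    """Fitness test, then identity mapping, then role-based permissions."""
    fit, reason = fitness_for_purpose(app, entry, validation_service_up)
    if not fit:
        return {"enrolled": False, "reason": reason}
    account = evidence_of_relationship(app, entry)
    if account is None:
        return {"enrolled": False, "reason": "no unique matching record"}
    app.identity_map[(entry.issuer, entry.identifier)] = account
    return {"enrolled": True, "account": account,
            "permissions": sorted(app.role_permissions.get(role, ()))}


def build_sample() -> tuple[RelyingApplication, dict]:
    """Constructed sample: one trusted professional-body issuer, one application."""
    nguyen = {"family_name": "Nguyen", "date_of_birth": "1975-03-02", "provider_number": "PRV-7781"}
    smith = {"family_name": "Smith", "date_of_birth": "1980-11-19", "provider_number": "PRV-3310"}
    app = RelyingApplication(
        name="ward-results-viewer", required_assurance="medium",
        trusted_issuers={"professional-body-ca"},
        accepted_credentials={"otp_token", "smart_card", "certificate"},
        records={"ACC-1001": nguyen, "ACC-1002": smith},
        role_permissions={"clinician": {"view_results", "add_note"},
                          "receptionist": {"view_appointments"}},
    )
    entries = {
        "certificate": DirectoryEntry("professional-body-ca", "ext-4471", "certificate", "high", nguyen),
        "password": DirectoryEntry("professional-body-ca", "ext-9920", "password", "high", smith),
        "low_assurance": DirectoryEntry("professional-body-ca", "ext-5512", "smart_card", "low", smith),
        "unknown": DirectoryEntry("professional-body-ca", "ext-0001", "smart_card", "high",
                                  {"family_name": "Jones", "date_of_birth": "1990-01-01",
                                   "provider_number": "PRV-0000"}),
        "other_issuer": DirectoryEntry("self-signed-clinic", "ext-1", "certificate", "high", smith),
    }
    return app, entries
```

Each rejection reason corresponds to one of the application owner's considerations listed above; the mapping is only recorded once the fitness test passes and exactly one internal record matches.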

The mapping of an externally issued identifier to an internal record would be achieved through matching of user details against records held within the organisation's application systems. This matching process, or establishment of Evidence of Relationship, is similar in effect to the completion of an EOI, which is normally done at registration time. Once the mapping is established through this process, access permissions for the various transactions offered by the organisation will be established, as described below.

Further References: NEHTA IdM Resource Materials:
- Risk Management Guideline
- Lifecycle Management Template
- Directory Services Building Block
- Identity Federation Structures Building Block
- Provisioning Building Block

5.3 Information Management

It will be necessary for members of the E-Health Community to agree on a harmonised approach to Information Management covering the classification, storage and transfer of health information. This section outlines the issues that will have to be examined and agreed.

5.3.1 Significance of Information Management to IdM

IdM is intended to ensure that entities gain access only to information (and services and assets) to which they are entitled. The determination of who gains access to information is largely determined by the relationship between the entity (and possibly their role) and the information.

The protection of information is often seen as falling within the processes and systems that make up an IdM regime. This perspective fails to appreciate the vital role that Information Management plays in the early and ongoing determination of the fundamental rules that govern information and its disposition.

Information has certain intrinsic characteristics that need to be tightly coupled with the information irrespective of the form it is in or the location/media in which it is stored. These characteristics or attributes relate to:

- Ownership. Who is the fundamental owner of the data?
- Guardianship. Who is the guardian or custodian of the data?
- Sensitivity. How sensitive is the data from a privacy, commercial or other (eg national security) perspective? This is handled by classifying the data.

These attributes will play a major role in determining who is able to access the information to add, view, alter or delete it. The attributes should be created when the data set is initiated, travel with the data set (eg as metadata) and be referenced whenever decisions are made regarding the data set, eg creation, maintenance or decommissioning of datastores and/or the applications that access such stores.

5.3.2 Information Classification and Control

For IdM to have integrity it is essential that organisations have a consistent approach to the classification and control of all information.
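The three attributes of section 5.3.1 (ownership, guardianship, sensitivity) bound to a data set, carried with it as metadata when it moves between stores, and consulted for every add/view/alter/delete decision, as an added example that is not code from the NEHTA document. The classification scheme, the maintainer_roles field (roles the guardian has authorised to maintain the data), the store ratings and the decision rules are assumptions made for the illustration.

```python
"""Information attributes that travel with a data set (illustrative example).

The label is created when the data set is initiated, serialised as metadata
so it survives transfer to another store, and referenced before any
add/view/alter/delete action. Classification scheme, maintainer_roles,
store ratings and decision rules are constructed, not taken from the document.
"""
from __future__ import annotations
from dataclasses import dataclass, asdict
import json

# Constructed classification scheme, lowest to highest sensitivity.
SENSITIVITY = ("public", "internal", "sensitive", "highly-sensitive")


def rank(level: str) -> int:
    if level not in SENSITIVITY:
        raise ValueError(f"unknown classification: {level}")
    return SENSITIVITY.index(level)


@dataclass(frozen=True)
class InformationAttributes:
    owner: str               # fundamental owner of the data
    guardian: str            # guardian/custodian of the data
    sensitivity: str         # classification level, one of SENSITIVITY
    maintainer_roles: tuple  # constructed: roles the guardian lets add/alter

    def to_metadata(self) -> str:
        """Serialise the label so it accompanies the data set on transfer."""
        return json.dumps(asdict(self), sort_keys=True)

    @staticmethod
    def from_metadata(raw: str) -> InformationAttributes:
        data = json.loads(raw)
        data["maintainer_roles"] = tuple(data["maintainer_roles"])
        attrs = InformationAttributes(**data)
        rank(attrs.sensitivity)  # reject a label carrying an unknown classification
        return attrs


@dataclass
class DataSet:
    name: str
    records: list
    attributes: InformationAttributes  # assigned when the data set is initiated


@dataclass(frozen=True)
class Entity:
    identifier: str
    role: str
    clearance: str  # highest classification the entity is cleared to view


def decide(action: str, entity: Entity, dataset: DataSet) -> tuple[bool, str]:
    """Consult the data set's own attributes before add/view/alter/delete."""
    attrs = dataset.attributes
    if rank(entity.clearance) < rank(attrs.sensitivity):
        return False, "clearance below classification"
    if action == "view":
        return True, "cleared to view"
    if action in ("add", "alter"):
        if entity.identifier == attrs.guardian or entity.role in attrs.maintainer_roles:
            return True, "authorised by guardian to maintain the data"
        return False, "not authorised by the guardian"
    if action == "delete":
        if entity.identifier == attrs.owner:
            return True, "owner may delete or decommission"
        return False, "only the owner may delete or decommission"
    return False, f"unknown action: {action}"


def transfer(dataset: DataSet, store_rating: str) -> DataSet:
    """Move a data set to another store. The label travels as metadata and the
    destination store must be rated for the data's classification."""
    if rank(store_rating) < rank(dataset.attributes.sensitivity):
        raise PermissionError("destination store not rated for this classification")
    metadata = dataset.attributes.to_metadata()
    return DataSet(dataset.name, list(dataset.records),
                   InformationAttributes.from_metadata(metadata))


def build_sample() -> tuple[DataSet, dict]:
    """Constructed sample: a pathology results data set and three entities."""
    attrs = InformationAttributes(owner="patient-cohort-A", guardian="pathology-lab-1",
                                  sensitivity="sensitive", maintainer_roles=("pathologist",))
    dataset = DataSet("pathology-results", [{"id": 1, "result": "constructed"}], attrs)
    entities = {
        "pathologist": Entity("dr-lee", "pathologist", "highly-sensitive"),
        "receptionist": Entity("r-kim", "receptionist", "internal"),
        "owner": Entity("patient-cohort-A", "owner", "sensitive"),
    }
    return dataset, entities
```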

ISO-IEC, Information technology: Code of practice for information security management, provides an appropriate framework within which organisations should approach this matter. This commences by noting that:

  [i]nformation is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security is characterized here as the preservation of:
  a) confidentiality: ensuring that information is accessible only to those authorized to have access;
  b) integrity: safeguarding the accuracy and completeness of information and processing methods;
  c) availability: ensuring that authorised users have access to information and associated assets when required.

It continues:

  Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions.

  All major information assets should be accounted for and have a nominated owner. Accountability for assets helps to ensure that appropriate protection is maintained. Owners should be identified for all major assets and the responsibility for the maintenance of appropriate controls should be assigned. Responsibility for implementing controls may be delegated. Accountability should remain with the nominated owner of the asset.

  Information should be classified to indicate the need, priorities and degree of protection. Information has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification system should be used to define an appropriate set of protection levels, and communicate the need for special handling measures.

  Procedures for the handling and storage of information should be established in order to protect such information from unauthorized disclosure or misuse. Procedures should be drawn up for handling information consistent with its classification.

Section 5, Asset classification and control, describes the requirement for:

- [undertaking an] Inventory [of information assets];
- [undertaking] Classification [of information assets]; and
- Information labelling and handling.

Information/data classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted. The classification of the data should then determine the extent to which the data needs to be controlled/secured, and is also indicative of its value in terms of business assets. The classification of information should be guided by:

- The views of the owners of the data and representatives and advocates for such owners.
- State and national, and in some cases international, laws (eg Archives Acts, Privacy and Data Protection Acts).
- Contractual requirements.
- National and international standards and best practices.
- Economics/costs (subject to the above criteria taking precedence).

Leading organisations now implement Information Lifecycle Management (ILM) that depends critically on data classification. In order to manage the


More information

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0 Transition Guidelines: Managing legacy data and information November 2013 v.1.0 Document Control Document history Date Version No. Description Author October 2013 November 2013 0.1 Draft Department of

More information

Australian Standard. Information technology Service management. Part 2: Guidance on the application of service management systems

Australian Standard. Information technology Service management. Part 2: Guidance on the application of service management systems ISO/IEC 20000-2:2012 AS ISO/IEC 20000.2 2013 Australian Standard Information technology Service Part 2: Guidance on the application of service systems This Australian Standard was prepared by Committee

More information

Eskom Registration Authority Charter

Eskom Registration Authority Charter REGISTRATION WWW..CO.ZA Eskom Registration Authority Charter Version 2.0 applicable from 20 November 2009 Megawatt Park Maxwell Drive Sunninghill, SOUTH AFRICA, 2157 Phone +27 (0)11 800 8111 Fax +27 (0)11

More information

Guideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010

Guideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010 Public Record Office Victoria PROS 10/10 Strategic Management Guideline 5 Records Management Strategy Version Number: 1.0 Issue Date: 19/07/2010 Expiry Date: 19/07/2015 State of Victoria 2010 Version 1.0

More information

Submission in Response to the Personally Controlled Electronic Health Record System: Legislation Issues Paper

Submission in Response to the Personally Controlled Electronic Health Record System: Legislation Issues Paper Submission in Response to the Personally Controlled Electronic Health Record System: Legislation Issues Paper August 2011 About National Seniors Australia With a quarter of a million individual members

More information

Electronic business conditions of use

Electronic business conditions of use Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

More information

Unifying framework for Identity management

Unifying framework for Identity management Unifying framework for Identity management Breakfast seminar Security-Assessment.com Stephan Overbeek 2006-03-28 Disclaimer + This is a slide pack that supports a narrative and needs to be accompanied

More information

INTEGRATING RECORDS MANAGEMENT

INTEGRATING RECORDS MANAGEMENT INTERNATIONAL RECORDS MANAGEMENT TRUST INTEGRATING RECORDS MANAGEMENT IN ICT SYSTEMS Good Practice Indicators CONTENTS Figure 1: Designing a Records Management Improvement Programme iv Figure 2: Integrating

More information

Extended Validation SSL

Extended Validation SSL AUTHENTICATION GUIDE Extended Validation SSL Authentication Requirements VeriSign, Inc. Copyright 2006 VeriSign, Inc. All rights reserved. The information in this document belongs to VeriSign. It may not

More information

aaca NCSA 01 The National Competency Standards in Architecture aaca Architects Accreditation Council of Australia PO Box 236 Civic Square ACT 2608

aaca NCSA 01 The National Competency Standards in Architecture aaca Architects Accreditation Council of Australia PO Box 236 Civic Square ACT 2608 aaca NCSA 01 The National Competency Standards in Architecture aaca Architects Accreditation Council of Australia PO Box 236 Civic Square ACT 2608 NCSA 01 Competency Based Assessment in Architecture THE

More information

B2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value

B2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value B2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value IDM, 12 th November 2014 Colin Miles Chief Technology Officer, Pirean Copyright 2014 Pirean Limited. All rights reserved. Safe Harbor All

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

PRIVACY AND CREDIT REPORTING POLICY

PRIVACY AND CREDIT REPORTING POLICY PRIVACY AND CREDIT REPORTING POLICY 12 March 2014 CONTENTS What is personal information?...3 Information we may collect, use and disclose about you...4 Collection of sensitive information...6 How personal

More information

Connect Renfrewshire

Connect Renfrewshire How the council will use its information and technology assets to achieve successful change Contents Strategy Context 2 Digital Delivery and Citizen Engagement 4 Operational Excellence and Transformation

More information

Mapping the Technical Dependencies of Information Assets

Mapping the Technical Dependencies of Information Assets Mapping the Technical Dependencies of Information Assets This guidance relates to: Stage 1: Plan for action Stage 2: Define your digital continuity requirements Stage 3: Assess and manage risks to digital

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

Records Management - Department of Health

Records Management - Department of Health Policy Directive Records Management - Department of Health Document Number PD2009_057 Publication date 24-Sep-2009 Functional Sub group Corporate Administration - Records Ministry of Health, NSW 73 Miller

More information

Information Governance Framework

Information Governance Framework Information Governance Framework March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aim 2 3 Purpose, Values and Principles 2 4 Scope 3 5 Roles and Responsibilities 3 6 Review 5 Appendix 1 - Information

More information

Digital Continuity in ICT Services Procurement and Contract Management

Digital Continuity in ICT Services Procurement and Contract Management Digital Continuity in ICT Services Procurement and Contract Management This guidance relates to: Stage 1: Plan for action Stage 2: Define your digital continuity requirements Stage 3: Assess and manage

More information

Information Management

Information Management G i Information Management Information Management Planning March 2005 Produced by Information Management Branch Open Government Service Alberta 3 rd Floor, Commerce Place 10155 102 Street Edmonton, Alberta,

More information

INFORMATION AND DOCUMENTATION RECORDS MANAGEMENT PART 1: GENERAL IRISH STANDARD I.S. ISO 15489-1:2004. Price Code

INFORMATION AND DOCUMENTATION RECORDS MANAGEMENT PART 1: GENERAL IRISH STANDARD I.S. ISO 15489-1:2004. Price Code IRISH STANDARD I.S. ISO 15489-1:2004 ICS 01.140.20 INFORMATION AND DOCUMENTATION RECORDS MANAGEMENT PART 1: GENERAL National Standards Authority of Ireland Glasnevin, Dublin 9 Ireland Tel: +353 1 807 3800

More information

Service Schedule for CLOUD SERVICES

Service Schedule for CLOUD SERVICES Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

Superseded by T MU AM 04001 PL v2.0

Superseded by T MU AM 04001 PL v2.0 Plan T MU AM 04001 PL TfNSW Configuration Management Plan Important Warning This document is one of a set of standards developed solely and specifically for use on the rail network owned or managed by

More information

Queensland State Archives. Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public Authorities

Queensland State Archives. Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public Authorities Queensland State Archives Digital Rights Management Technologies and Public Records - A Guideline for Queensland Public February 2010 Document details Security Classification Authority Author Document

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Digital Asset Manager, Digital Curator. Cultural Informatics, Cultural/ Art ICT Manager

Digital Asset Manager, Digital Curator. Cultural Informatics, Cultural/ Art ICT Manager Role title Digital Cultural Asset Manager Also known as Relevant professions Summary statement Mission Digital Asset Manager, Digital Curator Cultural Informatics, Cultural/ Art ICT Manager Deals with

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

l e a r n i n g a r c h i t e c t u r e f r a m e w o r k MCEETYA A u s t r a l i a - N e w Z e a l a n d

l e a r n i n g a r c h i t e c t u r e f r a m e w o r k MCEETYA A u s t r a l i a - N e w Z e a l a n d l e a r n i n g a r c h i t e c t u r e f r a m e w o r k MCEETYA A u s t r a l i a - N e w Z e a l a n d Learning architecture delivers learner-centred schooling anywhere, anytime by designing the connections

More information

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

PRIVACY POLICY. comply with the Australian Privacy Principles (APPs); ensure that we manage your personal information openly and transparently; PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal

More information

GUIDE TO ACHIEVING EMAIL COMPLIANCE a South African perspective

GUIDE TO ACHIEVING EMAIL COMPLIANCE a South African perspective GUIDE TO ACHIEVING EMAIL COMPLIANCE a South African perspective Abstract This document highlights some of the South African rules and regulations that require the effective management of email. It looks

More information

Board of Member States ERN implementation strategies

Board of Member States ERN implementation strategies Board of Member States ERN implementation strategies January 2016 As a result of discussions at the Board of Member States (BoMS) meeting in Lisbon on 7 October 2015, the BoMS set up a Strategy Working

More information

Human Services Quality Framework. User Guide

Human Services Quality Framework. User Guide Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service

More information

Part One: Introduction to Partnerships Victoria contract management... 1

Part One: Introduction to Partnerships Victoria contract management... 1 June 2003 The diverse nature of Partnerships Victoria projects requires a diverse range of contract management strategies to manage a wide variety of risks that differ in likelihood and severity from one

More information

USE OF INFORMATION TECHNOLOGY FACILITIES

USE OF INFORMATION TECHNOLOGY FACILITIES POLICY CI-03 USE OF INFORMATION TECHNOLOGY FACILITIES Document Control Statement This Policy is maintained by the Information Technology Department. Any printed copy may not be up to date and you are advised

More information

Introduction to SOA governance and service lifecycle management.

Introduction to SOA governance and service lifecycle management. -oriented architecture White paper March 2009 Introduction to SOA governance and Best practices for development and deployment Bill Brown, executive IT architect, worldwide SOA governance SGMM lead, SOA

More information

Polish Financial Supervision Authority. Guidelines

Polish Financial Supervision Authority. Guidelines Polish Financial Supervision Authority Guidelines on the Management of Information Technology and ICT Environment Security for Insurance and Reinsurance Undertakings Warsaw, 16 December 2014 Table of Contents

More information

L@Wtrust Class 3 Registration Authority Charter

L@Wtrust Class 3 Registration Authority Charter Class 3 Registration Authority Charter Version 1.0 applicable from 09 November 2010 Building A, Cambridge Park, 5 Bauhinia Street, Highveld Park, South Africa, 0046 Phone +27 (0)12 676 9240 Fax +27 (0)12

More information

ARTL PKI. Certificate Policy PKI Disclosure Statement

ARTL PKI. Certificate Policy PKI Disclosure Statement ARTL PKI Certificate Policy PKI Disclosure Statement Important Notice: This document (PKI Disclosure Statement, PDS) does not by itself constitute the Certificate Policy under which Certificates governed

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations

More information

UNSOLICITED PROPOSALS

UNSOLICITED PROPOSALS UNSOLICITED PROPOSALS GUIDE FOR SUBMISSION AND ASSESSMENT January 2012 CONTENTS 1 PREMIER S STATEMENT 3 2 INTRODUCTION 3 3 GUIDING PRINCIPLES 5 3.1 OPTIMISE OUTCOMES 5 3.2 ASSESSMENT CRITERIA 5 3.3 PROBITY

More information

Medical Practitioner Application and Proposal

Medical Practitioner Application and Proposal Support Protect Promote Medical Practitioner Application and Proposal Application for Membership of MDA National Limited Proposal for Professional Indemnity Insurance Support Protect Promote Thank you

More information

COMMISSION REGULATION (EU)

COMMISSION REGULATION (EU) L 122/22 Official Journal of the European Union 11.5.2011 COMMISSION REGULATION (EU) No 445/2011 of 10 May 2011 on a system of certification of entities in charge of maintenance for freight wagons and

More information

ESRC Research Data Policy

ESRC Research Data Policy ESRC Research Data Policy Introduction... 2 Definitions... 2 ESRC Research Data Policy Principles... 3 Principle 1... 3 Principle 2... 3 Principle 3... 3 Principle 4... 3 Principle 5... 3 Principle 6...

More information

Privacy Policy Statement

Privacy Policy Statement Privacy Policy Statement Our Commitment While information is the foundation for providing you with superior service, protecting the privacy of your personal information is of the highest importance to

More information

ING Public Key Infrastructure Technical Certificate Policy

ING Public Key Infrastructure Technical Certificate Policy ING Public Key Infrastructure Technical Certificate Policy Version 5.1 - May 2010 Commissioned by ING PKI Policy Approval Authority (PAA) Additional copies Of this document can be obtained via the ING

More information

Recommendations from Industry on Key Requirements for Building Scalable Managed Services involving Telehealth, Telecare & Telecoaching

Recommendations from Industry on Key Requirements for Building Scalable Managed Services involving Telehealth, Telecare & Telecoaching Recommendations from Industry on Key Requirements for Building Scalable Managed Services involving Telehealth, Telecare & Telecoaching Contacts: Angela Single, Chair, Industry Working Group: angela.single@3millionlives.co.uk

More information

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

august09 tpp 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper august09 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper Preface Corporate governance - which refers broadly to the processes

More information

Privacy and Security within an Interoperable EHR

Privacy and Security within an Interoperable EHR 1 Privacy and Security within an Interoperable EHR Stan Ratajczak Director Privacy and Security Solutions Architecture Group November 30, 2005 Electronic Health Information and Privacy Conference Ottawa

More information

Terms and Conditions for Membership and Use, between Heritage Matrimonials and the Customer, and any Third Party.

Terms and Conditions for Membership and Use, between Heritage Matrimonials and the Customer, and any Third Party. Terms and Conditions Terms and Conditions for Membership and Use, between Heritage Matrimonials and the Customer, and any Third Party. PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY. BY USING THE HERITAGE

More information

Reporting Service Performance Information

Reporting Service Performance Information AASB Exposure Draft ED 270 August 2015 Reporting Service Performance Information Comments to the AASB by 12 February 2016 PLEASE NOTE THIS DATE HAS BEEN EXTENDED TO 29 APRIL 2016 How to comment on this

More information

James Hardiman Library. Digital Scholarship Enablement Strategy

James Hardiman Library. Digital Scholarship Enablement Strategy James Hardiman Library Digital Scholarship Enablement Strategy This document outlines the James Hardiman Library s strategy to enable digital scholarship at NUI Galway. The strategy envisages the development

More information

ARCHITECTURE SERVICES. G-CLOUD SERVICE DEFINITION.

ARCHITECTURE SERVICES. G-CLOUD SERVICE DEFINITION. ARCHITECTURE SERVICES. G-CLOUD SERVICE DEFINITION. Table of contents 1 Introduction...3 2 Architecture Services...4 2.1 Enterprise Architecture Services...5 2.2 Solution Architecture Services...6 2.3 Service

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

Document management concerns the whole board. Implementing document management - recommended practices and lessons learned

Document management concerns the whole board. Implementing document management - recommended practices and lessons learned Document management concerns the whole board Implementing document management - recommended practices and lessons learned Contents Introduction 03 Introducing a document management solution 04 where one

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information