SAML SSO with Healthcare Context

Transcription

1 SAML SSO with Healthcare Context IHE Proposal October, 2014

2 Use Case Typical Use Case: User navigates to a patient medical record in an EMR and selects information in the record maintained in another system by following a link Examples: Select an image result in a PACS Select a scanned document in a document management system Select documents made available in an HIE

3 Problem Lack of UI Interoperability and SSO between products Many different protocols and solutions Inconsistent parameter names and processing rules Various security flavors or lack of security (e.g. proprietary sessions based, shared secrets, various argument passing mechanisms with hashing options, hard-coded passwords) HL7 CCOW standard solution tends to be expensive and complex SAML without guidance is not interoperable; too many options

4 Profile Benefits Leverages SAML industry standard and middleware software support for this standard Provides guidance for use of the SAML SSO and UI Interoperability within healthcare Provides mechanisms for expressing healthcare domain attributes (e.g. patient information, image accession and study information).

5 Proposed Solution Leverage SAML Web SSO Profile/HTTP Post Binding Document System EMR SAML SP Initiated (Source: SAML Technical Overview)

6 Key Deployment Profile Elements SAML Web SSO Profile Leverage security built-into the SAML standards supported by many middleware vendors SAML HTTP Post Binding only Simplify adoption and interoperability Context passed via SAML Attributes Attributes are integrity protected in SAML assertion Rules: All attribute names are case insensitive (i.e. Patient.Id.MRN is the same as patient.id.mrn). If SP required attributes are not provided by the IdP, the SP shall report an error. Attributes provided by the IdP but not recognized by the SP shall be ignored by the SP. Names per Subjects defined in HL7 CCOW

7 SAML Attribute Names (examples) Patient.Id.MPI Patient.Id.MRN Patient.Id.MRN.AssigningAuthority Encounter.Id.AccountNumber Encounter.Id.VisitNumber Patient.Co.PatientName Patient.Co.Sex Patient.Co.DateTimeOfBirth DICOMStudy.Id.InstanceUID DICOMSeries.Id.InstanceUID Patient s medical record number, per PID-2. Master Patient Index (MPI) or Patient Number (PN). MPI can be used to uniquely identify a patient across an enterprise. Patient s medical record (MR) number, per HL7 PID-2. Patient s medical record number's location, per HL7 PID-2.4 Assigning Authority, Hierarchic Designator (HD) datatype. The recommended content includes both the authority name and ISO identifier. The value of the attribute would be set to the assigning authority of the Patient.Id.MRN. This is the mechanism to specify the assigning authority (or location) of a patient with a fixed attribute name. Examples: Patient.Id.MRN.AssigningAuthority=Westchester_Clinic indicates that the MRN is assigned for the Westchester location. Patient.Id.MRN.AssigningAuthority=Westchester_Clinic^ ^ISO indicates that the MRN is assigned for the Westchester_Clinic that has an identifier assigned by ISO. Patient Account number (AN). Patient Visit Number (VN). Patient s legal name, per HL7 PID-5. Examples: Lastname^Firstname^Middle^Suffix^Prefix, Marchant^Olin^^^^ Patient s gender, per HL7 PID-8. Patient s Date and time of birth, per HL7 PID-7. The value of the DICOMStudy.Id.InstanceUID item corresponds to either: The DICOM Study Instance UID (0020,000D) attribute of a composite DICOM object The DICOM SOP Instance UID (0008,0018) attribute of a normalized DICOM object of the Detached Study Management SOP Class. Can only be used with a valid MRN or MPI. The DICOM series subject is an identity subject that represents a specific DICOM series object for a specific patient. Can only be used with a valid MRN or MPI. This list should be reviewed and validated by the IHE community to ensure the common Healthcare context attributes are defined.

8 Contributors Proposal Authors Many people in Siemens Healthcare have contributed to the content Proposal Editors Alex DeJong, Siemens Healthcare Jim McInnis, Siemens Healthcare