SAML for EPCS (Electronic Prescription of Controlled Substances)



Similar documents
Electronic Prescribing of Controlled Substances: Establishing a Secure, Auditable Chain of Trust

A Planning Guide for Electronic Prescriptions for Controlled Substances (EPCS)

VASCO: Compliant Digital Identity Protection for Healthcare

E-Prescribing of Controlled Substances (EPCS) New York State Board for Podiatry

Electronic Prescribing In New York State

Biometric Single Sign-on using SAML

California State Board of Pharmacy and Medical Board of California

SAML SSO Configuration

OpenID & Strong Authentication

Request for Proposals. Statewide Two Factor Authentication Solution. Addendum #2 October 5, Questions and Responses

Electronic Prescribing of Controlled Substances

DEA's New Proposed Regulations For E-Prescribing

Request for Proposals Statewide Two Factor Authentication Solution

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Healthcare Information Security Today

Agenda. How to configure

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

BEYOND IDENTITY PROOFING: How EHRs Can Become More Than Just Vendors

RealMe. Technology Solution Overview. Version 1.0 Final September Authors: Mick Clarke & Steffen Sorensen

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Biometric Single Sign-on using SAML Architecture & Design Strategies

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

Identity: The Key to the Future of Healthcare

Enhancing Web Application Security

Multi-Factor Authentication of Online Transactions

Single Sign-On (SSO), Identity Exchange Hub, Remote Identity Proofing

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

The increasing popularity of mobile devices is rapidly changing how and where we

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Entrust Secure Web Portal Solution. Livio Merlo Security Consultant September 25th, 2003

TIB 2.0 Administration Functions Overview

Introduction to SAML

How to Optimize Epic Clinical Workflows with Imprivata

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Privacy, Security, and Trust with Federated Identity Management

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

CoSign by ARX for PIV Cards

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Electronic Prescribing System (EPCS)

NCSU SSO. Case Study

Scalable Authentication

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES

A brief on Two-Factor Authentication

T his feature is add-on service available to Enterprise accounts.

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

EPCS FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES. Revised: January 2016

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

CoSign for 21CFR Part 11 Compliance

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Single Sign On Implementation Guide

The Password Problem Will Only Get Worse

Innovations in Digital Signature. Rethinking Digital Signatures

Server based signature service. Overview

Moving to Multi-factor Authentication. Kevin Unthank

Glossary of Key Terms

HP Software as a Service. Federated SSO Guide

WHITE PAPER Usher Mobile Identity Platform

The Benefits of an Industry Standard Platform for Enterprise Sign-On

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

API-Security Gateway Dirk Krafzig

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Why should I report issues directly through my pharmacy management system vendor and not Surescripts?

HP Software as a Service

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP

Leveraging SAML for Federated Single Sign-on:

Interoperable Provisioning in a Distributed World

Using SAML for Single Sign-On in the SOA Software Platform

How to Implement Enterprise SAML SSO

How do I work with my pharmacy management system vendor to enable my pharmacy for e-prescribing via the Surescripts network?

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Web Based Single Sign-On and Access Control

Authentication Levels. White Paper April 23, 2014

The Top 5 Federated Single Sign-On Scenarios

McKesson Practice Choice TM Electronic Prescribing of Controlled Substances (EPCS) Frequently Asked Questions

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Information Technology Policy

E-Authentication Federation Adopted Schemes

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Vidder PrecisionAccess

Authentication Methods

CryptoNET: Security Management Protocols

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Security protocols

Step-up-authetication as a service

SAML SSO with Healthcare Context

Top 5 Reasons to Choose User-Friendly Strong Authentication

Transcription:

SAML for EPCS (Electronic Prescription of Controlled Substances) Discussion Slides for review in the OASIS Security Services (SAML) TC August, 2014

DEA Regulation Compliance with New York s istop law- requires all prescriptions to be eprescribed in NY by March 27, 2015 Source: http://www.gpo.gov/fdsys/pkg/fr-2010-03-31/pdf/2010-6687.pdf

Excerpt from the EPCS Rule Based on DEA s concerns, certain requirements must exist for any system to be used for the electronic prescribing of controlled substances: Only DEA registrants may be granted the authority to sign controlled substance electronic prescriptions. The approach must, to the greatest extent possible, protect against the theft of registrants identities. The method used to authenticate a practitioner to the electronic prescribing system must ensure to the greatest extent possible that the practitioner cannot repudiate the prescription. Authentication methods that can be compromised without the practitioner being aware of the compromise are not acceptable. The prescription records must be reliable enough to be used in legal actions (enforcing laws relating to controlled substances) without diminishing the ability to establish the relevant facts and without requiring the calling of excessive numbers of witnesses to verify records. The security systems used by any electronic prescription application must, to the greatest extent possible, prevent the possibility of insider creation or alteration of controlled substance prescriptions.

Engineering View of the EPCS Rules TFA (Two Factor Authentication) for 2 workflows Provisioning process and assigning EPCS capability to designated individuals Prescribing of controlled substances TFA with strong authentication One-time password Biometric (i.e. fingerprint) Smartcard with PIN NIST FIPS 140-2 Security Level 1 (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf) Auditing: Setting/changes to access controls, eprescription signed/created/transmitted eprescription transmission failures Digital signing of the prescriptions Secure transmission

Vendors Electronic Medical Records (EMR) & Clinical Information Systems (CIS) Provide functionality for use by clinicians to maintain and manage a patient medical record Provide ordering functionality for medications Single Sign-On (SSO) and Security Systems Support for various authentication factors Used in many industries, including Healthcare

Solution for EPCS Leverage SAML Web SSO Profile/HTTP Post Binding EMR or CIS Prescribe Narcotics Security Solution With TFA <AuthnRequest> In HTML form POST <AuthnRequest> TFA user SAML SP Initiated (Source: SAML Technical Overview)

EPCS Request/Response Specifics SAML SP requests a TFA for a controlled substance prescription Needs to be certified to perform this function EMR/CIS does not know what the devices are that are used within a particular environment; it requests an EPCS DEA compliant workflow SAML IdP performs a TFA and responds with a success if a DEA EPCS compliant authentication can be performed Needs to be certified to perform this function Performs the TFA from devices conforming to the DEA requirements Responds with the authentication modalities used Various existing SAML constructs are used to express the subject and other metadata on the request and response; these are not discussed here since they use the standards as-is

Additional Context Info (1) The AuthnRequest uses the following RequestedAuthnContext / AuthnContextDeclRef information to request an EPCS workflow: urn:oasis:names:draft:saml:2.0:ac:workflows:epcs This value indicates to the SAML Identity Provider that a two factor authentication is required that conforms to the DEA requirements. ForceAuthn is set to true, which should force an authentication request (and NOT leverage existing context).

Additional Context Info (2) The SAML Response shall contain the actual used modalities of authentication in AuthnStatement/AuthnContext/AuthnContextClassRef elements. The SAML Response shall contain an AuthnStatement/AuthnContext/AuthnContextDeclRef element containing the RequestedAuthnContext/AuthnContextDeclRef from the authentication request. The following authentication mechanisms are identified for EPCS: PIN (if complexity is high enough) urn.oasis:names:draft:saml:2.0:ac:classes:pin Fingerprint urn.oasis:names:draft:saml:2.0:ac:classes:biometric:fingerprint ID Token urn.oasis:names:draft:saml:2.0:ac:classes:onetimepassword Smart Card urn.oasis:names:tc:saml:2.0:ac:classes:x509

Other Considerations (1) How to model multifactor authentication in SAML? suggestion: to use a separate authentication statement in the assertion for each auth. factor, e.g. one for fingerprint and one for smart card which results in 2- factor authentication biometrics fingerprint+sc Definition of AuthnContextClasses for biometric modalities fingerprint,palm, iris, face, etc. if biometrics are used for authentication it is important to distinguish verification (1:1) and identification (1:n) definition of AuthnContextClass for Verification and one for Identification and adding it to the assertion like the authentication factors? How to express the need of a certain authentication need in the SAML request? either by requesting a specific workflow -> like EPCS or by requesting authentication of certain strength which would need concept to categorize the different authentication methods into a certain strength factor in the SAML standard e.g. categorization by Know, Have, Have One Time, Be [biometrics] biometrics need to be distinguished by their strength again and verify, identify was applied

Other Considerations (2) More specific definition of the subject In the EPCS use case, the Subject is a clinician identified by a username Many customers use Active Directory (UPN or samaccount) or an application specific username More specific definition of username mapping Use of the SPProvidedID construct How to exchange certificates Manual setup or automated setup? Self-signed or CA?

Questions & Next Steps Contact: Alex DeJong (alex.dejong@siemens.com)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information