UMA in Health Care: Providing Patient Control or Creating Chaos?

Similar documents
An Introduction to User-Managed Access (UMA)

OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt. Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

How to Extend Identity Security to Your APIs

Cloud-based Identity and Access Control for Diagnostic Imaging Systems

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Axway API Gateway. Version 7.4.1

Enterprise Access Control Patterns For REST and Web APIs

Identity, Privacy, and Data Protection in the Cloud XACML. David Brossard Product Manager, Axiomatics

Globus Auth. Steve Tuecke. The University of Chicago

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Mastering health IT complexity with Fine-Grained REST APIs

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

OAuth 2.0. Weina Ma

ACR Connect Authentication Service Developers Guide

Comparative analysis - Web-based Identity Management Systems

Open Platform. Clinical Portal. Provider Mobile. Orion Health. Rhapsody Integration Engine. RAD LAB PAYER Rx

PRIVACY AWARE ACCESS CONTROL FOR CLOUD-BASED DATA PLATFORMS

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

APIs The Next Hacker Target Or a Business and Security Opportunity?

OpenID Connect 1.0 for Enterprise

Use Cases for Argonaut Project. Version 1.1

Building Secure Applications. James Tedrick

API-Security Gateway Dirk Krafzig

Interoperability for Mobile applications: New IHE profiles

EHR OAuth 2.0 Security

Onegini Token server / Web API Platform

OpenID Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Secure Cloud Computing Concepts Supporting Big Data in Healthcare. Ryan D. Pehrson Director, Solutions & Architecture Integrated Data Storage, LLC

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

A Standards-based Mobile Application IdM Architecture

Identity: The Key to the Future of Healthcare

Enabling SSO for native applications

Physician Champions David C. Kibbe, MD, & Daniel Mongiardo, MD FAQ Responses

How To Build A Digital Business From The Ground Up

Can We Reconstruct How Identity is Managed on the Internet?

Introduction to SAML

IBM WebSphere Application Server

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data

BYE BYE PASSWORDS. The Future of Online Identity. Hans Zandbelt Sr. Technical Architect. CTO Office - Ping Identity

API Management: Powered by SOA Software Dedicated Cloud

G Cloud 6 CDG Service Definition for Forgerock Software Services

OPENIAM ACCESS MANAGER. Web Access Management made Easy

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals

Authentication Strategy: Balancing Security and Convenience

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

Applying Cryptography as a Service to Mobile Applications

OAuth 2.0 andinternet Standard. Torsten Lodderstedt Deutsche Telekom AG

Architecture, Implementations, Integrations, and Technical Overview

API Architecture. for the Data Interoperability at OSU initiative

SAML and OAUTH comparison

Cloud Security. Let s Open the Box. Abu Shohel Ahmed ahmed.shohel@ericsson.com NomadicLab, Ericsson Research

The increasing popularity of mobile devices is rapidly changing how and where we

efolder White Paper: HIPAA Compliance

Direct Secure Messaging: Improving the Secure and Interoperable Exchange of Health Information

Key Enablers for the Cloud Service Broker: Identity, Privacy, and Security

Privacy & Security Requirements: from EHRs to PHRs

An Oracle White Paper Dec Oracle Access Management OAuth Service

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy

Cloud-Security: Show-Stopper or Enabling Technology?

OpenLogin: PTA, SAML, and OAuth/OpenID

OAuth Guide Release 6.0

Securing Content: The Core Currency of Your Business. Brian Davis President, Net Generation

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

Cloud Security: Is It Safe To Go In Yet?

Glinda Cummings World Wide Tivoli Security Product Manager

CAS s IDP system and resources in Education Cloud

PRODUCT BRIEF OpenAM. Delivering secure access for customers, applications, devices and things

Presented by Philippe Bogaerts Senior Field Systems Engineer Securing application delivery in the cloud

Clinical Document Exchange

Copyright Pivotal Software Inc, of 10

A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK

Mashery OAuth 2.0 Implementation Guide

Transcription:

SESSION ID: IDY-F03 UMA in Health Care: Providing Patient Control or Creating Chaos? David Staggs JD, CISSP Technologist / IP Attorney Staggs PLLC

UMA Value Proposition User Managed Access (UMA) brings granular control to the health care ecosystem scalable, secure, and provides uninterruptible consent patient control encourages trust and participation extends electronic workflow: reduces paper simplifies audit and compliance multi-use workflows possible 2

Making Possible Real unlock access to electronic health records (EHR) and personal health records (PHR) develop an ecosystem that opens entrepreneurial opportunities and accelerates progress establish publicly available APIs to the software ecosystem and share vast stores of data the solution must respect individuals privacy and guard against data breaches 3

The Future is RESTful RESTful Health Exchange (RHEx) links to specific EHR data not just moving entire record allows app providers to address small practices adds capabilities that are missing in secure email uses OAuth 2 and OpenID Connect (OIDC) profiles 4

The Future is SMART Substitutable Medical Applications Reusable Technologies opens up the EMR system silo open-source, developer-friendly API gives application ecosystem access to data encourages innovation uses OAuth 2 and OpenID Connect (OIDC) profiles 5

The Future is on FHIR Fast Healthcare Interoperability Resources data formats and elements with an API for exchanging EHR uses an HTTP-based RESTful protocol uses OAuth 2 for authentication to APIs adopted by RHEx and SMART supported by Health Level Seven (HL7) 6

OAuth 2 Authorization (Real Time) Code Grant Resource Owner B User- Agent Client ID and Redirection URI User Authentication Authorization Code AuthZ Server A Client C Authorization Code & Redirection URI OAuth Access Token 7

OAuth 2 Framework replaces the anti-password pattern resource owner OKs token for client s access HTTP-based RESTful protocol includes scopes / TTL that manage access rights permits service chaining (token that can be passed) Privacy by Design (PbD) 8

Security and Privacy Protected Health Information (PHI) and HIPAA patients should have control over their PHI need an extension to OAuth 2 / OIDC profiles use OAuth to protect APIs and OIDC to get credentials enforce patient s consent directives, even when the patient is not available (uninterrupted consent) User Managed Access (UMA) provides a solution 9

Introduction to UMA manage Resource Owner control Resource Server protect Protection API AuthZ Server Protected Resource PAT AuthZ API RPT access ATT Client authorize Requesting Party 10

UMA OAuth Tokens Authorization API (AAT) authorization server, requesting party, and client Request API (RPT) requesting party, client, resource server, and authorization server (not resource owner) Protection API (PAT) resource server, authorization server, and resource owner resource owner (e.g. patient) sets access policy and scope 11

UMA Spiral Slide 12

UMA s Chaotic Potential if patients pick their resource servers (personal cloud) how do they keep track of where everything is? will health care providers allow you to use any authorization server to control access to records they create? will treatment by multiple providers cause conflicts on which authorizations server is used to control? provider/custodian A requires using only authorization server X provider/custodian B requires using only authorization server Y 13

UMA Health Ecosystem Deep Dive Patient Resource Owner ACS Custodian Authorization Server Doctor Protection Client PAT Received Reg. Resources and Scopes Protection API GUI (one time) Acquire Protection Access Token (PAT) Authorization API ACS Authorization Client Set Resource Authorization Policy Request for Data Redirect to Authorization Server Verify Token, Invoke Privacy Protective Service (one time) Acquire Authorization API Token (AAT) Request Requesting Party Token (RPT) Receive RPT Request for Data with Authorization Token Return Data 14

Scopes scopes provide finer grained control scopes have the following: name of the resource that can be displayed to owner human-readable string describing some extent of access for example, scope involving reading or viewing resources: { "name" : "View", "icon_uri" : "http://www.example.com/icons/reading-glasses" } 15

Scope Description Documents scope description documents have the following: name, type, scopes, icon_uri { "name" : "Photo Album", "icon_uri" : "http://www.example.com/icons/flower.png", "scopes" : [ "http://photoz.example.com/dev/scopes/view", "http://photoz.example.com/dev/scopes/all" ], "type" : "http://www.example.com/rsets/photoalbum" } 16

More Potential Chaos token introspection by resource server at authorization server need to understand semantics of the token OpenID OAuth profile ID Token a signed and optionally encrypted JWT containing identity and attribute claims about the user UserInfo Endpoint a protected resource where the relying party can request additional claims about the user OAuth scopes are used to request individual user attributes 17

Can We Just Get Along health records in a personal cloud spread across resource servers should have uniform scope syntax authorization servers scope description documents simplify resource set registration mechanism prevent scope names from revealing PHI is a pointer to standard scope descriptions politically possible? consider HEART (Health Relationship Trust) 18

OpenID HEART health-related profiles layering: OAuth 2.0, OpenID Connect, FHIR, OAuth 2.0 scopes, and UMA HEART WG is defining use cases and requirements expect an implementation guide soon demonstration of current capabilities Eve Maler, ForgeRock, HEART WG Co-Chair Demo 19

Apply Slide identify your use cases requiring uninterrupted consent use HEART open source code for a test bed mitigate token vulnerabilities audience parameter, state parameter, signed JWTs, redirection URIs identify what resources need protection and define terminology identify your role in the ecosystem patient UX, authorization server, EHR custodian, OpenID claims provider, organization offering standard scope descriptions 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information