Proposed Technical Architecture for California HIE Services Walter Sujansky Sujansky & Associates, LLC Presentation to NHIN-Direct Security and Trust Work Group April 29, 2010


Proposed Technical Architecture for California HIE Services

Walter Sujansky, Sujansky & Associates, LLC

Presentation to NHIN-Direct Security and Trust Work Group

April 29, 2010

Proposed Technical Architecture (diagram)

The Core Cooperative Shared HIE Services (Entity Registry Service, Provider Directory Service, Provider Identity Service) sit between the legal entities (laboratories, hospitals, IDNs, IPAs, solo practices, group practices) and the physicians and other principals within them (Enterprise-A with Principal-3 and Principal-4, Enterprise-B with Principal-5 and Principal-6, and stand-alone Principal-1 and Principal-2).

Entity Registry Service: identity management for legal entities

Entity Registry Service

1. A Certificate Authority that provisions legal entities in a widely trusted manner
• Certifies legitimacy of the entity and its conformance to security/privacy policies
• “Revokes” certification for entities when appropriate
• Legal Entity = Physician practice, hospital, pharmacy, lab, immunization registry, etc.
• Not individual physicians, administrative staff, or consumers

2. Repository of valid, active certificates for legal entities that wish to exchange health information using the CS-HIE resources

Entity Registry Service (diagram)

HIE Certificate Authority (C.A.), Public Key: 3D78EB4A58F2

The C.A. signs Entity Certificates, which are stored in the Entity Registry, e.g.:
Entity Certificate: Montrose Internist Group, 746 Professional Circle, La Jolla, CA; Type: Outpatient Med Facility; Public Key: H58GKXF894D8

Meaning: The Certificate Authority has validated that this legal entity:
• Legitimately exists and has the attributes listed
• Complies with the designated policies for provisioning and authenticating its users and safeguarding electronic health information
• Has possession of a private key that corresponds to the listed public key

Responsibilities of a Registered Legal Entity (1)

Maintain internal registry of its providers, including minimum descriptive attributes (name, location, type, role, etc.)
• I.e., providers may be provisioned locally by their entities => no requirement for a centralized user registry

Reliably authenticate these providers when they “log in” within the entity’s domain
• I.e., providers may be authenticated locally by their entities

When providers exchange health information outside of the entity’s domain, include the following with each transaction:
1. An “authentication assertion” signed by the legal entity that (a) validates the identity of the provider and (b) substantiates that the provider was authenticated appropriately
2. An “authorization assertion” signed by the legal entity that documents (a) the role of the provider with respect to the patient and (b) the purpose of the health information exchange
3. Copy of payload signed by the legal entity to confirm data integrity

Entity Registry Service (diagram): contents of a transaction

HIE Certificate Authority (C.A.), Public Key: 3D78EB4A58F2, signs the Entity Certificate held in the Entity Registry:
Entity Certificate: Montrose Internist Group, 746 Professional Circle, La Jolla, CA; Type: Outpatient Med Facility; Public Key: H58GKXF894D8

Sent to the recipient in the transaction, each signed by the entity:

Authentication Assertion (Entity signs)
Authenticated: NPI 5893859073, Jacob Hill, MD – Internal Medicine; Login: 2010-03-28 14:35:50; Credential: password-only; Entity: Montrose Internist Group

Authorization Assertion (Entity signs)
Authorized: NPI 5893859073, Jacob Hill, MD – Internal Medicine; Role: Patient’s PCP; Purpose: Transfer of Care; Entity: Montrose Internist Group

Payload (Entity signs)
Joe Patient, DOB, Gender, etc…
Problem List, Med List, etc…

Responsibilities of a Registered Legal Entity (2)

Provide an electronic directory of the providers within the legal entity
• The directory must be accessible in a standard format as a “web service”, available to all other entities with access to the Entity Registry Service
• The directory need contain only those providers whose information the legal entity wishes to publish
• Each directory entry must include
  – The provider’s descriptive attributes (to enable lookups)
  – The HIE transactions that the provider supports (to determine whether a transaction is supported)
  – For each supported transaction, the electronic address(es) and protocol(s) (to determine how a transaction is supported)

Provider Directory Entries

Entity + Provider + Transaction Type => Network Address + Protocol
• E.g., Dr. Hill at Montrose Internist Group can be sent hospital discharge summaries at ehr.montrose.com/InBox/DischargeSummary using the Level-2 CCD document format

Network address may be provider’s own EHR or it may be a 3rd party system
• E.g., an HIO routing service, an EHR hosted by an IPA, an HISP, etc.

Entries are created and certified (signed) by legal entities, which are responsible for their veracity

Entity Registry Service and Provider Directory (diagram)

HIE Certificate Authority (C.A.), Public Key: 3D78EB4A58F2, signs the Entity Certificate in the Entity Registry (for looking up the recipient):
Entity Certificate: Montrose Internist Group, 746 Professional Circle, La Jolla, CA; Type: Outpatient Med Facility; Public Key: H58GKXF894D8

The entity signs its Provider Directory entries (for formulating the transaction), which are retrieved by the potential sender of a transaction, e.g.:
Directory Entry: Entity: Montrose Internist Group; Provider: Jacob Hill, MD; Transaction: Receive Discharge Summary; Addr: ehr.montrose.com/Inbox/DcSummary; Protocol: Level 2 CCD
(The other entries in the stack read: Montrose Internist Group; Jacob Hill, MD; Trans: Discharge Summary; Addr: montroseIG.com/hie/discharge; Protocol: Level 2 CCD)
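The following Go program is an added example, not code from the presentation or from any CS-HIE implementation. It models the two slides above: a legal entity publishes a directory entry (Entity + Provider + Transaction Type => Network Address + Protocol) signed with its private key, and a prospective sender resolves an address and protocol only when the entry verifies under the public key taken from that entity's C.A.-signed Entity Certificate. The Montrose entry is taken from the slide; the "Unregistered Clinic" entry, the ephemeral keys, and the use of Ed25519 with JSON serialization are constructed assumptions for this example, not choices the deck specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// DirectoryEntry is the mapping from the Provider Directory Entries slide:
// Entity + Provider + Transaction Type => Network Address + Protocol.
type DirectoryEntry struct {
	Entity      string `json:"entity"`
	Provider    string `json:"provider"`
	Transaction string `json:"transaction"`
	Addr        string `json:"addr"`
	Protocol    string `json:"protocol"`
}

// SignedEntry carries an entry's JSON form plus the publishing entity's signature over it.
type SignedEntry struct {
	Body []byte
	Sig  []byte
}

// Publish has the legal entity sign an entry with its private key, thereby
// certifying it (the entity is responsible for the entry's veracity).
func Publish(priv ed25519.PrivateKey, e DirectoryEntry) SignedEntry {
	body, _ := json.Marshal(e)
	return SignedEntry{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Lookup is the sender-side search. entityKeys holds, per legal entity, the public
// key taken from its C.A.-signed Entity Certificate (assumed already validated).
// Entries whose signature does not verify under the named entity's key, or whose
// entity holds no certificate, are ignored rather than trusted.
func Lookup(dir []SignedEntry, entityKeys map[string]ed25519.PublicKey,
	entity, provider, transaction string) (addr, protocol string, err error) {
	for _, se := range dir {
		var e DirectoryEntry
		if json.Unmarshal(se.Body, &e) != nil {
			continue // malformed entry
		}
		if e.Entity != entity || e.Provider != provider || e.Transaction != transaction {
			continue // not the entry we are looking for
		}
		pub, registered := entityKeys[e.Entity]
		if !registered || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, se.Body, se.Sig) {
			continue // publisher not in the Entity Registry, or forged/tampered entry
		}
		return e.Addr, e.Protocol, nil
	}
	return "", "", fmt.Errorf("no trusted entry for %s / %s / %s", entity, provider, transaction)
}

// BuildSampleDirectory constructs an ephemeral key for Montrose Internist Group,
// the directory entry shown on the slide, and (constructed for this example) an
// entry published by an entity that holds no Entity Certificate.
func BuildSampleDirectory() ([]SignedEntry, map[string]ed25519.PublicKey) {
	montrosePub, montrosePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, unregisteredPriv, _ := ed25519.GenerateKey(rand.Reader)
	dir := []SignedEntry{
		Publish(montrosePriv, DirectoryEntry{
			Entity: "Montrose Internist Group", Provider: "Jacob Hill, MD",
			Transaction: "Receive Discharge Summary",
			Addr:        "ehr.montrose.com/Inbox/DcSummary", Protocol: "Level 2 CCD",
		}),
		Publish(unregisteredPriv, DirectoryEntry{ // constructed: no certificate in the registry
			Entity: "Unregistered Clinic", Provider: "Nobody, MD",
			Transaction: "Receive Discharge Summary",
			Addr:        "example.invalid/inbox", Protocol: "Level 2 CCD",
		}),
	}
	return dir, map[string]ed25519.PublicKey{"Montrose Internist Group": montrosePub}
}

func main() {
	dir, keys := BuildSampleDirectory()
	addr, proto, err := Lookup(dir, keys, "Montrose Internist Group", "Jacob Hill, MD", "Receive Discharge Summary")
	fmt.Println(addr, proto, err)
	_, _, err = Lookup(dir, keys, "Unregistered Clinic", "Nobody, MD", "Receive Discharge Summary")
	fmt.Println(err)
}
```

The design point is that the directory answers "where and how" only for entries that chain back to the Entity Registry: an entry from an entity without a certificate, or an entry whose bytes were altered after signing, yields no address at all rather than an untrusted one.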

Publishing Provider Directory Entries (diagram)

A Legal Entity has providers* and a Registry Entry in the Entity Registry Service. It publishes its directory entries in one of three ways:
• Publish directory entries to the Provider Directory Service, OR
• Self-hosted Provider Directory (web service), OR
• 3rd-party-hosted Provider Directory (web service)
The Registry Entry holds a pointer to the directory.

* Physicians, other providers, clerical users, departments, data repositories, etc.

Proposed Technical Architecture (same diagram as above), with the Provider Directory Service annotated:

Entity Registry Service: identity management for legal entities
Provider Directory Service: addressing and formatting information for intended recipients of HIE transactions

Proposed Technical Architecture (same diagram as above), with the Provider Identity Service annotated:

Entity Registry Service: identity management for legal entities
Provider Directory Service: addressing and formatting information for intended recipients of HIE transactions
Provider Identity Service: identity management and authentication for principals in HIE transactions

Provider Identity Service

Centralized, trusted service for provisioning and authenticating providers involved in HIE transactions
• Intended for entities that are not trusted to authenticate their own providers, despite blessing of certificate authority

Use of Provider Identity Service is entirely optional
• Entities may provision and authenticate their own providers

May or may not prove to be needed…

Proposed Technical Architecture (same diagram as above), with a legend distinguishing two kinds of arrows:
• Transactions involving CS-HIE Services and using the protocols and standards required by these services*
• Transactions not involving CS-HIE Services and not necessarily using the protocols and standards required by these services

* with TLS encryption and authentication

Example: Hospital Discharge Summary (diagram, part 1)

Parties shown: Dr. Beth Cramer at Seaview Hospital, Dr. Jonah Hill at Montrose Internist Group, Valley IPA (each a Legal Entity).

1. John Smith’s PCP is Dr. Jonah Hill at Montrose Internist Group
2. Look up Montrose Internist Group (Entity Registry Service); the registry entry provides a pointer to the provider directory
3. Look up Dr. Jonah Hill (Provider Directory), which returns:
   Legal Entity: Montrose Internist Group | Principal: Dr. Jonah Hill | Transaction: Receive Hospital Discharge Summary | Address: www.valleyIPA.org/InBox/DcSummary | Protocol: CCD Level 2
4. Formulate and send transaction*

* with TLS encryption and authentication

Example: Hospital Discharge Summary (diagram, part 2)

Seaview Hospital (Dr. Beth Cramer) formulates and sends the transaction* to Montrose Internist Group (Dr. Jonah Hill), via the address hosted at Valley IPA.

Transaction:
Header
• Certificate for Seaview Hospital (with public key)
• Authentication Assertion for Dr. Beth Cramer (signed by Seaview Hospital)
• Authorization Assertion for Dr. Beth Cramer vis-à-vis John Smith (signed by Seaview Hospital)
Payload
• Discharge Summary as CCD with patient identifiers for John Smith (signed by Seaview Hospital)

At Montrose Internist Group, the recipient:
• Inspects transaction header and payload
• Validates Seaview Hospital’s certificate
• Makes access-control decision based on header & payload contents
• Delivers to recipient’s EHR

* with TLS encryption and authentication
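The following Go program is an added example, not code from the presentation or from any CS-HIE implementation. It carries the transaction structure of the "Responsibilities of a Registered Legal Entity (1)" and transaction-contents slides through the recipient's steps on the slide above: the sending entity signs the authentication assertion, the authorization assertion and the payload; the recipient validates the sender's Entity Certificate against the trusted C.A. key, checks the entity's signatures on header and payload, and only then applies an access-control decision to the header contents. The access-control rules (assertions must name the certified entity and the same provider, and the purpose must be on an allow-list), the NPI and address placeholders, the role text, the ephemeral keys, and the use of Ed25519 with JSON serialization are constructed assumptions for this example; the deck leaves the technical design of the assertions open.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// EntityCertificate is the Entity Registry record: the legal entity's attributes
// and public key, signed by the HIE Certificate Authority.
type EntityCertificate struct {
	Name      string            `json:"name"`
	Address   string            `json:"address"`
	Type      string            `json:"type"`
	PublicKey ed25519.PublicKey `json:"public_key"`
}

// AuthnAssertion and AuthzAssertion are the two header assertions signed by the entity.
type AuthnAssertion struct {
	NPI, Provider, Login, Credential, Entity string
}
type AuthzAssertion struct {
	NPI, Provider, Role, Purpose, Entity string
}

// Signed is a serialized message with a detached Ed25519 signature.
type Signed struct {
	Body, Sig []byte
}

func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	body, _ := json.Marshal(v)
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}
}

// verifyInto checks the signature first and only then parses the body.
func verifyInto(pub ed25519.PublicKey, s Signed, v interface{}) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, s.Body, s.Sig) {
		return errors.New("signature does not verify")
	}
	return json.Unmarshal(s.Body, v)
}

// Transaction is what goes on the wire: the C.A.-signed certificate, the two
// entity-signed assertions (header) and the entity-signed payload.
type Transaction struct {
	Cert, Authn, Authz, Payload Signed
}

// Receive performs the recipient's steps: validate the certificate, verify the
// entity's signatures, decide access on header contents, then release the payload
// for delivery to the EHR. The policy rules here are assumptions for this example.
func Receive(caPub ed25519.PublicKey, tx Transaction, allowedPurposes map[string]bool) ([]byte, error) {
	var cert EntityCertificate
	if err := verifyInto(caPub, tx.Cert, &cert); err != nil {
		return nil, fmt.Errorf("validate sender certificate: %w", err)
	}
	var authn AuthnAssertion
	if err := verifyInto(cert.PublicKey, tx.Authn, &authn); err != nil {
		return nil, fmt.Errorf("authentication assertion: %w", err)
	}
	var authz AuthzAssertion
	if err := verifyInto(cert.PublicKey, tx.Authz, &authz); err != nil {
		return nil, fmt.Errorf("authorization assertion: %w", err)
	}
	if !ed25519.Verify(cert.PublicKey, tx.Payload.Body, tx.Payload.Sig) {
		return nil, errors.New("payload integrity check failed")
	}
	// Access-control decision based on header contents.
	if authn.Entity != cert.Name || authz.Entity != cert.Name {
		return nil, errors.New("assertion issuer does not match certified entity")
	}
	if authn.NPI != authz.NPI {
		return nil, errors.New("authenticated and authorized providers differ")
	}
	if !allowedPurposes[authz.Purpose] {
		return nil, fmt.Errorf("purpose %q not permitted", authz.Purpose)
	}
	return tx.Payload.Body, nil // deliver to recipient's EHR
}

// BuildExample constructs ephemeral C.A. and Seaview Hospital keys and the
// discharge-summary transaction of the example. All values are constructed;
// the NPI and street address are placeholders.
func BuildExample() (ed25519.PublicKey, Transaction) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	entPub, entPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := EntityCertificate{Name: "Seaview Hospital", Address: "(placeholder)", Type: "Hospital", PublicKey: entPub}
	tx := Transaction{
		Cert:    sign(caPriv, cert),
		Authn:   sign(entPriv, AuthnAssertion{NPI: "NPI-PLACEHOLDER", Provider: "Beth Cramer, MD", Login: "2010-03-28 14:35:50", Credential: "password-only", Entity: "Seaview Hospital"}),
		Authz:   sign(entPriv, AuthzAssertion{NPI: "NPI-PLACEHOLDER", Provider: "Beth Cramer, MD", Role: "Discharging physician", Purpose: "Transfer of Care", Entity: "Seaview Hospital"}),
		Payload: sign(entPriv, map[string]string{"patient": "John Smith", "document": "Discharge Summary, CCD Level 2"}),
	}
	return caPub, tx
}

func main() {
	caPub, tx := BuildExample()
	payload, err := Receive(caPub, tx, map[string]bool{"Transfer of Care": true})
	fmt.Println(string(payload), err)
}
```

Note the ordering: the certificate is checked against the C.A. key before any of the entity's signatures are trusted, and every signature is checked before the corresponding bytes are parsed, so a transaction from an entity outside the registry, or one whose payload was altered in transit, is rejected before the access-control policy ever looks at its contents.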

Summary

The Core CS-HIE Services are intended to provide
1. A trust infrastructure in which parties can determine the authenticity of HIE transactions that they receive from arbitrary counterparties
2. A directory infrastructure in which parties can determine where and how to direct HIE transactions intended for specific recipients via the internet

Much technical and policy work remains to flesh out the design of these services
• Define the policies surrounding the HIE certificate authority and the granting of Entity Registry entries
• Define the technical design of Entity Registry entries and Provider Directory entries
• Define the technical design of authentication and authorization assertions
• More…

Questions

Sujansky & Associates, LLC

www.sujansky.com