
Page 1: PKI in Healthcare

PKI in Healthcare

Dave Barnett, Systems Architect, Kaiser Permanente
[email protected]
(925) 926-3520

Page 2: Organization Background

March 6, 2000 © Kaiser Permanente Medical Care Program

Organization Background

- Kaiser Permanente Medical Care Program
  - First HMO (founded in 1945)
  - Now in 11 states and District of Columbia
  - 8 Million Members
  - 11,000 Physicians
  - 90,000 Employees
  - 30 Medical Centers
  - 360 Medical Facilities

Page 3: PKI Project Business Drivers


PKI Project Business Drivers

- Move duplicated functions (e.g. security) from applications to infrastructure
- Electronic Healthcare Records and Services replacing paper based
- Regulatory compliance
  - Health Insurance Portability and Accountability Act (HIPAA): http://aspe.os.dhhs.gov/admnsimp/

Page 4: PKI Project Business Drivers


PKI Project Business Drivers

- Healthcare Community of Interest
  - California Medical Association estimates that each California Physician does business with 50 to 100 healthcare organizations
- Considerable opportunity for e-business
  - Commerce (supplies, pharmaceuticals, etc.)
  - Patient services
  - Benefits (e.g., with Employer)
  - Referrals for Medical Services
  - Emergency Room

Page 5: KP PKI Project Scope


KP PKI Project Scope

- KP PKI-enabled CIS (Clinical Information System)
  - First 2,500 users in September 2000
  - Roll-out to 70,000 users
- VPN/Extranet
  - Applications with Affiliates
  - EDI and e-business

Page 6: KP PKI Project Scope


KP PKI Project Scope

- Secure E-mail (S/MIME)
  - Partner / Affiliate
  - Patient - Doctor
- Web
  - Patient access to medical information and services
  - Partner and Affiliate access to resources
- Interoperability demo with California Medical Association and Tunitas Group Healthcare PKI

Page 7: Healthcare PKI Demo Project


Healthcare PKI Demo Project

- California Medical Association
  - CA for California Physicians
  - See http://www.cmanet.org/ for information on MEDePass program
  - CMA Bridge CA
  - Will interoperate with KP Bridge CA
- PKI Interoperability Demo Workshop
  - Kaiser Permanente, CMA, Blue Shield of California, Scripps, Hill Physicians, Social Security Admin, Pacificare, Catholic Healthcare West, Sutter, St. Joseph, etc.
  - http://www.tunitas.com/pages/PKI/pki.htm

Page 8: Interoperability Issues


Interoperability Issues

- Healthcare Certificate Policies and Certification Practice Statements
- Assurance of Identity
- Certificate Profiles
- Privilege Management (Future)

Page 9: CP and CPS


CP and CPS

- Existing CP / CPS examples not useful
  - Policy and legal requirements of an organization that sells certificates and CA services are different from Healthcare provider requirements
- Healthcare Model Policy creation and support is critical
  - ANSI HISB Meeting, March 1-2, 2000 (http://www.ansi.org/rooms/room_41/default.htm)
  - ASTM E31.20 Healthcare Model Policy: only work in progress under ANSI
  - See E31 Committee at http://www.astm.org
  - See draft Healthcare Model Policy at http://www.tunitas.com/pages/PKI/docs/

Page 10: Assurance of Identity


Assurance of Identity

- Assurance of Identity is one of the considerations for Assurance Level in CP
- Healthcare Provider Certificate is a high value target
  - Allows impersonation of physician electronically
- Identity assurance and authentication must be acceptable to industry and regulators
  - e.g., what would the DEA require for a digital signature for electronic prescriptions?

Page 11: Profile Proliferation


Profile Proliferation

- Tendency for each organization, vendor, application, and community of interest to create a certificate profile
- Need to converge on smallest number of profiles required (e.g., vertical industry community of interest)
- Need to develop an X.509 v3 profile for Healthcare based on RFC 2459 and ASTM E31.20

Page 12: Privilege Management


Privilege Management

- Access control and authorization can become very complex in Healthcare
  - Roles: Appointment Clerk, Billing, Physician, Radiologist, Lab, Psychiatric Social Worker, etc.
  - Content: HIV, Substance Abuse, Mental Health
  - National and State Regulations
  - Policy (organizational and departmental)
  - Context (Emergency Dept.)
  - Privilege changes may be frequent
  - Multiple roles not uncommon

Page 13: Privilege Management


Privilege Management

- ITU and IETF proposing Attribute Certificates (X.509) for PMI
- Open Group just approved Authorization API (aznAPI) as a standard for authorization
- Not mutually exclusive
  - aznAPI can use Attribute Certificates as well as other approaches (e.g., rule or role based “authorization engine”)

Page 14: Privilege Management


Privilege Management

- Standards not stabilized yet, products are very new
- PMI can be very useful in Healthcare
- Healthcare industry interest likely to grow in this area
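As an added illustration (not part of the presentation or of Kaiser Permanente's system), here is a small rule- and role-based authorization engine of the kind slide 13 mentions, evaluating the factors slide 12 lists: multiple roles per user, specially regulated content categories, an emergency-department context, and privilege changes that must take effect immediately. The roles, categories, users and grant table are constructed sample data, not a real policy.

```python
"""Added example: minimal healthcare authorization engine. All roles,
content categories and grants below are constructed for illustration."""
from dataclasses import dataclass, field

# Content categories the slide singles out as specially regulated.
SENSITIVE = {"hiv", "substance_abuse", "mental_health"}

# Constructed role-to-category grants; a real policy would come from the
# organizational and departmental policy the slide refers to.
ROLE_GRANTS = {
    "appointment_clerk": {"demographics", "schedule"},
    "billing": {"demographics", "billing"},
    "physician": {"demographics", "schedule", "clinical"},
    "radiologist": {"demographics", "imaging"},
    "lab": {"demographics", "lab_results"},
    "psychiatric_social_worker": {"demographics", "clinical",
                                  "mental_health", "substance_abuse"},
}

# Roles allowed an emergency ("break-glass") read of sensitive content.
BREAK_GLASS_ROLES = {"physician"}


@dataclass
class AuthzEngine:
    # Roles are looked up per request, so a revocation applies immediately
    # (privilege changes may be frequent).
    user_roles: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def decide(self, user, category, context="routine"):
        """Return (allowed, reason). Sensitive accesses and overrides are audited."""
        roles = self.user_roles.get(user, set())
        # A user holding several roles gets the union of their grants.
        granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles))
        if category in granted:
            allowed, reason = True, "role grant"
        elif (context == "emergency_dept" and roles & BREAK_GLASS_ROLES
              and category in SENSITIVE):
            allowed, reason = True, "emergency override"
        else:
            allowed, reason = False, "no applicable grant"
        if category in SENSITIVE or reason == "emergency override":
            self.audit.append((user, sorted(roles), category, context, reason))
        return allowed, reason
```

The audit trail is what makes the emergency override defensible: every sensitive read, allowed or denied, is recorded with the roles held at the time.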

Page 15: Thank you!


Thank you!