NIST ITL, Software Diagnostics and Conformance Testing Division

Healthcare Information Systems
(http://www.nist.gov/va/)
Bill Majurski (bill@nist.gov)

Overview: This project improves the quality of healthcare information systems by designing distributed models and architectures for healthcare information systems, developing reference implementations for these models and architectures, and participating in the development of standards for healthcare information systems. A significant aspect of this project is technology transfer of NIST Role Based Access Control (RBAC) work. This project is supported by funding from the Department of Veterans Affairs (VA) and the NIST Advanced Technology Program.

Need: Healthcare is a particularly challenging environment for information systems. Healthcare information systems must be distributed and interactively accessible, and must provide interoperability between new and legacy technologies. Healthcare information systems have unique access control requirements defined by Federal, State, and local regulations, as well as industry standards. Access control models which are capable of supporting complex access control policies are needed to meet these requirements. The VA, one of the nation’s largest healthcare providers, needed unbiased technical expertise in order to assess technology. NIST was consulted to provide this unbiased expertise.

Approach: A Remote Procedure Call (RPC) Broker which enables remote access to individual large hospital servers was designed. The RPC Broker allows a client workstation to request services from a hospital server. The RPC Broker design uses the client/server model and includes a protocol specific to hospital environments.

An authentication proxy, the Enterprise Single Sign-On Facility (ESSO), was designed. A reference implementation of this design was developed. With ESSO, users are able to access inter-enterprise legacy systems without having to re-authenticate to each legacy system. A paper describing this work was presented at the Second Workshop on the Role of Distributed Objects in Healthcare (http://www.itl.nist.gov/div897/sqg/va/papers/appaper.html).

In conjunction with Object Management Group (OMG) members from IBM, 2AB, and Baptist Health Systems of South Florida, the Resource Access Decision (RAD) specification was developed (ftp://ftp.omg.org/pub/docs/formal/01-04-01.pdf). RAD is an authorization framework and interface specification for healthcare distributed processing environments. RAD enables complex access decisions to be defined, managed, and enforced. A paper describing RAD was presented at the Annual Computer Security Applications Conference (http://www.itl.nist.gov/div897/staff/barkley/acsac-paper.ps). A paper relating RAD and RBAC was presented at the Fourth ACM Workshop on RBAC (http://www.itl.nist.gov/div897/staff/barkley/rbac-rad-to-publish.ps).

An authorization mechanism, the Inter-Organizational Role Based Access Control (IORBAC) Facility, has been designed and a reference implementation developed using LDAP (Lightweight Directory Access Protocol). IORBAC complements ESSO by providing an inter-enterprise wide authorization system. A prototype integrating RAD with IORBAC is being developed.
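As an added illustration of the pattern described in the two preceding paragraphs (this is not the OMG RAD interface definition and not NIST's reference implementation), the following Python sketch models an access decision that combines a role-based evaluator, whose role assignments stand in for what an LDAP-backed IORBAC store would hold, with a healthcare-specific evaluator that requires a treating relationship before a clinical record is released. All enterprise names, user identifiers, roles, patient identifiers and policy entries are constructed for the example.

```python
"""Simplified model of a RAD-style access decision backed by RBAC role assignments.

Added example: the names and data below are constructed; they are not part of the
OMG RAD specification or of any NIST or VA software.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ResourceName:
    """A resource named by the authority that defined it plus path components."""
    naming_authority: str            # constructed, e.g. "hospital-a.example"
    components: Tuple[str, ...]      # constructed, e.g. ("patient", "p-001", "record")

    @property
    def resource_type(self) -> str:
        return self.components[-1]

    @property
    def patient_id(self) -> str:
        return self.components[1]


@dataclass(frozen=True)
class Principal:
    """Security attributes of a caller, as an authentication proxy such as ESSO might assert them."""
    user_id: str
    enterprise: str


# Constructed role assignments, keyed by (enterprise, user); an IORBAC deployment would read
# these from LDAP. The same person may hold roles in more than one enterprise.
ROLE_ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("hospital-a.example", "dr_smith"): {"physician"},
    ("hospital-b.example", "dr_smith"): {"physician"},
    ("hospital-a.example", "nurse_jones"): {"nurse"},
    ("hospital-a.example", "clerk_lee"): {"clerk"},
}

# Constructed role-to-permission policy: (resource type, operation) pairs each role may perform.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "physician": {("record", "read"), ("record", "write"), ("demographics", "read")},
    "nurse": {("record", "read"), ("demographics", "read")},
    "clerk": {("demographics", "read"), ("demographics", "write")},
}

# Constructed dynamic attribute: which clinicians currently treat which patients.
TREATING_RELATIONSHIPS: Dict[str, Set[str]] = {
    "p-001": {"dr_smith", "nurse_jones"},
    "p-002": {"nurse_jones"},
}

# Each evaluator answers "YES", "NO" or "NO_DECISION" (it has no opinion on this request).
Evaluator = Callable[[ResourceName, str, Principal], str]


def role_evaluator(resource: ResourceName, operation: str, principal: Principal) -> str:
    """Role-based policy: YES if any of the principal's roles grants (type, operation)."""
    roles = ROLE_ASSIGNMENTS.get((principal.enterprise, principal.user_id), set())
    if not roles:
        return "NO_DECISION"      # unknown principal in this enterprise: abstain
    granted = any((resource.resource_type, operation) in ROLE_PERMISSIONS.get(r, set())
                  for r in roles)
    return "YES" if granted else "NO"


def relationship_evaluator(resource: ResourceName, operation: str, principal: Principal) -> str:
    """Clinical records additionally require a treating relationship; other types: abstain."""
    if resource.resource_type != "record":
        return "NO_DECISION"
    treating = TREATING_RELATIONSHIPS.get(resource.patient_id, set())
    return "YES" if principal.user_id in treating else "NO"


def access_allowed(resource: ResourceName, operation: str, principal: Principal,
                   evaluators: Optional[List[Evaluator]] = None) -> bool:
    """Decision combinator: any NO denies; otherwise at least one YES is required (default deny)."""
    evaluators = evaluators or [role_evaluator, relationship_evaluator]
    results = [ev(resource, operation, principal) for ev in evaluators]
    if "NO" in results:
        return False
    return "YES" in results


if __name__ == "__main__":
    record = ResourceName("hospital-a.example", ("patient", "p-002", "record"))
    # dr_smith holds the physician role but does not treat p-002, so the request is denied.
    print(access_allowed(record, "read", Principal("dr_smith", "hospital-a.example")))
```

The combinator is deliberately deny-by-default: an evaluator that abstains cannot grant anything, so a principal missing from the role store ends up with no access rather than accidental access, and a single explicit denial (here, the absence of a treating relationship) overrides any role-based grant.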

The National (smart)Card Management Directory (NCMD) manages the process of issuing Patient ID smart cards to veterans. NIST infrastructure software and tools are being used by VA contractors who are responsible for application software.

The Secure Screen Saver is a security-oriented Windows desktop and screen saver which supports requirements unavailable in off-the-shelf products. It enforces a set of security policies that are consistent with the public locations of VA workstations.

Impact: The NIST RPC Broker has been implemented by the VA and is in use in all (approximately 170) VA hospitals. Application software using the NIST RPC Broker has been and continues to be implemented by VA contractors. The ESSO reference implementation has been installed in two VA hospitals for testing. The RAD specification has been adopted by the OMG and is part of the family of OMG CORBA Specifications. RAD is being implemented by 2AB and DASCOM, and is in the process of becoming an ASTM standard. The NCMD currently manages 30K cards with plans to increase tenfold. NIST designs are a permanent part of the VA HIS Architecture. Bill Majurski of NIST is a permanent consultant to the VA Architecture Design Group.

 
Last modified: June 11, 2003

Created on January 1, 2002.