Appendix I – Sources of Security Standards and Security Patterns


Comment

IHE - Cybersecurity Standards

The link under the text "IHE Cybersecurity Standards" does not reference an IHE specification. For IHE, the following link would be the most comprehensive: https://wiki.ihe.net/index.php/Category:Security

Missing IHE specifications

The following IHE specifications on the Privacy and Security topic are missing:
  • The IHE IT Infrastructure technical white paper, Template for XDS Affinity Domain Deployment Planning outlines some of the issues that should be evaluated for inclusion in the local Policy creation and Risk Management decisions. 
  • The APPC Profile adds to the BPPC functionality the ability to include deviations from the base policy in a structured and coded format. Where BPPC is limited to agreement or not to a pre-defined policy, APPC allows for more fluid patient privacy consent function.
  • organization directory (mCSD)
  • user authentication/authorization (IUA)
  • Consistent Time (CT)
  • Secure Retrieve https://wiki.ihe.net/index.php/Secure_Retrieve
See the following section in the IHE HIE whitepaper: https://profiles.ihe.net/ITI/HIE-Whitepaper/index.html#7-security-and-privacy

End-to-End security

IHE provides two solutions for End-to-End Security, where End-to-End security enables an ultimate consuming system to confirm security of data regardless of the pathway the data took.

SOAP end-to-end security -- In this model the communications of the medical sensitive data are protected for confidentiality, integrity, and availability using WS-Security or AS4 security. This model is well suited when Intermediaries are needed to support cross-border policies. The AS4 configuration is mandated in the EU for cross-border flows.
  • The WS-Security model is integrated into the XDS/XCA/XCPD infrastructure as a named option
  • The AS4 Option is defined in a Trial Implementation supplement 
Document Encryption (DEN) and Document Digital Signatures (DSG) -- In this model the document may be protected from the source to the ultimate destination using Document Encryption and Document Digital Signatures. This model does not require a single transport type, such as XDS or XCA end-to-end.
  • The Document Digital Signature (DSG) would protect the document regardless of the transitions between transports, using Digital Signature standards. The DSG standard is normative. The DSG profile can sign any kind of document including CDA and FHIR-Documents. The DSG profile includes support for signatures, counter-signatures, and co-signatures.
    • https://profiles.ihe.net/ITI/TF/Volume1/ch-37.html
  • The Document Encryption (DEN) would protect the document for confidentiality. The DEN standard is Trial-Implementation, based on highly used encryption standards. The DEN profile can encrypt any kind of document including CDA and FHIR-Documents. The DEN profile includes encryption methods using Digital Certificate and Password. The DEN profile can also encrypt XDM content.
    • https://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_Suppl_DEN.pdf 
Importantly, DEN and DSG can be used together or independently. Where only Digital Signature is needed, one would only use DSG.