Digital Trust

Healthcare PKI in Denmark

October 2, 2009

In this post, I muse on Denmark’s implementation of a country-wide system for secure, up-to-date sharing of EMRs and patient identity federation. But I primarily want to share a few links for those interested in what they are doing:

A Cute Introduction

Last week Barack Obama visited Copenhagen to support his home city’s bid to have the 2016 Olympics hosted in Chicago. Later this year the U.S. President will meet with international leaders in Copenhagen for a UN summit, negotiating the successor to the Kyoto protocol.

In U.S. political news, the international happenings in Denmark have offered a nice break from the ongoing, rancorous national debate over reforming the U.S. health care system. Political events have stirred a broader conversation about the overall state of American health care, such as the cost and effectiveness of the current system. In a moment of free association, the events in Denmark reminded me of some interesting things about that nation’s health care system: the Danes are rather progressive—no, not because they’ve socialized it, I’ll leave that matter entirely aside—in regard to their health care IT infrastructure.

What is Denmark Doing?

Denmark’s system is interesting so I’ll share what I’ve learned of the nation’s overall approach to health care IT and, in greater detail, discuss their implementation of PKI.

There are many Danish organizations involved with the reform of health care IT. Foremost are MedCom, the Danish Centre for Health Telematics, which is the coordinating organization for health care in Denmark and manager of the Danish Health Data Network; the National Board of Health for Denmark, which developed the data model and terminology server for the system and leads the country’s overall health IT strategy; and the Ministry of Science, Technology and Innovation (MVTU), which develops most of Denmark’s technical standards and recommended a standard for Service-Oriented Architecture (SOA) identity federation to be used in various Danish systems.

The National Board of Health’s stated goal for the reformed system was “to provide a connected health care sector in which health professionals have access to all relevant EHR data regardless of where citizens seek treatment and no matter where or when this information was registered.” Lofty, indeed [1]. Unlike most countries, though, Denmark has robust broadband access in most of the country, and most general practices and hospitals already use electronic medical records (EMRs). The National Board of Health knew it would need to implement a nationwide SOA for the secure web sharing of data.

Implementation of PKI

Denmark built its PKI on top of its existing virtual private network (VPN) architecture, which is made available to all health care providers in the country and was already in use by many for remote collaboration. At the behest of MVTU, SAML was selected as the framework for identity federation and the exchange of authentication assertions. Health care professionals are issued a DanID, an X.509 certificate from the Danish OCES CA. The following steps explain how authentication is performed between Danish health systems [2]:

  1. The user authenticates as part of login to the local EHR system, and a digitally signed SAML assertion is created.
    - This is a SAML security token, referred to as a virtual health professional identity card.
  2. A direct request is made to a central security token service (STS), which checks the validity of the local system’s digital signature, the user’s signature, certificate validity and revocation status, and core certificate attributes [3].
  3. The STS signs the SAML token and sends a response to the local system.
  4. The SAML security token can be used until it expires (after 24 hours).
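The four-step exchange above, modelled as an added example (not code from the Danish project or the cited paper): a local EHR system issues a signed assertion, the central STS checks the issuer’s signature, the user’s signature, certificate validity and revocation, and the core attributes, then countersigns with a 24-hour lifetime that any relying system can check. HMAC keys stand in for the X.509 key pairs and XML signatures; the issuer registry, certificates, revocation list and attribute names are constructed.

```python
import hashlib
import hmac
import json

# Constructed trust data held by the central security token service (STS).
# HMAC keys stand in for the X.509 key pairs of the real deployment.
LOCAL_SYSTEM_KEYS = {"ehr.hospital-a.example": b"local-system-a-key"}
USER_CERTS = {  # certificate serial -> key and end of validity period (constructed)
    "cert-0017": {"key": b"user-17-key", "not_after": 1_800_000_000},
    "cert-0042": {"key": b"user-42-key", "not_after": 1_800_000_000},
}
REVOKED_USER_CERTS = {"cert-0042"}                     # constructed revocation list
REQUIRED_ATTRS = ("cpr", "authorisation_id", "role")  # assumed "core attributes"
STS_KEY = b"sts-signing-key"
TOKEN_LIFETIME = 24 * 3600                             # tokens expire after 24 hours

def sign(payload: dict, key: bytes) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(payload: dict, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(payload, key), sig)

def local_login(issuer, user_serial, attrs, issuer_key, user_key, now):
    """Step 1: login to the local EHR yields a signed assertion, the
    'virtual health professional identity card'."""
    assertion = {"issuer": issuer, "user": user_serial, "attrs": attrs, "issued": now}
    return {
        "assertion": assertion,
        "user_sig": sign(assertion, user_key),      # stands in for the user's DanID signature
        "issuer_sig": sign(assertion, issuer_key),  # stands in for the local system's signature
    }

def sts_issue(request, now):
    """Steps 2 and 3: the STS checks the local system's signature, the user's
    signature, certificate validity and revocation, and the core attributes,
    then countersigns. Returns (signed_token, status)."""
    a = request["assertion"]
    issuer_key = LOCAL_SYSTEM_KEYS.get(a["issuer"])
    if issuer_key is None or not verify(a, request["issuer_sig"], issuer_key):
        return None, "untrusted or invalid local system signature"
    cert = USER_CERTS.get(a["user"])
    if cert is None or not verify(a, request["user_sig"], cert["key"]):
        return None, "invalid user signature"
    if now >= cert["not_after"]:
        return None, "user certificate expired"
    if a["user"] in REVOKED_USER_CERTS:
        return None, "user certificate revoked"
    missing = [k for k in REQUIRED_ATTRS if k not in a["attrs"]]
    if missing:
        return None, "missing core attributes: " + ", ".join(missing)
    token = {"assertion": a, "not_on_or_after": now + TOKEN_LIFETIME}
    return {"token": token, "sts_sig": sign(token, STS_KEY)}, "ok"

def relying_system_accepts(signed, now):
    """Step 4: a health system in the federation accepts the token on the
    STS signature alone, until the token expires."""
    token = signed["token"]
    return verify(token, signed["sts_sig"], STS_KEY) and now < token["not_on_or_after"]

if __name__ == "__main__":
    now = 1_700_000_000
    attrs = {"cpr": "000000-0000", "authorisation_id": "A0000", "role": "physician"}  # constructed
    req = local_login("ehr.hospital-a.example", "cert-0017", attrs,
                      LOCAL_SYSTEM_KEYS["ehr.hospital-a.example"],
                      USER_CERTS["cert-0017"]["key"], now)
    signed, status = sts_issue(req, now)
    print(status, relying_system_accepts(signed, now + 3600),
          relying_system_accepts(signed, now + TOKEN_LIFETIME))
```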


I’m not sure what plans Denmark has for the authentication of everyday citizens to health care services and portals [4]. The foundations are certainly in place. The infrastructure for the clinical exchange of medical records, which uses the Danish Central Person Registry (CPR) number, provides a unique identifier for all patients in the country. Sundhed.dk is a public portal for Danish citizens where patients can access some of their health information, receive online consultation, schedule health services, and renew prescriptions and treatments. While Denmark does not issue electronic ID cards, each citizen is given a digital certificate, which is derived automatically from that citizen’s CPR number. With a combination of these parts, each Danish citizen could use their digital certificate for authentication to sundhed.dk and for the signing of health documents.

Lessons from Denmark’s System?

What can be learned from Denmark? Well, one could try to point out the things Denmark has done right, as Gartner did in their study, in findings that will seem either self-evident or made up: Denmark used a “[g]radual approach with realistic time frames”; they gave “incentives to vendors”; they used a “project-based approach”; they “[kept] an appropriate balance between central coordination and local leadership”; and the country has a “culture of consensus”.

As all observers have pointed out, it’s too early to tell what improvements the reformed IT system has made. What Denmark seems to have done right is to start with a basic but sound architecture that makes use of existing infrastructure and technologies. They have similarly worked to make the systems simple, affordable, and feasible for all of the country’s health providers, using open standards and technologies.

Beyond the broader success of the program, I was interested to understand how adoption and use of the PKI has gone. But it seems too early to ascertain the problems with the reformed system or to understand the parts of the system that will need to be improved. From TrustBearer’s perspective, we are interested in problems experienced while deploying and using PKI: issues such as interoperability between relying systems, certificate policies, certificate validation and renewal, distinguishing between levels of identity assurance, and usability for end-users. I could not find much information on these issues in the Danish system, so this will be a topic for future blog posts. One thing of note was that developers involved in the Danish project found some things lacking in the SAML/XML schema, because it was not possible to express certain types of requirements and policies as part of an authentication/authorization assertion [5]. (This is related, rather loosely, to a problem TrustBearer was trying to solve in another context, signifying the strength of an authentication method in the OpenID Provider Authentication Policy Extension.)

1. A Federation of Web Services for Danish Health Care

2. As outlined in A Federation of Web Services for Danish Health Care.

3. Exchange of tokens over SOAP. http://docs.oasis-open.org/ws-sx/ws-trust/v1.3/ws-trust.html

4. There is at least one pilot of software-certificate-based PKI access for outpatients. http://nortelemed.custompublish.com/healthnets-and-new-services-electronic-patient-records.47966-5213.html?id=48665&cat=5385

5. http://www.ecom.jp/report/Study_on_PKI_2006_in_EUROPE-FINAL.pdf


Recap of the August 2009 Government Smart Card IAB Meeting

September 28, 2009

It’s been a while. I’ve had a few posts queued up to write, and this was one of the first. I try to attend the IAB meetings when possible, but this past August meeting was the first that I’ve been to since March. As most people in our niche identity and smart card government industry know, these meetings are a good opportunity to catch up with colleagues and hear updates about progress at various agencies. I think all future IAB meetings should be hosted at the American Institute of Architects’ second-floor conference room. The concentric circle seating layout with desks is excellent.

Slides and audio from the afternoon’s presentations are available from FIPS 201.com. (Thanks, Avisian.)

This August’s meeting kicked off with a wholehearted update from USDA’s Owen Unangst. Owen started with a historical overview of USDA’s Identity and Access Management Vision. I liked his inverted pyramid diagram that outlined this vision. Everything begins at the base with Identity. Identity existed long before HSPD-12 was announced. HSPD-12 mainly addressed the second layer, Credentials, with the PIV specification. USDA has been busy implementing the Accounts, Authorization, and Access Control layers atop credentials. It’s impressive that they’ve made progress with both logical and physical access systems, and that these two historically disparate systems appear to be tightly integrated. I also found it interesting that the topmost layer, Application Integration, is only in the earliest planning stages. Implementation is far from complete.

My biggest take-away from Owen’s presentation was the method and time that went into each of their strategic planning cycles. While a lot of this is classic PMP material, what was interesting is that Owen said one of these cycles (Business Requirements Analysis, Gap Analysis, Portfolio Selection, and Portfolio Assessment) should never take more than three months. The output of a cycle is a business case, roadmap, architecture, and project plan. Three months should be more than enough time to make a decision and lay out a plan to execute it. In my mind, this is why USDA will be successful in implementing their Identity and Access Management vision.

Tim Baldridge of NASA followed Owen’s talk. Tim gave a brief presentation about how a single PIV card will eventually be trusted across multiple domains and agencies, not just by the agency that issued the card. Today, some individuals are being issued cards from each domain to which they need access. Tim used the example of a doctor from HHS who has both an HHS and a DoD PIV card. Federal PKI trust anchors such as the Common Policy (Federal Root CA) and Federal Bridge CA (FBCA) will provide the technical infrastructure that enables this to happen. There is still quite a bit of work to be done here, but it’s good to see that it is on the radar of leaders in the HSPD-12 space. By the October IAB meeting, Tim hopes to be able to demonstrate certificate interoperability in person. I’m looking forward to seeing this demonstration.

Bill MacGregor, an IAB regular from NIST, gave status updates on a few projects and publications. The NIST SP 800-73-3 draft is open for public comment (actually, it looks like comments were due on 13 September). This isn’t a huge update to 800-73. It looks like there are some good things for PIV-Interoperable cards (a UUID definition consistent with the NFI spec), and also some card lifecycle material, such as “on-card retention of historical keys”. The important news is that this update should have no impact on already-issued cards.

NIST also has released an Interagency Report on the Use of ISO/IEC 24727 (NIST IR 7611). ISO/IEC 24727 helps desktop applications discover and talk to the growing number of types of identity smart cards. In the introduction of NIST IR 7611, the Transportation Worker Identity Credential is noted as similar to but technically different from a PIV smart card. “The ISO/IEC 24727 framework allows any client-application to communicate with any card-application.” The document describes the structure of the NIST-developed 24727 middleware stack that was built to communicate with PIV cards. Much of this work was based on the existing NIST PIV middleware demo. If possible, the source code will be released. What does “if possible” mean, Bill? Interesting stuff for folks like us.

Bill then offered a reminder in light of some recent press about RFID skimming: “Are they talking about PIV?” Probably not. Not all RFID skimming is the same, and not everything can be skimmed. He suggests re-reading SP 800-116, Section 4 and Appendix A, to help decide the right authentication assurance level. For example, if you’re just reading the CHUID from a card, you don’t have very high assurance that the card was not copied. Verify the CHUID signature, or, even better, perform a mutual challenge-response with the card to have much higher assurance that it was not copied.
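The three assurance levels Bill contrasts, as an added example that is not from NIST or the presentation: a reader that only compares the free-read CHUID, one that also verifies the issuer’s signature over it, and one that additionally runs a mutual challenge-response. HMAC stands in for the asymmetric signatures of a real PIV card (the issuer key, the card’s authentication key, and the reader’s credential are constructed), and the card’s key on file at the verifier stands in for the public key in the card’s certificate.

```python
import hashlib
import hmac
import os

# Constructed keys. HMAC stands in for the asymmetric signatures of a real PIV
# deployment: ISSUER_KEY for the issuer's CHUID signing certificate, a card's
# auth_key for its PIV authentication key pair, READER_KEY for the reader's
# credential in the mutual step.
ISSUER_KEY = b"issuer-signing-key"
READER_KEY = b"reader-key"

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class Card:
    """A card (or a copy of one) as seen by a reader: free-read data objects
    plus, for a genuine card only, a private key it never releases."""
    def __init__(self, chuid: bytes, chuid_sig: bytes, auth_key):
        self.chuid, self.chuid_sig, self.auth_key = chuid, chuid_sig, auth_key

    def respond(self, challenge: bytes) -> bytes:
        if self.auth_key is None:        # a copy has the data but not the key
            return b""
        return mac(self.auth_key, challenge)

    def verify_reader(self, nonce: bytes, reader_response: bytes) -> bool:
        return hmac.compare_digest(mac(READER_KEY, nonce), reader_response)

def issue_card(chuid: bytes, auth_key: bytes) -> Card:
    """The issuer personalises a card; the CHUID is signed so tampering is detectable."""
    return Card(chuid, mac(ISSUER_KEY, chuid), auth_key)

def chuid_only(card: Card, expected_chuid: bytes) -> bool:
    """Lowest assurance: compare the free-read CHUID with the access list."""
    return card.chuid == expected_chuid

def chuid_signed(card: Card, expected_chuid: bytes) -> bool:
    """Better: also verify the issuer's signature, which rejects a fabricated
    CHUID but not a faithful copy of a real card's data objects."""
    return (chuid_only(card, expected_chuid)
            and hmac.compare_digest(mac(ISSUER_KEY, card.chuid), card.chuid_sig))

def mutual_challenge_response(card: Card, expected_chuid: bytes, card_key_on_file: bytes) -> bool:
    """Highest assurance here: the card must answer a fresh challenge with its
    private key, and the reader answers the card's challenge in turn."""
    if not chuid_signed(card, expected_chuid):
        return False
    challenge = os.urandom(16)
    if not hmac.compare_digest(mac(card_key_on_file, challenge), card.respond(challenge)):
        return False
    card_nonce = os.urandom(16)
    return card.verify_reader(card_nonce, mac(READER_KEY, card_nonce))

def assurance_levels(card: Card, expected_chuid: bytes, card_key_on_file: bytes):
    """Which of the three checks a presented card passes."""
    return (chuid_only(card, expected_chuid),
            chuid_signed(card, expected_chuid),
            mutual_challenge_response(card, expected_chuid, card_key_on_file))

if __name__ == "__main__":
    chuid, key = b"CHUID:FASC-N 0000-0000", b"card-private-key"   # constructed
    genuine = issue_card(chuid, key)
    clone = Card(genuine.chuid, genuine.chuid_sig, None)  # data objects copied, no key
    forged = Card(chuid, b"\x00" * 32, None)              # made-up data, no valid signature
    for name, c in [("genuine", genuine), ("clone", clone), ("forged", forged)]:
        print(name, assurance_levels(c, chuid, key))
```

Only the genuine card passes all three checks; the copy passes the first two, which is why reading and even verifying the CHUID alone gives limited assurance.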

Chris Lounden finished the day by giving an update on what GSA’s ICAM group has been up to. He spoke about the ICAM’s goals of making Government more transparent to citizens by making it easier to access government websites and leveraging various Web 2.0 technologies. Chris made it very clear that the ICAM’s current focus is on portable identity for non-PKI, OMB Level of Assurance 3 and below. The concepts introduced are not attempting to redefine or replace what PIV or CAC provide. When implemented correctly, applications can reach a Level of Assurance 4 with PIV or CAC.

ICAM’s approach to allowing portable citizen identities in the federal government is to “Adopt technologies in use by industry (Scheme Adoption)” and “Adopt industry Trust Models (Trust Framework Adoption)”. To assist in Scheme Adoption, ICAM is developing Identity Scheme profiles for OpenID, Information Card, and SAML (WS-Federation is to follow). To assist in Trust Framework Adoption, ICAM has published the “Federal ICAM Trust Framework Provider Adoption Process” on IDManagement.gov. The big deal here is that participation is expected from InCommon, the OpenID Foundation, Information Card Foundation and Liberty Alliance / Kantara.

This is old news now, but ICAM and the participating bodies mentioned above made a big splash about this earlier in the month at the Gov 2.0 conference. I’ll be sharing my thoughts on Open Identity for Open Government in an upcoming blog post. As mentioned at the beginning of the post, all of the presentations (which I have referenced heavily) and audio recordings from the IAB meeting are available on FIPS 201.com. I look forward to seeing more familiar faces next month at the in-person IAB meeting at the Smart Card Alliance’s Smart Cards in Government conference (Oct. 27-30).


Zittrain on Privacy and Security in the Chrome OS

July 21, 2009

What happens to consumers’ privacy and security when the web is their operating system?

In the New York Times this week, Jonathan Zittrain, professor of Internet Law at Harvard Law School, co-director of the stopbadware.org effort, and author of The Future of the Internet—and How to Stop It, offers a forward-looking, non-technical review of the Google Chrome OS, which was officially announced last week.

Many people consider this development to be as sensible and inevitable as the move from answering machines to voicemail. With your stuff in the cloud, it’s not a catastrophe to lose your laptop, any more than losing your glasses would permanently destroy your vision. In addition, as more and more of our information is gathered from and shared with others — through Facebook, MySpace or Twitter — having it all online can make a lot of sense.

The cloud, however, comes with real dangers.

Zittrain's 2008 book about the transformation of PCs to portable, web appliances.

The danger Zittrain foresees is manifold. As he expressed in The Future of the Internet, Zittrain worries that we-as-users will hastily adopt portable, ‘connected’ computers, like Apple’s iPhone, potentially forgoing much of the software and services offered by today’s Internet.

To further facilitate glitch-free operation, devices are built to allow no one but the vendor to change them. Users are also now able to ask for the appliancization of their own PCs, in the process forfeiting the ability to easily install new code themselves. In a development reminiscent of the old days of AOL and CompuServe, it is increasingly possible to use a PC as a mere dumb terminal to access Web sites with interactivity but with little room for tinkering. (“Web 2.0” is a new buzzword that celebrates this migration of applications traditionally found on the PC onto the Internet. Confusingly, the term also refers to the separate phenomenon of increased user-generated content and indices on the Web—such as relying on user-provided tags to label photographs.) New information appliances that are tethered to their makers, including PCs and Web sites refashioned in this mold, are tempting solutions for frustrated consumers and businesses.

But we have to expect that the Chrome OS will be a fundamentally open system, allowing users to install any software and get pretty much anywhere on the web. The danger with the Chrome OS, in Zittrain’s view, is then more an issue with the current state of the internet: the Internet was not designed with privacy and security in mind:

Some [dangers] are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody as a compact disc or an MP3 file on your hard drive, you can lose your music if you fall behind on your payments — or if the vendor goes bankrupt or loses interest in the service. Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book reader: some purchasers of Orwell’s “1984” found it removed from their devices, with nothing to show for their purchase other than a refund. (Orwell would be amused.)

Worse, data stored online has less privacy protection both in practice and under the law. A hacker recently guessed the password to the personal e-mail account of a Twitter employee, and was thus able to extract the employee’s Google password. That in turn compromised a trove of Twitter’s corporate documents stored too conveniently in the cloud. Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password.

Thanks in part to the Patriot Act, the federal government has been able to demand some details of your online activities from service providers — and not to tell you about it. There have been thousands of such requests lodged since the law was passed, and the F.B.I.’s own audits have shown that there can be plenty of overreach — perhaps wholly inadvertent — in requests like these.

Now, Zittrain points out that consumer laws can regulate many of these sorts of problems. But he’s arguing that the gatekeepers of the net (i.e. Microsoft, Amazon, Google) will improve security and privacy for only select applications, leaving the rest of the web in the dust.


Emerging Technology Presentation from CTST

May 7, 2009

Earlier this week I gave a presentation on an Emerging Technology panel at Card Tech Secure Tech (CTST) in New Orleans. Much of the content was taken from the Virginia Security Summit presentation given a week prior, but I elaborated on using smart cards for strong authentication. A couple of the slides got into using digital certificates to prove someone’s “real” identity to a relying party using OpenID extensions and digital certificate path discovery & validation.

Where do we go from here? I would like to see some of the identity verification concepts that I touched on in the presentation be tested in a pilot. There are also opportunities here to evolve the OpenID specs and extensions, such as PAPE. TrustBearer would like to continue this discussion and explore some pilot ideas. Contact me if you are interested.


The TrustBearer Roadshow Moves from San Francisco to New Orleans

May 1, 2009

Last week TrustBearer was at the RSA Conference. Next week, we will be in New Orleans, at Card Tech Secure Tech 2009: The Americas (CTST).


We had a righteous time at RSA. We showed off our latest engineering accomplishments. We had a party, sponsoring poker tables at Verisign’s casino night. And we observed the apparent themes of this year’s conference.

Overheard, here and there, in the Moscone Center at the RSA conference was an adage—something like “nothing is new at such an industry conference”. You could also add that the difference between a new technology and one that is re-packaged to look new is hard to distinguish.

At RSAC, there were many product claims contemporaneous with the world we live in. For several years now, many companies have bragged about the ‘greenness’ of their products. This year, adapting to economic realities, many businesses have marketed their products as pedestrian and cost-effective—the latter, a trusted stand-by for marketers. There was also a natural swarm of companies towards health care and government verticals due to presidential directives, economic stimulus packages, and the admission that these are more vibrant parts of the current economy.

Just as with economic factors, broader technological trends have found a place in the messaging of security and identity companies. There is virtualization, for one. Consider also smart phones and mobile communications. There were dozens of companies at RSA showing mobile products; several of these are singularly devoted to two-factor authentication with mobile phones. Perhaps the most pervasive marketing meme, in this regard, was the talk of cloud computing and services—“security in the cloud”.

You might say ‘TrustBearer is Moving PKI to the Cloud’

With anxiety, I write that we’re moving PKI to the cloud in order to improve credential management and end-user authentication. But this is a tiresome, clichéd way to say it.

A core philosophy of TrustBearer products is the simplification of using credentials with PKI. We use modern web technologies, what you might call Web 2.0 or cloud services, to achieve this. However, the principle of our approach is actually to relocate the gears of PKI from the client to a dynamic, centrally managed service. We want to free the end-user of PKI from burdensome tasks and decisions.

What’s New

Our latest products and features continue to simplify the issuance, management, usage, and renewal of identity credentials. At RSA, we showed how we’ve integrated TrustBearer technology with Verisign Managed PKI to improve the user experience:

Improved Installation
We’ve reduced the steps required to install our cross-platform browser add-on. The installation does not require administrative rights and does not require the browser to be restarted, or even refreshed.

2-Click Issuance; 0-Click Renewal
With two clicks, users are issued a PIN-protected, federally-validated certificate, which is linked to an existing account for two-factor authentication.


When a certificate is going to expire, it can be auto-renewed. This is managed by a policy, but in the simplest sense a user’s certificate is automatically updated, without user interaction.


The case of renewal illustrates the work we’ve been doing to make PKI easier to administer. At the server, TrustBearer provides a central place to manage policies for keys; certificate issuance and renewal; whitelisting and blacklisting authentication factors (e.g. software tokens); and delegating trust.

Newly Supported Devices
We now support Trusted Platform Modules, a built-in crypto-processor on almost all business PCs. We’ve also developed a software token, encrypted with AES-128 or AES-256, for users that don’t have a hardware token.

If you are interested in a demo, contact us.
