Wednesday, July 14, 2010

Healthcare use of Identity Federation

These are exciting times in Identity Federation. I have written about Identity Federation as a critical technology in "Federated ID is not a universal ID". Specifically, I think that SAML is a particularly useful protocol for Identity Federation for the purpose of identifying users requesting cross-enterprise transactions. This is specifically the purpose behind the IHE Cross-Enterprise User Assertion Profile. This profile does not fully leverage all of the power of SAML, but tries to constrain SAML just enough to get Healthcare going at using this technology. IHE is now extending this profile with some more attributes about the user, specifically adding a descriptive string for the user, their organization, the identifier of their organization, their National Provider Identifier, and such. It is also adding their role and the purpose of their request, values that might be used for access control and/or audit logging (such as I describe in Accountability using ATNA Audit Controls).
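As an added illustration (not code from IHE or from this blog), here is how a receiving system might pull those user attributes out of a SAML AttributeStatement and turn them into a deny-by-default access decision plus an audit entry. It assumes the assertion's signature, issuer and validity period were already verified upstream; the attribute Name URNs, the required-attribute policy and all sample values are assumptions or constructed.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Attribute Name URNs are assumptions here; confirm them against the IHE profile text.
XUA_ATTRS = {
    "urn:oasis:names:tc:xspa:1.0:subject:subject-id": "user",
    "urn:oasis:names:tc:xspa:1.0:subject:organization": "organization",
    "urn:oasis:names:tc:xspa:1.0:subject:organization-id": "organization_id",
    "urn:oasis:names:tc:xspa:2.0:subject:npi": "npi",
    "urn:oasis:names:tc:xacml:2.0:subject:role": "role",
    "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse": "purpose",
}
REQUIRED = ("user", "organization_id", "role", "purpose")  # hypothetical local policy

def build_statement(values):
    """Build a constructed AttributeStatement (sample input only)."""
    names = {v: k for k, v in XUA_ATTRS.items()}
    body = "".join(
        f'<s:Attribute Name="{names[k]}"><s:AttributeValue>{v}</s:AttributeValue></s:Attribute>'
        for k, v in values.items())
    return f'<s:AttributeStatement xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion">{body}</s:AttributeStatement>'

SAMPLE = build_statement({  # constructed values, not real identifiers
    "user": "Dr. Jane Example", "organization": "Example Clinic",
    "organization_id": "urn:oid:1.2.3.4.5", "npi": "0000000000",
    "role": "physician", "purpose": "TREATMENT"})

def extract_xua(xml_text):
    """Return the profile attributes, insisting on exactly one value each."""
    found = {}
    for attr in ET.fromstring(xml_text).iter(NS + "Attribute"):
        key = XUA_ATTRS.get(attr.get("Name"))
        if key is None:
            continue  # attribute outside this sketch's scope
        vals = [v.text.strip() for v in attr.findall(NS + "AttributeValue") if v.text and v.text.strip()]
        if len(vals) != 1 or key in found:
            raise ValueError(f"expected exactly one value for {key}")
        found[key] = vals[0]
    return found

def decide_and_audit(xml_text, allowed_purposes):
    """Deny by default; return a dict usable as an audit log entry."""
    attrs = extract_xua(xml_text)
    missing = [k for k in REQUIRED if k not in attrs]
    if missing:
        outcome, reason = "deny", "missing " + ",".join(missing)
    elif attrs["purpose"] not in allowed_purposes:
        outcome, reason = "deny", "purpose not allowed"
    else:
        outcome, reason = "permit", "ok"
    return {"outcome": outcome, "reason": reason, **attrs}
```

Rejecting repeated or empty attributes matters because a policy engine and an audit logger that each pick a different value for the same attribute would record one role while enforcing another.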

There is also the recent release from the White House of "The National Strategy for Trusted Identities in Cyberspace". From my read of this, their goals are in the right place, they do seem to understand the potential misuse, and they do seem to understand that the only way we can move forward today is to force the issue. This force is not to force a solution, but rather to force the discussion and encourage specific reasonable use-case developments. I think that Healthcare could be a very useful use-case, inclusive of Health Information Exchanges (HIE) and Personal Health Records (PHR). My biggest concern with this initiative is that they seem to be leaning toward a Certificate (PKI) based solution, and may not see the power of SAML.

There have been many articles and blogs that discuss the issues, solutions, benefits, and risks. I have specific concerns around any mandate; I certainly recognize that any one human truly does have many identities and has good reason to make sure that some of these identities are never cross-referenced. I understand that the White House initiative is not looking to a nationwide mandate on all citizens, but rather wants an open discussion to help inform how the federal government continues to evolve its use of trusted identities in cyberspace; essentially they understand that first they must 'eat their own dog food'. This is a good approach, but they must recognize that the federal government infrastructure hits upon the non-federal infrastructure in many ways. For Healthcare this is very specifically the HIE.

There are some other solutions that are getting lots of press, and well-deserved attention. Keith Boone blogged about his success at leveraging the OpenID mechanism to allow him to offload the user account management (including provisioning, de-provisioning, and such) from his purpose for having an internet-present service. OpenID is a good tool to get started in this topic. OpenID's very low barrier to entry is very helpful, and the ability to offload the user account management is a big plus. It is, however, not as formal on how to carry attributes and authorization decisions. This is not a good excuse to not start with OpenID.

I think the power of how OpenID and SAML can be used together is shown by a Clinical Trials project that Medtronic was involved with. Their solution is documented nicely on Kim Cameron's Identity Blog. This is a project that offered its solutions to open source and used both OpenID and SAML, each when it was the right tool to use. This is the kind of Healthcare use-case that I think should be encouraged by the White House initiative.