IHERO UseCase User Authentication

From IHE Wiki

1. Proposed Workitem: User Authentication and Authorization

  • Proposal Editor: C.Field
  • Editor: C.Field
  • Date: N/A (Wiki keeps history)
  • Version: N/A (Wiki keeps history)
  • Domain: Radiation Oncology and IT

2. The Problem

User Authentication (e.g. username and password) is becoming increasingly difficult to manage, both for users, who are required to have multiple usernames and passwords for a variety of systems and applications, and for administrators, who must maintain these various systems and applications.
User Authorization is the assignment of privileges allowing the user to perform certain functions (e.g. calculate dose, override an interlock, generate a CT scan). The assigned privileges depend upon the authenticated user and the system or application being accessed. The granularity of these functions is very poorly defined and is not standardized across systems.

3. Key Use Case

The problem: A radiation therapist comes in to work and turns on the treatment workstation computer: username1/password1 is required. Another general purpose computer is turned on: username2/password2 is required. A treatment application (e.g. scheduling, charting, …) is started up: username3/password3 is required. The first patient is treated and an interrupt occurs: username4/password4 is required to clear the interlock. The user switches to the general purpose computer to read email: username5/password5 is required. During the day, the therapist moves to another treatment unit to cover coffee breaks and must clear another interlock: username6/password6 is required.

The solution: The radiation therapist arrives at each workstation and either scans a fingerprint, iris, or ID card, or provides a username/password, and is identified by a user authentication / authorization server. This system either grants or denies the ability to perform specific tasks on requested systems and applications depending upon the authenticated user. Backup (or distributed) authentication / authorization servers are required in case the primary server fails.
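
A minimal sketch of the decision flow described above, as an added example that is not part of the original proposal or of any IHE profile. The user is assumed to be already authenticated, and the server names, user IDs, systems and function names are constructed for illustration. A denial from a reachable server is final; only an unreachable server triggers failover, and if no server answers the request is denied.

```python
from dataclasses import dataclass


class ServerUnavailable(Exception):
    """Raised when an authentication / authorization server cannot be reached."""


@dataclass
class AuthzServer:
    name: str
    grants: dict          # user id -> set of (system, function) privileges
    up: bool = True       # simulated reachability

    def is_allowed(self, user, system, function):
        if not self.up:
            raise ServerUnavailable(self.name)
        # Privileges depend on both the user and the system being accessed.
        return (system, function) in self.grants.get(user, set())


def authorize(servers, user, system, function):
    """Ask the primary first, then each backup in order.

    Returns (decision, name of the server that answered, or None).
    Fails closed: with no reachable server the task is denied.
    """
    for server in servers:
        try:
            return server.is_allowed(user, system, function), server.name
        except ServerUnavailable:
            continue  # unreachable: try the next server; a denial never gets here
    return False, None


def build_servers():
    """Constructed sample data: one grant table replicated to primary and backup."""
    grants = {
        "therapist1": {("treatment-unit-1", "clear_interlock"),
                       ("treatment-unit-2", "clear_interlock")},
        "physicist1": {("planning", "calculate_dose"),
                       ("treatment-unit-1", "override_interlock")},
    }
    return AuthzServer("primary", grants), AuthzServer("backup", grants)


if __name__ == "__main__":
    primary, backup = build_servers()
    primary.up = False  # simulate failure of the primary server
    for req in [("therapist1", "treatment-unit-2", "clear_interlock"),
                ("therapist1", "planning", "calculate_dose")]:
        print(req, authorize([primary, backup], *req))
```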

4. Standards & Systems

The IHE-IT Enterprise User Authentication (EUA) profile already in place may provide some standards. All systems and applications inside and outside the Radiation Oncology domain could utilize the user authentication / authorization server.

5. Discussion

All existing and new actors, transactions, and profiles would authenticate / authorize with a common authentication / authorization server.

ID systems such as OpenID for web logins, and PGP and other similar products for encrypting and decrypting data, may provide additional ideas.