Trust and Assurance Models

From IHE Wiki


1. Proposed Workitem: Trust and Assurance Models

  • Proposal Editor: Financial Services Technology Consortium and HIMSS
  • Editor: N/A
  • Date: N/A (Wiki keeps history)
  • Version: N/A (Wiki keeps history)
  • Domain: IT Infrastructure

2. The Problem

The healthcare and financial industries share a business and a regulatory requirement to maintain the security and privacy of identity-related data. While the regulatory regimes for these industries are separate and distinct, they place similar requirements across industries to address the risks of conducting business with personal information. There is a trend towards deeper integration of public key techniques and digital identities into e-commerce solutions to comply with regulatory requirements. However, a number of issues limit the effectiveness of these technologies and often make them cumbersome and costly to implement and manage. For example, financial institutions, healthcare providers/payors, consumers and patients are confronted with a diversity of digital identities of varying confidence levels that operate under differing standards, rules and procedures governing the identity. Too often the implementation is tightly embedded in customized applications, making it difficult to enforce a common set of principles and technical standards that could deliver varying degrees of identity assurance (such as authenticating that you are at a trusted website; that the person you are providing medical decisions and advice to is the correct individual; that the electronic records being presented are authentic and binding). This lack of a standard set of processes and rules increases compliance process costs for these industries, and inhibits connectivity and the interoperable exchange of data among industry providers, patients and customers, partners and suppliers. These cost inefficiencies and the lack of uniform policies, processes and rules also inhibit the wider application of technology, resulting in a complex, unfamiliar, and painful user experience, limitations in service adoption, the potential exposure of sensitive information, and the lack of effective solutions to electronic threats.
They also inhibit the introduction of future Web 2.0 applications and service-oriented architectures that are built on distributed trust models.

3. Key Use Case

[need to expand and explain, but this is one core use case] Common trust models to allow for the sharing of digital credentials across the healthcare and financial services industries and provide secured access and use of industry-regulated information.

4. Standards & Systems

Public key infrastructure-based and SOA-based systems supporting identity authentication and data sharing applications within and between the financial and healthcare services industries. Applications include those at the infrastructure level (e.g., file transfer and database access) and those at the user level (e.g., payments).

IETF, W3C, ISO TC68, ISO TC215

5. Discussion

The FSTC and HIMSS/IHE have a unique opportunity to collaborate on the challenge of identity assurance and secure data sharing for the financial and healthcare industries. Cross-industry collaboration is necessary in recognition of the fact that:

• Identity assurance functions are not productively confined to a single industry
• Levels of assurance in particular, and the metrics for determining whether a given level of assurance is acceptable, may have many common attributes across these industries
• Both industries share existing trusted relationships and regulatory responsibilities for the protection of sensitive information
• PKI technologies are core to existing industry infrastructures
• Identity assurance interoperability is desirable across identity producers and identity consumers to realize the cost/efficiency benefits
• Cybercrime threats are common to both

The goal of this effort would be to develop common trust models that allow the sharing of digital credentials across the healthcare and financial services industries and provide secured access to and use of industry-regulated information. Business opportunities are available as the financial and healthcare industries leverage their strengths and needs to deliver cross-industry solutions.