Secure Retrieve (SeR)

Introduction

This supplement defines new functionalities for an XDS environment with a unique and centralized Access Control system. As a Trial Implementation Supplement, this profile is limited to those deployment models and their policies where a central authorization authority can make complete and definitive decisions, yet support federated identity/authentication. These use-cases specifically mean that neither XDS Document Source nor XDS Document Repository Actors need to have any more fine-grain policies to enforce. The supplement describes how to create a “system of trust” between the actor that can perform Access Decisions (on behalf of Consent Docs, Policies and Creation/Access/Disclosure rules) and XDS Actors that actually store clinical data and documents. Access decisions are often based on metadata (e.g., document types, practiceSetting); therefore the source of truth for metadata (i.e., the XDS Document Registry) is the best place to make the decisions. With the objective to keep the data close to the decision point, the XDS Document Registry in many implementations, is a good candidate to perform access control decisions (Authorization Decisions Manager or Policy Decision Point). In a typical XDS environment, there are many XDS Document Repositories that store documents. These systems are not aware of Consent Documents published by patients, and cannot apply Access/Creation/Disclosure Policies to requests for Document retrieval; then the replication of Access Control functionalities is unfeasible and/or too expensive (due to integration burdens and total cost of ownership). The objective of the Secure Retrieve Profile is the definition of a mechanism to convey Authorization Decisions between XDS Actors, attesting that the reliable Policy Decision Point (PDP) has already made an access decision. The starting requirements/constraints upon which this profile is developed are described below:

• A unique PDP performs access decision for all XDS Document Consumer and all XDS Document Repositories involved in the Affinity Domain.

• XDS Document Repositories cannot manage the whole set of information needed to perform access decisions (XDS Document Repositories are not required to store metadata. If the Repository stores metadata, the metadata might be insufficient to perform an access decision).

• The XDS infrastructure is not fully federated; a clear separation of duties and responsibilities between PDP and XDS Document Repositories is needed (Repositories store clinical documents; PDP evaluates access rights to those contents).

• The XDS Document Repositories must enforce access decision made by the Policy Decision Point.

• A technical pattern that reduces behavioral and transactional changes for the Consumer side is clearly preferred (lower costs for deployment and for security reasons).

This supplement is a standalone profile because it defines a flexible pattern that could be used by any Service Provider that queries for Authorization Decisions already granted by a trusted Authorization Decisions Manager (or PDP). However, the focus is to add Access Control functionalities to the XDS environment. This profile introduces two new actors (Authorization Decisions Manager and Authorization Decisions Verifier) and one new transaction (Authorization Decisions Query). This profile does not describe how Authorization Decisions are performed. However, this profile relies on XACM-SAML framework, so these standards could be good candidates to implement Authorization Requests. This profile describes how a Service Provider (e.g., Document Repository) can discover the existence of Authorization Decisions granted to an entity and for specific documents.

Actors and Transactions