- Number of slides: 104
Digitising Healthcare with XML, HL7 v3 and Web Services
Information Chains in Healthcare
XL User Group Holland / Zorg & ICT Beurs, 18 March 2009
Marc de Graauw, marc@marcdegraauw.com
What we’ll (try to) cover
• Standardisation:
  – AORTA, the Dutch Healthcare Infrastructure
  – HL7 v3, Vocabulary, Identification, Schemas
  – Web Services: SOAP, WSDL, WS-Security
• Truth, Trust and Belief:
  – Authentication
  – Digital Signatures
• Versioning
AORTA, the Dutch Healthcare Infrastructure
[Diagram: AORTA components: HIB (Messaging Services, Patient Registry, Provider Registry, Act Registry); BSN (“Burger Service Nummer”) Registry; UZI (PKI) Registry; Healthcare Information System]
The Netherlands
• “AORTA” is the national backbone
• Healthcare Information Systems at institutions and GPs will be online 24x7
• No clinical data at backbone, only an index of where clinical information resides
• Clinical data stays at the source
• Only possible with dense infrastructure
• Patient, provider registries et cetera
NICTIZ
• (Dutch EHR Standards Organization)
• Timeline
  – Medication File
  – Primary Care Summary
• 2003: start
• 2006: Healthcare Information Broker delivered
• 2006/7: First HIS qualifications
• 2009: General availability
NICTIZ & Dutch Healthcare
• Communication between:
  – Healthcare Provider (GP, hospital etc.)
  – Healthcare Information Broker (HIB)
• HIB provides:
  – index of which parties have patient data
  – no patient data itself
  – messaging services
  – aggregation services
• Health Level Seven version 3 (HL7 v3)
[Diagram: organisations involved. Ministry of Healthcare; NICTIZ, National Institute for ICT in Care; Gov; Healthcare Information Broker; CIBG, Healthcare Professionals Authority; SBV-Z, Unique Person Id Registry Provider; UZI-Register, Healthcare Provider Registry; Market; Hospitals; Healthcare System Suppliers; GPs; Pharmacists; Healthcare Access Providers; Others; Regional Facilities]
AORTA
• all messages go through the healthcare information broker
• three basic patterns:
  – HIS sends message to other HIS, HIB just routes
  – HIS sends message to HIB (mainly for registry updates and queries)
  – HIS queries several other HISs, HIB does registry lookups, accumulates data
[Diagram: the three message patterns between Healthcare Information Systems and the HIB with its Act Registry: Message to HIS; Message to HIB; Query (to multiple HIS)]
UZI Registry
• provide Dutch healthcare PKI standards
• provide and distribute smartcards with private keys
  – to all authorized healthcare institutions
  – to all authorized healthcare personnel
• provide smartcard readers, and necessary software
• publish and maintain certificate revocation lists
• also provides authentication forwarding software
“Burger Service Nummer”
• Unique Id for every Dutch person
• Based on social security number
• Law is amended to permit use in care
• Maintain BSN Registry
• Provide access to registry
  – query for BSN based on name, address, birthdate
  – query for name, address, birthdate based on BSN
  – Web Service
    • direct and through HIB / HL7 v3
HIB (Healthcare Information Broker)
• Routing of messages between HISs
• Act Registry: which HIS has information on which patient for which kind of data
  – add/change/delete Act Information
• Patient Registry (partly gateway to BSN)
• Provider Registry (partly gateway to UZI)
• Collection of query data
• Logging, access control
• VPN based, TCP/IP, HTTP network
Infrastructure example
Actually, it’s not that simple...
Healthcare Information Systems
• Must qualify as “Well Maintained HIS”
  – performance, security, maintenance, uptime etc.
• Implement National Guidelines
• Do logging
• Do local authorizations
HL7 v3, the vocabulary
Just enough HL7
• HL7 version 2: currently used
• HL7 v3:
  – XML based
  – Reference Information Model
• HL7 v3 Message contains:
  – medical payload
  – Trigger Event Wrappers (Query Control etc.)
  – Transmission Wrapper
HL7 v3 Layered Model
[Diagram: protocol stack, from the application down: HL7 Medical Data; HL7 Query Control Wrapper; HL7 Transmission Wrapper; SOAP / Web Services; HTTP, SSL; TCP; lower protocol layers]
HL7 Development Framework (HDF)
[Diagram: HDF process. Steps: Determine scope; Determine parties and processes; Write storyboards; Determine classes, attributes & associations; Restrict domains; Determine state transitions; Determine trigger events; Determine interactions; Determine application roles; Develop R-MIM; Specify HMDs; Determine conformance claims. Artefacts: Spec; Storyboards; Information Model (Class Diagram, State Diagram); Interaction Model (Interaction Diagram); Message Design]
Storyboard
Mrs. Jansen visits pharmacy ‘De Gulle Gaper’ with a handwritten prescription from her GP, Dr. van Beek. The prescription is for 1 tablet of Diazepam 250 mg twice daily, for 4 weeks. The pharmacist at De Gulle Gaper, Dr. Poeder, takes a box with 5 strips of 10 tablets and adds a 6th strip of tablets to it. The total of 60 tablets of Diazepam 250 mg is handed to Mrs. Jansen, including a package leaflet and with the instructions for use (from the GP) on the packaging.
RIM (Reference Information Model)
RIM (Reference Information Model) Backbone
[Diagram: backbone classes Entity, Role, Participation, Act and Act Relationship, linked by 1 to 0..* associations. Entity: Organization, Living Subject, Material, Place, Health Chart. Role: Patient, Guarantor, Healthcare provider, Insurer, Practitioner. Act: Referral, Transportation, Supply, Procedure, Condition Node, Consent, Observation, Medication, Act complex, Financial act]
Medication D-MIM
Interaction diagram
Refinement through ‘Constraints’
XML fragment
Person Healthcare
Person Healthcare
The class Person has the following attributes:
• classCode: PSN (Person), a person (human being)
• determinerCode: INSTANCE, a specific person (individual)
• id: person number
• name: name
• administrativeGenderCode: gender
• birthTime: date of birth (and optionally time)
• deceasedInd: deceased indicator
• deceasedTime: date of death (and optionally time)
• multipleBirthInd: multiple birth indicator
• multipleBirthOrderNumber: multiple birth order number
• maritalStatusCode: marital status
• educationLevelCode: education level
Person Healthcare
The class Person has the following associations:
• 0..1 Employment: occupation
• 0..* ContactParty: contact person(s)
• 0..1 PatientOfOtherProvider: relationship with the GP
• 0..1 Birthplace: place of birth
• 0..* CoveredParty: health insurance(s)
Identification
Identification in HL7
• HL7 v3 datatype Instance Identifier
HL7 in the OID tree
A root OID
• 2.16.840.1.113883 – HL7.org
• 2.16.840.1.113883.2 – HL7 international affiliates
• 2.16.840.1.113883.2.4 – HL7 Netherlands
• 2.16.840.1.113883.2.4.6 – external ids
• 2.16.840.1.113883.2.4.6.6 – AORTA application-ids
• 2.16.840.1.113883.2.4.6.6.1215432 – root node app in hospital X
• 2.16.840.1.113883.2.4.6.6.1215432.4 – prescription number within PIS
Identification in HL7
Schema Issues
Schemas serve multiple masters
• Schemas serve more than one purpose
  – design
  – validation
  – contract
  – code generation
• those purposes often need different Schemas
Schemas serve multiple masters
• design
  + reusability, composability, simplicity
  - performance
• validation
  + performance, strictness, error messages, completeness
  - reusability, composability, simplicity, readability
• contract
  + readability, strictness, completeness
  - performance
• code generation
  + simplicity, readability
  - reusability, composability
The HL7 v3 Schemas
• Let’s look at an example
• Get Person Demographics Query
  – Send in person id
  – Get name, address, birthdate et cetera
The HL7 v3 Schemas
The HL7 v3 Schemas
[Schema inclusion tree for QUPA_101102_V01, flattened, in order of appearance: MCCI_MT000300UV01, COCT_MT040203UV01, COCT_MT150003UV03, COCT_MT030203UV02, MFMI_MT700711, COCT_MT090300UV01, COCT_MT150000UV02, COCT_MT150003UV03, COCT_MT070000UV01, COCT_MT070000UV01, COCT_MT710000UV01, COCT_MT090100, COCT_MT150000UV02, COCT_MT070000UV01, COCT_MT710000UV01, COCT_MT150003UV03, COCT_MT070000UV01, COCT_MT710000UV01, COCT_MT090003, MCAI_MT900001, COCT_MT150003UV03, QUPA_MT101102_V01, QUPA_MT101101_V01]
The HL7 v3 Schemas
• The XML document, though abbreviated, isn’t difficult
  – (SOAP omitted here...)
  – Transmission Wrapper: message-id, creation date
  – Act Wrapper: query issuer etc.
  – Payload: person-id
• The Schema is very simple
  – 5 includes and 1 element
  – but not very readable!
  – the schema inclusion tree is very complex
The HL7 v3 Schemas
• Schemas should be readable
  – tools can solve this
  – but they make you dependent on the tool
• Therefore: flatten the Schemas
  – remove all includes
  – put included schemas where they belong
• For readability: make the Schema resemble the instance
• Readable Schemas generate readable code!
Flatten the Schemas
The HL7 v3 Schemas
The HL7 v3 Schemas
• HL7 datatypes
  – TS: Point in Time
  – CS: Simple Coded Value
  – ST: Character String
• Translate to XSD
  – datetime, string
• HL7 datatypes predate XSD datatypes
• With a lot of HL7 datatypes, nothing happens except translation to XSD datatypes
• Do this in the source; it generates much more readable code
Simplify the Schemas
Layering
[Diagram: Initiating Application and Responding Application, connected layer by layer: Medical Layer; Control Query Layer; Transmission Layer; Web Services Layer; HTTP Layer]
[Diagram: components per layer and what they exchange: HL7 Medical Application (HL7 v3 Medical Content); HL7 Control Query Processing Application (HL7 v3 Acts); HL7 Transmission Wrapper Adapter (HL7 v3 Messages); HL7 Web Services Messaging Adapter (SOAP Messages); HTTP Client / Server]
The HL7 v3 Schemas
• layer the Schemas
• anonymize with xs:any –
[Diagram: nested layers: SOAP; Transmission Wrapper; Control Wrapper; Medical Data]
[Diagram: the same nesting with ANY between the layers: SOAP; ANY; Transmission Wrapper; ANY; Control Wrapper; ANY; Medical Data]
Layer the Schemas
The HL7 v3 Schemas: flatten, simplify, layer
The HL7 v3 Schemas
James Clark: “validity is a relationship between a document and a schema, not a property of a document”
The HL7 v3 Schemas
schemas can be equivalent: when two schemas consider the same set of documents valid, the schemas are equivalent
The HL7 v3 Schemas
don’t think of THE schema, but the SCHEMAS
The HL7 v3 Schemas
[Diagram: schema versions V1, V2, V3 along a TIME axis; V1a and V1b along a VARIANTS axis]
Truth, Trust and Belief
Authentication
Authentication
• Smartcard (UZI pass) with:
  – private key (RSA)
  – X.509 certificate (includes public key)
• PKI-Government
• Personal pass
  – guard safely
  – no sharing
  – PIN protected
[Diagram: digital signature. Sender: “Hello world”, SHA-1 hash, private key, RSA sig value. Receiver: public key, result OK]
Security Services (X.800)
• Authentication
• Authorization
• Data Confidentiality
• Data Integrity
• Non-repudiation
Secure connection
Secure data
Security services
Columns: Secure connection, Authentication Token, Digital Signature
• Authentication: √ √ √
• Authorization:
• Confidentiality: √
• Integrity: √
• Non-repudiation: √ √
Authentication with SSL
Security with SSL
• Works well only in simple scenarios
• There is no HL7 v3 XML at the client
• The client is (relatively) insecure
• SSL lays an impenetrable tunnel across the institution’s secure zone
• SSL from server to server is fine, but:
  – provides no care provider authentication
Context: clients
• all hospitals, GPs, pharmacists, other healthcare pros
• clients: any kind of client
• latest .NET / Java
• older dev environments (Delphi, VB, etc.)
• thin client/browser
• XSLT heavy
• XML / no XML
• WS-* / no WS-*
• HL7 v3 / no HL7 v3
Context: HL7 v3
• no HL7 v3 at client (HL7 v2, OZIS, other)
• not all data at client
  – Act.id
  – medication codes
  – patient id (BSN) not yet, is reasonable demand
• destination not always known at client
• either: require all data available at client
• or: sign subset of data
‘Lightweight’ authentication token
• X.509 style
  – message id
    • nonce
    • provides unique identification of message
    • (if duplicate removal has already taken place)
  – time to live
    • security semantics can expire
    • time to store & check nonce
  – addressedParty
    • replay against other receivers
SSL security
• premises:
  – healthcare pro keeps smartcard + pin safe
  – software to establish SSL tunnel not corrupted
  – PKI, RSA etc. not broken
• assertion:
  – healthcare pro sets up SSL tunnel
• assumption:
  – messages going over SSL tunnel come from healthcare pro
• weakness:
  – insertion of fake messages in SSL tunnel
• measures:
  – abort SSL tunnel after period of inactivity, refresh regularly
Lightweight token security
• premises:
  – healthcare pro keeps smartcard + pin safe
  – software to sign token not corrupted
  – PKI, RSA etc. not broken
• assertion:
  – healthcare pro signed auth token
• assumption:
  – message and auth token belong together
• weakness:
  – fake message attached to valid token
Lightweight token security
• signedData:
  – message id
  – notBefore / notAfter
  – addressedParty
• coSignedData
  – patient id (BSN)
  – message type (HL7 trigger event id)
• only possible to retrieve same kind of data for same patient at same time from same destination
• weakness: tampering with other message parameters
• for queries: acceptable (privacy not much more broken)
• for prescription: use full digital signature
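The receiver-side checks that the two ‘Lightweight token security’ slides imply, as an added example that is not part of the original deck: validity window, addressed party, replayed message id, and the co-signed patient id and message type that tie the token to the message it travels with. Assumptions: the token is modelled as JSON rather than XML Signature, HMAC-SHA256 with a constructed key stands in for the RSA signature made with the UZI pass, and the `TokenVerifier` class and the message field names (`messageId`, `patientId`, `triggerEvent`) are hypothetical.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the UZI pass key pair

def sign_token(token, key=DEMO_KEY):
    """Sign the token's canonical JSON form (HMAC-SHA256 replaces RSA here)."""
    data = json.dumps(token, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class TokenVerifier:
    """Checks one receiver (addressed party) runs on a token/message pair."""
    def __init__(self, own_id, key=DEMO_KEY):
        self.own_id = own_id
        self.key = key
        self.seen = {}  # message id -> notAfter, kept until the token expires

    def verify(self, token, signature, message, now):
        """Return "ok" or the reason the token/message pair is rejected."""
        if not hmac.compare_digest(sign_token(token, self.key), signature):
            return "bad signature"
        signed, cosigned = token["signedData"], token["coSignedData"]
        if not signed["notBefore"] <= now <= signed["notAfter"]:
            return "outside validity window"
        if signed["addressedParty"] != self.own_id:
            return "addressed to another party"
        # Ids of expired tokens can be forgotten: the window check rejects them.
        self.seen = {m: exp for m, exp in self.seen.items() if exp >= now}
        if signed["messageId"] in self.seen:
            return "replayed message id"
        # Bind token to message: same id, same patient, same trigger event.
        if (message["messageId"] != signed["messageId"]
                or message["patientId"] != cosigned["patientId"]
                or message["triggerEvent"] != cosigned["messageType"]):
            return "token does not match message"
        self.seen[signed["messageId"]] = signed["notAfter"]
        return "ok"

# Constructed sample data; ids and values are illustrative, times are seconds.
TOKEN = {
    "signedData": {"messageId": "msg-0001", "notBefore": 1000,
                   "notAfter": 1300, "addressedParty": "HIS-B"},
    "coSignedData": {"patientId": "BSN-SAMPLE-1", "messageType": "QUERY-A"},
}
SIGNATURE = sign_token(TOKEN)
MESSAGE = {"messageId": "msg-0001", "patientId": "BSN-SAMPLE-1",
           "triggerEvent": "QUERY-A"}

def demo():
    """A fake message on a valid token, the genuine pair, a replay, a wrong receiver."""
    his_b, his_c = TokenVerifier("HIS-B"), TokenVerifier("HIS-C")
    other_patient = dict(MESSAGE, patientId="BSN-SAMPLE-2")
    return [
        his_b.verify(TOKEN, SIGNATURE, other_patient, now=1100),
        his_b.verify(TOKEN, SIGNATURE, MESSAGE, now=1100),
        his_b.verify(TOKEN, SIGNATURE, MESSAGE, now=1200),
        his_c.verify(TOKEN, SIGNATURE, MESSAGE, now=1100),
    ]
```

Message fields outside the co-signed set are not covered by any of these checks, which is the residual weakness the slide accepts for queries and the reason it asks for a full digital signature on prescriptions.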
Hospital workflow
• doctor makes round
• 360 seconds per patient
• nurse has file ready
• retrieval times are not acceptable
• pre-signing tokens and pre-fetching data just in time
• possible with auth tokens, not (so much) with SSL
Authentication alternatives
[Diagram: SOAP Envelope; SOAP Header; Auth Token; SOAP Body; HL7 payload]
[Diagram: components per layer and what they exchange: HL7 Medical Application (HL7 v3 Medical Content); HL7 Control Query Processing Application (HL7 v3 Acts); HL7 Transmission Wrapper Adapter (HL7 v3 Messages); HL7 Web Services Messaging Adapter (SOAP Messages); HTTP Client / Server]
Authentication alternatives
• Authentication tokens in SOAP Headers separate them from the content
• HL7 sometimes allows multiple payloads, making this problem worse
• The token has to travel across layers with the payload
• This violates layering principles
WS-*
• WS-* is confused about whether it is a document format or a message format
• document: relevant to the end user
• message: relevant to the mailman
• keep metadata with the document
• putting document metadata in SOAP headers violates layering design principles
Digital Signatures
Some philosophy
• “The President of the United States is John McCain”
• “Karen believes ‘the President of the United States is John McCain’ ”
• “John says that ‘the President of the United States is John McCain’ ”
• “Dr. Jones says: ‘Mr. Smith has the flu’ ”
Signed Data
"Dissolve in water"
Digitally signed token
What You See Is What You Sign
Token & XML Signature
[Diagram: Components: XML Signature; with WSS; in SOAP Headers; SOAP envelope]
Multiple signatures, 1 certificate
[Diagram: Message + signature; Certificate A]
What we’ve (tried to) cover
• Standardisation:
  – AORTA, the Dutch Healthcare Infrastructure
  – HL7 v3, Vocabulary, Identification, Schemas
  – Web Services: SOAP, WSDL, WS-Security
• Truth, Trust and Belief:
  – Authentication
  – Digital Signatures
• Versioning


