The OASIS international consortium today announced two new information
standards that give hospitals, insurers, and others in the healthcare
community much-needed mechanisms for exchanging privacy policies,
evaluating consent directives, and determining authorizations. The
Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of
the Security Assertion Markup Language (SAML) for Healthcare and the
XSPA Profile of the eXtensible Access Control Markup Language (XACML)
for Healthcare have both been approved as OASIS Standards, a status that
signifies the highest level of ratification.
“SAML and XACML are well established standards for security,” said David
Staggs of the U.S. Veterans Health Administration, and Anil Saldhana of
Red Hat, co-chairs of the OASIS XSPA Technical Committee. “These XSPA
profiles ensure that the use of SAML and XACML is consistent with the
U.S. Healthcare Information Technology Standards Panel (HITSP)'s Access
Control Transaction Package (TP 20).”
The XSPA profile of SAML enables hospitals and other service providers
to validate requests for information access. “The profile allows user
attributes to be matched against the security policies related to user
location, role, purpose of use, data sensitivity, and other relevant
factors,” explained Hal Lockhart of Oracle and Thomas Hardjono of the
Massachusetts Institute of Technology, co-chairs of the OASIS Security
Services (SAML) Technical Committee. “The SAML profile also includes a
Privacy Policy that enforces patient preferences and consent directives.”
The XSPA profile of XACML describes mechanisms for authenticating,
administering, and enforcing authorization policies that control access
to protected information residing within or across enterprise
boundaries. Lockhart and Bill Parducci, co-chairs of the OASIS XACML
Technical Committee, added, “The XACML profile promotes interoperability
within the healthcare community by providing common semantics and
vocabularies for policy enforcement.”
The XSPA SAML and XACML profile standards are offered for implementation
on a royalty-free basis. Participation in the OASIS Committees is open
to all companies, non-profit groups, governments, academic institutions,
and individuals. As with all OASIS projects, archives of the Committees'
work are accessible to both members and non-members, and OASIS hosts an
open mail list for public comment.
Support for XSPA SAML and XACML Profiles
HITSP
“Privacy and Security standards are foundational to
patients trusting EHRs. The XSPA profiles were developed in response to
gaps identified by HITSP and will provide the support needed in
realizing a robust security and privacy framework.”
--John D. Halamka, MD, MS, Chair of the US Healthcare Information Technology
Standards Panel (HITSP)/Co-Chair of the HIT Standards Committee, and a
practicing Emergency Physician