Dec 19 2009
The OASIS international consortium today announced two new information
standards that give hospitals, insurers, and others in the healthcare
community much-needed mechanisms for exchanging privacy policies,
evaluating consent directives, and determining authorizations. The
Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of
the Security Assertion Markup Language (SAML) for Healthcare and the
XSPA Profile of the eXtensible Access Control Markup Language (XACML)
for Healthcare have both been approved as OASIS Standards, a status that
signifies the highest level of ratification.
“SAML and XACML are well established standards for security,” said David
Staggs of the U.S. Veterans Health Administration and Anil Saldhana of
Red Hat, co-chairs of the OASIS XSPA Technical Committee. “These XSPA
profiles ensure that the use of SAML and XACML is consistent with the
U.S. Healthcare Information Technology Standards Panel (HITSP)'s Access
Control Transaction Package (TP 20).”
The XSPA profile of SAML enables hospitals and other service providers
to validate requests for information access. “The profile allows user
attributes to be matched against the security policies related to user
location, role, purpose of use, data sensitivity, and other relevant
factors,” explained Hal Lockhart of Oracle and Thomas Hardjono of the
Massachusetts Institute of Technology, co-chairs of the OASIS Security
Services (SAML) Technical Committee. “The SAML profile also includes a
Privacy Policy that enforces patient preferences and consent directives.”
The XSPA profile of XACML describes mechanisms for authenticating,
administering, and enforcing authorization policies that control access
to protected information residing within or across enterprise
boundaries. Lockhart and Bill Parducci, co-chairs of the OASIS XACML
Technical Committee, added, “The XACML profile promotes interoperability
within the healthcare community by providing common semantics and
vocabularies for policy enforcement.”
The XSPA SAML and XACML profile standards are offered for implementation
on a royalty-free basis. Participation in the OASIS Committees is open
to all companies, non-profit groups, governments, academic institutions,
and individuals. As with all OASIS projects, archives of the Committees'
work are accessible to both members and non-members, and OASIS hosts an
open mail list for public comment.
Support for XSPA SAML and XACML Profiles
HITSP
“Privacy and Security standards are foundational to
patients trusting EHRs. The XSPA profiles were developed in response to
gaps identified by HITSP and will provide the support needed in
realizing a robust security and privacy framework.”
--John D. Halamka, MD, MS, Chair of the US Healthcare Information Technology
Standards Panel (HITSP)/Co-Chair of the HIT Standards Committee, and a
practicing Emergency Physician
Oracle
“Approval of these XSPA specifications marks an
important milestone and demonstrates the standards' synergies between
the security and healthcare communities. By implementing requirements
from healthcare standards such as HL7 and ASTM, OASIS XSPA enables
secure access to electronic health records via the use of widely
accepted security standards.”
--Prateek Mishra, director, Identity Standards, Oracle
Sun Microsystems
“A fully functional Nationwide Healthcare Information Network needs to
have a robust security ecosystem. Privacy must extend to the many
stakeholders involved including patients, providers, payers and promoters
(such as the Centers for Disease Control). Sun Microsystems has embraced
and implemented XSPA, a fine-grained entitlement functionality within
Identity Management, as it provides our healthcare customers with added
security in the exchange of clinical records.”
--Bill Vass, President and COO, Sun Microsystems Federal, Inc. & CTO,
Global Accounts and Industries of Sun Microsystems Inc.
U.S. Department of Veterans Affairs
“The Department of
Veterans Affairs is pleased to have led the creation of two new
important OASIS healthcare profile standards supporting the national
needs of the U.S. Healthcare Information Technology Standards Panel.
OASIS members, by creating this standard, are bringing the vision of
secure electronic health information exchange closer to reality.”
--John (Mike) Davis of the Department of Veterans Affairs
http://www.oasis-open.org/