Name: Audit Trail and Node Authentication (IHE ATNA)
Identifier: IHE ATNA
Issuing Organisation: Integrating the Healthcare Enterprise (IHE)
Country: International
Language: English
Organization website: https://www.ihe.net/
Link to standard: https://wiki.ihe.net/index.php/Audit_Trail_and_Node_Authentication
Availability: Free to Access
Type: IHE Profile
Issue Year: unknown
Forward Review Date: Not known
Fields: Communication and Information, Digital Health, Health and Wellbeing
Intended Audiences: Third (Voluntary) Sector Bodies, Private Sector Bodies, Professional and Trade Bodies, and Governmental and Public Sector Bodies
Abstract:
The Audit Trail and Node Authentication (ATNA) Integration Profile establishes security measures which, together with the Security Policy and Procedures, provide patient information confidentiality, data integrity and user accountability. ATNA contributes to access control by limiting network access between nodes and limiting access to each node to authorized users. Network communications between secure nodes in a secure domain are restricted to only other secure nodes in that domain. Secure nodes limit access to authorized users as specified by the local authentication and access control policy.
User Authentication
The Audit Trail and Node Authentication Integration Profile requires only local user authentication. The profile allows each secure node to use the access control technology of its choice to authenticate users. Enterprise User Authentication is one such choice, but it is not required in order to use this profile.
Connection Authentication
The Audit Trail and Node Authentication Integration Profile requires the use of bi-directional certificate-based node authentication for connections to and from each node. The DICOM, HL7, and HTML protocols all have certificate-based authentication mechanisms defined. These authenticate the nodes, rather than the user. Connections to these machines that are not bi-directionally node-authenticated shall either be prohibited, or be designed and verified to prevent access to PHI.
Audit Trails
User Accountability is provided through Audit Trail. The Audit Trail needs to allow a security officer in an institution to audit activities, to assess compliance with a secure domain’s policies, to detect instances of non-compliant behavior, and to facilitate detection of improper creation, access, modification and deletion of Protected Health Information (PHI).
Relevance to Active and Healthy Ageing: Medium
Older Person Specific: No
Usage / Adoption status: IHE Profile endorsed by European Commission for Public Procurement
Comments:
This IHE Profile is an essential building block in establishing interoperable digital tools in support of healthcare, thereby supporting seamless integrated healthcare for all generations, including the elderly. This IHE Profile is mentioned in COMMISSION DECISION (EU) 2015/1302 of 28 July 2015 on the identification of ‘Integrating the Healthcare Enterprise’ profiles for referencing in public procurement (see Official Journal of the European Union, L199/43):
(7) On 2 October 2014, the European multi-stakeholder platform on ICT standardisation evaluated 27 ‘Integrating the Healthcare Enterprise’ (IHE) profiles against the requirements set out in Annex II to Regulation (EU) No 1025/2012 and gave a positive advice to their identification for referencing in public procurement. The evaluation of the 27 IHE profiles was subsequently submitted to consultation of the eHealth network established by Article 14 of Directive 2011/24/EU of the European Parliament and of the Council that confirmed the positive advice to their identification.
(8) IHE develops ICT technical specifications in the field of healthcare information technology. The 27 IHE profiles are detailed specifications developed over a period of 15 years within the committees of IHE that optimise the selection of well-established standards describing the different layers of interoperability (i.e. protocol communication, technical, syntactical, semantic and application levels) with a view to find interoperability solutions for exchanging or sharing medical data.
(9) The 27 IHE profiles have the potential to increase interoperability of eHealth services and applications to the benefit of patients and medical community. The 27 IHE profiles should therefore be identified as ICT technical specifications eligible for referencing in public procurement.