Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Red Hat OpenShift / OpenShift Commons Gathering 2021 Kubecon EU / 4 May 2021
Red Hat OpenShift / OpenShift Commons Gathering 2021 Kubecon EU / 4 May 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: HealthOS: Enabling Standards-Based Healthcare Interoperability w/ Cloud Native & Zero Trust - Anthem

Description

OpenShift Commons Gathering at Kubecon/EU 2021
May 4th, 2021

Title:
HealthOS: Enabling Standards-Based Healthcare Interoperability with Cloud Native and Zero Trust

Speakers:
Frederick Kautz (Doc.ai) | Bobby Samuel (Anthem)

Abstracl:

A

Hi, my name is bobby samuel and I've got frederick coutts here with me and we're going to talk to you today about health os and enabling standards-based health care interoperability using cloud native and xero trust. So, first of all, I'm bobby I work at anthem. I lead up the health os development as well as precision insights frederick. Would you like to introduce yourself.

B

Hello, I'm frederick koetz. I am a director of software engineering at sharecare and I collaborate with bobby and anthem on xero trust and a variety of architectures and systems.

A

So the way we're going to walk through this today is we'll start with the business case or the business challenge and then we'll we'll move into the technology um and then be here to answer any questions. So, first of all, you know: what's what's the challenge?

A

What's the what's the point of all this, so health os um is something that we've created internally here within anthem and payers are seen as the middleman pain point across the ecosystem and causing abrasion across various user segments, whether it's provider, member or even to other payers, but we also sit in a position where we have the richest longitudinal view of data and that's whole health data about the person.

A

So health os helps us operationalize, our health health data to drive, improved outcomes and reduce costs and, overall, you know, increases efficiency. So we'll talk to you about how we do that, but at the foundation of it all health os is a platform. It's a hub whose primary emphasis is interoperability um and then driving world-class experiences um and and uses machine learning um and ai to drive insights and also actions.

A

So, just to talk about the business architecture and how the pieces fit together, the at the bottom we've got the data layer and that data layer it focuses on integrations with ehrs, it's got payer and clinical data, and then our data about members or our constituents is based on fire or the fire standard on top of that layer- and this is where we'll get into um cloud native and zero trust, but in in that space in the security layer in our platform layer, we've got a number of things that are running and happening.

A

So insights and action apps live here and are are created here. We've got tool sets or ides and tool sets to rapidly build, validate and or deploy health apps, um and then this is where we'll talk about, where we're implementing zero trust uh to do workload, identity, management and then, on top of that, we've got interaction layer. So the the cool thing about health os is that or one of the many things about health os?

A

uh Is that whether it's a ui ux that health os manages or a ui ux, that someone else manages whether it's another ehr or a homegrown app that we have those all plug into and have the benefit of connecting back into all of these help apps and back into the place where we've got the the rich data stores. So this is the ecosystem that we've been putting together with our client, endpoint um client application endpoints to connect, as well as sdk our sdks to build and rapidly deploy apps.

A

So in our ecosystem, what's the? What are we trying to do this? For and um at anthem? We have a number of partners we work with. We have a number of partners that we connect with in various lines of business, but the big problem is: is they're not connected, anthem's connected to them, but they're not connected to each other, and what this allows us to do is to connect all the apps to each other.

A

So healthos allows us to connect to anthem's data ocean. It allows health, apps insights and actions to run and connect all these different apps. So we bring our digital ecosystem together and we bring our emr systems together that we connect with as well as internal systems that exist within anthem.

A

All of these things working together focused on better outcome for the for the member, and so let me like zoom back out into what's our ecosystem and where xero trust uh kind of fits in. So we've put health os in the center once again. Action apps and inside apps. So an example of an inside app would be uh what benefits are covered by for bobby or does bobby have this in his formulary this this particular drug in his formula or treatment in his formulary. An action could be um scheduling uh um an appointment.

A

It could be uh one-click prescriptions or uh you know painless, prior auth, one-click, prior authorizations, and so those things run together and then using zero trust connections.

A

We connect to various clients like the desktop or it could be, and I'm going counter clockwise right now, but like the desktop, it could be on aiml, tooling, that we've got running, that we can make insights available third-party health solutions um and then even to clients like third-party clients like telehealth os, which telehealth has seen a huge rise in popularity and usage due to the pandemic and then emr, apps or um or apps that that do payment acceleration, um as well as just traditional emr platforms like in large hospital systems.

A

Epic cerner, athena, health and all of these connected together, working together once again focused on our members, health and improving the health of humanity, and so what we'll do is we'll dive a bit more into how we're putting all of these things together on a cloud native, zero trust foundation to deploy this ecosystem so frederick. Let me turn it to you.

A

Thank you.

B

Bobby so before we jump into zero trust, let's talk a little bit about some security basics. Very often, when you speak with a security or information security person, you'll often hear about the cia triad. We actually look at four things now, but the first three in the cia is is what traditionally people would look at. Those three are confidentiality.

B

Is the information protected against unauthorized, viewing or access? We look at integrity? Has the information been modified in a way that was unauthorized? How do we protect it from being modified? We also look at availability. Is the information available when you need it to be and there's a fourth thing that has been added in more recent times called non-repudiation, which is how can you ensure that a entity that has performed a transaction cannot back out of that transaction and there's multiple reasons for this, which could include at the business layer? How do you prevent fraud?

B

How do you perce? How do you ensure that you can observe the system and know that that's what the state was uh likely to be? It could also be based upon uh trying to make sure that the uh that, when you're looking at security systems that you know exactly who you're connecting with and that it hasn't been swapped out with with someone else, so in general, there's now four main categories that people tend to look at there's a couple, others that people will bring in as well.

B

But these are the the main four that you that you tend to see so using this particular framework. We then take a look at uh what are the business requirements? What is the?

B

What is it that we're trying to to protect what has changed so when we look at uh at the zero trust space and why it's important?

B

One of the things that we want to look at is what is what is the? What are the previous assumptions that we've made and what is the reality that we're seeing today? What is what has changed and the differences between that assumption and reality can be seen in the form of cyber attacks where people will perform data breaches will run ransomware denial, service attacks, uh forging identities or so on, and the policies that we tend to apply in uh from a regulatory or policy perspective may also end up ossifying.

B

Some of those assumptions that end up entrenching those assumptions in such a way that they can be difficult to respond to so zero trust is about realizing that we have these gaps and then building up a new framework that is more flexible in order to allow for response to these type of of conditions and to allow for additional controls to be put in in such a way that it enables other organizat other parts of your organization, your digital organization or your developers, to be able to make the changes necessary to meet your mission, but at the same time, still maintain that control to hit your confidentiality, your integrity, your availability and your non-recreation goals.

B

So what is zero trust? I I try to distill it down into a into a small image, and this is the simplest I was able to find in the very in in the top half of this. You have perimeter defense, which is the common gold standard that you see within many environments.

B

That is where you have a trusted network in that network. You have your services. If you need to connect to another network, you may have a firewall that you put in between them in order to protect entities in one network in from entities in another network, but the problem is that, if you end up in attack with an attacker in one of these networks, then there's a lot that they can do there a lot of damage that can that can be done in the zero trust model.

B

Instead, what we say is well what, if that network was not trusted? No, it's not implicitly trusted that doesn't mean the firewalls go away. It doesn't mean that you're that you're not trying to protect the network, but it means you're no longer saying this network is the implicit thing in which we base our trust. So once you no longer trust your network, then you have to look at where you push the controls and the controls end up being at the services themselves.

B

So if you look at the bottom half of this, you can see every service when it connects to something else, has some form of a of something resembling a firewall, something that is a control that uh that allows you to determine what do you want to send over those links to those other to those other devices if an attacker enters into your network again, that doesn't mean you're no longer at risk, but it's a yet another layer of security that you have that doesn't allow for implicit access to things simply because they're on the network, so to build our zero trust framework, we started with three main foundations: this is identity, policy and automation.

B

Identity is what is it that identifies your service? What does it identify as your user or identifies your data? How do you know that what you're looking at is the thing that you are that you're? Looking for how do you attest that identity policy is? How do you develop the rules and apply those rules and then force those rules across the across identity from the automation perspective is how do we take this from?

B

Let's say you have a single system and you can put a person on that system to defend it when you say when you start to try to scale this out to a large number of systems, hundreds of systems, thousands of systems, tens of thousands of systems, you need to have automation in place that is able to help you assign the identity and enforce the policy, but also bring in things like observability.

B

So you can audit what's going on and to have controls over well what the automation is capable of doing or what it's not able to do so it ends up being three intertwined primary pillars that that have to be put together in order to build a zero trust framework.

B

So we've been working on a reference implementation for this in a in the cloud native environment and we focus around three primary things. So, if you notice I in the triangle, I actually make them link up, so you can see identity.

B

We're using spiffy inspire for policy we're using open policy agent for automation, we're relying heavily on things like network service mesh. Now these aren't the only things in the infrastructure, but they're they're, representative of the type of things that we're trying to accomplish so we'll go over each of these in more detail soon. We also build this on top of kubernetes.

B

We build it on top of systems like open shift. We build it. We we build in automation on the infrastructure side, we have get off style processes that we're bringing in and underpinning all of this, you still need observability across the whole stack. You still need control over the over the whole stack, so it ends up becoming this. This model that that this particular thing represents that all works in coordination to deliver the infrastructure that is part of health os.

B

So what spiffy and spire are? Is they provide identities to your workloads? So most people are familiar with user identity. You put in your password you log into a online service. You have that user identity in this scenario we're looking at workload identities. So every workload receives an x519 certificate.

B

This is the same type of certificate that when you log into your bank, your bank will use an x5109 certificate to identify who it is so we're relying on the same type of primitives and principles in order to secure the workloads when the workload connects to another.

B

They use a new feature within tls that is available in tls, 1.3 and presumably, above as those are released, and that is mutual tls tls is where your client is able to validate your server, like you typically can from a web browser.

A

Validating.

B

Your bank, but simultaneously the server, is capable of validating the identity of the client. So you have this two-way validation that occurs within a trust domain, so we're able to create these identities that live within a trust domain that allow them to establish their identities, and these identities are constantly rotated out every hour they get rotated out and by default, if you're, using spiffy inspire and every time that you assign a new certificate, you perform a verifiable attestation.

B

What we mean by that is that the system will ask for an identity. We will look at the properties of that system. You might have a tpm module that you're working with you might have a a identity document that is within aws or within gcp or other similar systems that have some cryptographic material inside of them. That help prove something about that system.

B

We are able to build our spiffy identities without the station that is rooted in these cryptographic materials from from these type of systems. This also has a very nice effect because, since we're performing this mutual attestation and validation between systems in many scenarios, it reduces or also eliminates the need for long living bearer tokens. So, in other words, you don't need to pass in a secret.

B

The fact you're, connecting in with a specific identity, is enough for the system to recognize what type of system it is and what type of policies need to be applied in terms of policy. We're looking at things like open policy agent and open policy agent allows you to to consume the identities that are produced by a system like spiffy inspire and allows you to decide. What is this system allowed to do?

B

What is what are, what are its capabilities that uh that it is able to fulfill, and when, when you, when you create these particular systems, what were the properties we're looking for, and that led us to open policy agent is, it has to be something? That's human readable has to be something that is that meets the look and shape of common policy. So, in other words, you could have. How do you classify data? How do you classify workloads? How can you say this system has phi and create defaults?

B

That say, don't allow them to connect the systems that don't have phi or vice versa, and then from there we can carve out patterns that the system is allowed to perform. In this example, we took this from openpolicyagent.org, it's one of their it's one of their examples. They have on their front web page, and you can see a request that says pet owners are allowed with a specific id that is verified by the jwt, which, which is something that identifies the user.

B

Cryptographically is allowed to receive information or not to make a request against against this api in a specific way. If, and only if the request comes from like say, this is in front of a database if and only if, the request comes from a client that we that or a workload that we have identified.

B

So it gives us a lot of flexibility to define the exact type of shape and policies that that we want in a human, readable way that also allows us to get this policy into git. It allows us to to have code reviews on these policies to share them with uh with other stakeholders, so we can get their opinions on whether this policy meets their requirements or not and gives us that that change over time. So we can see how policies has changed. When did it change, because it's all checked into into git.

B

We also rely on a new technology called network service. Mesh network service mesh is another cncf project that is looking to automate low-level networking systems, so we're looking at if you're familiar with the osi model, we're looking at layer, two layer, three we're looking at frames in ethernet and ip and other similar level areas and what it does is. It facilitates the underlay to services. So typically, when you're running in kubernetes you'll often have multiple clusters.

B

You want to connect together in some way and when you connect them, the assumption is: there's are there's already connectivity established between both systems. What network service mesh allows you to do is to acknowledge that there may not be a connection, that's there, and you may need certain things in place in order to make that connection work. So this allows the operator to say in order for this connection to occur, I needed to have a firewall. An intrusion detection system needs to go through a certain vpn gateway.

B

A certain vpn concentrator, so network service mesh allows you to automate these processes through a cloud-native api, with native support from spiffy, inspire and open policy agent, and it provides you a cryptographic, non reputation of that connection change, so, in other words, in this example, we have on the left health os app going through a specific vpn gateway to a specific vpn concentrator to a specific health app. We can get the cryptographic identity of everything in between and see. What is a system connecting through? Is it connecting to systems that we trust?

B

Is it connecting to systems that that are required to do? We have everything in here that we need in order to establish the connection by policy and enforce it on an ongoing basis.

B

Finally, we look at get ops and re from a git ops perspective, the workflow. This is more of a process side that is then committed in as a as a service.

B

So from the process you have a developer developer will make some form of a commit into the source code system such as git, then the ci cd system, your continuous integration system, will see those changes that have been put into git and will then render them into your your test: environments into your staging environment, your production environment, the every change goes through source through source control.

B

Every change goes through git, which gives us that audit ability it gives us that chain as to who made that we made the change, we also have control from the qa side. So in fact, when you're looking at regulatory concerns in this space, it's it's important that your developers are not allowed to push into production.

B

You have to have a separate group of people, a separate team that is able to look at what changes are there and decide whether or not those changes should hit production?

B

So when you start looking at things that are pci compliance or hipaa compliance systems, you tend to see this pattern quite common, so that you don't have a single place or a single person who is able to push these type of things in so the qa team is then able to determine at what rate and when something is promoted from testing the staging or staging to to production.

B

A really great example of a system that you can use to achieve this in your own infrastructure is flux, so highly recommended you go look at flux and give it a try. It hooks up to github and gives you that initial path towards automating in in this style.

B

So with that, I want to thank you all for joining us and learning a little bit about health, os and xero trust. You please consider that these are the type of technologies that we're using we're using openshift with kubernetes we're using spiffy fire of the policy agent network service mesh envoy. Please join these particular communities.

B

There's a lot of things that you can work on in those particular spaces and if you're interested in the type of things that we're working on please reach out to either bobby or I and we'll help you navigate the uh the path, whether it's coming to work with us directly or whether it's trying to work in the same area in your own industry. So please please, come and join us with that. We have time for questions and thank you very.

B

Much.

B

You.