XSPA Profile of WS-Trust for Healthcare Receives Approval as OASIS Standard

IBM, Avaya, Cisco, Jericho Systems, Red Hat, U.S. Department of Veterans Affairs, and Others Define Profile to Enable Interoperable Exchange of Healthcare Privacy Policies and Consent Directives

Boston, MA, USA; 16 December 2010 – The OASIS open standards consortium today announced approval of the Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of WS-Trust for Healthcare, version 1.0. The profile enables healthcare organizations to appropriately authorize access to healthcare information by leveraging the WS-Trust open standard. The XSPA Profile of WS-Trust is now an official OASIS Standard, a status that signifies the highest level of ratification.

WS-Trust is the latest in the XSPA suite of security standard profiles for healthcare; other XSPA profiles include the Security Assertion Markup Language (SAML) and the Extensible Access Control Markup Language (XACML). The need for these XSPA profiles was identified by the security and privacy working group of the U.S. Healthcare Information Technology Standards Panel (HITSP), which is administered by the American National Standards Institute (ANSI).

Mike Davis of the U.S. Department of Veterans Affairs noted, "This new profile, in conjunction with XPSA SAML and XACML, completes the effort undertaken by OASIS in support of the HITSP Access Control construct and the Nationwide Health Information Network. We are pleased to see OASIS now extending this effort to the international community."

"An extension of WS-Security, WS-Trust is widely used as an effective method for issuing security tokens, establishing trust relationships, and allowing information to be exchanged reliably. The XSPA Profile tailors WS-Trust for the specific needs of the healthcare industry by providing common semantics and vocabularies for fine-grained access control," said David Staggs, co-chair of the OASIS XSPA Technical Committee.

"We're giving healthcare providers the mechanisms they need to authenticate, administer, and enforce the authorization policies that control access to protected information, such as consent directives and privacy policies," added Anil Saldhana of Red Hat, co-chair of the OASIS XSPA Technical Committee. "Using the XSPA Profile of WS-Trust, administrators can manage the accessibility of protected information, regardless of whether that information resides within their healthcare facility or with another provider."

Duane DeCouteau of Ascenda Healthcare noted, "The XSPA Profile of WS-Trust will allow a personal health record (PHR) application to easily communicate a user's privacy settings to multiple organizations using trusted credentials appropriate to each organization specified by the PHR owner."

Participation in the OASIS XSPA Technical Committee is open to all companies, non-profit groups, governments, academic institutions, and individuals. As with all OASIS projects, archives of the Committees' work are accessible to both members and non-members, and OASIS hosts an open mailing list for public comment.

Support for XSPA Profile of WS-Trust

Jericho Systems
"As the healthcare industry moves toward establishing health information exchanges, Jericho Systems remains steadfast in its dedication toward developing and supporting standards that address patient privacy and security needs. With the introduction of XSPA, OASIS has taken a critical step toward defining the way healthcare constituents exchange privacy policies, consent directives, and authorizations. Jericho Systems firmly believes in the benefits provided by XSPA and is excited to be part of this industry-reforming authorization standard." --Imran Chaudhari, Director of Projects and Integration, Jericho Systems

Oracle
"Oracle is pleased to have worked with the healthcare community to develop the XSPA Profile of WS-Trust. By providing a standard model for managing access to healthcare data, the specification will aid the creation of healthcare information systems which are both secure and open." -- Prateek Mishra, director, Identity Standards, Oracle

Additional information:
OASIS XSPA Technical Committee

About OASIS:
OASIS (Organization for the Advancement of Structured Information Standards) drives the development, convergence, and adoption of open standards for the global information society. A not-for-profit consortium, OASIS advances standards for SOA, security, Web services, documents, e-commerce, government and law, localisation, supply chains, XML processing, and other areas of need identified by its members. OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology. The consortium has more than 5,000 participants representing over 600 organizations and individual members in 100 countries. http://www.oasis-open.org

Press contact:
Carol Geyer
OASIS Senior Director, Communications
carol.geyer@oasis-open.org
+1 (781) 425-5073 x209