Overview of GP APACHIIE access to IAHS

This document is designed to give a laypersons overview of how Illawarra Based GPs access IAHS information through the Internet. This is achieved by utilising the APACHIIE network. APACHIIE stands for Access Portal Authenticated Computerised Health Illawarra Information Exchange. The IDGP acts as a secure authentication gateway for IDGP GP members to gain access the IAHS held information. The design has a number of dependencies and hardware and software components.

Dependencies:

To access information through APACHIIE a GP needs the following;

  • HeSA generated I-key with digital certificate, password required to access the I-key to allow communication with stored digital certificate

  • Internet access, preferably ADSL

  • Web browser with 128bit-encryption capability.

  • USB port

  • I-key driver software (I-keys developed by rainbow soft)

 

Securing access, and forward authenticating users the IDGP have setup the following;

  • Database that stores user id, digital certificate serial No., users authentication details. (stored on a local SQL database with access limited to IT administrator and programmer)

  • Apache Web server with digital server certificate signed by thwart Certificate Authority for encryption of pages.

  • Redirector program (designed internally)

  • 2.3Mb HDSL link between the IDGP and Wollongong Hospital

  • Firewall at the Hospital end (managed by Rod Cummins)

  • Internet link (ADSL)

IDGP user database

The user database stores a GPs;

  • userid

  • IAHS e-mail account details

  • CI username, password

  • I-path username, password

  • PACS username, password

  • I-key serial number

GP Process

For a GP to access IAHS stored information through APACHIIE first they need to access the IDGP member's page. To enter the members only page they need to logon with their digital certificate for authentication, certificates are required by the web server. This is not a guarantee that they can access the site, they must have previously informed us that they have received their digital certificate and I-key, they also need to give us their I-key serial number. Once they have entered their I-key password they enter the members page. This page has predefined link to the CI interface. The GP's web browser requests Apachiie web pages from the IDGP web server – for example, https://www.idgp.org.au/apachiie/ci/page1.html. The request is received by the redirector program on that web server. The redirector looks up the address in a map of Apachiie web sites, and determines that the actual URL required is http://ci.iahs.nsw.gov.au/ci/page1.html. While the GP’s browser waits for a response, the redirector program requests this page from the IAHS web server. This request also includes the username and password of the user, which the redirector looks up in the IDGP’s database. As the response is received from the IAHS, the redirector returns it to the GP’s browser. The returned page is also modified slightly, so that hyperlinks are translated from links to the IAHS (eg http://ci.iahs.nsw.gov.au/ci/images/pic.gif) to links to Apachiie (eg https://www.idgp.org.au/apachiie/ci/images/pic.gif).

To the GP’s browser, it looks as if the CI pages are all located on the IDGP server. This process is necessary because the IAHS web servers are not visible from the Internet.

In short the steps for a GP are;

  • Access IDGP members page

  • Enter I-key password for authentication

  • Select link to CI "with consent form"

  • Search for patient, open record, complete consent form

  • Use CI, I-path and PACS as normal

IDGP setup

The IDGP has a hardware firewall (Netscreen 10 VPN/Firewall) installed. Access is controlled through the use of policies. The Netscreen has 3 ports;

  • UN-trusted (Internet)

  • DMZ

  • Trusted (Local network)

The Web and e-mail server are located on the DMZ port of the Netscreen. Each of these ports has a distinctive IP address configuration, the

  • The un-trusted address range is 202..*

  • The DMZ address range id 192.*

  • The trusted address range is 10.*

 Network address translation is used to access the DMZ servers from the Internet. Server access is restricted to ports 80, 443, 25 and 110. Access to the local network is only possible from the DMZ IP range and is limited to specific ports also

IDGP process

Access to the members net is secured through a 128bit ssl connection, it is also restricted to access with digital certificates only. Once the user is authenticated and requests any data from the CI, I-path or PACS systems, the request is redirected from the IDGP web server to the IAHS server as described in GP process. Routing of the packets goes through the internal HDSL link between the IDGP and Wollongong hospital.

All access to the IAHS data is logged through redirector program and displays the web request and the internal request, it also displays the user's ikey information