Hi,
What is needed are several scenarios or use cases.
I think we need those for two situations at least:
- within an organisation
- between organisations
And then we need to take into account variations in possible architectures.
- With or without an Authorisation server
- The situation where information is polled from a system containing all
possible information
- The situation where information is published from a system containing all
information
Without a series of accepted restrictions the problem will be intractable.
(N persons, O Roles, P Participations, Q types of information, R exceptions
and S Contexts)
Gerard
On 2003-04-25 21:53, Thomas Beale thomas at deepthought.com.au wrote:
Hi Bill,
good questions
Security has been thought about, and is still being thought about!
Essentially there are a number of aspects:
A - what is the model of access control - the main problem here is
different definitions of roles in different bricks-and-mortar
institutions at which the one patient might appear (I shouldn't really
say bricks-and-mortar, since we include emergency health workers, social
workers, mobile nurses etc)
B - what is needed in the EHR architecture (i.e. what we call the
openEHR reference models) to support security/privacy requirements?
What is the granularity of privacy control required?
C - how is information to be protected when it moves?
D - the related issues of encryption, notarising (for legal protection
or investigation of previous clinical acts)
E - who sets the privacy settings which control how secure access occurs
at runtime?
We have not yet written a comprehensive document on this. However, we
think we know a fair few things, mainly based on the ideas of other
people. Work has been done at the DSTC in Australia on many aspects of
security, including a national PKI proposal. Bernd Blobel has probably
described security and health information in the most detail that I know
of, in his various papers and recent book. The US GCPR project probably
made more progress on security in the CPR than it did elsewhere.
So. What do we know?
- role-based access control is required. To make it work properly in a
shared care community context (e.g. a hospital, 50 GPs, aged care homes,
nursing care, social workers etc etc) then the roles need to be defined
congruently. I seem to remember some Canadian project coming to the
conclusion that really the roles need to be defined the same across the
entire (national) health care system. I think this is both correct and at
the same time unrealistic. I think we will be able to find ways of
having diversely defined roles without every health care facility having
incompatible definitions of consultant, treating physician etc.
Bernd's work on this area is pretty detailed.
- the EHR architecture does not need too much complexity added to
support consent-based secure access. We currently think it needs to have
the ability to store something like 'sensitivity' and access control
group id(s) at each 'significant' (i.e. not the smallest) node, the
lowest being the openEHR Entry. The access control groups will
themselves be defined in their own service.
- when the decision is being made at runtime to grant or deny access to
a certain part of the EHR to a certain user, the user role (already
authenticated etc etc) and access group ids in the piece of EHR
requested are compared to the access group definitions. Further, some
way of establishing _relevance_ of this user accessing that bit of the
EHR is required - i.e. the link between the patient and the user who is
a treating physician, or on a team providing care. Other users who are
not providing care would probably be treated differently. Certificates
would be created if access is granted; these might be time-limited
(again I think Bernd has experience in time-limited access); they might
be more like keys if we are talking about sending the data outside the
secure environment in the form of an encrypted extract.
- the patient or competent guardian must be the setter of consent, but
most likely with the professional advice of the physician.
- the problem of what categories or ways a patient could set consent is
hard to define - I don't think anyone has worked it out. If a patient
wants to say "exclude family from access to my mental health EHR items"
- which items are mental health? Some obviously are, but if other
mundane items are useful to mental health clinical professionals, do we
exclude them or not? Or do we allow the patient to set consent just
on individual items? This will not be realistic for most patients - they
would have to trawl the record after every addition setting consent all
over the place. Could it be set on the basis of problem? How does
"exclude all users except treating physicians from accessing HIV/AIDS
information" work? What information is HIV/AIDS related? Certain drug
prescriptions clearly are, but
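The runtime decision sketched in Thomas's post (a user's role and the access group ids carried by a 'significant' EHR node compared against group definitions held in their own service, a relevance check against the care relationship, a time-limited grant if access is allowed, and patient consent narrowing a group, as in the "only treating physicians may see HIV/AIDS information" case) as an added Python illustration. This is not code from the thread or from openEHR: every node name, group id, role, user, consent setting and grant lifetime below is a constructed value, and the choices that the text leaves open (non-carers are simply denied; a role needs to be permitted by at least one group on the node; entries without their own settings inherit from the nearest ancestor) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

# Constructed: how long a grant lives, shrinking with the node's sensitivity.
GRANT_LIFETIME = {
    "normal": timedelta(hours=8),
    "sensitive": timedelta(hours=1),
    "restricted": timedelta(minutes=15),
}

@dataclass
class Node:
    """A 'significant' EHR node (down to Entry level). A node that carries no
    sensitivity/groups of its own inherits them from the nearest ancestor (assumption)."""
    name: str
    sensitivity: Optional[str] = None
    groups: Optional[frozenset] = None
    children: list = field(default_factory=list)

def resolve(root: Node, target: str, sens="normal", groups=frozenset()):
    """Return (sensitivity, groups) in force at `target`, or None if absent."""
    sens = root.sensitivity or sens
    groups = root.groups or groups
    if root.name == target:
        return sens, groups
    for child in root.children:
        found = resolve(child, target, sens, groups)
        if found:
            return found
    return None

# Access control groups live in their own service; modelled here as a lookup of
# group id -> roles permitted by default (constructed values).
GROUP_SERVICE = {
    "general_care": frozenset({"treating_physician", "nurse", "gp"}),
    "hiv_team": frozenset({"treating_physician", "infectious_disease_specialist"}),
}

# Relevance: (patient, user) pairs with a current care relationship (constructed).
CARE_TEAM = {("patient-1", "dr-smith"), ("patient-1", "nurse-jones"), ("patient-1", "dr-lee")}

# Patient consent narrows a group to a subset of roles: the thread's
# "exclude all users except treating physicians from HIV/AIDS information".
CONSENT = {"patient-1": {"hiv_team": frozenset({"treating_physician"})}}

@dataclass
class Grant:
    """A time-limited, certificate-like record that access was granted."""
    user: str
    node: str
    token: str
    expires: datetime

def permitted_roles(patient: str, group: str) -> frozenset:
    roles = GROUP_SERVICE.get(group, frozenset())
    narrowed = CONSENT.get(patient, {}).get(group)
    return roles & narrowed if narrowed is not None else roles

def decide(root, patient, user, role, node_name, now):
    """Grant or deny `user` (already authenticated, acting in `role`) access to one node."""
    # 1. Relevance: only users in a care relationship are considered here.
    #    The post says non-carers would be 'treated differently'; this toy denies them.
    if (patient, user) not in CARE_TEAM:
        return None
    resolved = resolve(root, node_name)
    if resolved is None:
        return None
    sensitivity, groups = resolved
    # 2. Role vs the node's access groups, after consent narrowing (assumption:
    #    the role must be permitted by at least one group attached to the node).
    if not any(role in permitted_roles(patient, g) for g in groups):
        return None
    # 3. Issue a time-limited grant; lifetime shrinks with sensitivity.
    return Grant(user, node_name, secrets.token_hex(8), now + GRANT_LIFETIME[sensitivity])

def grant_valid(grant, now):
    return grant is not None and now < grant.expires

# Constructed EHR fragment: 'vitals' has no settings of its own, so it inherits
# the root's 'general_care' group; 'hiv_status' is restricted to the HIV team.
EHR = Node("ehr", "normal", frozenset({"general_care"}), [
    Node("consultation-2003-04", children=[
        Node("vitals"),
        Node("hiv_status", "restricted", frozenset({"hiv_team"})),
    ]),
])
T0 = datetime(2003, 4, 25, 21, 53, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, role, node in [("dr-smith", "treating_physician", "hiv_status"),
                             ("nurse-jones", "nurse", "vitals"),
                             ("nurse-jones", "nurse", "hiv_status"),
                             ("dr-lee", "infectious_disease_specialist", "hiv_status")]:
        g = decide(EHR, "patient-1", user, role, node, T0)
        print(user, node, "GRANT until %s" % g.expires if g else "DENY")
```

Running it shows the four cases from the post in turn: a treating physician on the care team gets a short-lived grant for the restricted entry, a nurse gets a long-lived grant for an ordinary entry via inheritance from the root, the same nurse is denied the HIV entry because the role is outside the group, and the infectious disease specialist, although in the group's default roles and on the care team, is denied because the patient's consent narrowed that group to treating physicians.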