Access to the health record
Draft report, ISO/TC215/WG1
Prepared by the New Zealand Delegation
Wednesday 21 June 2000, Vancouver, Canada
"something we could achieve ..."

From the TC215 Scope Statement
"Standardization in the field of information for health, and Health Information and Communications Technology, to achieve compatibility and interoperability between independent systems."

From the WG1 scope statement
- The scope of WG1 is to develop standards for the trusted management of information concerning health and the healthcare process.
- WG1 will address health record standards that are independent of setting and technology.
- The standards will enable the availability of the appropriate information at the place and time of decision.

From the WG1 scope statement: 'Terms of Reference'
- create a framework of standards that enables health information to be created, used and shared across any and all boundaries, including systems, jurisdictions, disciplines and professions
- adopt a consistent modelling approach across all health informatics standardization activities, based on an existing modelling notation
- include, but not be limited to, the content, structure and documentation of the health record, integration of patient information, interoperability and decision support

From the resolutions of the WG1 meeting, Tokyo, Nov. '99
- The agreed title of the Work Item is "Access to the Health Record"
- The objectives of this Work Item are to define concepts for modelling access, not to determine a set of rules for access
- A further recommendation was that the work item should lead to a 'technical report', not a 'specification', and that it should be done in collaboration with WG4.

Role of WG1 within ISO/TC215
- WG1 is the 'pilot' committee which should integrate the work of all working groups
- Interoperability is a key goal of the TC215 process, and of the access item in particular. In our view, this will demand solutions which are both simple and flexible
- Mention of a 'shared notation' indicates we should be developing 'concepts for modelling access', i.e. models
- UML was identified as an appropriate notation

Overview
- The ISO/TC215 process has a strictly defined time span; there is an urgent need for an accepted access model, and for its implementation
- We discuss policy issues and propose a model of/for EHR access
- An agreed access model would be of relevance to all WGs in the TC215 process

WG4 defined the task
- 'To define the essential elements of a health care public key infrastructure to support the secure transmission of health care information across national boundaries. The specification must be Internet based if it is to work across national boundaries.' (from the Technical Specification Draft for Secure Exchange of Health Information, February 2000)
- It seems likely that the public key infrastructure proposed by WG4 will provide the basis for implementation of a global system.
- The concept of 'attribute certificates' would seem to be crucial to the implementation of access control by 'role', and our task is to develop a model of the 'access' process which will enable that synthesis.

Beyond reviewing current concepts and practices, the 'access control' task for WG1 can thus be re-stated:
- To propose a global policy to both accommodate jurisdictional and national differences in access control and facilitate cross-border access
- To marry these concepts with the evolving work from WG4 (including the Technical Specification Draft for Secure Exchange of Health Information, February 2000)
(a brief anthropological detour...) The Definition of Social Man
- Different cultures have distinct views of social responsibility and distributive justice
- Western industrialised societies tend to emphasise individual autonomy
- Many others regard the concept of 'self' as more socially constituted
- In order to be truly international, an Access Standard would need to accommodate diverse definitions of self and society

The ISO Access Standard
- must contain a framework which permits diverse solutions to the age-old questions of self and society
- should facilitate exchange of health information between systems with different 'set up' configurations in the networks of rights, obligations, access, and privacy considerations that surround health records

The Concept of Ownership
- The concept of 'ownership', which can be deconstructed into rights and reciprocal obligations, is problematic when viewed cross-culturally
- A decision was taken by WG1 members at the Tokyo meeting, November 1999, to delete the ownership concept from the title of the work item

Review of international literature on access to health records
- We presented a critical overview of national standards and procedures, including an assessment of the extent of international consensus on principles relevant to access (please refer to the document on the WG1 web site: www.health.nsw.gov.au/iasd/imcs/iso-215/)
- Many OECD countries have broadly similar rules and restrictions regarding access, but: details vary considerably, and relatively little information is available about practices and procedures in other countries

Types of Access Control
- Client hostname and IP address restrictions
- User and password authentication
- Role Based Access Control
- Strong authentication techniques
- Digital and Attribute Certificates
- Public-private key encryption (e.g. PGP)

Role Based Access Control (RBAC)
- The decision to allow access to objects is based on the role of the user, rather than on permissions granted per user.
- The determination of role membership and the allocation of each role's capabilities are determined by the organisation's security policies.
Developing operational concepts and their interrelationships
- Roles and Rules
- Self-defining systems of roles
- The Role concept in Messaging
- The Role concept in Security processes

Rules and Roles
- Cultural concepts regulating access can be considered as sets of 'roles', and 'rules' relating those roles.
- Operationalizing is challenging and will show up redundancies and inconsistencies (e.g. David Jones' UK scenarios, see Form 4 attachment)
- Systems of roles and rules are mutually defining.
- Our task is not to try to evolve some sort of 'definitive set' but rather to develop a model that can accommodate different sets of rules and roles yet remain globally interoperable

Self-defining systems
- The concept of 'self-defining system' comes from linguistics, cybernetics etc. The game of chess is an example.
- The concept of 'roles' has its own extensive literature in sociology
- A truly international standard must accommodate and express cultural variation in such systems of roles

Maori concepts in Aotearoa/New Zealand
- The notion of an extended family group (whanau) helps to explain the Maori's greater collective interest/input bearing on access to personal information
- Infirm or incompetent individuals often have a 'minder' (Kai Awhina), consensually assigned by the whanau, who is then responsible for decisions relating to the individual's health care
- The whanau in practice may overrule the decision of an individual to undergo a medical procedure (e.g., abortion) based on cultural values and extensive social supports.

The Role concept in Messaging
- The concept of role is defined (Hinchley, CEN): "A role of a healthcare agent is undertaken in the context of their relationship with another agent".
- The 'messaging' standard role appears to comprise an agent, a context and an action.
- Thus a role can be considered a simple syntactic structure

The Role concept in WG4
- The WG4 paper uses the concept of 'role' in relation to 'attribute certificates'.
- Control decisions about request and disclosure can be rule-based, role-based and rank-based.
- 'Attribute certificates' supply role information bound to a health professional's public key.
- A health professional may have many of these, which reflect multiple roles.
- Attribute certificates are typically more short-lived than identity certificates
Minimum 'Access' Concept Set: Four Related Concepts
- Access
- Failure of Access
- Rights
- Obligations

Three irreducible outcomes
- Access: access criteria matched, information identified and available
- Failure of Access: information identified, access denied (PRIVACY)
- Failure of Access: information not identified to requester (SECRECY)
- Failure of Access may also occur because of system failure or because the information simply does not exist

The Access Control Matrix
- The level of rules and roles can be modelled at a higher level, triggering one of three outcomes
- This would depend on the match between the reasons for access offered by the request and the criteria required to access the target data.
- The computations involved can be modelled with an Access Control Matrix (ACM). This can have as many dimensions or variables as are found necessary.

The Generic ACM
- A generic ACM would specify the dimensionality of the variable space on which roles can be defined.
- It would not specify any particular role or rule set.
- Each jurisdiction would need to define this, although much is shared, e.g. across the OECD
- The generic ACM is EMPTY.

Jurisdictional boundaries
- Part of the scope is to develop concepts and models of EHR access control across jurisdictional and national boundaries.
- Differences in access control policies are one of the defining parameters separating jurisdictions.
- A jurisdictional boundary is not necessarily the same as a national boundary, and could be as small as a single provider
- Some big companies ignore present jurisdictional boundaries, or want to!
Requirements for EHR Access
- Availability
- Data Integrity
- Auditability
- Confidentiality
- Accessibility

Availability
- What: there should be some indexing system for classification and retrieval. (It is the task of WG3 to determine this)
- When: a method should be defined for regulating access to health information with respect to time.
- Who: personal identity information, regulating 'who' can access a demarcated segment of information, based on their role and the situation (e.g., urgent medical need for records).
- Where: there should be a location-of-source identifying system applied to health information, which determines where information can be accessed
- Why: there should be a 'reason for obtaining' information applied to demarcated segments of health information

Auditability
- EHR should be auditable, with regard to content and by an 'audit trail' of access (an 'access history' for health information should be traceable)
- It should be possible to discern modification/updating of EHR using version control

Data Integrity
- There should be processes which verify data as unchanged when communicated

Confidentiality
- Procedures should be in place which restrict access to health information by defined criteria (e.g. the 'what', 'when', 'who', 'where' and 'why' list above)
- The criteria, which may be culture- or jurisdiction-specific, must be able to be locally defined according to ethical precepts current in that jurisdiction. These may or may not include individual consent, depending on the situation

Interoperability
- There should be a process or processes mediating the exchange of health information at jurisdictional boundaries
- This should allow EHR to interoperate in a way that is truly global yet respects local customs and culture.
- It follows that the process should be both simple and amenable to customisation in different jurisdictions

Accessibility
- There should be open access to an EHR standard for suitably credentialled workers.
- Like a currency, the interoperable standard should not be owned or privately controlled
- ISO-compatible records should be able to be 'open source' in principle (if only because some record systems are!)

Policy or Model?
- Should this draft technical report on Access proceed further?
- Was the 'Technical Report' to be limited to WG1? We understood that it was to be collaborative with WG4
- In the absence of their input, we developed the matter further ourselves
- We believe that further progress depends on active collaboration
The Access Object Model
- Axiom 1: Data collection in medical practice occurs at the clinical interview and other clinical encounters.
- Axiom 2: Access to EHR and other health resources will be a significant determinant of how medical and personal narratives develop.
- Axiom 3: There is a need for a generic technique to de-identify data. This facility must be built in to any global system.

Access Objects 1
- We propose a class of metadata (data about data) objects, which are created alongside health data at the clinical encounter or interview
- These contain the referent to the data. They are "proxy" data objects
- Access to data is through them, employing public/private key encryption
- The audit trail is kept with the data.

Access Objects 2
- Access Objects could serve different schemata for data structure and architecture (USAM, CEN, GEHR etc.)
- They would also be functional for linkage to data objects with little formal structure, e.g. word-processed documents; this would serve technologically unsophisticated environments

Access Object attributes
- Patient ID
- Content definition / index
- Access Rules and Roles (ACM)
- Reference (address) to data
- Encryption keys

Request Object attributes
- Patient ID
- Request content template
- User ID
- User Role
- Reason for Access
- Consent (if applicable)

To Summarise the process
- The collection of clinical objects formed at the clinical encounter has an access object assigned to it.
- These contain a key to the data contained (patient ID), a content definition indicating the type of information contained in the object, the ACM applicable to the object, a reference by which the data can be located, and encryption keys
- The definition and grain of the clinical objects is not defined by the access system

Summary 2
- The Request Object made by the request manager would also contain encryption keys verifying the ID and role of the requesting agency, and the access rules for that role (what classes of data can be accessed, as well as a content template, and a statement of 'reasons for request').
- If the ACM of the access object, and the roles and reason for request as well as the content search criteria from the request object are met, the requesting agency gets access to the referent in the access object

Summary 3
- There is a final verification stage for the source of the requested data using the encryption key which is part of the access object, and then a 'secure socket' connection is established which permits exchange of data.
- This concept might bridge the work of WG1, 2 and 4, but WG3 would need to address content coding.
- The access objects might be web-based, stored on smart cards or other mobile media (WG5)
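As an added illustration (not part of the WG1 report), the following Python works through the Access Object / Request Object match described in the three summaries and the three irreducible outcomes, with the audit trail kept on the access object. The ACM dimensions (role, content class, reason, consent), the role and content-class names and the rule set are constructed sample values; the encryption-key and secure-socket steps are left out of this model.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Optional, Set, Tuple

# Illustrative model of the WG1 decision, not the report's code; names are constructed samples.

class Outcome(Enum):
    """The three irreducible outcomes of the draft report."""
    ACCESS = "access"            # criteria matched; information identified and available
    PRIVACY = "failure-privacy"  # information identified to requester, access denied
    SECRECY = "failure-secrecy"  # information not identified to requester at all


@dataclass(frozen=True)
class Rule:
    """One cell of a jurisdiction's ACM: `role` may obtain `content_class` for any
    reason in `reasons`; `needs_consent` makes individual consent a criterion."""
    role: str
    content_class: str
    reasons: FrozenSet[str]
    needs_consent: bool = False


@dataclass
class AccessControlMatrix:
    """The generic ACM is EMPTY; a jurisdiction fills it with its own roles and
    rules. Dimensions modelled here: role x content class x reason x consent."""
    rules: Set[Rule] = field(default_factory=set)

    def identified_classes(self, role: str, wanted: FrozenSet[str]) -> FrozenSet[str]:
        """Content classes the role may learn exist: any rule at all for that role."""
        return frozenset(r.content_class for r in self.rules
                         if r.role == role and r.content_class in wanted)

    def permits(self, role: str, content_class: str, reason: str, consent: bool) -> bool:
        """True when a rule matches role, class and reason, with consent if required."""
        return any(r.role == role and r.content_class == content_class
                   and reason in r.reasons and (consent or not r.needs_consent)
                   for r in self.rules)


@dataclass
class AccessObject:
    """Proxy metadata object created alongside the clinical data (attributes from
    the 'Access Object attributes' slide; encryption keys left out of this model)."""
    patient_id: str
    content_index: FrozenSet[str]    # content definition / index
    acm: AccessControlMatrix         # access rules and roles
    data_reference: str              # reference (address) to the data
    audit_trail: List[dict] = field(default_factory=list)  # audit trail kept with the data


@dataclass
class RequestObject:
    """Attributes from the 'Request Object attributes' slide."""
    patient_id: str
    content_template: FrozenSet[str]
    user_id: str
    user_role: str
    reason: str
    consent: bool = False


def evaluate(obj: AccessObject, req: RequestObject) -> Tuple[Outcome, Optional[str], FrozenSet[str]]:
    """Match a request against the access object's ACM and record the attempt.
    Returns (outcome, data reference or None, content classes released)."""
    # Identification stage: a wrong patient ID, a template hitting nothing in the index,
    # or a role with no rule for the matching classes leaves the information
    # unidentified to the requester: SECRECY (empty match treated like non-existent data).
    wanted = req.content_template & obj.content_index
    identified = obj.acm.identified_classes(req.user_role, wanted)
    if req.patient_id != obj.patient_id or not identified:
        outcome, ref, released = Outcome.SECRECY, None, frozenset()
    else:
        # Criteria stage: reason and consent must satisfy a rule per class; classes that
        # pass are released, and none passing means identified-but-denied: PRIVACY.
        released = frozenset(c for c in identified
                             if obj.acm.permits(req.user_role, c, req.reason, req.consent))
        outcome, ref = (Outcome.ACCESS, obj.data_reference) if released else (Outcome.PRIVACY, None)
    # Every attempt, granted or not, goes into the audit trail kept with the data.
    obj.audit_trail.append({"user": req.user_id, "role": req.user_role,
                            "reason": req.reason, "outcome": outcome.value})
    return outcome, ref, released


def sample_jurisdiction() -> AccessControlMatrix:
    """Constructed sample rule set; not any real jurisdiction's policy."""
    return AccessControlMatrix({
        Rule("treating-clinician", "medication", frozenset({"treatment", "emergency"})),
        Rule("treating-clinician", "mental-health", frozenset({"treatment"}), needs_consent=True),
        Rule("pharmacist", "medication", frozenset({"dispensing"})),
        # No rule names 'researcher': that role is never told these records exist.
    })


def sample_record() -> AccessObject:
    """Constructed access object for one fictitious clinical encounter."""
    return AccessObject("PT-0001", frozenset({"medication", "mental-health"}),
                        sample_jurisdiction(), "ehr://example.invalid/PT-0001/enc-2000-06-21")
```

Swapping in a different jurisdiction's rule set leaves `evaluate` unchanged, which is the sense in which the generic ACM is 'empty': the decision procedure is shared, the cells are local.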
Integration with WG4 model
- The proposed model would work by authentication of identities and roles occurring like 'welds' or 'rivets' in the ongoing process of medical work.
- In UML models of the access process, we can now identify where these 'rivets' occur.

The 'Access Object' model in UML notation
- These diagrams use this notation to express the concepts, and are not intended to specify an implementation
- The diagrams are incomplete because they do not specify the cardinality and multiplicity of the classes displayed; this is corrected in the latest version (19 June 2000)
Conclusion
- Our legitimate task is modelling the Access Process for the ISO standard
- Fair concordance is found in some models of the process, enough to start from.
- We have suggested a particular model, but it is not a specification, and the policy part of our document can be considered 'stand-alone'
- We advocate that the matter be explored further with WG2, 3, 4, and 5.

Policy or Implementation
- The comment has been made that we have presented an implementation rather than a policy statement.
- We remain convinced that a report which did not point the way toward an implementable standard would be a waste of time.
- Our work in pursuing the standard is preliminary, and is more in the domain of proposed policy than technical detail.
- Our hoped-for collaboration with WG4 is thus a logical necessity

Dangers of 'de facto' standards
- Small players excluded
- Culturally insensitive
- Interoperability problematic
- Inefficient use of resources (human, time)

The reality of cultural differences
- There is broad sympathy among Western industrialised nations in access policies, but...
- Many cultures, including some with ISO representation and others not well represented in TC215, see things differently.
- We require a solution which is flexible enough to allow for these cultural differences in roles and rules for 'access'

Global interoperability is the goal. What would it be like?
- It should be possible for health care workers, with the minimum of resources or technical sophistication other than their skills in health care, to create and use ISO compatible and conformant records.
- The standard should not be a barrier to healthcare, but should facilitate it.
- The simple process model described is argued to be, in some sense, necessary.

We should work to facilitate global healthcare
- But it will not happen of itself; we would need to decide to do it...
Dunedin accessppt

  • 1. Access to the health record Draft report ISO/TC215/WG1 Prepared by the New Zealand Delegation Wednesday 21 June 2000 Vancouver Canada something we could achieve ...
  • 2. From the TC215 Scope Statement “ Standardization in the field of information for health, and Health Information and Communications Technology, to achieve compatibility and interoperability between independent systems.”
  • 3. From the WG1 scope statement The scope of WG1 is to develop standards for the trusted management of information concerning health and the healthcare process. WG1 will address health record standards that are independent of setting and technology. The standards will enable the availability of the appropriate information at the place and time of decision.
  • 4. From the WG1 scope statement ‘Terms of Reference’ create a framework of standards that enables health information to be created, used and shared across any and all boundaries including systems, jurisdictions, disciplines and professions adopt a consistent modelling approach across all health informatics standardization activities, based on an existing modelling notation. include, but not be limited to, the content, structure and documentation of the health record, integration of patient information, interoperability and decision support
  • 5. From the resolutions of the WG1 meeting, Tokyo, Nov.’99 The agreed title of the Work Item is “Access to the Health Record” The objectives of this Work Item are to define concepts for modelling access, not to determine a set of rules for access A further recommendation was that the work item should lead to a 'technical report', not a 'specification’, and that it should be done in collaboration with WG4.
  • 6. Role of WG1 within ISO/TC215 WG1 is the ‘pilot’ committee which should integrate the work of all working groups Interoperability is a key goal of the TC215 process, and of the access item in particular. In our view, this will demand solutions which are both simple and flexible Mention of a ‘shared notation’ indicates we should be developing ‘concepts for modelling access’, ie Models UML was identified as an appropriate notation
  • 7. Overview The ISO/TC215 process has a strictly defined time span there is an urgent need for an accepted access model, and for its implementation We discuss policy issues and propose a model of/for EHR access An agreed access model would be of relevance to all WGs in the TC215 process
  • 8. WG4 defined the task 'To define the essential elements of a health care public key infrastructure to support the secure transmission of health care information across national boundaries. The specification must be Internet based if it is to work across national boundaries.’ from the Technical Specification Draft for Secure Exchange of Health Information, February 2000 It seems likely that the public key infrastructure proposed by WG4 will provide the basis for implementation of a global system. The concept of ‘attribute certificates’ would seem to be crucial to the implementation of access control by ‘role’, and our task is to develop a model of the ‘access’ process which will enable that synthesis.
  • 9. Beyond reviewing current concepts and practices, the ‘access control’ task for WG1 can thus be re-stated: To propose a global policy to both accommodate jurisdictional and national differences in access control and facilitate cross border access To marry these concepts with the evolving work from WG4 (including the Technical Specification Draft for Secure Exchange of Health Information, February 2000)
  • 10. (a brief anthropological detour…) The Definition of Social Man Different cultures have distinct views of social responsibility and distributive justice Western industrialised societies tend to emphasise individual autonomy Many others regard the concept of 'self' as more socially constituted In order to be truly international, an Access Standard would need to accommodate diverse definitions of self and society
  • 11. The ISO Access Standard - must contain a framework which permits diverse solutions to the age-old questions of self and society should facilitate exchange of health information between systems with different 'set up' configurations in the networks of rights, obligations, access, and privacy considerations that surround health records
  • 12. The Concept of Ownership The concept of ‘ownership’, which can be deconstructed into rights and reciprocal obligations, is problematic when viewed cross-culturally A decision was taken by WG1 members at the Tokyo meeting November 1999 to delete the ownership concept from the title of the work item
  • 13. Review of international literature on access to health records We presented a critical overview of national standards and procedures, including assessment of the extent of international consensus on principles relevant to access(please refer to this in the document on the WG1 web site) www.health.nsw.gov.au/iasd/imcs/iso-215/ many OECD countries have broadly similar rules and restrictions regarding access, but: details vary considerably, and relatively little information is available about practices and procedures in other countries
  • 14. Types of Access Control Client hostname and IP address restrictions User and password authentication Role based Access Control Strong authentication techniques Digital and Attribute Certificates Public-Private key encryption (eg PGP)
  • 15. Role Based Access Control (RBAC) The decision to allow access to objects is based on the role of the user, rather than on permission based on another user. The determination of the role membership and the allocation of each role's capabilities are determined by the organisation's security policies.
  • 16. Developing operational concepts and their interrelationships Roles and Rules Self–defining systems of roles The Role concept in Messaging The Role concept in Security processes
  • 17. Rules and Roles Cultural concepts regulating access can be considered as sets of ‘roles’, and ‘rules’ relating those roles. Operationalizing is challenging and will show up redundancies, inconsistencies (eg David Jones’ UK scenarios, see Form 4 attachment) Systems of roles and rules are mutually defining. Our task is not to try to evolve some sort of ‘definitive set’ but rather to develop a model that can accommodate different sets of rules and roles yet remain globally interoperable
  • 18. Self–defining systems The concept of ‘self defining system’ comes from linguistics, cybernetics etc. The game of chess is an example. The concept of ‘roles’ has its own extensive literature in sociology a truly international standard must accommodate and express cultural variation in such systems of roles
  • 19. Maori concepts in Aotearoa/New Zealand the notion of an extended family group ( whanau ) helps to explain the Maori’s greater collective interest/input bearing on access to personal information infirm or incompetent individuals often have a 'minder' ( Kai Awhina ) consensually assigned by the whanau , who is then responsible for decisions relating to, the individual's health care whanau in practice may overrule the decision of an individual to undergo a medical procedure (e.g., abortion) based on cultural values and extensive social supports.
  • 20. The Role concept in Messaging the concept of role is defined (Hinchley CEN "A role of a healthcare agent is undertaken in the context of their relationship with another agent". the ‘messaging’ standard role appears to comprise an agent , a context and an action . Thus a role can be considered a simple syntactic structure
  • 21. The Role concept in WG4 The WG4 paper uses the concept of ‘role’ in relation to ‘attribute certificates’. control decisions about request and disclosure can be rule-based, role-based and rank based . ‘ attribute certificate’ supply role information bound to a health professional’s public key. a health professional may have many of these, which reflect multiple roles. attribute certificates are typically more short lived than the identity certificates
  • 22. Minimum 'Access' Concept Set. Four related concepts: Access, Failure of Access, Rights, Obligations.
  • 23. Three irreducible outcomes. Access: access criteria matched, information identified and available. Failure of Access: information identified, access denied (PRIVACY). Failure of Access: information not identified to requester (SECRECY). Failure of Access may also occur because of system failure or because the information simply does not exist.
  • 24. The Access Control Matrix. The level of rules and roles can be modelled at a higher level, triggering one of three outcomes. This would depend on the match between the reasons for access offered by the request and the criteria required to access the target data. The computations involved can be modelled with an Access Control Matrix (ACM). This can have as many dimensions or variables as are found necessary.
  • 25. The Generic ACM. A generic ACM would specify the dimensionality of the variable space on which roles can be defined. It would not specify any particular role or rule set. Each jurisdiction would need to define this, although much is shared (eg OECD). The generic ACM is EMPTY.
  • 26. Jurisdictional boundaries. Part of the scope is to develop concepts and models of EHR access control across jurisdictional and national boundaries. Differences in access control policies are one of the defining parameters separating jurisdictions. A jurisdictional boundary is not necessarily the same as a national boundary, and could be as small as a single provider. Some big companies ignore present jurisdictional boundaries, or want to!
  • 27. Requirements for EHR Access. Availability, Data Integrity, Auditability, Confidentiality, Accessibility.
  • 28. Availability. What: there should be some indexing system for classification and retrieval (it is the task of WG3 to determine this). When: a method should be defined for regulating access to health information with respect to time. Who: personal identity information, regulating 'who' can access a demarcated segment of information, based on their role and the situation (e.g., urgent medical need for records). Where: there should be a location-of-source identifying system applied to health information, which determines where information can be accessed. Why: there should be a 'reason for obtaining' information applied to demarcated segments of health information.
  • 29. Auditability. EHR should be auditable, with regard to content and by an 'audit trail' of access (an 'access history' for health information should be traceable). It should be possible to discern modification/updating of EHR using version control.
  • 30. Data Integrity. There should be processes which verify data as unchanged when communicated.
  • 31. Confidentiality. Procedures should be in place which restrict access to health information by defined criteria (e.g. the 'what', 'when', 'who', 'where' and 'why' list above). The criteria, which may be culture- or jurisdiction-specific, must be able to be locally defined according to ethical precepts current in that jurisdiction. These may or may not include individual consent, depending on the situation.
  • 32. Interoperability. There should be a process or processes mediating the exchange of health information at jurisdictional boundaries. This should allow EHR to interoperate in a way that is truly global yet respects local customs and culture. It follows that the process should be both simple and amenable to customisation in different jurisdictions.
  • 33. Accessibility. There should be open access to an EHR standard for suitably credentialled workers. Like a currency, the interoperable standard should not be owned or privately controlled. ISO-compatible records should be able to be 'open source' in principle (if only because some record systems are!).
  • 34. Policy or Model? Should this draft technical report on Access proceed further? Was the 'Technical Report' to be limited to WG1? We understood that it was to be collaborative with WG4. In the absence of their input, we developed the matter further ourselves. We believe that further progress depends on active collaboration.
  • 35. The Access Object Model. Axiom 1: Data collection in medical practice occurs at the clinical interview and other clinical encounters. Axiom 2: Access to EHR and other health resources will be a significant determinant of how medical and personal narratives develop. Axiom 3: There is a need for a generic technique to de-identify data. This facility must be built in to any global system.
  • 36. Access Objects 1. We propose a class of metadata (data about data) objects, which are created alongside health data at the clinical encounter or interview. These contain the referent to the data; they are "proxy" data objects. Access to data is through them, employing public/private key encryption. The audit trail is kept with the data.
  • 37. Access Objects 2. Access Objects could serve different schemata for data structure and architecture (USAM, CEN, GEHR etc). They would also be functional for linkage to data objects with little formal structure, e.g. word-processed documents; this would serve technologically unsophisticated environments.
  • 38. Access Object attributes. Patient ID; Content definition / index; Access Rules and Roles (ACM); Reference (address) to data; Encryption keys.
  • 39. Request Object attributes. Patient ID; Request content template; User ID; User Role; Reason for Access; Consent (if applicable).
  • 40. To summarise the process. The collection of clinical objects formed at the clinical encounter has an access object assigned to it. These contain a key to the data contained (patient ID), a content definition indicating the type of information contained in the object, the ACM applicable to the object, a reference by which the data can be located, and encryption keys. The definition and grain of the clinical objects is not defined by the access system.
  • 41. Summary 2. The Request Object made by the request manager would also contain encryption keys verifying ID and role of the requesting agency, and the access rules for that role (what classes of data can be accessed), as well as a content template and a statement of 'reasons for request'. If the ACM of the access object, and the roles and reason for request as well as the content search criteria from the request object, are met, the requesting agency gets access to the referent in the access object.
  • 42. Summary 3. There is a final verification stage for the source of the requested data using the encryption key which is part of the access object, and then a 'secure socket' connection is established which permits exchange of data. This concept might bridge the work of WG1, 2 and 4, but WG3 would need to address content coding. The access objects might be web-based, stored on smart cards or other mobile media (WG5).
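The matching of a request object against an access object described on slides 38 to 41, together with the three outcomes of slide 23, as an added Python sketch that is not the delegation's code or any ISO artefact. The ACM layout (one rule per role listing permitted content classes, acceptable reasons and whether consent is required), the treatment of a role absent from the ACM as the SECRECY case, and all sample values are assumptions; encryption keys and the final verification stage are left out.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):          # the three irreducible outcomes of slide 23
    ACCESS = "access"         # criteria matched, data identified and available
    PRIVACY = "privacy"       # data identified to the requester, access denied
    SECRECY = "secrecy"       # existence of the data not disclosed to the requester

@dataclass(frozen=True)
class AcmRule:                # one cell of the ACM for one role (assumed layout)
    classes: frozenset        # content classes the role may read
    reasons: frozenset        # acceptable 'reasons for access'
    consent_required: bool    # must the request carry the individual's consent?

@dataclass
class AccessObject:           # slide 38 attributes (encryption keys omitted here)
    patient_id: str
    content_class: str        # content definition / index entry
    acm: dict                 # role -> AcmRule; a role absent here is never told the data exists
    reference: str            # address of the referent data (a plain string here)

@dataclass
class RequestObject:          # slide 39 attributes
    patient_id: str
    content_template: frozenset
    user_id: str
    user_role: str
    reason: str
    consent: bool = False

def decide(ao, req):          # returns (Outcome, reference or None)
    rule = ao.acm.get(req.user_role)
    if ao.patient_id != req.patient_id or rule is None:
        return Outcome.SECRECY, None      # not identified to this requester at all
    matched = (ao.content_class in req.content_template
               and ao.content_class in rule.classes
               and req.reason in rule.reasons
               and (req.consent or not rule.consent_required))
    return (Outcome.ACCESS, ao.reference) if matched else (Outcome.PRIVACY, None)

# Constructed sample: one medication record whose ACM knows two roles
MEDS = AccessObject("P-001", "medication",
    {"gp": AcmRule(frozenset({"medication", "notes"}), frozenset({"treatment"}), False),
     "researcher": AcmRule(frozenset({"medication"}), frozenset({"research"}), True)},
    "ehr://constructed-store/P-001/medication")

def demo():                   # GP treating, researcher without consent, role unknown to the ACM
    asks = [RequestObject("P-001", frozenset({"medication"}), "u1", "gp", "treatment"),
            RequestObject("P-001", frozenset({"medication"}), "u2", "researcher", "research"),
            RequestObject("P-001", frozenset({"medication"}), "u3", "billing", "treatment")]
    return [decide(MEDS, r)[0] for r in asks]
```

Because the jurisdiction-specific content lives entirely in the `AcmRule` cells, the generic matrix of slide 25 corresponds to an `acm` dict with no entries, which yields SECRECY for every request until rules are defined.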
  • 43. Integration with WG4 model. The proposed model would work by authentication of identities and roles occurring like 'welds' or 'rivets' in the ongoing process of medical work. In UML models of the access process, we can now identify where these 'rivets' occur.
  • 44. The 'Access Object' model in UML notation. These diagrams use this notation to express the concepts, and are not intended to specify an implementation. The diagrams are incomplete because they do not specify the cardinality and multiplicity of the classes displayed; this is corrected in the latest version (19 June 2000).
  • 47. Conclusion. Our legitimate task is modelling the Access Process for the ISO standard. Fair concordance is found in some models of the process, enough to start from. We have suggested a particular model, but it is not a specification, and the policy part of our document can be considered 'stand alone'. We advocate that the matter be explored further with WG2, 3, 4 and 5.
  • 48. Policy or Implementation. The comment has been made that we have presented an implementation rather than a policy statement. We remain convinced that a report which did not point the way toward an implementable standard would be a waste of time. Our work in pursuing the standard is preliminary, and is more in the domain of proposed policy than technical detail. Our hoped-for collaboration with WG4 is thus a logical necessity.
  • 49. Dangers of 'de facto' standards. Small players excluded; culturally insensitive; interoperability problematic; inefficient use of resources (human, time).
  • 50. The reality of cultural differences. There is broad sympathy among Western industrialised nations in access policies, but many cultures, including some with ISO representation and others not well represented in TC215, see things differently. We require a solution which is flexible enough to allow for these cultural differences in roles and rules for 'access'.
  • 51. Global interoperability is the goal. What would it be like? It should be possible for health care workers, with the minimum of resources or technical sophistication other than their skills in health care, to create and use ISO-compatible and conformant records. The standard should not be a barrier to healthcare, but should facilitate it. The simple process model described is argued to be in some sense necessary.
  • 52. We should work to facilitate global healthcare. But it will not happen of itself; we would need to decide to do it...