Access logging issue

Hi everyone,

In the openEHR documentation, in section 7.3.2.2. Access Control of the Architecture Overview, it states “Access logging - read accesses by application users to EHR data should be logged in the EHR system. Currently, openEHR does not specify models of such logs, but might do so in the future. {…}” Is this security principle being considered? How could it be implemented? This access control is important to us in order to comply with the GDPR.

Thanks.

1 Like

To my knowledge, in practical terms, that would be something like IHE ATNA, since openEHR itself doesn’t have that.

Yes, I can confirm that we are using ATNA logs in our platform (see in the feature matrix under “Security”): HIP CDR: The open SaaS platform - vitagroup HIP

1 Like

This part of the spec really needs to be updated.

As others have said, access logging is best handled outside the context of the EHR by ATNA, which is the industry standard.

In practice also, most implementers appear to handle other parts of access control outside the EHR, e.g. by an ABAC server, albeit that control of access to granular parts of the record can be applied by using AQL paths as part of the ABAC rules.
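
An added sketch, not from any poster in this thread or from the openEHR or IHE specifications, of the arrangement the replies describe: an access decision made on AQL path prefixes outside the EHR, with every read attempt written to an audit log. Field names are borrowed from the ATNA audit message vocabulary; the JSON layout, the rule table, the `ParticipantObjectDetail` usage and all identifiers are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed ABAC policy: role -> AQL path prefixes that role may read.
RULES = {
    "nurse": ["/content[openEHR-EHR-OBSERVATION.blood_pressure.v1]"],
    "physician": ["/content"],
}

def is_permitted(role, aql_path):
    """Allow only if the path equals a granted prefix or continues it at a segment boundary."""
    for prefix in RULES.get(role, []):
        if aql_path == prefix or aql_path.startswith((prefix + "/", prefix + "[")):
            return True
    return False

def audit_record(user_id, role, ehr_id, aql_path, permitted):
    """Build one audit event; field names follow the ATNA audit message (simplified JSON)."""
    return {
        "EventIdentification": {
            "EventID": "110110",            # DICOM code: Patient Record
            "EventActionCode": "R",         # Read
            "EventDateTime": datetime.now(timezone.utc).isoformat(),
            "EventOutcomeIndicator": 0 if permitted else 4,  # 0 success, 4 minor failure
        },
        "ActiveParticipant": {"UserID": user_id, "RoleIDCode": role},
        "ParticipantObjectIdentification": {
            "ParticipantObjectID": ehr_id,
            "ParticipantObjectTypeCode": 1,      # person
            "ParticipantObjectTypeCodeRole": 1,  # patient
            "ParticipantObjectDetail": {"aql_path": aql_path},  # assumption: path kept as detail
        },
    }

def read_with_audit(log, user_id, role, ehr_id, aql_path):
    """Decide, then log the attempt whether or not it was allowed."""
    permitted = is_permitted(role, aql_path)
    log.append(json.dumps(audit_record(user_id, role, ehr_id, aql_path, permitted)))
    return permitted

if __name__ == "__main__":
    log = []
    ehr = "ehr-0001"  # constructed identifier
    read_with_audit(log, "u17", "nurse", ehr, "/content[openEHR-EHR-OBSERVATION.blood_pressure.v1]/data")
    read_with_audit(log, "u17", "nurse", ehr, "/content[openEHR-EHR-EVALUATION.problem_diagnosis.v1]")
    print("\n".join(log))
```

Denied attempts are logged with a non-zero outcome as well, so a later review shows who tried to read what, not only who succeeded.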