Hi Dr Sam Heard
Thank you for this informative expose.
This is an interesting area. Our approach in the openEHR development
space has been:
* To try and get a set of 'relative roles' accepted (presented
at ISO) across the health environment to enable standardised
policies to be available for people passing health information
to a particular environment. These included concepts such as:
* Guardian
* Trusted clinician
* Clinician
* Administration
* Subject of data (to allow exclusion under special
circumstances)
I am particularly interested in Role-Based Access Control (RBAC)
approaches and methods for healthcare information systems - roles being
a prominent feature of the healthcare environment. I think the fact that
policies could be developed, formalised and made publicly available is
quite important.
* rol to be specified in terms of such roles (or roles
specific to an institution) to whatever level of
granularity is deemed appropriate.
It would be interesting to see role-based security approaches and
methods within the context of existing EHR standards (e.g., opnEHR) and
their implementations.
1. Access control policies must be written at each location in
language that an ordinary person can understand - hence the
five relative roles. This probably needs to be done in terms
of a known standard EHR architecture or it is just words.
To what extent can the RBAC work in SELinux help to inform standard EHR
implementations? Would these be totally different and is this link way
off the mark - SELinux being an OS-level implementation of RBAC
policies?
1. That the EHR is divided into three core folders (openEHR
speak)
1. a public folder that can be accessed without further
patient provided authority (severe allergies or
whatever else the person wants)
2. the normal confidential record that requires specific
access permission (default location)
3. a highly confidential area where patients can put
compositions that require a further authorisation
process.
This would probably be a "EHR zone vs Security level" scheme used in
combination or within the context of the RBAC security scheme. This
would also probably imply definition of system default "zone/level"
access rights. I am wondering whether or why RBAC alone is not enough,
especially, where there is enough flexibility at each level of
granularity of the EHR. Also to what extent would be the "zoning" of the
EHR be that clear-cut in terms of privacy and confidentiality? Is this
not too rigid a structure for the EHR? I was also wondering whether
flexibility and finer granularity could be achieved by having such a
security zone/level scheme in each folder/sub-folder such that for each
folder there are these three levels or altermatively the levels could be
mutually exclusive tags for each item of the EHR.
The mechanism for getting to level 1, 2 or 3 access
will depend on the service environment, and whether
the person carries their own record or it is on a web
site somewhere.
Question: Do security and privacy concerns differ with service
environment and/or physical location of the EHR?
1. Limiting access control within a committed composition
(openEHR speak) or document is of dubious safety and I do not
believe it is acceptable to clinicians. Here we might see a
report from a cardiologist with a bit missing, or a medication
list with one omitted. This will mean clinicians have to ask
everyone they see every time they see them as they will not be
able to rely on the EHR. And automated decision support
becomes a nightmare! So it is important to keep access
coherent and for clinicians to be able to trust what they can
see.
This does shade some light on some of what I said above. Would it help
if access permissions are granted in a durative manner and access rights
are hierachical, prioritised, role-based and scoped such that there is a
scheme for auto-granting of rights that ensures that a cardiologist with
sufficient permissions always gets all the info he needs to create a
full report? however, auto-granting of rights may imply need for
decision support.
Regards