Security & Privacy with openEHR

Hi All,

I'm just beginning a research project on
security/privacy/confidentiality in EHRs. I will greatly appreciate any
pointers to any material on this topic, especially with respect to
openEHR.

I've just noted that in the US, HIPAA is driving
security/privacy/confidentiality implementations in existing EHR systems
and it seems it is turning out to be a policy/framework-level security
standard for EHRs in the US that does not prescribe implementation
issues. I am not sure whether or not EHR standards that incorporate
HIPAA compliance have emerged yet.

In the EU region, the situation seems different in the absence of
HIPAA-type punitive legislation for enforcing healthcare information
security and privacy. A number of EHR standards generally incorporate
security and privacy considerations. I am not sure whether there are any
security and privacy compliance requirements spec standards and
implementation (incl. openEHR) in the EU region. I will appreciate any
pointer to material in this regard.

Thank you in advance

Regards

Greetings

How, specifically, can we help you? We maintain an open copy of our distribution so you can look to see how privacy is maintained. Security and privacy are not the same. What sort of project are you doing?

I hope we can help you.

Dear colleague,

In Europe there is a European Directive (law) on privacy.

The European standard for the EHR (CEN/tc251 EN13606 and also an ISO standard by now) has incorporated several other European and ISO standards:

  • ISO 18308: requirements for EHR architectures
  • ISO 22600 Privilege Management and Access Control
  • CEN EN 13606 part 4

It is for these reasons that European based EHR standards are unique because Patient Safety and Privacy are part of the design requirements from the start.

For more information search the CEN and ISO standardization organisation websites.
Too few people from the USA do that.

Gerard Freriks


--
Gerard Freriks, MD
Huigsloterdijk 378
2158 LR Buitenkaag
The Netherlands

T: +31 252544896
M: +31 620347088
E: gfrer@luna.nl

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Dr. Irving Buchbinder,

The long-term goal of the project is to develop a standards-based EHR
system and a patient-maintained EPR system such that the two will be
able to interact with each other. We are at the initial point where we
are reviewing existing EHR/EPR systems and standards around the world
with the aim of making informed choices. My specific responsibility at
this point happens to be investigating security, privacy and
confidentiality aspects of healthcare information management. I am new
to both computer security and healthcare information security, privacy
and confidentiality - I'm just taking my initial steps in these domains.

True, security and privacy are not the same. I have noted that in
literature on EHR/EPR, there is reference to "security and privacy" and
sometimes to "privacy and confidentiality". I am not sure whether these
references refer to the terms' meaning in computer security or in
healthcare profession/domain or whether or not the terms mean the same
in both domains. We welcome technical clarification of these concepts
(security, privacy and confidentiality) in the context of healthcare
information management and/or EHRs.

I am currently studying your distribution.

Thank you

Regards

Hi Gerard Freriks,

Thank you for your informative response.

There is indeed an EU Directive on Privacy w.r.t processing of personal
data which I found here
http://www.cdt.org/privacy/eudirective/EU_Directive_.html (unofficial)
and
http://eur-lex.europa.eu/LexUriServ/site/en/oj/2001/l_008/l_00820010112en00010022.pdf (official). Any pointers on how this directive has been translated into privacy requirements for EHRs standards and systems within the EU?

I got the CEN/tc251 EN13606 from
http://www.chime.ucl.ac.uk/resources/CEN/EN13606-1/ That patient safety
and privacy as well as input from openEHR and other European standards
were part of its design is quite attractive! I will now take a close
look at it.

Thank you for these useful pointers.

Regards

Hi Kudawashe,

I'm finishing up my PhD is a similar area. You might find the following
publications of use:

Fernando, J. & Dawson, L. (2008) Clinician assessments of workplace
security training - an informatics perspective, electronic Journal of
Health Informatics (eJHI), (forthcoming Privacy and Security issue)

Fernando, J. (2004) Factors that have contributed to a lack of
integration in health information system security, Journal of
Information Technology in Healthcare, (2)5 pp. 313-328

A third publication is currently under consideration and I have a few
conference presentations on IT security for healthcare too- I'm happy to
send the PPTs if they might be useful to you.

Cheers

Juanita

Kudakwashe Dube wrote:

Hi Kuda

This is an interesting area. Our approach in the openEHR development space has been:

  • To try and get a set of ‘relative roles’ accepted (presented at ISO) across the health environment to enable standardised policies to be available for people passing health information to a particular environment. These included concepts such as:
      • Guardian
      • Trusted clinician
      • Clinician
      • Administration
      • Subject of data (to allow exclusion under special circumstances)
  • To allow access control to be specified in terms of such roles (or roles specific to an institution) to whatever level of granularity is deemed appropriate.
  • To be involved in ongoing discussions in this area.

My present position is:

  1. Access control policies must be written at each location in language that an ordinary person can understand - hence the five relative roles. This probably needs to be done in terms of a known standard EHR architecture or it is just words.

  2. That the EHR is divided into three core folders (openEHR speak):
      1. a public folder that can be accessed without further patient provided authority (severe allergies or whatever else the person wants)
      2. the normal confidential record that requires specific access permission (default location)
      3. a highly confidential area where patients can put compositions that require a further authorisation process.

     The mechanism for getting to level 1, 2 or 3 access will depend on the service environment, and whether the person carries their own record or it is on a web site somewhere.

  3. Limiting access control within a committed composition (openEHR speak) or document is of dubious safety and I do not believe it is acceptable to clinicians. Here we might see a report from a cardiologist with a bit missing, or a medication list with one omitted. This will mean clinicians have to ask everyone they see every time they see them as they will not be able to rely on the EHR. And automated decision support becomes a nightmare! So it is important to keep access coherent and for clinicians to be able to trust what they can see.

Cheers, Sam


You might find IHE's paper on this of interest:

http://www.ihe.net/Technical_Framework/upload/IHE_ITI_Whitepaper_Security_and_Privacy_2007_07_18.pdf

If you are interested in grid services for healthcare,
perhaps also the caBIG security technology evaluation at:

https://cabig.nci.nih.gov/workspaces/Architecture/Security_Tech_Eval_White_Paper

David

Hi,

Thank you for these useful links, especially the IHE white paper.

Regards

Juanita,

I will be looking forward to your PhD Thesis once it becomes publicly
available!!

Regards

Hi Dr Sam Heard

Thank you for this informative exposé.

This is an interesting area. Our approach in the openEHR development
space has been:
      * To try and get a set of 'relative roles' accepted (presented
        at ISO) across the health environment to enable standardised
        policies to be available for people passing health information
        to a particular environment. These included concepts such as:
              * Guardian
              * Trusted clinician
              * Clinician
              * Administration
              * Subject of data (to allow exclusion under special
                circumstances)

I am particularly interested in Role-Based Access Control (RBAC)
approaches and methods for healthcare information systems - roles being
a prominent feature of the healthcare environment. I think the fact that
policies could be developed, formalised and made publicly available is
quite important.

              * To allow access control to be specified in terms of
                such roles (or roles specific to an institution) to
                whatever level of granularity is deemed appropriate.

It would be interesting to see role-based security approaches and
methods within the context of existing EHR standards (e.g., openEHR) and
their implementations.

     1. Access control policies must be written at each location in
        language that an ordinary person can understand - hence the
        five relative roles. This probably needs to be done in terms
        of a known standard EHR architecture or it is just words.

To what extent can the RBAC work in SELinux help to inform standard EHR
implementations? Would these be totally different and is this link way
off the mark - SELinux being an OS-level implementation of RBAC
policies?

     1. That the EHR is divided into three core folders (openEHR
        speak)
             1. a public folder that can be accessed without further
                patient provided authority (severe allergies or
                whatever else the person wants)
             2. the normal confidential record that requires specific
                access permission (default location)
             3. a highly confidential area where patients can put
                compositions that require a further authorisation
                process.
                
This would probably be an "EHR zone vs Security level" scheme used in
combination or within the context of the RBAC security scheme. This
would also probably imply definition of system default "zone/level"
access rights. I am wondering whether or why RBAC alone is not enough,
especially where there is enough flexibility at each level of
granularity of the EHR. Also, to what extent would the "zoning" of the
EHR be that clear-cut in terms of privacy and confidentiality? Is this
not too rigid a structure for the EHR? I was also wondering whether
flexibility and finer granularity could be achieved by having such a
security zone/level scheme in each folder/sub-folder such that for each
folder there are these three levels, or alternatively the levels could be
mutually exclusive tags for each item of the EHR.

                The mechanism for getting to level 1, 2 or 3 access
                will depend on the service environment, and whether
                the person carries their own record or it is on a web
                site somewhere.

Question: Do security and privacy concerns differ with service
environment and/or physical location of the EHR?

     1. Limiting access control within a committed composition
        (openEHR speak) or document is of dubious safety and I do not
        believe it is acceptable to clinicians. Here we might see a
        report from a cardiologist with a bit missing, or a medication
        list with one omitted. This will mean clinicians have to ask
        everyone they see every time they see them as they will not be
        able to rely on the EHR. And automated decision support
        becomes a nightmare! So it is important to keep access
        coherent and for clinicians to be able to trust what they can
        see.

This does shed some light on some of what I said above. Would it help
if access permissions are granted in a durative manner and access rights
are hierarchical, prioritised, role-based and scoped such that there is a
scheme for auto-granting of rights that ensures that a cardiologist with
sufficient permissions always gets all the info he needs to create a
full report? However, auto-granting of rights may imply need for
decision support.

Regards

Kudakwashe Dube wrote:

It would be interesting to see role-based security approaches and
methods within the context of existing EHR standards (e.g., openEHR) and
their implementations.

This is happening in openEHR. You will note that the current version of
openEHR has an EHR_ACCESS class in it (see
http://www.openehr.org/uml/release-1.0.1/Browsable/_9_0_76d0249_1109004889781_854011_47Report.html)
whose settings are defined by another class ACCESS_CONTROL_SETTINGS (see
http://www.openehr.org/uml/release-1.0.1/Browsable/_9_5_1_76d0249_1155650882301_836618_5314Report.html).
In a future release, this latter class will be specialised into classes
representing the CEN EN13606-4 security model, the ISO PMAC model and
other access control models that the EHR community wants to use. Because
of the use of versioning in openEHR, a given EHR can start using one
kind of Access control, and switch to a different model later on.

The actual implementation of this in a real system of course requires
some security trickery, i.e. to prevent software or users bypassing the
access control settings. It will require at least partial encryption of
the data, based on keys that are provided to certain individuals or
groups according to the access control list.

     1. Access control policies must be written at each location in
        language that an ordinary person can understand - hence the
        five relative roles. This probably needs to be done in terms
        of a known standard EHR architecture or it is just words.
    
To what extent can the RBAC work in SELinux help to inform standard EHR
implementations? Would these be totally different and is this link way
off the mark - SELinux being an OS-level implementation of RBAC
policies?
  

well the roles won't match, and in a distributed environment, it could
easily be the case that some users who access patient X's record at
location B are not known as users at all at location A, where a copy of
patient X's record exists as well.

  

     1. That the EHR is divided into three core folders (openEHR
        speak)
             1. a public folder that can be accessed without further
                patient provided authority (severe allergies or
                whatever else the person wants)
             2. the normal confidential record that requires specific
                access permission (default location)
             3. a highly confidential area where patients can put
                compositions that require a further authorisation
                process.
                
This would probably be an "EHR zone vs Security level" scheme used in
combination or within the context of the RBAC security scheme. This
would also probably imply definition of system default "zone/level"
access rights. I am wondering whether or why RBAC alone is not enough,
especially where there is enough flexibility at each level of
granularity of the EHR. Also, to what extent would the "zoning" of the
EHR be that clear-cut in terms of privacy and confidentiality? Is this
not too rigid a structure for the EHR? I was also wondering whether
flexibility and finer granularity could be achieved by having such a
security zone/level scheme in each folder/sub-folder such that for each
folder there are these three levels, or alternatively the levels could be
mutually exclusive tags for each item of the EHR.
  

Many people have thought of schemes like this. The problem is not that
they won't work, it's just that they won't work for patients or
physicians. If EHR security is not a) comprehensible to both patients
and carers and b) designed so that it is efficiently settable (i.e.
without wasting much time during consultations) then it just won't be used.

                The mechanism for getting to level 1, 2 or 3 access
                will depend on the service environment, and whether
                the person carries their own record or it is on a web
                site somewhere.
    
Question: Do security and privacy concerns differ with service
environment and/or physical location of the EHR?
  

Not really; the model should allow a patient to regard all health carers
and users of her EHR as just belonging to the one 'health system'. If
local models of access control are going to be used, it won't work for a
distributed patient record.

This does shed some light on some of what I said above. Would it help
if access permissions are granted in a durative manner and access rights
are hierarchical, prioritised, role-based and scoped such that there is a
scheme for auto-granting of rights that ensures that a cardiologist with
sufficient permissions always gets all the info he needs to create a
full report? However, auto-granting of rights may imply need for
decision support.

Or Artificial Intelligence :wink: See what I said above.

- thomas beale
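As an added illustration (not code from the openEHR project or from any of the posters), here is a small model of the scheme Sam and Thomas describe: the five relative roles, the three folders/zones, a versioned holder standing in for EHR_ACCESS whose ACCESS_CONTROL_SETTINGS can be replaced without losing history, and a read decision taken per committed composition so that a medication list is returned whole or not at all. Class and field names, the default policy, and the idea that the zone-3 "further authorisation" is a patient-issued grant are all assumptions made here.

```python
from dataclasses import dataclass, field
from enum import Enum


class Zone(Enum):
    """Sam's three core folders, numbered as his access levels 1-3."""
    PUBLIC = 1                 # readable without further patient authority
    CONFIDENTIAL = 2           # default location, needs specific permission
    HIGHLY_CONFIDENTIAL = 3    # needs a further authorisation step


# The five 'relative roles' from Sam's post.
RELATIVE_ROLES = frozenset(
    {"guardian", "trusted_clinician", "clinician", "administration", "subject"})


@dataclass(frozen=True)
class Composition:
    """A committed composition: disclosed whole or not at all."""
    uid: str
    zone: Zone
    entries: tuple


@dataclass(frozen=True)
class AccessControlSettings:
    """Hypothetical stand-in for ACCESS_CONTROL_SETTINGS (names assumed).
    zones_by_role: zones each relative role may read.
    grants: (role, composition uid) pairs satisfying the zone-3
    'further authorisation' step (assumed here to be patient-issued)."""
    zones_by_role: dict
    grants: frozenset = field(default_factory=frozenset)

    def permits(self, role: str, comp: Composition) -> bool:
        if role not in RELATIVE_ROLES:
            raise ValueError(f"unknown relative role: {role}")
        if comp.zone not in self.zones_by_role.get(role, ()):
            return False
        if comp.zone is Zone.HIGHLY_CONFIDENTIAL:
            return (role, comp.uid) in self.grants
        return True


class EhrAccess:
    """Stand-in for EHR_ACCESS: every settings version is kept and the
    newest governs, so the access model can change without losing history."""

    def __init__(self, initial: AccessControlSettings):
        self.versions = [initial]

    def commit(self, settings: AccessControlSettings) -> int:
        self.versions.append(settings)
        return len(self.versions)          # new version number

    def read(self, role: str, comp: Composition):
        # Decided per committed composition, never per entry: a medication
        # list is never handed back with one item silently omitted.
        return comp.entries if self.versions[-1].permits(role, comp) else None


# Constructed default policy for trying the model (an assumption, not openEHR's).
ALL_ZONES = frozenset(Zone)
DEFAULT_SETTINGS = AccessControlSettings({
    "subject": ALL_ZONES, "guardian": ALL_ZONES, "trusted_clinician": ALL_ZONES,
    "clinician": frozenset({Zone.PUBLIC, Zone.CONFIDENTIAL}),
    "administration": frozenset({Zone.PUBLIC})})
```

Committing a second settings version that adds a grant for one composition is how a zone-3 item becomes readable; the earlier version stays in the history.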

Hiya Kuda,
One of the articles I mentioned has been published and may provide some
useful background. It is from a clinician's perspective and concerns
workplace informatics privacy and security training with regard to
e-health:
Juanita Fernando, Linda Dawson.
Clinician assessments of workplace security training- an informatics
perspective.
electronic Journal of Health Informatics, 2008; 3(1): e7.
http://www.ejhi.net

It is a special issue of the open source publication, focusing on
Privacy and Security and guest-edited by Peter Croll.

Cheers

Juanita

Kudakwashe Dube wrote:

Juanita,

Thank you, I got the paper.

Regards

Hi Beale,

Thanks for these useful comments.

That openEHR is flexible enough to allow versions of the EHR that can
each allow a different access control approach/mechanism is quite
interesting.

Regards

Dear Mr Kudakwashe,
you might find the standard ISO/FDIS 27799 under development,
Health informatics -- Information security management in health using
ISO/IEC 27002
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41298

Best Regards,

Anna Medve

medve@almos.vein.hu
www.irt.vein.hu/medve
T:+36 88 62 48 14
F:+36 88 62 45 26
M: 30/322-9923
University of Pannonia
Faculty of Information Technology
Department of Information Systems
Egyetem u. 10. H-8201 Veszprém
Hungary