Clinical Information Security - The norm EN ISO 13606
Unidad de Investigación en Telemedicina y eSalud, Instituto de la Salud Carlos III, Madrid - Spain
Clinical information and security
- Non-repudiation
- Integrity
- Anonymity
- Audit
- Access control
Norm EN ISO 13606
- Objective: to provide semantic interoperability for the transmission of Electronic Health Records.
- Developed by the EHRCom Task Force inside TC 251 (WG1) of CEN.
- Very sound background: ISO 18308, the dual model approach, ENV 13606, research projects, ...
Norm EN ISO 13606
EN13606 has 5 parts:
1. Reference model
2. Archetype interchange specification
3. Reference archetypes and term lists
4. Security
5. Interface specification
Policies
There are several sources:
- National policies: legislation
- Professional policies: scientific associations
- Organization policies: health care areas, hospitals
- Software policies: applications
From an international point of view (normalization) it is very difficult to establish common policies, so an international norm can't prescribe the policies. It should provide a consistent framework to develop them.
13606: Reference Model
Archetypes
The reference model doesn't guarantee semantic interoperability.
Archetypes model the domain concepts by constraining the reference model:
- determining the reference model classes to be used
- fixing names and meanings
- restricting the value range
- fixing default values
Archetypes are a formal mechanism to interchange knowledge.
Double model approach (diagram)
- Information side: reference model -> instances -> data
- Knowledge side: archetype model -> instances -> archetypes
- Archetypes are based on the reference model and restrict the data at run time
Security in EN13606
- The norm doesn't impose policies
- The norm provides tools
- The norm supposes that the environment is, in some way, compatible with ISO 22600 (PMAC, Privilege Management and Access Control, functional roles), that communications are encrypted, that physical access to the systems is controlled, ...
Non-repudiation, Integrity
All clinical classes derive from RECORD_COMPONENT, so any data can be signed and authenticated.
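Because every clinical class derives from RECORD_COMPONENT, one canonical serialisation can be protected whatever the level of the tree (a COMPOSITION, a SECTION or a single ENTRY). The Python below is an added illustration, not code from the standard or from the presentation; the component layout, the key and the field name integrity_tag are constructed for the example. It uses an HMAC, which gives integrity and authentication to anyone holding the shared key; non-repudiation proper needs a digital signature with the author's private key over the same canonical bytes, which is the one step this example leaves out.

```python
"""Integrity tag over a RECORD_COMPONENT tree (added illustration, not the
standard's mechanism). The tag covers the canonical serialisation of the
whole component, nested members included, so a change anywhere in the
tree is detected. HMAC gives integrity and authentication to holders of the
shared key; non-repudiation would need a digital signature over the same
canonical bytes with a private key held only by the author."""
import hashlib
import hmac
import json


def canonical_bytes(component: dict) -> bytes:
    # Sorted keys and fixed separators: the same content always yields the
    # same bytes, independent of dict ordering or whitespace. Nested
    # RECORD_COMPONENTs are covered because json.dumps recurses into them.
    return json.dumps(component, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_component(component: dict, key: bytes) -> dict:
    """Return a copy of the component carrying an HMAC-SHA256 integrity tag."""
    tag = hmac.new(key, canonical_bytes(component), hashlib.sha256).hexdigest()
    return {**component, "integrity_tag": tag}


def verify_component(signed: dict, key: bytes) -> bool:
    """Recompute the tag over everything except the tag itself; constant-time compare."""
    body = {k: v for k, v in signed.items() if k != "integrity_tag"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("integrity_tag", ""))


# Constructed sample: a COMPOSITION holding one SECTION with one ENTRY.
COMPOSITION = {
    "rc_type": "COMPOSITION", "rc_id": "comp-0001", "archetype": "GP contact",
    "sensitivity": 3, "committer": "Fred2714",
    "content": [{"rc_type": "SECTION", "rc_id": "sec-0001", "name": "Assessment",
                 "members": [{"rc_type": "ENTRY", "rc_id": "ent-0001",
                              "name": "Asthma contact", "value": "well controlled"}]}],
}
KEY = b"constructed-demo-key-not-for-production"


def demo() -> tuple:
    """(verifies before tampering, verifies after tampering a nested ENTRY)."""
    signed = sign_component(COMPOSITION, KEY)
    ok_before = verify_component(signed, KEY)
    tampered = json.loads(json.dumps(signed))  # deep copy
    tampered["content"][0]["members"][0]["value"] = "severe exacerbation"
    ok_after = verify_component(tampered, KEY)
    return ok_before, ok_after
```

The same canonical_bytes output is what a digital-signature scheme would sign in place of the HMAC; keeping the serialisation deterministic is what makes the tag reproducible by the receiving system.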
Anonymity
- Demographic information is in a separate model
- IDs (that could be private) are used in all references to entities
EN13606: Demographic model
- id used in the extract
- set of ids
Identifies: persons, organizations, devices and SW, professionals, patients
EN13606: Audit model
- Identification of the log entry
- Identification of the parties involved
- Audit log information
- Filter used (sensitivity, archetypes, etc.) to obtain the log entry
13606: Access control
Ideally, each single piece of data should have a dynamic access control list managed by the patient, but that is neither possible nor practical.
EN13606 defines two levels of access control:
1. concordance of the functional role (of the user requesting access) and the information sensitivity
2. access policies
EN13606: Access control - Communications model
- The requester can be different from the recipient
- The data sent must be filtered
- Warning: denials could disclose information
EN 13606: Access control - Roles
- The models from ISO TS 22600 (PMAC) are used
- Two kinds of roles: structural and functional
EN13606: Access control - Level 1
Sensitivity: an attribute present in all data, with 5 degrees:
1. Care management
2. Clinical management
3. Clinical care
4. Privileged care
5. Personal care
Functional roles:
1. Administrator
2. Health-related professional
3. Healthcare professional
4. Privileged healthcare professional
5. Personal healthcare professional
6. Subject of care agent
7. Subject of care
EN13606: Access control - Level 1
Sensitivity (columns) against functional role (rows); X = access granted

Functional role                    | Care management | Clinical management | Clinical care | Privileged care | Personal care
Subject of care                    |        X        |          X          |       X       |        X        |       X
Subject of care agent              |        X        |          X          |       X       |        X        |       X
Personal healthcare professional   |        X        |          X          |       X       |        X        |       X
Privileged healthcare professional |        X        |          X          |       X       |        X*       |
Healthcare professional            |        X        |          X          |       X       |                 |
Health-related professional        |        X        |          X          |               |                 |
Administrator                      |        X        |                     |               |                 |

* access will be granted if the EHR Recipient is a member of the same speciality or clinical service as that in which the RECORD_COMPONENT was created
EN13606: Access control - Level 2
Access policies:
- are modeled by an archetype: they can be sent and shared
- travel integrated in the extract as compositions (one per policy) in a dedicated folder
Access policy archetype:
- Composition: access policy
  - Section: record components to which the policy applies
  - Section: policy audit
  - Section: access rules
  - Section: request information
EN13606: Access control - Example (from EN13606-4)
EHR id = Joanna Jones
- Asthma contact, Archetype = GP contact, Normal clinical [3], ID = 1230
- Depression, Archetype = Outpatient contact, ID = 1231 (Gr: mental health)
- Chlamydia infection, Archetype = Lab test, ID = 1232 (Gr: sexual health)
- HIV Test, Archetype = Lab test, ID = 1233 (Gr: sexual health)
Access policies:
- Exclude: Brian9876
- Role: Guardian (parent). Exclude: Archetype = Lab test
Requesters in examples 1 to 5:
1. Fred (Fred2714): GP, Personal clinician
2. John (John2349): Practice nurse, Clinical care
3. Helen (Hele8956): Sexual health nurse, Privileged clinician
4. Brian (Brian9876): Sexual health nurse, Privileged clinician
5. Mary (Mary6723): Joanna's mother, Guardian
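The following Python is an added example, not code from the standard or from the presentation, that runs the two access-control levels described above over the Joanna Jones extract: Level 1 is the sensitivity / functional-role table with its X* same-speciality footnote, Level 2 holds the two policies of the example (exclude Brian9876; Guardian role excluded from Lab test archetypes), the filter is applied for the recipient rather than the requester as the communications model slide requires, and each decision produces an entry shaped like the audit model slide. The slides state no outcomes for the five requesters; the outcomes computed here follow from constructed assumptions, all labelled in the code: the sensitivity of the three entries other than the asthma contact, the clinical service each entry was created in, the mapping of the slide's role labels (Personal clinician, Clinical care, Privileged clinician, Guardian) onto the seven functional roles, and the scope of the "Exclude Brian9876" policy, taken as the whole record.

```python
"""Two-level access control over an EHR extract, in the style of EN13606-4.
Added illustration, not code from the standard or the presentation. Constructed
assumptions: sensitivities of the entries other than the asthma contact, the
clinical service of each entry, the mapping of the slide's role labels onto the
seven functional roles, and the scope of "Exclude Brian9876" (whole record)."""
from dataclasses import dataclass

# Sensitivity degrees, numbered as on the slides.
CARE_MGMT, CLINICAL_MGMT, CLINICAL_CARE, PRIVILEGED_CARE, PERSONAL_CARE = 1, 2, 3, 4, 5

# Highest sensitivity each functional role may receive (the X cells of the table).
MAX_SENSITIVITY = {
    "Subject of care": PERSONAL_CARE,
    "Subject of care agent": PERSONAL_CARE,
    "Personal healthcare professional": PERSONAL_CARE,
    "Privileged healthcare professional": PRIVILEGED_CARE,  # the X* cell, see level1_allows
    "Healthcare professional": CLINICAL_CARE,
    "Health-related professional": CLINICAL_MGMT,
    "Administrator": CARE_MGMT,
}

@dataclass(frozen=True)
class RecordComponent:
    rc_id: str
    name: str
    archetype: str
    sensitivity: int
    service: str  # clinical service in which the component was created

@dataclass(frozen=True)
class Party:
    user_id: str
    functional_role: str
    service: str = ""                     # used only for the X* rule
    extra_roles: frozenset = frozenset()  # local labels such as "Guardian"

@dataclass(frozen=True)
class AccessPolicy:
    """Level 2 policy: the components it applies to, and who is excluded from them."""
    name: str
    applies_to: frozenset  # RECORD_COMPONENT ids
    excluded_user_ids: frozenset = frozenset()
    excluded_roles: frozenset = frozenset()

    def denies(self, party, rc):
        if rc.rc_id not in self.applies_to:
            return False
        roles = {party.functional_role} | set(party.extra_roles)
        return party.user_id in self.excluded_user_ids or bool(roles & self.excluded_roles)

def level1_allows(party, rc):
    """Level 1: concordance of functional role and sensitivity."""
    if rc.sensitivity > MAX_SENSITIVITY[party.functional_role]:
        return False
    # X* footnote: privileged care goes to a privileged professional only within
    # the same speciality or clinical service as the one that created the component.
    return not (party.functional_role == "Privileged healthcare professional"
                and rc.sensitivity == PRIVILEGED_CARE and party.service != rc.service)

def filter_extract(extract, requester, recipient, policies):
    """Filter for the RECIPIENT (who may differ from the requester); return (released ids, audit).
    Withheld components are silently dropped rather than reported as denied: an explicit
    denial on an HIV test would itself disclose that such a record exists. The withheld
    ids go only to the server-side audit entry, never to the recipient."""
    released, withheld = [], []
    for rc in extract:
        ok = level1_allows(recipient, rc) and not any(p.denies(recipient, rc) for p in policies)
        (released if ok else withheld).append(rc.rc_id)
    audit = {  # mirrors the audit model slide: parties involved plus the filter used
        "requester": requester.user_id, "recipient": recipient.user_id,
        "filter": {"max_sensitivity": MAX_SENSITIVITY[recipient.functional_role],
                   "policies": [p.name for p in policies]},
        "released": released, "withheld": withheld,
    }
    return released, audit

# The extract of the example: ids, names and archetypes from the slide; only the asthma
# contact's sensitivity [3] is given there, the other three are constructed.
JOANNA_EHR = [
    RecordComponent("1230", "Asthma contact", "GP contact", CLINICAL_CARE, "general practice"),
    RecordComponent("1231", "Depression", "Outpatient contact", PRIVILEGED_CARE, "mental health"),
    RecordComponent("1232", "Chlamydia infection", "Lab test", PRIVILEGED_CARE, "sexual health"),
    RecordComponent("1233", "HIV Test", "Lab test", PRIVILEGED_CARE, "sexual health"),
]
POLICIES = [
    AccessPolicy("exclude Brian9876", frozenset(rc.rc_id for rc in JOANNA_EHR),
                 excluded_user_ids=frozenset({"Brian9876"})),
    AccessPolicy("guardian: no Lab test", frozenset({"1232", "1233"}),
                 excluded_roles=frozenset({"Guardian"})),
]
REQUESTERS = {  # slide labels mapped onto the seven functional roles (assumed mapping)
    "Fred2714": Party("Fred2714", "Personal healthcare professional", "general practice"),
    "John2349": Party("John2349", "Healthcare professional", "general practice"),
    "Hele8956": Party("Hele8956", "Privileged healthcare professional", "sexual health"),
    "Brian9876": Party("Brian9876", "Privileged healthcare professional", "sexual health"),
    "Mary6723": Party("Mary6723", "Subject of care agent", extra_roles=frozenset({"Guardian"})),
}

def decide_all():
    """Component ids each requester receives when asking for the extract for themselves."""
    return {uid: filter_extract(JOANNA_EHR, p, p, POLICIES)[0] for uid, p in REQUESTERS.items()}
```

Under these assumptions Helen receives the two sexual-health lab tests but not the mental-health outpatient contact (the X* rule), Brian receives nothing because the Level 2 exclusion overrides a Level 1 grant, and Mary, whose functional role would pass every component at Level 1, loses the two Lab test components to the Guardian policy. Calling filter_extract with a requester other than the recipient shows why the filter must be evaluated against the recipient: a GP requesting on behalf of the practice nurse gets only what the nurse may see.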
THANK YOU VERY MUCH FOR YOUR ATTENTION