
High level security policies for health care establishments

Socratis KATSIKAS, Spyros KOKOLAKIS
University of the Aegean, Dept. of Information & Communication Systems Engineering, Karlovassi, Samos, Greece.
{ska,sak}@aegean.gr


Policy conflicts in shared care environments

• A variety of security requirements that depend on common functionalities (e.g. auditing)
• Role Based Access Control
  – Pluralism of roles
• Conceptual ambiguities

ICMCC Electronic Health Record Security Workshop – The Hague 2004 (2)


Achieving interoperability

• Always involves some sort of negotiation
  – Common policies
  – Compatible mechanisms
• What are the chances of reaching a workable agreement through negotiations?


High level security policies

• To reach consensus, or at least some settlement, you should have a common frame of reference.
• High level security policies (HLSPs) provide a set of principles and guidelines that form the basis for specific security policies.


The policy pyramid (top)

• Generic principles: society- and culture-dependent.
• Principles: result when generic principles are considered under a specific administrative/government/state environment.


The policy pyramid (base)

• Guidelines: specific operational steps aiming to fulfil specific principles; they are technology-dependent.
• Measures: result when guidelines are considered within a specific installation environment; they are installation-dependent.


Focus: principles and guidelines

• HLSPs consist of Principles and Guidelines.
• They define the general approach that a health care establishment should have towards implementing security.
• Various organisations have developed such HLSPs.


HLSPs from academia

• SEISMED and MEDSEC: two EU-funded research projects that have proposed comprehensive HLSPs for European health care establishments.

Allaert F-A, Blobel B., Louwerse K., Barber B. (Eds), “Security Standards for Healthcare Information Systems”, IOS Press, Amsterdam, 2002.


HLSPs from medical associations

• British Medical Association: Security in Clinical Information Systems.
• Swedish Medical Association: Policy Program on IT.
• German federal medical association (Bundesärztekammer).


Government initiatives

• USA’s HIPAA Privacy Rule and Security Rule
  – Standards for Privacy of Individually Identifiable Health Information
  – Health Insurance Reform: Security Standards


Standardisation organisations

• CEN/ENV 12924: Security Categorisation and Protection for Healthcare Information Systems.

but also…

• ISO/IEC 17799 (since renumbered ISO/IEC 27002): Code of practice for information security management.


HLSPs in practice

• HLSPs have not gained much support.
• Vendors have not been involved in the process.
• They don’t eliminate policy conflicts.


New tools

• New tools to achieve interoperability
  – XML-based policy representation.
  – Solutions from other fields, e.g. e-Commerce.
• However, tools alone don’t make solutions.
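
The following is an added example, not code from the ICMCC slides or their authors. It shows what an XML-based policy representation can and cannot do for the policy conflicts listed earlier (pluralism of roles, conceptual ambiguities, disagreement on shared functions such as audit access): two constructed policies from fictional establishments A and B are parsed, their local role and resource names are aligned through a toy shared vocabulary standing in for a common ontology, and every decision on which they disagree is reported. The `<policy>`/`<rule>` element format, the sample policies and the vocabulary are all hypothetical.

```python
"""Conflict detection between two establishments' XML access policies.

Added example, not from the ICMCC slides. The <policy>/<rule> format, the
two sample policies and the shared vocabulary are all hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample policies for two fictional establishments, A and B.
HOSPITAL_A = """<policy establishment="A">
  <rule role="nurse" action="read" resource="clinical-record" effect="permit"/>
  <rule role="nurse" action="write" resource="clinical-record" effect="deny"/>
  <rule role="physician" action="read" resource="clinical-record" effect="permit"/>
  <rule role="physician" action="write" resource="clinical-record" effect="permit"/>
  <rule role="auditor" action="read" resource="audit-log" effect="permit"/>
</policy>"""

HOSPITAL_B = """<policy establishment="B">
  <rule role="RN" action="read" resource="patient-record" effect="permit"/>
  <rule role="RN" action="write" resource="patient-record" effect="permit"/>
  <rule role="doctor" action="read" resource="patient-record" effect="permit"/>
  <rule role="doctor" action="write" resource="patient-record" effect="permit"/>
  <rule role="doctor" action="read" resource="audit-log" effect="permit"/>
  <rule role="ward-clerk" action="read" resource="patient-record" effect="permit"/>
</policy>"""

# Toy shared vocabulary standing in for a common ontology: local role and
# resource names are translated to common terms before the policies are compared.
ROLE_MAP = {"nurse": "nurse", "RN": "nurse",
            "physician": "physician", "doctor": "physician",
            "auditor": "auditor"}
RESOURCE_MAP = {"clinical-record": "ehr", "patient-record": "ehr",
                "audit-log": "audit-log"}


def load_policy(xml_text):
    """Parse one policy into (establishment, rules, unmapped).

    rules maps (role, action, resource) in the common vocabulary to
    "permit" or "deny". unmapped lists (kind, term) pairs the vocabulary
    cannot translate; those rules are skipped, because their meaning is
    the sort of conceptual ambiguity that has to be settled by negotiation.
    """
    root = ET.fromstring(xml_text)
    establishment = root.get("establishment")
    rules, unmapped = {}, []
    for rule in root.findall("rule"):
        role = ROLE_MAP.get(rule.get("role"))
        resource = RESOURCE_MAP.get(rule.get("resource"))
        if role is None:
            unmapped.append(("role", rule.get("role")))
        if resource is None:
            unmapped.append(("resource", rule.get("resource")))
        if role is None or resource is None:
            continue
        key = (role, rule.get("action"), resource)
        effect = rule.get("effect")
        if effect not in ("permit", "deny"):
            raise ValueError(f"{establishment}: bad effect {effect!r} for {key}")
        if rules.get(key, effect) != effect:
            raise ValueError(f"{establishment}: contradictory rules for {key}")
        rules[key] = effect
    return establishment, rules, unmapped


def compare(policy_a, policy_b, default="deny"):
    """Return (role, action, resource, effect_a, effect_b, kind) for every
    decision on which the two policies disagree.

    A rule present on only one side is evaluated as `default` on the other
    (deny-by-default assumed), so a one-sided permit shows up as an
    "implicit" conflict; "explicit" means both sides state a rule and differ.
    """
    _, rules_a, _ = policy_a
    _, rules_b, _ = policy_b
    conflicts = []
    for key in sorted(set(rules_a) | set(rules_b)):
        effect_a = rules_a.get(key, default)
        effect_b = rules_b.get(key, default)
        if effect_a != effect_b:
            kind = "explicit" if key in rules_a and key in rules_b else "implicit"
            conflicts.append(key + (effect_a, effect_b, kind))
    return conflicts


if __name__ == "__main__":
    a, b = load_policy(HOSPITAL_A), load_policy(HOSPITAL_B)
    for name, _, unmapped in (a, b):
        for kind, term in unmapped:
            print(f"{name}: {kind} {term!r} has no common-vocabulary equivalent")
    for role, action, resource, ea, eb, kind in compare(a, b):
        print(f"{kind:8} {role}/{action}/{resource}: {a[0]}={ea} {b[0]}={eb}")
```

On the constructed input the script finds one explicit conflict (nurses may write the record in B but not in A), two implicit ones (each side permits a read of the audit log that the other never mentions), and one role, B's "ward-clerk", that the shared vocabulary cannot place at all. None of these is resolved by the tooling: deciding whether nurses may write, whose audit-log access wins, and what a ward clerk corresponds to in A is exactly the negotiation the slides describe. Passing `default="permit"` shows how much of the result rests on an unstated assumption about what a missing rule means, which is itself something the partners have to agree on.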


The road ahead…

• Standard ontology to enable common understanding and representation of security policies in healthcare information systems (HIS).
• Standards on security policy representation.


…the road ahead

• Standards for HIS Security Management similar to ISO/IEC 17799, but specific to Healthcare Information Systems
  – Principles to be incorporated in standards
  – … but to go beyond HLSPs
  – Certification-oriented.


Discussion

High Level Security Policies for Health Care Establishments: Current practices and the road ahead

Spyros Kokolakis, University of the Aegean
