Presentation - ICMCC


Access control management in practical settings

Kees Louwerse

ICMCC / EHR Security / 03-06-2004 CPL / 1


contents

• Access control

  • related services

  • practical issues

  • definition ?

  • aims

• Electronic Health Record

  • ideal situation (?)

  • emergency access

  • normal access: but to what parts ?



organisation

• technical measures are not sufficient

• thousands of persons

  • different roles (static, dynamic)

  • authorisations

  • changing tasks

• link with HRM system essential

  • preferably automated,

  • but needed even if not automated



access control; related services

• identification and authentication of the person who wants access

• identification of the data subject (patient)

• rules to guide the process

  • authorisation rules

  • profiles

  • protocols



access control; what EHR ?

• collection of data

• definitions

• importance of context

• need to know

• emergency access

• regular access



EHR: ‘ideal situation’ (?)

• well defined

• structure accepted by all concerned

• quality of input

• procedures

• where are we ?



EHR: emergency access

• clear example of the need to break formal rules

  • (but hopefully in a well-regulated way)

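As an added illustration that is not part of the slides, the following Python sketch puts the two access paths discussed here into code: normal need-to-know access bound to a static role (as fed from the HRM system) and a dynamic treating relationship, and a regulated emergency path that bypasses those rules but is always recorded for later review. Role names, data classes and sample users are constructed assumptions.

```python
# Added example, not from the ICMCC slides: a minimal EHR access decision with
# static roles, a dynamic treating-team relationship, and a regulated
# emergency (break-glass) path that is always audit-logged. All names assumed.
from dataclasses import dataclass, field
from typing import Optional

# Static rules for normal, need-to-know access: "soft" data (diagnosis) only for physicians
ROLE_RULES = {
    "physician": {"prescription", "lab_result", "diagnosis"},
    "nurse": {"prescription", "lab_result"},
    "clerk": set(),
}
CLINICAL_ROLES = {"physician", "nurse"}   # only these may invoke break-glass

@dataclass
class User:
    uid: str
    role: str                                   # static role from HRM
    treating: set = field(default_factory=set)  # dynamic: patients in care

@dataclass
class Decision:
    allowed: bool
    reason: str
    emergency: bool = False

AUDIT_LOG = []  # every decision is recorded; emergency ones are flagged

def decide(user: User, patient: str, item: str,
           emergency_reason: Optional[str] = None) -> Decision:
    """Normal access needs a role rule AND a treating relationship.
    Emergency access skips both checks but demands a clinical role and a
    stated reason, and is marked in the audit log for review."""
    if emergency_reason:
        ok = user.role in CLINICAL_ROLES
        why = "break-glass: " + emergency_reason if ok else "non-clinical role"
        d = Decision(ok, why, emergency=ok)
    elif item not in ROLE_RULES.get(user.role, set()):
        d = Decision(False, f"role {user.role} may not read {item}")
    elif patient not in user.treating:
        d = Decision(False, "no treating relationship with this patient")
    else:
        d = Decision(True, "role rule and treating relationship satisfied")
    AUDIT_LOG.append((user.uid, patient, item, d.allowed, d.emergency, d.reason))
    return d

def pending_emergency_reviews():  # emergency accesses an auditor still has to check
    return [e for e in AUDIT_LOG if e[4]]
```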


EHR: access to what ?

• many data are

  • well-defined,

  • can be measured unambiguously

  • can be used elsewhere

  • (without very much information about context)

• examples:

  • drug prescription

  • laboratory result

  • blood pressure

  • etc. etc.



EHR: access to what ?

• but many other data are

  • not well-defined,

  • can not be measured unambiguously

  • and thus: can not simply be used elsewhere

  • (unless extensive information about context is given)

• examples:

  • diagnosis

  • considerations about treatment

  • interpretation of images



types of information

• working notes

  • information to care providers

  • (e.g. between day and night shift)

• accountability, justification

  • communication of orders, reporting of results

• information to other care providers

  • (e.g. other discipline, which becomes involved)

• information to other care providers

  • (e.g. involved with a different problem)



requirements

• interpretation does not introduce extra risks

• availability necessary for good treatment

• no harm to privacy

• type of use of information gives requirements on quality of input

• if information will be used elsewhere, these requirements are much higher (lack of context!)



types of information

• “soft”:

  • conclusions from examinations

  • results of thinking

  • justification of some conclusions

• “hard”:

  • procedures performed

  • drugs administered

  • letters, supporting transfer of treatment, or informing others concerned



new requirements

• authorised persons should be able to take note of the fact that “soft” information is available elsewhere

• a support facility for communication between care providers about this “soft” information is more important than general automated access

ICMCC / EHR Security / 03-06-2004 CPL / 13
