Access and Privacy Rights using Web Security Standards ... - ICMCC

Access and Privacy Rights using Web Security Standards to increase Patient Empowerment

By Filipa Falcão Reis

This presentation provides the audience with some considerations regarding patients’ privacy rights and Electronic Health Records’ (EHR) confidentiality from a patient empowerment perspective.

Hopefully this will be as interesting for you as it is for me!


Privacy can be readily defined as our ability, as an individual or as a group, to seclude ourselves or information about ourselves, allowing it to be revealed selectively and in a controlled way.


Privacy’s Right

• Article 12 of the Universal Declaration of Human Rights, established by the United Nations in 1948 (G.A. res. 217A (III), U.N. Doc A/810 at 71), states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or


Privacy’s Right

• Awareness of the right to privacy is often forgotten, and society by itself does little to improve individual awareness of this basic right.

Privacy’s perception

• How can an individual contest access to his private information by a third party when he is not aware of who wants it, for what purpose and for how long?

• Only by empowering each individual with the ability to know precisely which entity accesses his private data, and when, can this situation start to be remedied.

Privacy Audits

Privacy audits can be defined as a systematic inspection and review of an entity data ”

The audit consists of gathering information through a series of questions and then proceeding with its evaluation. Conducting privacy audits and collecting all of this information is one big step towards assuring secure privacy principles and individual

Some of the evaluation questions can be:

What kind of data are you collecting?

How the data is

For what purpose is the data collected?

Who owns the data?

Where is it stored?

Is it secure?



Doctor-Patient Confidentiality

• Medical records are one of society's most valuable and tightly held personal records

• Confidentiality of medical records is an ethical obligation of the medical professional

• The EHR systems are becoming more and more sophisticated and include numerous applications, which are not only accessed by medical professionals, but also by accounting, informatics and administrative personnel …

Doctor-Patient Confidentiality

• With so many different groups of people having the ability to access our own EHRs, it is in our best interest to know who is accessing our medical records and for what

• Information is power, and each individual should be entitled to the right to manage comprehensible access rights to his own EHRs.

European Union Standards: Confidentiality and Privacy in Healthcare

• Project EuroSOCAP (QRLT-2002-00771): a European Commission funded project (2003-2006) established to confront and attend to the challenges and pressures created within the healthcare sector between the information or knowledge-based society and the fundamental legal and ethical constraints of privacy and confidentiality that must rule the flow and dissemination of healthcare information.

Access Control

Access control can be defined as the process of granting certain subjects access to a specific resource and denying access to others

• So it should be easy to establish in a Hospital who accesses what, when, for how long and for what purpose, perhaps by implementing a Role Based Access Control (RBAC) model like the one the European Union’s project EuroSOCAP suggested.

• UFF!!

Doctors vs Nurses

Let the patient decide!



• Health care should promote a partnership among practitioners, patients, and their families (when appropriate) to ensure that decisions respect patients' wants, needs, and preferences and that patients have the education and support they need to make decisions and participate in their own care.

• After all, the patients have the choice to act on their own behalf!

But how?

Patient Empowerment

• I’ve got the power

• By granting patients the role of pro-active consumers that have the right to make their own choices as well as the ability to act and be responsible for them. Indeed, who is better entitled to have access to his own EHRs than the patient himself?

• Patients should have the right to know who accessed and modified their own EHRs, when and for what purposes.

Patient Empowerment

• By giving patients the knowledge about the new technologies as well as their rights

• By developing EHR systems that provide tools that allow patients to effectively control the flow of their own data

• By promoting a close relationship between patients and medical

• By involving both patients and medical professionals with interactive health systems, thus improving healthcare services



Increasing patient empowerment with Information Technologies

A Web service can be defined as "a software system designed to support interoperable Machine to Machine interaction over a network"

• This interoperability is assured by using XML as the data representation layer for all web services protocols and technologies that are created

Increasing patient empowerment with Information Technologies

• XML (or eXtensible Markup Language) is the universal language for data exchange between machines

• XML allows computing machines to share data regardless of the operating system or programming languages used by their peers

• As XML is an open standard supported by all major operating systems, development tools, and platforms, XML Web services enable communication between previously disparate systems: a Linux server application can interact with a Windows Server application, a Pocket PC device can programmatically access services hosted by a Solaris server …


Increasing patient empowerment with Information Technologies

Web Services Description Language (WSDL) is an XML-based language that provides a model for describing web services

• We can define WSDL's goals as: describing the services that are provided, presenting how the requests are processed by clients and service providers, and pointing out the format in which the service sends information to a client

Increasing patient empowerment with Information Technologies

• In order to define access control policies within the context of web services, the Organization for the Advancement of Structured Information Standards (OASIS) developed the eXtensible Access Control Markup Language (XACML), based on XML standards.

• The request/response language expresses queries about whether a particular access should be allowed (requests) and portrays answers to those queries (responses).

Increasing patient empowerment with Information Technologies

• The OASIS committee approved an RB-XACML profile in September 2004, which implements core and hierarchical components of ANSI standards such as roles and role hierarchies, the permission-role assignment relation and the user-role assignment relation

• There is an open source implementation of the OASIS XACML standard, written in the Java programming language, developed by Sun Microsystems
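The request/response flow and the role-based components listed above (user-role assignment, role hierarchy, permission-role assignment) can be modelled in a few lines. This is an added example, not part of the original presentation; it is a simplified model rather than XACML syntax or the Sun implementation, and every user, role and resource name in it is hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: all users, roles and resources are hypothetical.
USER_ROLES = {"dr.silva": {"physician"}, "n.costa": {"nurse"}, "a.lopes": {"billing"}}
# Role hierarchy: each role inherits the permissions of the roles listed for it.
ROLE_INHERITS = {"physician": {"nurse"}, "nurse": {"staff"}, "billing": {"staff"}}
# Permission-role assignment: role -> set of (resource type, action).
ROLE_PERMS = {
    "staff": {("demographics", "read")},
    "nurse": {("vitals", "read"), ("vitals", "write")},
    "physician": {("diagnosis", "read"), ("diagnosis", "write")},
    "billing": {("invoice", "read")},
}
KNOWN_RESOURCES = {res for perms in ROLE_PERMS.values() for res, _ in perms}

@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str

def effective_roles(user):
    """Roles assigned to the user plus every role inherited through the hierarchy."""
    seen, stack = set(), list(USER_ROLES.get(user, ()))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_INHERITS.get(role, ()))
    return seen

def evaluate(req):
    """Answer a request with a decision named after XACML's decision values."""
    if req.resource not in KNOWN_RESOURCES:
        return "NotApplicable"      # no policy covers this resource
    for role in effective_roles(req.subject):
        if (req.resource, req.action) in ROLE_PERMS.get(role, ()):
            return "Permit"
    return "Deny"                   # default deny for covered resources

def enforce(req):
    """Enforcement point: anything other than an explicit Permit is refused."""
    return evaluate(req) == "Permit"
```

Treating both Deny and NotApplicable as a refusal at the enforcement point keeps a gap in the policy from turning into access.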

But why use Web services?

The benefits of this distributed


• Easy application maintenance

• Web Services are discoverable

• Web Services are self-describing

• Web Services conceal complexity

• Web Services are very independent

• Web Services are nimble and can be used in a lot of


Clearing up misconceptions

• A website is NOT a Web service

• Web services are not JUST for Web applications

OK. So what is the solution?

A web service for increasing patient empowerment

• This will be a functionality presented by an online e-Health area dedicated to managing EHRs stored in a national database for that specific purpose

• The security of the service should be implemented at as low a level as possible, the database level, by encrypting all the data and allowing access to its contents only to the owner of the data or someone else assigned, as long as they have the key

A web service for increasing patient empowerment

• The proposed web service could provide patients with the ability to access audit records that track the access flow of their own EHRs

• They can determine not only who accessed their EHR, but also which information, for how long and for what purpose

A web service for increasing patient empowerment

• Other functionalities include events history and an alert system to help the patient focus his attention on potentially illegal access to his

• The system could mark entities or users that accessed the patient data and were defined by the patient as suspicious, or at least as deserving some attention

• Monthly reports as well as statistics should appear as options in the service interface menu

• Nevertheless, all features implemented in this service should be customizable by the patient, if he so desires
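The patient-facing audit view, watchlist alerts and monthly report described above, as an added example that is not part of the original presentation. The record fields, identifiers and sample data are constructed, and the optional "no purpose recorded" alert is an assumption added here to show a patient-adjustable rule.

```python
from collections import Counter
from datetime import datetime

# Constructed audit records; every identifier and value here is hypothetical.
AUDIT_LOG = [
    {"patient": "P-001", "who": "dr.silva", "org": "Hospital A", "section": "diagnosis",
     "start": "2024-03-02T09:00", "end": "2024-03-02T09:12", "purpose": "consultation"},
    {"patient": "P-001", "who": "a.lopes", "org": "Hospital A", "section": "invoice",
     "start": "2024-03-05T14:00", "end": "2024-03-05T14:03", "purpose": "billing"},
    {"patient": "P-001", "who": "j.mota", "org": "Insurer X", "section": "diagnosis",
     "start": "2024-03-20T23:41", "end": "2024-03-21T00:26", "purpose": ""},
    {"patient": "P-002", "who": "dr.silva", "org": "Hospital A", "section": "vitals",
     "start": "2024-03-21T10:00", "end": "2024-03-21T10:05", "purpose": "consultation"},
]

def patient_view(log, patient, watch_users=(), watch_orgs=(), flag_no_purpose=True):
    """Return this patient's accesses only, each annotated with alert reasons."""
    view = []
    for rec in log:
        if rec["patient"] != patient:
            continue                  # a patient never sees other patients' trails
        start = datetime.fromisoformat(rec["start"])
        end = datetime.fromisoformat(rec["end"])
        reasons = []
        if rec["who"] in watch_users:
            reasons.append("user on watchlist")
        if rec["org"] in watch_orgs:
            reasons.append("entity on watchlist")
        if flag_no_purpose and not rec["purpose"].strip():
            reasons.append("no purpose recorded")
        view.append({"who": rec["who"], "org": rec["org"], "section": rec["section"],
                     "when": start, "minutes": int((end - start).total_seconds() // 60),
                     "purpose": rec["purpose"] or None, "alerts": reasons})
    return sorted(view, key=lambda e: e["when"])

def monthly_report(view):
    """Count accesses and alerted accesses per (year-month, accessing entity)."""
    accesses, alerts = Counter(), Counter()
    for entry in view:
        key = (entry["when"].strftime("%Y-%m"), entry["org"])
        accesses[key] += 1
        alerts[key] += bool(entry["alerts"])
    return accesses, alerts
```

The watchlists and the `flag_no_purpose` switch are per-patient settings, which is how the customization asked for in the last bullet is represented here.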


• In general, patients are concerned that their EHRs fall into the hands of employers or government agencies without their permission and their knowledge. It should be a matter for the individual to decide whether he wants to share his private information



• A technical solution complying with the guidelines thus presented will most definitely help patients to become much more aware of these delicate health care and privacy issues

• Governments must promote these initiatives, not only to provide better health care services, but also to allow the interoperability of systems and tighten the doctor-patient relationship with it

Give power to the Patients!
