PowerPoint presentation: Towards an Integrated Approach to Access Control to Health Information. Presented by Inger Anne Tøndel (SINTEF); co-authors Per Håkon Meland (SINTEF), Lillian Røstad (SINTEF), Øystein Nytrø (NTNU).
Slide 1 (slide footer: ICT)
Towards an Integrated Approach to Access Control to Health Information
Presented by: Inger Anne Tøndel, SINTEF
Co-authors: Per Håkon Meland, SINTEF; Lillian Røstad, SINTEF; Øystein Nytrø, NTNU
Slide 2
The iAccess Project
Integrated Access Control for Healthcare Information Systems (iAccess)
Funded by the Norwegian Research Council 2005-2008 (++)
Applied research activities + two PhD students
A research partnership between NTNU, SINTEF and UiO
  NTNU: Dep. of Computer and Information Science
  SINTEF: Dep. Software Engineering, Safety and Security
  UiO: Faculty of Law
Participants:
  Rikshospitalet University Hospital/The Norwegian Radium Hospital
  Central Norway Regional Health Authority (HEMIT)
Slide 3
Background – Access Control Integration
Reality: not one EHR, but many clinical systems!
Integration of healthcare information from several systems is an emerging trend
  Local
  Regional
  National
Access control is a key issue in order to share sensitive information
  Various access control mechanisms
  Access control in integrated systems
  Access control is dependent on the information
Strict legal requirements for information security and patient privacy
Challenges related to technology, organization and legislation
Slide 4
The iAccess Handbook (Norwegian)
iaccess.idi.ntnu.no
Slide 5
The iAccess Handbook – Content (1)
Part 1 – Reference Information
  A repository of useful information
  Technical viewpoint
  Organizational viewpoint
  Legal viewpoint
Slide 6
Overview of Central Laws and Regulations
Regulations restricting access to, and processing of, health information; classified as formal, factual or personnel regulations
Regulations on instructions, permissions and conditions for sending, receiving and exchanging health information
Regulations on information quality
Regulations on ensuring the confidentiality, integrity and availability of health information
Regulations on internal control
Regulations on particular technical, physical or organisational methods of processing
Slide 7
The iAccess Handbook – Content (2)
Part 2 – Survey Methods
Part 3 – Combining and Presenting Results
The iAccess Method
Slide 8
Documentation Study
Examples of relevant information:
  legislation
  local policies and routines
  documentation of existing systems
  plans and strategies for the future
Our experience: hard to know what you will get...
Slide 9
Process Workshops
Different focus groups
  Decision makers
  System developers/maintainers
Process maps
  Activities, roles, documentation/tools
Results
  Process maps
  Discussions!!
Scenarios
  A new employee starts working at the hospital and needs access to the IT systems.
  An employee accesses the patient record of his neighbor without having a medical responsibility for this neighbor.
Slide 10
Semi-Structured Interviews
Experiences of system users
  How does the current access control solution influence their workday?
Interviewees
  Clinical personnel: physicians, nurses, nutritionists
  Administrative personnel: secretaries
Questions based on the scenarios used in the process workshops
  Enables comparison
Slide 11
Combining Results
Show results from the different types of surveys in the same diagrams
Domain models
  Relations between concepts
Use cases/misuse cases
  Real-world shortcomings, conflicts, grey areas
Activity diagrams
  More structured than process maps
  Map activities to roles
  Add comments and information about documentation/tools
Slide 12
Example Activity Diagram: The New Employee Scenario
Slide 13
Experiences from the use of the methods
Useful for retrieving information related to organizational issues and work processes
  These are often not described in one single document
  Information sharing between the participants
The process maps are not ideal for retrieving technical information
  Too many details
  Hard to show information flow
Important to combine inputs from different focus groups
  Grasp the full picture
  Makes it possible to discover differences in opinion
Slide 14
Input from different focus groups
Decision makers: focus on routines, plans for the future
System developers/maintainers: focus on the IT systems
System users: how does the system fit their workday?
Example 1: Routines and responsibilities for auditing of logs
  Problems with checking huge logs
  Users have high expectations regarding detection of misuse
Example 2: Routines and forms involved when access is to be assigned to a system
  How is this done technically in the systems?
  How is this process experienced by the users?
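The log-auditing problem in Example 1, together with the neighbor's-record scenario from the process workshops, is the kind of check an IT department would want to automate: reduce a huge access log to the accesses that no documented medical responsibility explains. The script below is an added illustration, not code from the iAccess project or the handbook. It assumes a CSV access log and a CSV table of treatment relationships with validity dates; both the formats and the sample rows are constructed here for the example.

```python
"""Added example: flag EHR accesses that lack a documented treatment
relationship at the time of access. Illustrative code only; the log and
relationship formats below are assumptions, not an iAccess artefact."""
import csv
import io
from datetime import date, datetime

# Constructed sample access log (not real data).
ACCESS_LOG = """timestamp,user,role,patient,action
2008-03-03T08:15:00,nurse01,nurse,P100,read
2008-03-03T09:40:00,doc07,physician,P200,read
2008-03-03T21:05:00,doc07,physician,P300,read
2008-03-04T10:00:00,sec02,secretary,P100,read
2008-03-12T11:30:00,nurse01,nurse,P100,read
"""

# Constructed treatment relationships: who is responsible for whom, and when.
RELATIONS = """user,patient,valid_from,valid_to
nurse01,P100,2008-03-01,2008-03-10
doc07,P200,2008-02-20,2008-04-01
sec02,P100,2008-03-01,2008-03-10
"""


def load_relations(text):
    """Index relationships as (user, patient) -> list of (from, to) dates."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["user"], row["patient"])
        span = (date.fromisoformat(row["valid_from"]),
                date.fromisoformat(row["valid_to"]))
        index.setdefault(key, []).append(span)
    return index


def has_responsibility(index, user, patient, when):
    """True if some relationship for (user, patient) covers the access date."""
    day = when.date()
    return any(start <= day <= end
               for start, end in index.get((user, patient), []))


def find_unjustified_accesses(log_text, relations_text):
    """Return the log events that no treatment relationship covered.

    Everything else in the (potentially huge) log is explained by a
    documented responsibility, so this subset is what an auditor reviews.
    An expired relationship counts as missing, which catches accesses that
    continue after the care episode has ended.
    """
    index = load_relations(relations_text)
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        if not has_responsibility(index, row["user"], row["patient"], when):
            flagged.append({**row,
                            "reason": "no treatment relationship at time of access"})
    return flagged


def summarize_by_user(flagged):
    """Count flagged accesses per user, to prioritise follow-up."""
    counts = {}
    for event in flagged:
        counts[event["user"]] = counts.get(event["user"], 0) + 1
    return counts


if __name__ == "__main__":
    suspicious = find_unjustified_accesses(ACCESS_LOG, RELATIONS)
    for event in suspicious:
        print(f'{event["timestamp"]} {event["user"]} ({event["role"]}) '
              f'{event["action"]} {event["patient"]}: {event["reason"]}')
    print(summarize_by_user(suspicious))
```

On the constructed data, two of five events are flagged: the physician reading P300 with no relationship at all, and the nurse reading P100 two days after the relationship expired. In a real hospital the relationship table would come from the patient-administrative system, and legitimate exceptions (emergency access, on-call duty) would need their own justification source before an event is treated as misuse.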
Slide 15
Conclusion
The handbook and the methods
  Starting point for working on the challenges of access control in integrated health information systems
Target group
  PhD students
  Hospitals (IT departments)
Many challenges
  Technical
  Organizational
  Legal
Slide 16
Further Work
Improve the iAccess handbook
Test new methods
  Taxonomy for classification of access control
  Observations, logs, questionnaires? To be decided...
  Focus on consent?
PhD students...
We have concentrated on access control within hospitals; there are also challenges regarding access to information between hospitals (and also other care givers)
Slide 17
Thank you!