| || |
== Motivation ==
== Motivation ==
|−|=== Privacy and Data Security === | |
| || |
|−|* medical data is classified as personal data and therefore demands for protection with respect to confidentiality |+|
medical data is personal datavarious apply to use of medical data different :
|−|* various legal restrictions apply to the use of medical data . These regulations have different motivation: |+|
* protecting the patient's privacy and right to self-determination (e. g. HIPPA in the US and the European privacy directive)
|−|** protecting the patient's privacy and right to self-determination (e. g. HIPPA in the US and the European privacy directive) |+|
* ensuring the integrity and proper handling of health data (e. g. regulations for the handling of radiologic data)
|−|** ensuring the integrity and proper handling of health data (e. g. regulations for the handling of radiologic data) |+|
* enforcing within organizations (e. g. KonTraG in Germany)
|−|** enforcing the prevention of risks (e. g. law suits) within organizations (e. g. KonTraG in Germany) | |
|−|* these regulations can bee seen (and implemented) as sets of rules (policies) that have to be considered whenever patient data is processed either within a medical organization or among a network of medical organizations | |
|−|* the authority for these policies is distributed among the stakeholders (e. g. patient, medical staff, governmental organizations) and policies come with forms (e. g. written consent, laws and regulations, medical treatment contracts, job profiles), but the responsibility for their proper enforcement is always with the organizations that hold and process the data | |
|−|* therefore: Each organization that holds and/or processes medical data has to think about restricting access to this data with respect to the policies that hold for this data | |
| || |
|−|=== Access Control vs. Perimeter Protection === |+|
| || |
|−|* Perimeter protection is the modern form of a medieval city wall: It hinders intruders from entering the city by limiting entry points and thus providing the ability to control every incoming subject. Among the drawbacks of this security means is that it hinders trade because the flow of people and goods into and out of the city is limited by the throughoutput of the city gate and the performance of the gate keepers. | |
|−|* The same holds for medical organizations; as long as patient data is not to be exchanged with external entities, perimeter protection is appropriate as the major and maybe even only security means | |
|−|* As soon as data is to be exchanged among medical organizations, gates have to be provided and the city wall gets porous for co-operating partners as well as for attackers. Therefore in the first run gate passing must be restricted to entities that are assumed to be trustworthy (e. g. by implementing bi-directional node authentication). In most cases it is nevertheless not appropriate to allow any entity that regularly passes the gate to access any resource within the organization's IT infrastructure. Therefore more fine grained restrictions on resource access must be provided in order to implement all policies that hold for resources rather than for the resource managing system (e. g. everybody is allowed to enter a bank building but not everybody is allowed to draw money from every account). | |
|−|* Conclusion: Security can only be obtained by an appropriate mixture of measures: | |
|−|** perimeter protection makes sure that external communication is limited to dedicated gateways which can be observed and where the trustworthiness of incoming requests can be evaluated | |
|−|** node authentication restricts access to resource maintaining systems to parties that are authenticated and assumed to be regular users | |
|−|** access control restricts access to the protected resources itself to authorized users within well defined contexts of use (e. g. for certain purposes) | |
| || |
IHE White Paper on Access Control
The exchange of medical data among enterprises is subject of multiple IHE integration profiles. E. g. XDS allows for sharing data among physicians within an affinity domain while XCA even enables the sharing of medical data across multiple of such domains. As with any processing of personal data, various regulations apply to these data-sharing use cases. These regulations point out different aspects of medical data processing and therefore follow different objectives:
- protecting the patient's privacy and right to self-determination (e. g. HIPPA in the US and the European privacy directive)
- ensuring the integrity and proper handling of health data (e. g. regulations for the handling of radiologic data)
- enforcing an adequate risk management within organizations (e. g. KonTraG in Germany)
With respect to the prevention of illegal disclosure it is crucial that providers of medical data can be sure that data consuming parties enforce the common understanding of the purposes of use that data was originally provided for. Therefore the definition and enforcement of access rules for medical data and services throughout clinical workflows is a precondition for any co-operative patient treatment.
Perimeter protection (e. g. firewalls) and mutual node authentication (e. g. as provided by ATNA) are laying ground for any secure healthcare infrastructure, but they fall short if fine-grained access rules have to be enforced or if the decision on the [Zulässigkeit] of a resource access depends on information that is either encoded within the (potentially encrypted) message payload or even not part of the message at all.
This white paper points out how access control services should be integrated into healthcare IT infrastructures and how IHE can be used to support such policy-aware healthcare solutions.
place issues to be discussed among the editorial team here...
place your change requests here...