ACWP Motivation

From IHE Wiki

IHE White Paper on Access Control

Motivation

Privacy and Data Security

  • medical data is classified as personal data and therefore demands protection with respect to confidentiality
  • various legal restrictions apply to the use of medical data. These regulations have different motivations:
    • protecting the patient's privacy and right to self-determination (e. g. HIPAA in the US and the European privacy directive)
    • ensuring the integrity and proper handling of health data (e. g. regulations for the handling of radiologic data)
    • enforcing the prevention of risks (e. g. lawsuits) within organizations (e. g. KonTraG in Germany)
  • these regulations can be seen (and implemented) as sets of rules (policies) that have to be considered whenever patient data is processed, either within a medical organization or among a network of medical organizations
  • the authority for these policies is distributed among the stakeholders (e. g. patient, medical staff, governmental organizations) and the policies come in different forms (e. g. written consent, laws and regulations, medical treatment contracts, job profiles), but the responsibility for their proper enforcement always lies with the organizations that hold and process the data
  • therefore: each organization that holds and/or processes medical data has to think about restricting access to this data with respect to the policies that apply to it

Access Control vs. Perimeter Protection

  • Perimeter protection is the modern form of a medieval city wall: it hinders intruders from entering the city by limiting the entry points and thus providing the ability to control every incoming subject. Among the drawbacks of this security measure is that it hinders trade, because the flow of people and goods into and out of the city is limited by the throughput of the city gate and the performance of the gate keepers.
  • The same holds for medical organizations: as long as patient data is not to be exchanged with external entities, perimeter protection is appropriate as the major, and maybe even the only, security measure.
  • As soon as data is to be exchanged among medical organizations, gates have to be provided and the city wall becomes porous for co-operating partners as well as for attackers. Therefore, as a first step, passing the gate must be restricted to entities that are assumed to be trustworthy (e. g. by implementing bi-directional node authentication). In most cases it is nevertheless not appropriate to allow every entity that regularly passes the gate to access every resource within the organization's IT infrastructure. Therefore more fine-grained restrictions on resource access must be provided in order to implement the policies that apply to the resources themselves rather than to the system that manages them (e. g. everybody is allowed to enter a bank building, but not everybody is allowed to withdraw money from every account).
  • Conclusion: security can only be obtained by an appropriate mixture of measures:
    • perimeter protection makes sure that external communication is limited to dedicated gateways, which can be observed and where the trustworthiness of incoming requests can be evaluated
    • node authentication restricts access to the resource-managing systems to parties that are authenticated and assumed to be regular users
    • access control restricts access to the protected resources themselves to authorized users within well-defined contexts of use (e. g. for certain purposes)
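The layering above can be made concrete with a small policy decision routine. The following is an added illustration and not code from the IHE white paper: a request from an external node is first checked against the set of nodes that have passed node authentication (the gate), and only then against a resource-level policy that looks at the user's role, the purpose of use and the patient's consent. The node names, organisations, roles, document kinds and policy rules are all constructed assumptions for the example; the point it demonstrates is that a node the gate admits can still be denied a particular resource.

```python
from dataclasses import dataclass

# Constructed sample set of nodes that have passed bi-directional node
# authentication at the organisation's gateway (assumed host names).
AUTHENTICATED_NODES = frozenset({"radiology.example.org", "gp-practice.example.org"})

# Constructed per-resource-kind policy (an assumption, not an IHE rule set):
# which user roles may access a document kind, and for which purpose of use.
RESOURCE_POLICY = {
    "radiology-report": {"roles": {"physician", "radiologist"}, "purposes": {"treatment"}},
    "psychiatric-note": {"roles": {"psychiatrist"}, "purposes": {"treatment"}},
}


@dataclass(frozen=True)
class Resource:
    patient_id: str
    kind: str
    # organisations the patient has consented to share this resource with
    consented_orgs: frozenset


@dataclass(frozen=True)
class Request:
    node: str          # sending system, as identified by node authentication
    organisation: str  # organisation on whose behalf the request is made
    user_role: str
    purpose: str       # context of use, e.g. "treatment" or "research"


def node_admitted(req: Request) -> bool:
    """Gate check: only authenticated nodes get past the perimeter."""
    return req.node in AUTHENTICATED_NODES


def resource_decision(req: Request, res: Resource) -> tuple[bool, str]:
    """Resource-level access control, applied after the node is admitted."""
    rule = RESOURCE_POLICY.get(res.kind)
    if rule is None:
        return False, f"no policy for {res.kind!r}; denied by default"
    if req.user_role not in rule["roles"]:
        return False, f"role {req.user_role!r} may not access {res.kind!r}"
    if req.purpose not in rule["purposes"]:
        return False, f"purpose {req.purpose!r} not permitted for {res.kind!r}"
    if req.organisation not in res.consented_orgs:
        return False, f"patient {res.patient_id} has not consented to sharing with {req.organisation!r}"
    return True, "permitted"


def decide(req: Request, res: Resource) -> tuple[bool, str]:
    """Layered decision: node authentication first, then resource access control."""
    if not node_admitted(req):
        return False, f"node {req.node!r} not authenticated; rejected at the gate"
    return resource_decision(req, res)


# Constructed sample resources for one patient.
REPORT = Resource("pat-0001", "radiology-report", frozenset({"GP Practice"}))
NOTE = Resource("pat-0001", "psychiatric-note", frozenset({"GP Practice"}))


def demo() -> list[tuple[bool, str]]:
    """Run a set of constructed requests and return the (allowed, reason) pairs."""
    requests = [
        Request("unknown.example.net", "GP Practice", "physician", "treatment"),    # stopped at the gate
        Request("gp-practice.example.org", "GP Practice", "physician", "treatment"),  # permitted
        Request("gp-practice.example.org", "GP Practice", "physician", "research"),   # wrong purpose
        Request("gp-practice.example.org", "Insurer Ltd", "physician", "treatment"),  # no consent
    ]
    results = [decide(r, REPORT) for r in requests]
    # Same admitted node and user, different resource: role not allowed for this kind.
    results.append(decide(requests[1], NOTE))
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Only the second request is allowed: the same authenticated node and the same physician are refused the psychiatric note, the research request and the request on behalf of an organisation the patient has not consented to, which is exactly the distinction between node authentication and resource-level access control drawn above. A real deployment would take the role, purpose and consent from attested assertions rather than from the request body, and would log every decision.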

Discussion

place issues to be discussed among the editorial team here...

Change Requests

place your change requests here...