Difference between revisions of "ACWP Typical AC Scenarios in Healthcare"
Jump to navigation
Jump to search
| Line 25: | Line 25: | ||
:TC090213 (input): further scenarios might be found in [[http://hssp-security.wikispaces.com/file/view/PASS+Access+Control+working+document+2009+02+05.doc PASS AC]] | :TC090213 (input): further scenarios might be found in [[http://hssp-security.wikispaces.com/file/view/PASS+Access+Control+working+document+2009+02+05.doc PASS AC]] | ||
| − | :TC090213 (add): use case with opt-out of a single identity should be added ( | + | :TC090213 (add): use case with opt-out of a single identity should be added (1:1 relationship of subject and patient). |
Revision as of 15:25, 13 February 2009
IHE White Paper on Access Control
Typical Access Control Scenarios in Healthcare
- Internal Resource Security: Within a hospital access to a patient's medical data is restricted to personnel who are involved with the patient's acute medical treatment and the corresponding administrative activities (e. g. billing). Access to certain sensitive information is further limited to certain functional roles in order to ensure that this information is only disclosed to people who need to know it for a dedicated purpose.
- Treatment Contract: When signing the treatment contract the patient grants access right to certain administrative and medical data to a commercial organization that provides billing services for the hospital.
- Patient Privacy Consent: Within a regional healthcare network the ability is provided to exchange medical patient data among the participating medical organizations (e. g. using IHE XDS). When signing to this network a patient may determine which organizations are allowed to request his medical data from other organizations within the network on a regular base.
- Application Policy: A hospital offers its patients the opportunity to use a medication record where all dispensed pharamceutical products are recorded in order to discover potential interactions. To ensure the consistence and a proper use of this record a policy is agreed upon which states that only pharmacists and the patient itself may add entries to the record while only physicians and the patient itself are allowed to run a check against a new medication against the record.
- Secondary Use: A patient grants access to certain of his medical data to a medical study provided that all data is pseudonymized before use.
- Breaking Glass: In case of an emergency access restrictions from patient provided policies and internal security regulations are overwritten by a dedicated emergency policy which allows any physician to access all medical data of the patient. Part of this emergency policy is that the physician has to legitimate his access following the first aid treatment by filling an emergency access form.
Discussion
Is the level of detail appropriate? Joerg.caumanns 16:10, 27 January 2009 (UTC)
Change Requests
- I am not very happy with the Treatment Contract scenario. The szenario itself should be kept with another title/motivation and another example for a treatment contract should be given. Joerg.caumanns 16:08, 27 January 2009 (UTC)
- An example related to patient safety, public health, or quality management should be added Joerg.caumanns 16:08, 27 January 2009 (UTC)
- TC090213 (suggestion): The introduction to this section should make clear that the following use cases are just samples that were used as a help to develop the WP
- TC090213 (input): further scenarios might be found in [PASS AC]
- TC090213 (add): use case with opt-out of a single identity should be added (1:1 relationship of subject and patient).