Proposed Health Care Security and Privacy Classification System Ballot
Kathleen Connor, VA (ESC)
June 12, 2012
Health Care Security and Privacy Classification System - Status
• HL7 Security and CBCC Confidentiality Code Refactoring Project 798 provides an opportunity to ballot outcomes from the project
• The project’s multiple Privacy and Security Vocabulary proposals have been approved in the Harmonization process
• A few technical corrections and augmentations are in play for July Harmonization
Outcome of Project
• HL7 Privacy and Security Vocabulary restructuring and participation in the ONC Data Segmentation for Privacy Project have led to the realization that this vocabulary is the healthcare analog to the Classification and Control Marking Systems utilized by other industries
• Balloting HL7 Healthcare Classification and Control Marking System guidance culminates that project and provides alignment with industry practices
Purpose and Scope
• This paper describes a Health Care Security and Privacy Classification System suitable for automated “tagging” and segmentation of protected health care information for security and privacy logical access purposes.
• Information classification provides the means to apply information about information (information metadata) so that rights of access can be established, and access control decisions can be made at each layer of security services
• This includes access control governing access by intermediaries such as health information exchanges, health information service providers, clearinghouses, and gateways; and access and use by end users within the Receiver’s System.
• This applies to Access Control on the payload by an enterprise ACS as well as controlling access to metadata appropriate to transport, security, and business envelopes, as well as payload metadata (e.g., in a federated Registry).
Description of Use
• The health care security and privacy classification and control marking metadata is used to classify (“tag”) protected health information with security and privacy attributes in accordance with jurisdictional, organizational and individual needs, so that specific categories of information can be identified and segmented and access control rules applied.
• Users requiring access to this information are given corresponding attributes, which define their “entitlement” with respect to the information
• A positive access control decision is made when the attributes possessed by the requestor are equal to or greater than the attribute tags on the protected information
• Control markings add additional security and privacy related Obligations (mandated actions) and Refrain policies (prohibitions such as Intelligence Community “dissemination control markings”).
Classification System Components
Based on the Intelligence Community use of “Classification” metadata, HL7 has developed seven levels of the core classification metadata “Confidentiality” for application to healthcare information:
• Unrestricted, low, moderate, normal, restricted and very restricted
• Each level of classification indicates an increasing degree of risk from unauthorized access to increasingly sensitive information
• Thus, a security principal holding a restricted level of authorization is allowed to handle information at the confidentiality levels of unrestricted, low, moderate, normal, and restricted. That principal may not handle very restricted information, which is a higher level of confidentiality than restricted, but may handle information classified restricted and lower.
• In accordance with the Intelligence Community use of “Classification”, there can only be one “high watermark” Classification value for a given information resource, which is the most restrictive classification, although some subparts may be marked with less restrictive classifications.
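The dominance rule and the “high watermark” described on this slide, worked through in code. This is an added example, not part of the HL7 paper; the level names are the six named above, and the sample record and its section labels are constructed.

```python
# Added example (not from the HL7 paper): the Confidentiality levels named
# on this slide, ordered from least to most sensitive.
LEVELS = ["unrestricted", "low", "moderate", "normal", "restricted", "very restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(clearance, label):
    """True when a principal cleared to `clearance` may handle information
    labelled `label` (the equal-or-greater rule on the Description of Use slide)."""
    return RANK[clearance] >= RANK[label]


def high_watermark(labels):
    """The single classification of a whole resource: the most restrictive
    label found among its subparts."""
    labels = list(labels)
    if not labels:
        raise ValueError("a resource needs at least one labelled part")
    return max(labels, key=RANK.__getitem__)


def accessible_parts(clearance, parts):
    """Subparts a principal may view when the resource is segmented.
    `parts` maps a section name to its confidentiality label."""
    return {name: lbl for name, lbl in parts.items() if dominates(clearance, lbl)}


def can_open_whole(clearance, parts):
    """Access to the undivided resource is governed by its high watermark."""
    return dominates(clearance, high_watermark(parts.values()))


# Constructed sample: one record with three differently marked sections.
RECORD = {
    "demographics": "normal",
    "medications": "restricted",
    "psychotherapy notes": "very restricted",
}

if __name__ == "__main__":
    print(high_watermark(RECORD.values()))                 # very restricted
    print(sorted(accessible_parts("restricted", RECORD)))  # ['demographics', 'medications']
    print(can_open_whole("restricted", RECORD))            # False
```

A principal cleared to “restricted” sees two of the three sections when the record is segmented, but cannot open the unsegmented record because its watermark is “very restricted”.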
Subordinate Classification Metadata
• Having “entitlement” to information tagged with core classification attributes such as “restricted” does not necessarily allow one to view all restricted information
• Data classification categories are further sub-divided on the basis of specific fine-grained tagged data attributes applied to the information and the operations possible on it
• Information categories are defined by operation-data pairs (permissions) such as create, read, update, delete and execute applied to any available information object
• The user of the information must establish, in addition to the authorization level necessary for the sensitivity of the information requested, a specific entitlement for access by possession of a credential equivalent to or dominating the information’s tagged attribute
• For example, clinicians who are part of a patient’s health care team may be allowed to see information on a specific patient while other clinicians, not part of the team, may not, even though they all have the same rights to information marked “restricted” and below
• Without the ability to assert the additional subordinate classification metadata, access is not allowed to this type of information
• The situation is analogous to the situation in a movie theater.
• No rights are required to park in “free” public parking. However, a ticket is required to enter the theater and access the lobby and its services (normal access)
• A different ticket attribute would be required to visit the projection room (restricted access) or perhaps to sit in a special area other than the theater (box office seat)
• The movie name printed on the ticket allows access to “view” a specific movie, but no others
• Access is controlled by checkpoints and ushers
• Subordinate classification metadata is equivalent to the attributes of the specific movie printed on the ticket
Categories that are not classifications (Compartments) (ActPrivacyPolicyType and subordinates)
• There are information compartments, defined by coding systems, which pertain to specific projects and are used to more easily manage which individuals require certain access to these projects
• Code words are not levels of classification themselves, but a person working on a project may have the code word for that project added to his file, and then will be given access to the relevant documents
• For example, persons working on a research project for “Agent Orange” may possess the access category “Agent Orange”
• Other examples include records for “Very Important Persons” (VIP) or employee records of the health care organization
Dissemination Control Handling Caveats (ActSecurityPolicy / ActRefrainPolicy)
• The Healthcare Classification System also classifies restrictive caveats that can be added to an information artifact
• These may include (in abbreviated form) a requirement that the document not be shared in specific ways, such as with a specific individual or role, or that it not leave a specific room
• These restrictions are not classifications in and of themselves; rather, they restrict the dissemination of information among those who have the appropriate clearance level and possibly the need to know the information
• Remarks such as "Pharmacy Personnel Only" also limit dissemination.
• Handling caveats describe “rules” for access independent of the authorizations possessed by the recipient
• For ease of use, caveats and abbreviations can be included within the summary classification marking (header/footer) or on an outer wrapper or “envelope” to enable the restrictions to be identified at a glance.
• Note that handling caveats do not describe metadata about the information (no assumptions or inferences regarding information sensitivity can be made).
• Handling caveats may also provide a useful way to transmit conditions that apply to opening and accessing information inside the outer wrapper
• In this case, information has been provided in response to a request and a determination of a positive access control decision
• The handling rule, however, requires that the recipient agree to additional terms of use as a condition or “obligation”. The act of opening the wrapper (“breaking the seal”) is understood as agreement to the conditions expressed in the handling caveat
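How the three layers on the preceding slides combine into one decision: clearance must dominate the confidentiality level, the requestor must hold every compartment code word, a refrain caveat can deny regardless of clearance, and an obligation attaches a condition to a permit rather than changing it. This is an added example, not the HL7 paper’s or any HL7 artifact; the label and policy strings (“role-only”, “accept-terms”), the sample medication list and the principals are constructed.

```python
from dataclasses import dataclass

# Added example, not from the HL7 paper. Confidentiality order as on the
# Classification System Components slide (least to most sensitive).
RANK = {n: i for i, n in enumerate(
    ["unrestricted", "low", "moderate", "normal", "restricted", "very restricted"])}


@dataclass(frozen=True)
class Tagged:
    """Security labels on a protected resource (policy vocabulary constructed)."""
    confidentiality: str
    compartments: frozenset = frozenset()  # code words, e.g. a research project
    refrains: frozenset = frozenset()      # prohibitions, e.g. ("role-only", "Pharmacy")
    obligations: frozenset = frozenset()   # mandated actions, e.g. "accept-terms"


@dataclass(frozen=True)
class Principal:
    clearance: str
    compartments: frozenset = frozenset()
    roles: frozenset = frozenset()
    accepted_terms: bool = False


def decide(p, r):
    """Return ("Permit", outstanding_obligations) or ("Deny", reason)."""
    if RANK[p.clearance] < RANK[r.confidentiality]:
        return "Deny", "clearance does not dominate confidentiality"
    missing = r.compartments - p.compartments
    if missing:  # subordinate metadata: need-to-know is not implied by clearance
        return "Deny", "missing compartment: " + ", ".join(sorted(missing))
    for kind, arg in r.refrains:  # caveats apply independently of authorizations
        if kind == "role-only" and arg not in p.roles:
            return "Deny", f"handling caveat restricts to role {arg}"
    # Obligations do not alter the decision; the receiving system must
    # satisfy them before release ("breaking the seal" = accepting terms).
    pending = {o for o in r.obligations if o == "accept-terms" and not p.accepted_terms}
    return "Permit", pending


# Constructed sample: a restricted medication list in the "Agent Orange"
# compartment, marked "Pharmacy Personnel Only" and requiring terms acceptance.
MED_LIST = Tagged("restricted", frozenset({"Agent Orange"}),
                  frozenset({("role-only", "Pharmacy")}), frozenset({"accept-terms"}))
PHARMACIST = Principal("restricted", frozenset({"Agent Orange"}), frozenset({"Pharmacy"}))
NURSE = Principal("very restricted", frozenset({"Agent Orange"}), frozenset({"Nursing"}))
```

The nurse holds a higher clearance than the pharmacist yet is denied, because the refrain caveat is evaluated independently of clearance; the pharmacist is permitted with the terms-acceptance obligation still outstanding.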
Balloting Timelines
The Ballot Schedule outlines the 5-week Ballot Countdown Schedule indicating important deadline dates for all ballot-able submissions. For the September 2012 Ballot Cycle, the next deadline is the Notification of Intent to Ballot Form deadline on Sunday, June 24. The on-line Notification of Intent to Ballot form (off of the TSC page Special Uploads page) is available at: http://www.hl7.org/special/committees/tsc/ballotmanagement/index.cfm

Please note that a few New Projects have NOT YET had their starting NIB records set up, although most should be available. If you need a NIB set up for a new project, please contact me and I will set it up for you.

As a heads up, the next important deadline following the NIB deadline is the Initial Content Deadline. Any initial content for the V3 Ballot Web site should be submitted to Headquarters (HQ) by end-of-day (midnight) eastern time on Sunday, July 1st.