140 likes | 374 Views
Modelling a User Authorisation and Data Access Framework for Multi-Specialty Research Systems in Secondary Health Care. Ire Ogunsina , Sarah N. Lim Choi Keung, Lei Zhao, Gavin Langford, Edward Tyler, Theodoros N. Arvanitis
E N D
Modelling a User Authorisation and Data Access Framework for Multi-Specialty Research Systems in Secondary Health Care Ire Ogunsina, Sarah N. Lim Choi Keung, Lei Zhao, Gavin Langford, Edward Tyler, Theodoros N. Arvanitis University of Birmingham &Birmingham and Black Country Comprehensive Local Research Network, United Kingdom {i.ogunsina, s.n.limchoikeung, l.zhao, e.tyler, t.arvanitis}@bham.ac.uk, Gavin.Langford@uhb.nhs.uk Presented by JamesRossiter j.rossiter@bham.ac.ukUniversity of Birmingham, UK 22nd November 2011
Context and Scope • Research systems in Secondary Health care • Part of a larger multi-specialty Electronic Healthcare Record (EHR) system • Use cases exclude emergency access to patient data • Access control not authentication James Rossiter| j.rossiter@bham.ac.uk
Introduction • Patient data is: • critical for research purposes • stored in various EHR systems • System must be Caldicott-compliant: • all access should be on ‘need to know’ basis • must adhere to ethical and legal standards • Researchers, our system users: • belong to different specialties • different health organizations • have different research objectives • Interoperable, multi-specialty, Hospital Enterprise Information Management Systems are the key to better research James Rossiter| j.rossiter@bham.ac.uk
Aim: Secure, Interoperable and Collaborative Systems James Rossiter| j.rossiter@bham.ac.uk
Caldicott Guardian’s Stipulation • Access on need to know basis • Enhancements to Role-Based Access Control (RBAC) • Legitimate Relationships (LR) • user can only access data if involved in a patient’s care • Sealed Envelopes (SE) • allow selected data to be accessible by outside specialists • Patient Consent (PC) • indicates patient’s choice on participation in research activities James Rossiter| j.rossiter@bham.ac.uk
Standard RBAC Issues and Alternative Approaches • Standard RBAC problems include • separation of duty – multiple roles and permissions • role precedence – inconsistency with multiple role users • Extend traditional RBAC systems • create/define roles • make roles hierarchical • assign researchers to roles James Rossiter| j.rossiter@bham.ac.uk
Management of Non-Patient Resources • Licensed third party resources • software licenses • algorithms • may have hospital or patient based terms and conditions • Protecting access to licensed resources • use same approach as patient data James Rossiter| j.rossiter@bham.ac.uk
Should researcher B be able to access patient identifiable data of patient A? James Rossiter| j.rossiter@bham.ac.uk
How do you handle licensed resources? James Rossiter| j.rossiter@bham.ac.uk
Our Policy Based Approach • Policy object can be of type: • trust • specialty • patient • researcher • role • action • resource • XML based descriptions of: • permissions • dates • others James Rossiter| j.rossiter@bham.ac.uk
Examples: COPD researcher is member of UHB trust, which has license for HADS resource: Patient consents but wishes to hide HIV status: Composite policy type Patient consent Sealed envelope James Rossiter| j.rossiter@bham.ac.uk
Availability • Availability of data or resource determined by: • policy aggregation model • access decision framework James Rossiter| j.rossiter@bham.ac.uk
Conclusions • EHR systems are critical to research quality • Strict adherence to ethical and legal guidelines is required • Traditional RBAC limited in complexity and scope • New systems must allow for multi-specialty collaboration • Our policy based approach allows for more complex patient and resource based access control James Rossiter| j.rossiter@bham.ac.uk
Thank You • Any questions? Dr James Rossiter School of Electronic, Electrical and Computer EngineeringUniversity of BirminghamUK j.rossiter@bham.ac.uk