Modelling a User Authorisation and Data Access Framework for Multi-Specialty Research Systems in Secondary Health Care
Ire Ogunsina, Sarah N. Lim Choi Keung, Lei Zhao, Gavin Langford, Edward Tyler, Theodoros N. Arvanitis
University of Birmingham & Birmingham and Black Country Comprehensive Local Research Network, United Kingdom
{i.ogunsina, s.n.limchoikeung, l.zhao, e.tyler, t.arvanitis}@bham.ac.uk, Gavin.Langford@uhb.nhs.uk
Presented by James Rossiter, j.rossiter@bham.ac.uk, University of Birmingham, UK
22nd November 2011

Context and Scope
• Research systems in Secondary Health care
• Part of a larger multi-specialty Electronic Healthcare Record (EHR) system
• Use cases exclude emergency access to patient data
• Access control, not authentication
James Rossiter | j.rossiter@bham.ac.uk

Introduction
• Patient data is:
  • critical for research purposes
  • stored in various EHR systems
• System must be Caldicott-compliant:
  • all access should be on ‘need to know’ basis
  • must adhere to ethical and legal standards
• Researchers, our system users:
  • belong to different specialties
  • different health organizations
  • have different research objectives
• Interoperable, multi-specialty, Hospital Enterprise Information Management Systems are the key to better research

Aim: Secure, Interoperable and Collaborative Systems

Caldicott Guardian’s Stipulation
• Access on need to know basis
• Enhancements to Role-Based Access Control (RBAC)
  • Legitimate Relationships (LR)
    • user can only access data if involved in a patient’s care
  • Sealed Envelopes (SE)
    • allow selected data to be accessible by outside specialists
  • Patient Consent (PC)
    • indicates patient’s choice on participation in research activities

Standard RBAC Issues and Alternative Approaches
• Standard RBAC problems include
  • separation of duty – multiple roles and permissions
  • role precedence – inconsistency with multiple role users
• Extend traditional RBAC systems
  • create/define roles
  • make roles hierarchical
  • assign researchers to roles

Management of Non-Patient Resources
• Licensed third party resources
  • software licenses
  • algorithms
  • may have hospital or patient based terms and conditions
• Protecting access to licensed resources
  • use same approach as patient data

Should researcher B be able to access patient identifiable data of patient A?

How do you handle licensed resources?

Our Policy Based Approach
• Policy object can be of type:
  • trust
  • specialty
  • patient
  • researcher
  • role
  • action
  • resource
• XML based descriptions of:
  • permissions
  • dates
  • others

Examples
• COPD researcher is member of UHB trust, which has license for HADS resource
• Patient consents but wishes to hide HIV status
[Policy figures not reproduced; labels: Composite policy type, Patient consent, Sealed envelope]

Availability
• Availability of data or resource determined by:
  • policy aggregation model
  • access decision framework

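The checks named on the slides (role, legitimate relationship, patient consent, sealed envelope, trust licence) combined into one deny-by-default decision, as an added example that is not the authors' framework or their XML policy format. All names, the order of checks and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy data (assumptions, not from the slides' XML).
ROLE_ACTIONS = {"researcher": {"read"}, "data_manager": {"read", "export"}}
TRUST_LICENSES = {"UHB": {"HADS"}}  # trust -> licensed third-party resources

@dataclass(frozen=True)
class Researcher:
    uid: str
    trust: str
    specialty: str
    roles: frozenset

@dataclass(frozen=True)
class Patient:
    pid: str
    research_consent: bool           # Patient Consent (PC)
    care_team: frozenset             # Legitimate Relationship (LR)
    sealed: frozenset = frozenset()  # Sealed Envelope (SE): withheld fields

def decide_field(r, p, action, field):
    """Deny by default; return (allowed, name of the check that decided)."""
    if not any(action in ROLE_ACTIONS.get(role, ()) for role in r.roles):
        return False, "role"
    if r.uid not in p.care_team:
        return False, "legitimate_relationship"
    if not p.research_consent:
        return False, "patient_consent"
    if field in p.sealed:
        return False, "sealed_envelope"
    return True, "permit"

def decide_resource(r, resource):
    """Licensed resources are checked the same way, keyed on the trust."""
    ok = resource in TRUST_LICENSES.get(r.trust, ())
    return ok, "permit" if ok else "license"

def visible_record(r, p, record):
    """Filter a record to the fields the researcher may read."""
    return {k: v for k, v in record.items() if decide_field(r, p, "read", k)[0]}

# Constructed scenario mirroring the two examples on the slide.
copd = Researcher("res-copd", "UHB", "COPD", frozenset({"researcher"}))
other = Researcher("res-b", "OTHER", "Cardiology", frozenset({"researcher"}))
patient_a = Patient("pat-a", True, frozenset({"res-copd"}), frozenset({"hiv_status"}))
record_a = {"fev1": 1.8, "hads_score": 9, "hiv_status": "redacted-sample"}

if __name__ == "__main__":
    print(visible_record(copd, patient_a, record_a))
    print(decide_field(other, patient_a, "read", "fev1"))
    print(decide_resource(copd, "HADS"), decide_resource(other, "HADS"))
```

Returning the name of the deciding check alongside the verdict gives an audit log the reason for every denial, which is what a 'need to know' review would ask for.
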
Conclusions
• EHR systems are critical to research quality
• Strict adherence to ethical and legal guidelines is required
• Traditional RBAC limited in complexity and scope
• New systems must allow for multi-specialty collaboration
• Our policy based approach allows for more complex patient and resource based access control

Thank You
• Any questions?
Dr James Rossiter
School of Electronic, Electrical and Computer Engineering, University of Birmingham, UK
j.rossiter@bham.ac.uk