Data Segmentation Model
17 Jan 2012
John (Mike) Davis, HL7 Security Co-Chair

Security Domain
[Diagram: a security domain binding Domain Users, Information Objects and a Security Policy, with Data/Workflow flowing between two domains labelled A and B]
Data Segmentation
Technologies that protect the privacy of health information and promote security in a qualified electronic health record, including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns, in accordance with applicable law, and for the use and disclosure of limited data sets of such information.
Security and Privacy Classification Scheme
• Definition: A system of classification, declassification, and handling of health care and health care related information.
• The desired degree of secrecy about such information is known as its sensitivity. Sensitivity is based upon a calculation of the damage to an individual that the release (leakage) of the information would cause.

Security and Privacy Classification Scheme
• Seven levels of classification: Unrestricted, low, medium, normal, restricted and very restricted.
• Compartments, defined by coding systems which define specific information object attributes that can be logically used for data segmentation into projects or groups of information object sensitivities (e.g. HIV, Sickle Cell, Drug/Alcohol Abuse).
• Handling caveats, defined by coding system restrictive caveats that can be added to a document: these can include (in abbreviated form) a requirement that the document not be shared in specific ways, such as with a specific individual or role, or not be re-disclosed (e.g. NOREDISCLOSURE) without consent.
Security and Privacy Assertion Model
[Diagram: data sharing across a trust relationship between domains, annotated "SOA-style security!"]

Attribute Assertion Components
[Diagram: assertions by Requestor to Provider (e.g. SAML Attribute Assertion), establishing Need to Know; refer to HL7 Confidentiality Codes]
Definitions
• Access Control Information (ACI). Any information used for access control purposes, including contextual information. ISO 10181-3 Access Control defines classes of access control ACI. Classes of access control decision information (ACI) include: Initiator, Target, Access request, Operand, Contextual, Initiator-bound, Target-bound, Access-request bound.
• Access Control Decision Information (ADI). The portion (possibly all) of the ACI made available to the Access Control Decision Function in making a particular access control decision. ISO 10181-3
• Attribute. Characteristic of a subject, resource, action or environment that may be referenced in a predicate (attribute statement that can be evaluated) or target. OASIS eXtensible Access Control Markup Language (XACML)
• Permission. An approval to perform an operation on one or more RBAC protected objects. ANSI-INCITS 359-2004
• Security Domain. A set of users, a set of protected objects and the security policy that binds the two. ISO/IEC 15816 (ITU X.841)
• Segment (General). A subset of the information objects within a security domain whose members share one or more access control decision information attributes (e.g. all records with Target ADI="VIP", all records with Contextual ADI="Psychiatric Ward", all records with Target-bound ADI="Care Team" AND patient record="Smith").
• Segment (HITECH). A subset of specific and sensitive individually identifiable health information within a security domain whose members share one or more access control decision information attributes.
• Target. The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate. OASIS eXtensible Access Control Markup Language (XACML)
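The classification scheme and the "Segment (General)" definition above describe a labelling model (sensitivity level, compartments, handling caveats, contextual attributes) and a segment as the subset of a domain's information objects matching some ADI predicate. The following is an added example, not code from the slides or from HL7: it models information objects with those Target and Contextual ADI attributes and builds segments by composing predicates. The record ids, patient names, wards and the InfoObject/segment names are constructed for illustration; the level ordering and the compartment and caveat vocabulary are taken from the slides.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List

# Sensitivity levels from the classification slide, least to most sensitive.
LEVELS = ["unrestricted", "low", "medium", "normal", "restricted", "very restricted"]


@dataclass
class InfoObject:
    """One information object with its Target ADI (level, compartments, caveats)
    and Contextual ADI (e.g. the ward it was recorded in)."""
    record_id: str
    patient: str
    level: str
    compartments: FrozenSet[str] = frozenset()
    caveats: FrozenSet[str] = frozenset()
    context: Dict[str, str] = field(default_factory=dict)


# Constructed sample security domain (not real data).
DOMAIN: List[InfoObject] = [
    InfoObject("r1", "Smith", "normal", context={"ward": "Cardiology"}),
    InfoObject("r2", "Smith", "restricted", frozenset({"HIV"}), frozenset({"NOREDISCLOSURE"})),
    InfoObject("r3", "Jones", "very restricted", frozenset({"Drug/Alcohol Abuse"}),
               frozenset({"NOREDISCLOSURE"}), {"ward": "Psychiatric Ward"}),
    InfoObject("r4", "Jones", "low"),
    InfoObject("r5", "Smith", "restricted", frozenset({"Sickle Cell"}),
               context={"ward": "Psychiatric Ward"}),
]

Predicate = Callable[[InfoObject], bool]


def sensitivity_rank(level: str) -> int:
    """Position in the ordered level list; unknown levels are rejected rather than guessed."""
    return LEVELS.index(level)


# Predicate builders, one per kind of ADI attribute named in the definitions.
def at_least(level: str) -> Predicate:
    return lambda o: sensitivity_rank(o.level) >= sensitivity_rank(level)


def in_compartment(name: str) -> Predicate:
    return lambda o: name in o.compartments


def has_caveat(caveat: str) -> Predicate:
    return lambda o: caveat in o.caveats


def in_context(key: str, value: str) -> Predicate:
    return lambda o: o.context.get(key) == value


def patient_is(name: str) -> Predicate:
    return lambda o: o.patient == name


def segment(domain: List[InfoObject], *predicates: Predicate) -> List[str]:
    """A segment: the ids of every object in the domain satisfying ALL predicates."""
    return [o.record_id for o in domain if all(p(o) for p in predicates)]


def redisclosure_allowed(obj: InfoObject, consent_on_file: bool) -> bool:
    """Handling caveat check: NOREDISCLOSURE blocks onward sharing absent consent."""
    return "NOREDISCLOSURE" not in obj.caveats or consent_on_file


if __name__ == "__main__":
    print("Psychiatric Ward segment:", segment(DOMAIN, in_context("ward", "Psychiatric Ward")))
    print("Smith, restricted or above:", segment(DOMAIN, patient_is("Smith"), at_least("restricted")))
    print("HIV compartment:", segment(DOMAIN, in_compartment("HIV")))
    print("Needs consent to re-disclose:", segment(DOMAIN, has_caveat("NOREDISCLOSURE")))
```

Because predicates compose with AND, the "Care Team AND patient record = Smith" style of Target-bound segment is just `segment(DOMAIN, patient_is("Smith"), ...)` with a care-team membership predicate added; the segment is recomputed from the labels each time rather than stored, so a relabelled record moves segments automatically.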
Access Control System Modes
The following modes of access control system operation are defined based upon possession or lack of possession of access control attributes.
a) those who have authorization to access the resource (e.g., ANY Authorization that grants access)
b) those who are denied access to the resource (e.g., possess NO Authorization for the resource)
c) those who are normally denied access but may choose to BTG (break the glass) and gain access if they deem it appropriate (e.g. they break the barrier by "choice" rather than by asserting any further/special authorizations)
d) those who are normally denied access but may gain access by elevating authorizations
e) Bypass. Insecure system state in which access control decision/enforcement is intentionally disabled or circumvented by authorized users.
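The five modes above are outcomes of comparing an initiator's ADI against a target's ADI. The following is an added example, not code from the slides: a small access control decision function that classifies each request into mode a) to e), and a request handler that grants access only for mode a) or for a mode c) request in which the user explicitly chose to break the glass and gave a reason, writing an audit record either way. The Initiator/Target fields, the "step-up" elevation field and the audit format are assumptions made for the example; the level ordering and the mode definitions come from the slides. Where both elevation and BTG would apply, elevation is reported first, on the assumption that asserting a further authorization is preferable to a by-choice override.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple

LEVELS = ["unrestricted", "low", "medium", "normal", "restricted", "very restricted"]


class Mode(Enum):
    AUTHORIZED = "a"           # possesses an authorization that grants access
    DENIED = "b"               # possesses no authorization for the resource
    BTG_AVAILABLE = "c"        # normally denied, may break the glass by choice
    ELEVATION_AVAILABLE = "d"  # normally denied, may gain access by elevating
    BYPASS = "e"               # decision/enforcement intentionally disabled (insecure)


@dataclass
class Initiator:
    """Initiator ADI (constructed fields for the example)."""
    user: str
    clearance: str                        # highest level the user holds today
    compartments: FrozenSet[str] = frozenset()
    elevatable_to: Optional[str] = None   # level reachable via step-up (hypothetical mechanism)
    may_btg: bool = False                 # role is allowed to break the glass


@dataclass
class Target:
    """Target ADI: the record's label."""
    record_id: str
    level: str
    compartments: FrozenSet[str] = frozenset()
    btg_permitted: bool = True            # some labels forbid BTG entirely


def _rank(level: str) -> int:
    return LEVELS.index(level)


def covers(clearance: str, held: FrozenSet[str], target: Target) -> bool:
    """Authorization grants access when the level is high enough AND every
    compartment on the record is held (compartments are not ordered)."""
    return _rank(clearance) >= _rank(target.level) and target.compartments <= held


def decide_mode(init: Initiator, target: Target, enforcement_enabled: bool = True) -> Mode:
    """Classify the request into one of the slide's five modes."""
    if not enforcement_enabled:
        return Mode.BYPASS                      # mode e): not a grant, an insecure state
    if covers(init.clearance, init.compartments, target):
        return Mode.AUTHORIZED                  # mode a)
    if init.elevatable_to and covers(init.elevatable_to, init.compartments, target):
        return Mode.ELEVATION_AVAILABLE         # mode d)
    if init.may_btg and target.btg_permitted:
        return Mode.BTG_AVAILABLE               # mode c)
    return Mode.DENIED                          # mode b)


AUDIT: List[dict] = []   # in-memory audit trail for the example


def request_access(init: Initiator, target: Target,
                   break_glass: bool = False, reason: str = "") -> Tuple[bool, Mode]:
    """Enforce the decision. BTG is honoured only with an explicit choice plus a
    stated reason, and every BTG use is audited so it can be reviewed later."""
    mode = decide_mode(init, target)
    granted = mode is Mode.AUTHORIZED or (
        mode is Mode.BTG_AVAILABLE and break_glass and bool(reason.strip()))
    AUDIT.append({"user": init.user, "record": target.record_id,
                  "mode": mode.value, "granted": granted,
                  "btg_reason": reason if mode is Mode.BTG_AVAILABLE and granted else ""})
    return granted, mode


# Constructed sample initiators and targets.
NURSE = Initiator("nurse1", "normal", may_btg=True)
CLERK = Initiator("clerk1", "low")
DOCTOR = Initiator("doc1", "normal", frozenset({"HIV"}), elevatable_to="restricted")
CARDIO_NOTE = Target("r1", "normal")
HIV_RESULT = Target("r2", "restricted", frozenset({"HIV"}))
PSYCH_NOTE = Target("r3", "very restricted", frozenset({"Drug/Alcohol Abuse"}), btg_permitted=False)

if __name__ == "__main__":
    for who in (NURSE, CLERK, DOCTOR):
        for rec in (CARDIO_NOTE, HIV_RESULT, PSYCH_NOTE):
            print(who.user, rec.record_id, decide_mode(who, rec).name)
    print(request_access(NURSE, HIV_RESULT, break_glass=True, reason="ER, patient unconscious"))
```

The bypass mode is deliberately never reachable from `request_access`: it can only be produced by a caller that disables enforcement, which keeps the insecure state visible as a distinct audit value rather than looking like an ordinary grant.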