Security Infrastructure and National Patient Summary
Mats Hagner, Project Manager, Carelink AB, Mats.hagner@carelink.se

Carelink
• A national association in Sweden, promoting eHealth
• Currently owned by the county councils and local authorities
Development: manage and coordinate national projects to develop common solutions (ICT support for health and social care)
System maintenance: maintain and further develop functionality and quality in already existing common ICT solutions
BIP – Basic services for Information Provision
”An important current development is the removal of individual functions from a large number of e-Health solutions and the development of general or national common solutions.” (National Strategy for eHealth)
Vision • A unified way to handle patient data with full information security within and between organisations.
Rules and regulations
• Legislation: the new Patient Data Act
• Regulations: National Board of Health and Welfare (Socialstyrelsen), Data Inspection Board
• Patient data: each health care principal is responsible for controlling access to patient data

Prerequisites
• Securely identified user: eID + healthcare certificate
• Need for patient data: engagement in a care activity
• Consent
• Log and follow-up

Current security solutions
• Users administered separately in every system
• Heavy administration
• Not dynamic
(Figure: care professional)
Tools
• Service Oriented Architecture (SOA)
(Figure: service provider and service consumer exchanging request and response messages)
Information exchange between separated services in a standardized, secure and controlled manner.

BIP
• Web services
• Authentication
• Access control – ABAC
• Consent
• ……
• Based on OASIS standards such as XACML and SAML
• Builds on the national security solution (SITHS)
• Specified in a national ”standard”
• Developed in cooperation with the IT industry
• First official version of the technical specifications ready in June 2007
ABAC – Attribute Based Access Control
(Figure: an actor (healthcare professional) requests a resource (patient data); the control point applies the rules to the actor attributes and the resource attributes)
• Actor attributes: ID, organization, medical speciality, date
• Resource attributes: patient ID, organization, medical speciality, date
• Rules

Example of rule for patient data access
• Rule-ID = 1
• Actor: Profession = Orthopedist; Organizational unit = Division 3; Classification = Orthopaedia
• Activity: Read, Write
• Resource: Organizational unit = Division 3; Classification = Orthopaedia
• Criteria: Valid = 2004-11-01
• Decision by: Unit manager NN

(Figure: the client logs in to Authentication and receives a ticket (ticket ID plus attributes); the ticket is presented to Access Control before the IT-service is reached; the steps are logged; the flow crosses organizational boundaries)

(Figure: County Council A, County Council B and a private care provider each run e-Health applications behind their own BIP; access decisions are taken locally and patient data is transferred between the organizations via BIP)
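The three slides above (the ABAC model, rule 1, and the login → ticket → access control → log flow) describe one decision procedure. The following is an added example, not code from the deck or from BIP, showing that procedure end to end in Python: rule 1 is transcribed into a rule object, the actor attributes arrive in a ticket, the resource carries its own attributes, the evaluator denies by default, and every decision is written to an audit log. The attribute names (profession, org_unit, classification, patient_id, ticket_id), the ticket format, and the reading of ”Valid = 2004-11-01” as a start date are assumptions made for the example; the two prerequisites that are not actor or resource attributes (engagement in a care activity, patient consent) are passed in explicitly.

```python
"""Attribute-based access control in the shape of the BIP slides (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One access rule; fields mirror the slide's 'Example of rule' layout."""
    rule_id: int
    actor: Dict[str, str]        # required actor attributes (all must match)
    activities: FrozenSet[str]   # permitted activities
    resource: Dict[str, str]     # required resource attributes (all must match)
    valid_from: date             # assumption: 'Valid=2004-11-01' is a start date
    decided_by: str              # who approved the rule, kept for the audit trail


# Rule 1 from the slide, transcribed into the structure above.
RULES: List[Rule] = [
    Rule(
        rule_id=1,
        actor={"profession": "Orthopedist",
               "org_unit": "Division 3",
               "classification": "Orthopaedia"},
        activities=frozenset({"read", "write"}),
        resource={"org_unit": "Division 3",
                  "classification": "Orthopaedia"},
        valid_from=date(2004, 11, 1),
        decided_by="Unit manager NN",
    ),
]

# Append-only decision log: every request is recorded, permitted or not.
AUDIT_LOG: List[Dict[str, object]] = []


def _matches(required: Dict[str, str], attrs: Dict[str, str]) -> bool:
    """True when every required attribute is present with exactly that value."""
    return all(attrs.get(name) == value for name, value in required.items())


def decide(ticket: Dict[str, str], resource: Dict[str, str], activity: str,
           today: str, *, care_engagement: bool, consent: bool) -> Tuple[str, str]:
    """Evaluate one access request and return (decision, reason).

    ticket   - attributes the authentication service placed in the ticket
               (hypothetical keys: ticket_id, profession, org_unit, classification)
    resource - attributes of the requested patient data (hypothetical keys:
               patient_id, org_unit, classification)
    today    - ISO date of the request, e.g. "2007-06-01"
    """
    request_date = date.fromisoformat(today)
    decision, reason = "deny", "no matching rule"      # deny by default
    if not care_engagement:
        reason = "no engagement in care activity"
    elif not consent:
        reason = "no patient consent"
    else:
        for rule in RULES:
            if request_date < rule.valid_from:
                continue                               # rule not yet in force
            if activity not in rule.activities:
                continue                               # activity not granted
            if _matches(rule.actor, ticket) and _matches(rule.resource, resource):
                decision = "permit"
                reason = f"rule {rule.rule_id} ({rule.decided_by})"
                break
    AUDIT_LOG.append({
        "ticket_id": ticket.get("ticket_id"),
        "patient_id": resource.get("patient_id"),
        "activity": activity,
        "date": today,
        "decision": decision,
        "reason": reason,
    })
    return decision, reason


if __name__ == "__main__":
    # Constructed sample input: an orthopedist in Division 3 reading a
    # Division 3 orthopaedic record, then the same actor on another division.
    ticket = {"ticket_id": "t-0001", "profession": "Orthopedist",
              "org_unit": "Division 3", "classification": "Orthopaedia"}
    record = {"patient_id": "p-0001", "org_unit": "Division 3",
              "classification": "Orthopaedia"}
    print(decide(ticket, record, "read", "2007-06-01",
                 care_engagement=True, consent=True))
    print(decide(ticket, dict(record, org_unit="Division 5"), "read",
                 "2007-06-01", care_engagement=True, consent=True))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the structure is that the actor is never enrolled in the target system: the decision is taken from the attributes carried in the ticket and the attributes of the data, so the same rule applies to any orthopedist in Division 3 without per-system user administration. Real deployments would take the ticket from a SAML assertion and express the rule in XACML rather than a Python dataclass, but the evaluation order (validity, activity, actor match, resource match, default deny, log) is the same.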
BIP – Summary
• Service Oriented Architecture
• Strong authentication – PKI
• Attribute Based Access Control – ABAC
• Procurement process starts in June 2007
• Planning to start implementation Q3 2008

Swedish National Patient Summary
A summary of important patient information: warnings, medication, lab tests etc.
• Viewing only – no updating
• Integrated into care applications or used via a separate client
Basic conditions
Big sunk investment in electronic medical records; decentralized healthcare and decision rights; highly diversified IT systems; high level of computer literacy.
• 21 county councils/regions run hospitals and primary care
• 290 local authorities provide at-home services and ”special accommodations”
• Large number of private care companies
• Early adopters of electronic medical records
• Limited coordination, resulting in a highly diversified IT landscape with stand-alone systems, many brands and limited ability to communicate
• Almost all hospitals, primary care units and home care units fully digitalized
• User computer literacy is high

Why a National Patient Summary?
Patients
• Increased wish to manage their own healthcare and care processes
• Increased Internet literacy
Enhanced efficiency and healthcare quality
• Enhanced healthcare security
• Improved decision support and processes
• Reduced admin and testing costs
• Improved clinical outcomes
Regional use
• Exchange between county councils and municipalities
• Highly demanded by municipalities
Need for interoperability and access to patient data
• Increased mobility between regions and nations
• Healthcare guarantees
• Healthcare clusters

Design considerations
Constraints
• Legal restrictions on transferring patient data across organizational borders
• Need for scalability and performance
• Minimize changes in existing systems
• Coordinate with other national initiatives
A federated and distributed model
• Data remains at the source
• Local data repositories on the network rim
• Existing local clinical systems and standards remain largely intact
• Fewer legal issues and no ownership issues
• High scalability and performance
• No single point of failure
• Fast implementation

Based on an industrial solution
• Utilization of thoroughly tested components
• Established base of existing reference installations
• Adapted to the information model, security infrastructure and legislation
• Established methods and tools for implementation
• Prime contractor with clear service deliverables
• Prime contractor with a strong balance sheet and R&D strengths
• Competence redundancy
• Adherence to industrial standards
• Reduced costs
• Reduced risk – we won’t become a test bed for new technology
• Improved stability
• Continuous improvements with reduced R&D costs
• Faster and simpler implementation
Enables us to focus on using the solution to improve quality and clinical results

Key success factors
1. Build and develop for the healthcare profession
2. Don’t reinvent the wheel – look for what you can copy/buy from your neighbour and upcoming EU standards
3. Coordinate with other national initiatives such as security infrastructure, information model etc.
4. Develop step-wise rather than go for a big bang – there is a lot of learning on the way