ICT 1 Towards an Integrated Approach to Access Control to Health Information Presented by: Inger Anne Tøndel SINTEF Co-authors: Per Håkon Meland SINTEF.

Presentation transcript:

ICT 1 Towards an Integrated Approach to Access Control to Health Information Presented by: Inger Anne Tøndel SINTEF Co-authors: Per Håkon Meland SINTEF Lillian Røstad SINTEF Øystein Nytrø NTNU

ICT 2 The iAccess Project
- Integrated Access Control for Healthcare Information Systems (iAccess)
- Funded by the Norwegian Research Council (++)
- Applied research activities + two PhD students
- A research partnership between NTNU, SINTEF and UiO
  - NTNU: Dep. of Computer and Information Science
  - SINTEF: Dep. Software Engineering, Safety and Security
  - UiO: Faculty of Law
- Participants:
  - Rikshospitalet University Hospital/The Norwegian Radium Hospital
  - Central Norway Regional Health Authority (HEMIT)

ICT 3 Background – Access Control Integration
- Reality: Not one EHR, many clinical systems!
- Integration of healthcare information from several systems is an emerging trend
  - Local
  - Regional
  - National
- Access control is a key issue in order to share sensitive information
  - Various access control mechanisms
  - Access control in integrated systems
  - Access control is dependent on the information
- Strict legal requirements for information security and patient privacy
- Challenges related to technology, organization and legislation

ICT 4 The iAccess Handbook (Norwegian) iaccess.idi.ntnu.no

ICT 5 The iAccess Handbook – Content (1)
- Part 1 – Reference Information
  - A repository of useful information
  - Technical viewpoint
  - Organizational viewpoint
  - Legal viewpoint

ICT 6 Overview of Central Laws and Regulations
- Regulations related to the access restriction to treatment of health information
  - Classified according to formal-, factual-, personnel regulations
- Regulations related to instructions, permissions and conditions for sending, receiving and exchanging health information
- Regulations related to information quality
- Regulations related to provision of the confidentiality, integrity and availability of health information
- Regulations related to internal control
- Regulations related to particular technical, physical or organisational methods of treatment

ICT 7 The iAccess Handbook – Content (2)
- Part 2 – Survey Methods
- Part 3 – Combining and Presenting Results
→ The iAccess Method

ICT 8 Documentation Study
- Examples of relevant information:
  - legislation
  - local policies and routines
  - documentation of existing systems
  - plans and strategies for the future
- Our experience: Hard to know what you will get...

ICT 9 Process Workshops
- Different focus groups
  - Decision makers
  - System developers/maintainers
- Process maps
  - Activities, roles, documentation/tools
- Results
  - Process maps
  - Discussions!!
- Scenarios
  - A new employee starts working at the hospital, and needs access to the IT systems.
  - An employee accesses the patient record of his neighbor, without having a medical responsibility for this neighbor.

ICT 10 Semi-Structured Interviews
- Experiences of system users
  - How does the current access control solution influence their workday?
- Interviewees
  - Clinical personnel – physicians, nurses, nutritionists
  - Administrative personnel – secretaries
- Questions based on the scenarios used in the process workshops
  - Enables comparison

ICT 11 Combining Results
- Show results from the different types of surveys in the same diagrams
- Domain models
  - Relation between concepts
- Use cases/misuse cases
  - Real world shortcomings, conflicts, grey areas
- Activity diagrams
  - More structured than process maps
  - Map activities to roles
  - Add comments and information about documentation/tools

ICT 12 Example Activity Diagram: The New Employee Scenario

ICT 13 Experiences from the use of the methods
- Useful for retrieving information related to organizational issues and work processes
  - Are often not described in one single document
  - Information sharing between the participants
- The process maps are not ideal for retrieving technical information
  - Too many details
  - Hard to show information flow
- Important to combine inputs from different focus groups
  - Grasp the full picture
  - Makes it possible to discover differences in opinions

ICT 14 Input from different focus groups
- Decision makers
  - Focus on routines, plans for the future
- System developers/maintainers
  - Focus on the IT systems
- System users
  - How does the system fit their work day
- Example 1: Routines and responsibilities for auditing of logs
  - Problems with checking huge logs
  - Users have high expectations regarding detection of misuse
- Example 2: Routines and forms involved when access is to be assigned to a system
  - How is this done technically in the systems?
  - How is this process experienced by the users?

ICT 15 Conclusion
- The handbook and the methods → Starting point for working on the challenges of access control in integrated health information systems
- Target group
  - PhD students
  - Hospitals (IT departments)
- Many challenges
  - Technical
  - Organizational
  - Juridical

ICT 16 Further Work
- Improve the iAccess handbook
- Test new methods
- Taxonomy for classification of access control
- Observations, logs, questionnaires????
- To be decided...
- Focus on consent?
- PhD students....
- We have concentrated on access control within hospitals
- There are also challenges regarding access to information between hospitals (and also other care givers)

ICT 17 Thank you!