Security models for medical information Eduardo B. Fernandez and Tami Sorgente.


1 Security models for medical information Eduardo B. Fernandez and Tami Sorgente

2 Medical information
- Patient information is very sensitive; its misuse could seriously affect the life of the patient
- In the past this information was kept on paper in doctors’ offices and hospitals
- Most medical information is now being put online and made accessible from the Internet
- There is more information available, e.g., genetic information

3 Security problems
- There are many benefits to having information online, but also new threats
- Access to patients’ records is now possible from remote locations; illegal access also!
- Access to many patients’ records makes blackmail, spam, and identity theft more lucrative

4 Patient data protection laws
- The UK had a law in 1996
- Germany, France, Iceland, and others already have laws
- In the US we now have HIPAA, not as effective as the British laws

5 Access control models
- There are several models for access control to information
- The most common are: multilevel, access matrix, and Role-Based Access Control
- These are general models, independent of the application
- However, the model must fit the application or it will not be used

6 A Pattern for RBAC in Medical Application
[UML class diagram. Classes: Group, User, Patient, Employee, MedicalRole, MedicalRecord, Session, AdminRole, AdminRight, Right. Association labels: MemberOf, AuthorizationRule, ActivatedFrom, WorksOn, Subset.]

7 Policies for medical information
- Patients can see their records, consent to their use, must be informed of their use
- A doctor or other medical employee is responsible for use of record (custodian)
- Records of patients with genetic or infectious diseases must be related
- One or more medical records per patient

8 Medical Record Authorization Model
[UML class diagram. Roles: Doctor, Patient. Protected class: MedicalRecord. Rights shown: read, modify; read, authorizeUse (right for own record). Other labels: Custodian, InChargeOf, MedicalRelation, informPatient.]
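The policies of slides 7 and 8 as a small reference monitor; this is an added example, not code from the presentation. The user names, the ROLES table, the rule that a patient's consent extends read/modify to a non-custodian doctor, and informPatient modelled as a logged notice are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class MedicalRecord:
    patient: str                                    # owner of the record
    custodian: str                                  # doctor InChargeOf the record
    entries: list = field(default_factory=list)
    authorized: set = field(default_factory=set)    # doctors the patient consented to
    notices: list = field(default_factory=list)     # informPatient trail

# Constructed users and roles (hypothetical sample data).
ROLES = {"alice": "Patient", "bob": "Patient",
         "dr_lee": "Doctor", "dr_kim": "Doctor"}

def allowed(user, right, rec):
    """Default deny: True only if an authorization rule grants the right."""
    role = ROLES.get(user)
    if role == "Patient":                           # rights for own record only
        return user == rec.patient and right in {"read", "authorizeUse"}
    if role == "Doctor":                            # custodian, or patient consent
        return right in {"read", "modify"} and (
            user == rec.custodian or user in rec.authorized)
    return False

def access(user, right, rec, arg=None):
    """Enforce the rules, record a notice for the patient, then act."""
    if not allowed(user, right, rec):
        raise PermissionError(f"{user} may not {right} the record of {rec.patient}")
    if user != rec.patient:
        rec.notices.append((user, right))           # informPatient on every use
    if right == "modify":
        rec.entries.append(arg)
    elif right == "authorizeUse":
        rec.authorized.add(arg)                     # consent given to a doctor
    return list(rec.entries)

def demo():
    rec = MedicalRecord(patient="alice", custodian="dr_lee")
    access("dr_lee", "modify", rec, "constructed entry: flu vaccine")
    before = allowed("dr_kim", "read", rec)         # no consent yet
    access("alice", "authorizeUse", rec, "dr_kim")  # patient consents
    after = allowed("dr_kim", "read", rec)
    access("dr_kim", "read", rec)
    return before, after, allowed("bob", "read", rec), rec.notices
```

Unlike an asset-centered RBAC check, the decision here depends on the relationship between the subject and the individual record (owner, custodian, consent), not on the role alone.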

9 Level of formalism
- Models can be formal, semi-formal, and descriptive
- Purely formal models are hard to use, cannot describe structural properties well, and are hard to extend
- Descriptive models are not precise enough
- Object-oriented design and UML are a semi-formal, intuitive approach that can be made more formal using OCL

10 New model
- Proposal to NSF:
  - E. Fernandez, PI
  - M. Larrondo-Petrie, Co-PI
  - Tami Sorgente, Grad student
  - Others later
- Cooperation with College of Nursing
- Based on RBAC, represented using UML and OCL

11 An Analysis Pattern for Patient Treatment
1. Requirements
A Patient Treatment Pattern describes the treatment or stay history of a patient in a hospital. The hospital may be a member of a medical consortium. Each patient has a medical history which contains insurance information and a record of all treatments within the medical consortium. Each patient has a primary physician, an employee of the hospital. Upon admission the patient is created as new or information is updated from previous visit(s). A treatment history is created for each patient admitted and updated throughout the patient’s stay. Inpatients are assigned a room, nurse team and consulting doctors.

12 2. Patient Record
[Figure 1: Class Diagram for Patient Record. Classes: Patient (name, address, patient number), Inpatient, Outpatient, MedicalHistory (insurance, treatment history), TreatmentHistory (medications, procedures). Additional attribute label: specialty.]

13 2. Patient Record
[Figure 2: State chart for Treatment (Stay) History. States: Created, UnderDiagnosis, UnderTreatment, Suspend, Discharged. Events: create, begin stay, start treatment, suspend treatment, return to treatment, complete treatment, discontinue treatment or death. Activities: do: updateTreatmentHistory(), do: updateMedications(), do: closeTreatmentHistory().]

14 3. Consortium Assets
[Figure 3: Class Diagram for Consortium Assets. Classes: Consortium (name, main location), Hospital (name, address), Building (name, location), Room (number, size), Employee (name, ss number, address), Nurse (specialty), Doctor (specialty). Association label: works at.]

15 4. Asset Assignment
[Figure 4: Class Diagram for Asset Assignment. Classes: Patient (name, address, patient number), Inpatient, Outpatient, Doctor (specialty), Nurse (specialty), Room (number, size). Association labels: assigned to, primary, consulting.]

16 5. Patient Treatment
[Figure 5: Class Diagram for Patient Treatment, combining the Patient Record, Asset Assignment and Consortium Assets diagrams. Classes: Patient, Inpatient, Outpatient, MedicalHistory, TreatmentHistory, Consortium, Hospital, Building, Room, Employee, Nurse, Doctor. Association labels: assigned to, primary, consulting, works at.]

17 Patient Treatment with HIPAA Security standards
General requirements of Health Insurance Portability and Accountability Act (HIPAA) security standards:
1. Ensure the confidentiality, integrity and availability of all electronic protected health information the hospital creates, receives, maintains or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
4. Ensure compliance of this subpart by the hospital workforce.

18 Patient Treatment with Authorization
A variation of the Role Based Access Control model will be used to assign rights to the users according to their roles in patient treatment.
[Figure 6: Use Case diagram for roles in Patient Treatment. Actors: patient, admissions clerk, doctor, nurse, administrative clerk. Use cases: admit a patient, admit a new patient, admit an inpatient, admit an outpatient, treat a patient, discharge a patient, close a patient.]

19 Patient Treatment with Authorization
[Figure 7: Patient Treatment with RBAC. Roles: Doctor, Nurse, AdmissionsClerk, AdministrativeClerk, HospitalAuditor, GovernmentAuditor. Rights: admitPatient, treatPatient, dischargePatient, closePatient, billPatient, hospitalAudit, governmentAudit. Classes: Patient, TreatmentHistory (medications, procedures), MedicalHistory (insurance, treatmentHistory), Employee, Hospital, Consortium. Operations shown: create, update.]

20 Patient Treatment: Admit a Patient with Authorization
[Class diagram with Model, Observer, AdmitPatientController (+handleEvent(), +update(), +admit_patient()) and AdmitPatientView. The AdmissionsClerk role holds the admit_patient Right. The "Admit a Patient" view shows: New Patient, Open Patient, Patient Number, Patient Information, Create Treatment History, Medical History, Outpatient, Inpatient. Model classes: Patient, Inpatient, Outpatient, MedicalHistory, TreatmentHistory, with operations create, update, close, open.]

21 Applicability
- Most security models attempt to protect the assets of an institution
- Medical models are centered on the rights of the patient
- Other applications have similar objectives: financial systems, student records, banking,…
- Model can be extended to those cases

22 Secure software development
- Specialize methodology to apply in medical systems
- Specialized use cases
- Specialized application (analysis) patterns
- Enforced through distributed system architecture
- Use of web services

23 Future work
- Complete the proposal
- Define typical roles and use cases
- Select policies to be covered
- Develop specific patterns
- Extend RBAC to cover policies
- Test in real system (hospital or medical lab)

