Healthcare Privacy and Security Classification System (HCS) Guide
DESCRIPTION
Healthcare Privacy and Security Classification System (HCS) Guide. Mike Davis, Security Architect, Department of Veterans Affairs. Data Segmentation for Privacy, 23 Jan 2013. HCS Security Domain. Ontology of Clearances and Security Labels. OASIS XACML Policy Model.
TRANSCRIPT
Healthcare Privacy and Security Classification System (HCS) Guide
Mike Davis Security Architect
Department of Veterans Affairs
Data Segmentation for Privacy 23 Jan 2013
HCS Security Domain
Diagram: within a security domain, the security policy compares the user's clearance (user information) with the confidentiality security label on the data object (information object) and answers one question: do the user's clearances match the information object's confidentiality security labels? The outcome is Access Allowed: Y/N.
Ontology of Clearances and Security Labels
OASIS XACML Policy Model
Security label field values equate to the access control information (ACI) that an access control system uses to match a user's request for permission to perform certain actions on a particular resource. The OASIS XSPA profiles provide a healthcare-specific approach to using ACI.
Diagram: XACML policy model. A Policy has a Target (Subject, Resource, Action, Environment), a rule Combining Algorithm, one or more Rules, and Obligations; each Rule has its own Target, a Condition, and an Effect (Permit or Deny).
Adapted from Organization for Advancement of Structured Information Standards (OASIS) eXtensible Access Control Markup Language (XACML) version 2.0
Security Labeling Service (SLS) Workflow
Diagram elements:
Actors: Clinical Administration (Clinician); Security/Privacy Administration (Privacy Office, Release of Information Office, Business Stakeholder, Security Administration); External Authority.
Clinical vocabularies: SNOMED CT, RxNorm, ICD, LOINC, HL7 Vocabularies.
Policy inputs: Patient Restrictions, Jurisdictional Policy, Organizational Policy, HL7 Security and Privacy Vocabulary.
Rule generation: Mapped Clinical Facts and Security Risk Assessment / Policy feed Labeling Rules; Label Rules Generation installs them in the Rules Engine.
Document path: Raw CDA Document -> Document Orchestration -> Decomposed Clinical Document (clinical facts) -> Security Labeling Service (SLS) -> Transform Template(s) and Transform Actions (Redact, Annotate, Mask (Encrypt)) -> Document Packaging (Encrypt) -> Annotated (classified) Document, or Annotated (classified) Composite Documents.
Request path: Electronic Health Record Document Request -> Access Control Authorization Decisions -> Authorization Obligations.
Steps:
1. Clinical Facts extracted from source documentation
2. Clinical Facts mapped to EHR objects, e.g., Lab Report {HIV...}
3. Label Rules created based on Risk Assessment
4. Label Rules installed in SLS Rules Engine
5. Clinical Facts extracted from source document
6. SLS applies labeling rules and document transforms
7. Authorization Decision made based on Security Label
8. Package forwarded for delivery
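Steps 3 through 6 of the workflow, as an added example that is not code from the presentation or from the VA: a minimal Security Labeling Service pass that installs code-based label rules, stamps decomposed clinical facts, and applies a redact or mask transform for a given recipient. The facts mirror the deck's later metadata example; the rule table, the default label, the recipient clearances and the mask placeholder are assumptions made for illustration. The HL7 confidentiality codes (U, L, M, N, R, V) are the real code set.

```python
from dataclasses import dataclass, field

# HL7 confidentiality codes, least to most restrictive (real code set).
CONF_ORDER = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}


@dataclass
class Fact:
    """One clinical fact after decomposition and mapping to an EHR object."""
    section: str           # EHR object, e.g. Diagnosis, Medications
    code_system: str       # the fact's hadPrimarySource vocabulary
    code: str
    text: str
    confidentiality: str = "N"                   # assumed default before labeling
    sensitivity: set = field(default_factory=set)


# Steps 3-4: label rules produced by the risk assessment and installed in the
# rules engine. Constructed for this example; keyed by (vocabulary, code).
LABEL_RULES = {
    ("ICD-9", "042"): ("R", {"HIV"}),        # HIV disease diagnosis
    ("RxNorm", "756209"): ("R", {"HIV"}),    # AZT
    ("CPT", "86689"): ("R", {"HIV"}),        # HIV-1 Western blot
}


def sample_facts():
    """Step 5: constructed facts as they come out of document decomposition."""
    return [
        Fact("Diagnosis", "ICD-9", "042", "HIV disease"),
        Fact("Medications", "RxNorm", "756209", "AZT"),
        Fact("Allergies", "SNOMED CT", "91936005", "Penicillin allergy"),
        Fact("Laboratory Report", "LOINC", "8053", "Lipid panel"),
        Fact("Procedure", "CPT", "86689", "HIV-1 Western blot"),
    ]


def apply_label_rules(facts):
    """Step 6a: stamp each fact with the label its code matches. A rule may only
    raise the confidentiality level; it never lowers a label already present."""
    for f in facts:
        rule = LABEL_RULES.get((f.code_system, f.code))
        if rule is None:
            continue
        conf, sens = rule
        if CONF_ORDER[conf] > CONF_ORDER[f.confidentiality]:
            f.confidentiality = conf
        f.sensitivity |= set(sens)
    return facts


def transform(facts, clearance_conf, clearance_sens, action="redact"):
    """Step 6b: apply the transform template for one recipient. A fact is
    released only if the recipient's confidentiality clearance dominates the
    fact's level AND the recipient holds every sensitivity tag on the fact.
    'redact' drops withheld facts; 'mask' leaves a labeled placeholder (an
    assumed stand-in for the deck's Mask (Encrypt) action)."""
    out = []
    for f in facts:
        permitted = (CONF_ORDER[clearance_conf] >= CONF_ORDER[f.confidentiality]
                     and f.sensitivity <= set(clearance_sens))
        if permitted:
            out.append({"section": f.section, "code": f.code, "text": f.text,
                        "label": f.confidentiality, "sensitivity": sorted(f.sensitivity)})
        elif action == "mask":
            out.append({"section": f.section, "code": None, "text": "[MASKED]",
                        "label": f.confidentiality, "sensitivity": sorted(f.sensitivity)})
    return out


if __name__ == "__main__":
    labeled = apply_label_rules(sample_facts())
    for f in labeled:
        print(f.section, f.code, f.confidentiality, sorted(f.sensitivity))
    print(transform(labeled, "N", set()))           # redacted view
    print(transform(labeled, "N", set(), "mask"))    # masked view
    print(transform(labeled, "R", {"HIV"}))          # full view
```

The point of the two clearance parameters is that confidentiality and sensitivity are checked independently: a recipient cleared to V but without the HIV sensitivity tag still gets the HIV facts withheld.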
NIST FIPS PUB 188 Standard Security Label
The general structure of the NIST label consists of a set of fields. Each field comprises a globally unique Tag Set Name plus a set of security tags.
Security Label = Field 1, ..., Field i, ..., Field n; each Field i = Tag Set Name + Tag a, Tag b, ..., Tag m
HCS Security Label
To support privacy metadata, the HCS defines a quadruplet (4-tuple) of resource label fields, which are security attributes about clinical facts: Confidentiality, Sensitivity, Integrity, and Compartment.
The HCS Security Label also includes a security policy-based label (privacy mark), the Handling Caveat label field, which conveys the Purpose of Use, Obligations, and Refrain Policies with which custodians and recipients of clinical facts must comply.
These labels define the classification of each item and of its constituent components (inner envelope, cover sheet, body, and section(s) and sub-sections or segments).
Security Label Field: Confidentiality
Definition: Security label metadata classifying an IT resource (data, information object, service, or system capability) according to its level of sensitivity, which is based on an analysis of applicable privacy policies and the risk of financial, reputational, or other harm to an individual that could result from unauthorized disclosure.
Notes: Only one classification value is permitted on the header of an IT resource. It must be the high water mark (most restrictive). In order to access a classified (tagged) IT resource, the user must possess rights greater than or equal to the IT resource classification. [ISO/TS 22600-3:2009(E) A.3.2]
Security Label Field: Sensitivity
Definition: Security label metadata categorizing the value, importance, and vulnerability of an IT resource perceived as undesirable to share.
Notes: In order to access a sensitivity-tagged IT resource, the user must possess rights corresponding to the sensitivity tag(s).
Security Label Field: Integrity
Definition: Security label metadata conveying the completeness, veracity, reliability, trustworthiness, and provenance of an IT resource.
Notes: Distinguish from assurance that information has not been modified in an unauthorized way (a subset of this notion).
Security Label Field: Compartment
Definition: Security label metadata that "segments" an IT resource by indicating that access and use is restricted to members of a defined community or project.
Security Label Field: Handling Caveat
Definition: Security label metadata conveying dissemination controls, information handling caveats, purpose of use, refrain policies, and obligations with which an IT resource custodian or receiver must comply.
Notes: Applies to all information within the scope of the caveat.
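The label fields above and the XACML match from the policy model slide, as an added example that is not code from the presentation or from the VA: a user's clearance (subject attributes) is evaluated against a resource's five-field HCS label, yielding an Effect plus the obligations and refrain policies that the handling caveat attaches to a Permit, and a composite document's header label is computed as the high water mark of its sections. Field names follow the slides; the integrity vocabulary, the purpose-of-use codes, the compartment names and the sample document are assumptions made for illustration. The HL7 confidentiality codes are the real code set.

```python
from dataclasses import dataclass

# HL7 confidentiality codes, least to most restrictive (real code set).
CONF_ORDER = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}
# Assumed integrity vocabulary for the example; lower is less trustworthy.
INTEGRITY_ORDER = {"unreliable": 0, "reliable": 1, "attested": 2}


@dataclass
class Label:
    """HCS security label: the 4-tuple plus the handling caveat field."""
    confidentiality: str                      # exactly one value on a resource
    sensitivity: frozenset = frozenset()      # e.g. HIV
    integrity: str = "reliable"
    compartment: frozenset = frozenset()      # communities/projects that may access
    purpose_of_use: frozenset = frozenset()   # handling caveat: permitted purposes
    obligations: tuple = ()                   # handling caveat
    refrain: tuple = ()                       # handling caveat


@dataclass
class Clearance:
    """Subject attributes presented with a request (XACML subject category)."""
    confidentiality: str            # highest level the user may read
    sensitivity: frozenset          # sensitivity tags the user is cleared for
    compartments: frozenset         # communities/projects the user belongs to
    purpose_of_use: str             # purpose asserted for this request
    min_integrity: str = "unreliable"   # assumed: lowest integrity the workflow accepts


def decide(user: Clearance, label: Label):
    """Rule evaluation: Deny on the first failing field, otherwise Permit with
    the caveat's obligations and refrain policies, which the enforcement point
    must honour before releasing the resource."""
    if CONF_ORDER[user.confidentiality] < CONF_ORDER[label.confidentiality]:
        return "Deny", "confidentiality clearance below resource classification"
    if not label.sensitivity <= user.sensitivity:
        missing = ",".join(sorted(label.sensitivity - user.sensitivity))
        return "Deny", "missing sensitivity clearance: " + missing
    if not label.compartment <= user.compartments:
        missing = ",".join(sorted(label.compartment - user.compartments))
        return "Deny", "not a member of compartment: " + missing
    if label.purpose_of_use and user.purpose_of_use not in label.purpose_of_use:
        return "Deny", "purpose of use not permitted by handling caveat"
    if INTEGRITY_ORDER[label.integrity] < INTEGRITY_ORDER[user.min_integrity]:
        return "Deny", "resource integrity below what the request requires"
    return "Permit", {"obligations": list(label.obligations), "refrain": list(label.refrain)}


def high_water_mark(labels):
    """Header label for a composite document: the single most restrictive
    confidentiality value, union of sensitivity, compartment, obligation and
    refrain sets, intersection of permitted purposes, lowest integrity."""
    labels = list(labels)
    if not labels:
        raise ValueError("a composite needs at least one labeled section")
    pou_sets = [l.purpose_of_use for l in labels if l.purpose_of_use]
    return Label(
        confidentiality=max((l.confidentiality for l in labels), key=CONF_ORDER.get),
        sensitivity=frozenset().union(*(l.sensitivity for l in labels)),
        integrity=min((l.integrity for l in labels), key=INTEGRITY_ORDER.get),
        compartment=frozenset().union(*(l.compartment for l in labels)),
        purpose_of_use=frozenset.intersection(*pou_sets) if pou_sets else frozenset(),
        obligations=tuple(dict.fromkeys(o for l in labels for o in l.obligations)),
        refrain=tuple(dict.fromkeys(r for l in labels for r in l.refrain)),
    )


def sample_document():
    """Constructed sections: demographics (N) and an HIV diagnosis (R)."""
    demographics = Label("N", purpose_of_use=frozenset({"TREAT", "PAYMENT"}))
    hiv = Label("R", frozenset({"HIV"}), "reliable", frozenset({"CARE_TEAM_7"}),
                frozenset({"TREAT"}), ("encrypt in transit",),
                ("no redisclosure without consent",))
    return demographics, hiv


if __name__ == "__main__":
    demographics, hiv = sample_document()
    doc = high_water_mark([demographics, hiv])
    clinician = Clearance("R", frozenset({"HIV"}), frozenset({"CARE_TEAM_7"}), "TREAT")
    billing = Clearance("N", frozenset(), frozenset(), "PAYMENT")
    print(doc)
    print(decide(clinician, doc))
    print(decide(billing, doc), decide(billing, demographics))
```

Note what the high water mark does to the billing user: the composite inherits R and the HIV tag from one section, so a request for the whole document is denied even though the demographics section alone would be permitted. That is the argument for labeling and releasing at section granularity rather than only at the document header.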
W3C PROV Data Model & Ontology
W3C Provenance Class Properties
wasAttributedTo: Attribution is the ascribing of an entity to an agent.
wasDerivedFrom: A derivation is a transformation of an entity into another, a construction of an entity into another, or an update of an entity, resulting in a new one.
wasGeneratedBy: Generation is the completion of production of a new entity by an activity. This entity did not exist before generation and becomes available for usage after this generation.
wasInformedBy: Communication is the exchange of an entity by two activities, one activity using the entity generated by the other.
wasInfluencedBy: Influence is the capacity of an entity, activity, or agent to have an effect on the character, development, or behavior of another by means of usage, start, end, generation, invalidation, communication, derivation, attribution, association, or delegation.
hadPrimarySource: A primary source for a topic refers to something produced by some agent with direct experience and knowledge about the topic, at the time of the topic's study, without benefit from hindsight. Because of the directness of primary sources, they 'speak for themselves' in ways that cannot be captured through the filter of secondary sources. As such, it is important for secondary sources to reference those primary sources from which they were derived, so that their reliability can be investigated. A primary source relation is a particular case of derivation of secondary materials from their primary sources. It is recognized that the determination of primary sources can be up to interpretation, and should be done according to conventions accepted within the application's domain.
wasInvalidatedBy: Invalidation is the start of the destruction, cessation, or expiry of an existing entity by an activity. The entity is no longer available for use (or further invalidation) after invalidation. Any generation or usage of an entity precedes its invalidation.
wasQuotedFrom: Quotation is the repeat of (some or all of) an entity, such as text or image, by someone who may or may not be its original author. Quotation is a particular case of derivation.
wasRevisionOf: A revision is a derivation for which the resulting entity is a revised version of some original. The implication here is that the resulting entity contains substantial content from the original. Revision is a particular case of derivation.
HCS Clinical Fact Metadata Template
Clinical Fact: Clinical Fact Name
Clinical Attribute: Clinical Attribute Name
Provenance (clinical attribute provenance, including): wasAttributedTo, wasDerivedFrom, wasGeneratedBy, wasInformedBy, wasInfluencedBy, hadPrimarySource, wasInvalidatedBy, wasQuotedFrom, wasRevisionOf
Security Label (clinical attribute metadata, including): Classification, Sensitivity, Integrity, Category, Handling Instructions
HCS Clinical Fact Metadata Example
Clinical Fact | Clinical Attribute | Provenance | Security Label (HL7*)
Diagnosis | <Patient Name> | Source=<Organization> | N
Diagnosis | 042 (HIV) | hadPrimarySource: ICD-9 Code; wasAttributedTo: <Attending> | Restricted, HIV
Medications | <Patient Name> | | N
Medications | 756209 (AZT) | hadPrimarySource: RxNorm; wasDerivedFrom: Diagnosis | Restricted, HIV
Allergies | <Patient Name> | wasDerivedFrom: Encounter | N
Allergies | 91936005 (Penicillin) | hadPrimarySource: SNOMED CT | N
Laboratory Report | 8053 (Lipid Panel) | hadPrimarySource: LOINC | N
Laboratory Report | components: 8320 Total Cholesterol, 8316 Triglyceride, 8429 HDL, 7973 LDL | |
Procedure | 86689.Z7 (HIV-1 Western Blot) | hadPrimarySource: CPT | Restricted, HIV
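Label inheritance over the provenance relations in the table above, as an added example that is not code from the presentation or from the VA. The table shows the AZT medication carrying Restricted, HIV because it wasDerivedFrom the HIV diagnosis; the code below makes that rule explicit: a fact's effective label is the high water mark of its own label and of every entity it is (transitively) derived from, where derivation covers wasDerivedFrom, wasRevisionOf, wasQuotedFrom and hadPrimarySource (only when the source is itself a labeled entity; the table's code-system sources are not). wasAttributedTo carries no label. That propagation policy, the direct labels, and the two extra documents (a progress note and a discharge summary) are assumptions constructed for the example.

```python
from collections import deque

# HL7 confidentiality codes, least to most restrictive (real code set).
CONF_ORDER = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}
# Assumed policy: relations along which a label is inherited.
DERIVATION = {"wasDerivedFrom", "wasRevisionOf", "wasQuotedFrom", "hadPrimarySource"}

# Direct labels assigned by the labeling rules: (confidentiality, sensitivity tags).
# None means no rule matched the entity itself; its label comes from its sources.
DIRECT = {
    "Encounter": ("N", set()),
    "Diagnosis:042": ("R", {"HIV"}),
    "Medication:756209": None,          # AZT: no rule of its own in this example
    "Allergy:91936005": ("N", set()),
    "Procedure:86689": ("R", {"HIV"}),
    "ProgressNote": None,               # constructed: quotes the diagnosis
    "DischargeSummary": None,           # constructed: a revision of the note
}

# PROV statements as (subject, relation, object). Constructed from the table
# plus the two extra documents.
STATEMENTS = [
    ("Diagnosis:042", "wasAttributedTo", "Attending"),
    ("Medication:756209", "wasDerivedFrom", "Diagnosis:042"),
    ("Medication:756209", "wasDerivedFrom", "Encounter"),
    ("Allergy:91936005", "wasDerivedFrom", "Encounter"),
    ("ProgressNote", "wasQuotedFrom", "Diagnosis:042"),
    ("DischargeSummary", "wasRevisionOf", "ProgressNote"),
]


def effective_label(entity, direct=DIRECT, statements=STATEMENTS):
    """Walk derivation edges transitively (cycle-safe) and return the high
    water mark of the entity's own label and its ancestors' labels as
    (confidentiality, sensitivity). Confidentiality is None if nothing in the
    chain carries a label."""
    conf, sens = None, set()
    seen, queue = set(), deque([entity])
    while queue:
        e = queue.popleft()
        if e in seen:
            continue
        seen.add(e)
        own = direct.get(e)
        if own is not None:
            if conf is None or CONF_ORDER[own[0]] > CONF_ORDER[conf]:
                conf = own[0]
            sens |= own[1]
        for subject, relation, obj in statements:
            if subject == e and relation in DERIVATION:
                queue.append(obj)
    return conf, sens


def all_effective_labels():
    """Effective labels for every entity the rules engine knows about."""
    return {e: effective_label(e) for e in DIRECT}


if __name__ == "__main__":
    for name, (conf, sens) in all_effective_labels().items():
        print(f"{name:20s} {conf} {sorted(sens)}")
```

The discharge summary ends up Restricted, HIV through two hops (revision of a note that quotes the diagnosis) even though no labeling rule ever fires on it directly; that is the case a code-only rules engine misses and the reason the template records provenance next to the security label.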