Towards an Integrated Approach to Access Control to Health Information
Presented by: Inger Anne Tøndel, SINTEF
Co-authors: Per Håkon Meland, SINTEF; Lillian Røstad, SINTEF; Øystein Nytrø, NTNU

Post on 26-Dec-2015


Page 1: Title slide (title and authors as listed above)

Page 2: The iAccess Project

Integrated Access Control for Healthcare Information Systems (iAccess)

- Funded by the Norwegian Research Council 2005-2008 (++)
- Applied research activities + two PhD students
- A research partnership between NTNU, SINTEF and UiO
  - NTNU: Dep. of Computer and Information Science
  - SINTEF: Dep. Software Engineering, Safety and Security
  - UiO: Faculty of Law
- Participants: Rikshospitalet University Hospital/The Norwegian Radium Hospital; Central Norway Regional Health Authority (HEMIT)

Page 3: Background – Access Control Integration

- Reality: Not one EHR, many clinical systems!
- Integration of healthcare information from several systems is an emerging trend
  - Local
  - Regional
  - National
- Access control is a key issue in order to share sensitive information
  - Various access control mechanisms
  - Access control in integrated systems
  - Access control is dependent on the information
- Strict legal requirements for information security and patient privacy
- Challenges related to technology, organization and legislation

Page 4: The iAccess Handbook (Norwegian)

iaccess.idi.ntnu.no

Page 5: The iAccess Handbook – Content (1)

Part 1 – Reference Information
- A repository of useful information
  - Technical viewpoint
  - Organizational viewpoint
  - Legal viewpoint

Page 6: Overview of Central Laws and Regulations

- Regulations related to access restrictions on the treatment (processing) of health information, classified according to formal, factual and personnel regulations
- Regulations related to instructions, permissions and conditions for sending, receiving and exchanging health information
- Regulations related to information quality
- Regulations related to provision of the confidentiality, integrity and availability of health information
- Regulations related to internal control
- Regulations related to particular technical, physical or organisational methods of treatment

Page 7: The iAccess Handbook – Content (2)

Part 2 – Survey Methods
Part 3 – Combining and Presenting Results

The iAccess Method

Page 8: Documentation Study

Examples of relevant information:
- legislation
- local policies and routines
- documentation of existing systems
- plans and strategies for the future

Our experience: Hard to know what you will get...

Page 9: Process Workshops

- Different focus groups
  - Decision makers
  - System developers/maintainers
- Process maps
  - Activities, roles, documentation/tools
- Results
  - Process maps
  - Discussions!!
- Scenarios
  - A new employee starts working at the hospital, and needs access to the IT systems.
  - An employee accesses the patient record of his neighbor, without having a medical responsibility for this neighbor.

Page 10: Semi-Structured Interviews

- Experiences of system users
  - How does the current access control solution influence their workday?
- Interviewees
  - Clinical personnel – physicians, nurses, nutritionists
  - Administrative personnel – secretaries
- Questions based on the scenarios used in the process workshops
  - Enables comparison

Page 11: Combining Results

Show results from the different types of surveys in the same diagrams
- Domain models
  - Relation between concepts
- Use cases/misuse cases
  - Real world shortcomings, conflicts, grey areas
- Activity diagrams
  - More structured than process maps
  - Map activities to roles
  - Add comments and information about documentation/tools

Page 12: Example Activity Diagram: The New Employee Scenario

Page 13: Experiences from the use of the methods

- Useful for retrieving information related to organizational issues and work processes
  - Are often not described in one single document
  - Information sharing between the participants
- The process maps are not ideal for retrieving technical information
  - Too many details
  - Hard to show information flow
- Important to combine inputs from different focus groups
  - Grasp the full picture
  - Makes it possible to discover differences in opinions

Page 14: Input from different focus groups

- Decision makers: Focus on routines, plans for the future
- System developers/maintainers: Focus on the IT systems
- System users: How does the system fit their work day?

Example 1: Routines and responsibilities for auditing of logs
- Problems with checking huge logs
- Users have high expectations regarding detection of misuse

Example 2: Routines and forms involved when access is to be assigned to a system
- How is this done technically in the systems?
- How is this process experienced by the users?
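The neighbor scenario from the process workshops and the log-auditing example above describe the same gap: spotting record accesses that have no documented medical responsibility behind them, in logs too large to read line by line. As an added illustration that is not part of the presentation or the iAccess project, the Python below checks a constructed access log against a constructed care-relationship table and aggregates findings per user/patient pair so an auditor reviews relationships rather than individual log lines; the log format, field names and all data are assumptions.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (hypothetical): an EHR access log and the set of
# documented care relationships, i.e. which user has a medical responsibility
# for which patient. Neither comes from the presentation.
ACCESS_LOG = """\
timestamp,user,patient,action
2008-03-01T08:02:11,nurse_ola,P-1001,read
2008-03-01T08:05:40,dr_kari,P-1001,read
2008-03-01T12:30:02,nurse_ola,P-2042,read
2008-03-01T12:31:15,nurse_ola,P-2042,read
2008-03-01T13:00:00,sec_anne,P-3003,read
2008-03-02T09:10:00,dr_kari,P-2042,read
"""

CARE_RELATIONS = {
    ("nurse_ola", "P-1001"),
    ("dr_kari", "P-1001"),
    ("dr_kari", "P-2042"),
    ("sec_anne", "P-3003"),
}


@dataclass(frozen=True)
class Finding:
    user: str
    patient: str
    count: int


def audit_access_log(log_text, care_relations):
    """Return record accesses not backed by a documented care relationship,
    aggregated per (user, patient) pair and sorted with the most frequent
    unexplained pair first. One finding per pair keeps the review list
    small even when the underlying log is huge."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["user"], row["patient"])
        if key not in care_relations:
            counts[key] += 1
    return sorted(
        (Finding(u, p, n) for (u, p), n in counts.items()),
        key=lambda f: (-f.count, f.user, f.patient),
    )


if __name__ == "__main__":
    for f in audit_access_log(ACCESS_LOG, CARE_RELATIONS):
        print(f"{f.user} accessed {f.patient} {f.count}x without a documented care relationship")
```

In the sample, nurse_ola's two reads of P-2042 are the only accesses without a care relationship and surface as a single finding; the matching step would in practice need to account for the legitimate exceptions the hospital's own routines define.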

Page 15: Conclusion

- The handbook and the methods
  - Starting point for working on the challenges of access control in integrated health information systems
- Target group
  - PhD students
  - Hospitals (IT departments)
- Many challenges
  - Technical
  - Organizational
  - Juridical

Page 16: Further Work

- Improve the iAccess handbook
- Test new methods
  - Taxonomy for classification of access control
  - Observations, logs, questionnaires???? To be decided...
  - Focus on consent?
- PhD students....
- We have concentrated on access control within hospitals
  - There are also challenges regarding access to information between hospitals (and also other care givers)

Page 17: Thank you!