Towards an integrated approach to access control to health information

Towards an Integrated Approach to Access Control to Health Information. Presented by: Inger Anne Tøndel SINTEF Co-authors: Per Håkon Meland SINTEF Lillian Røstad SINTEF Øystein Nytrø NTNU. The iAccess Project.


Towards an Integrated Approach to Access Control to Health Information

Presented by: Inger Anne Tøndel, SINTEF

Co-authors: Per Håkon Meland, SINTEF; Lillian Røstad, SINTEF; Øystein Nytrø, NTNU


The iAccess Project

  • Integrated Access Control for Healthcare Information Systems (iAccess)

  • Funded by the Norwegian Research Council

  • 2005-2008 (++)

  • Applied research activities + two PhD-students

  • A research partnership between NTNU, SINTEF and UiO

    • NTNU: Dep. of Computer and Information Science

    • SINTEF: Dep. Software Engineering, Safety and Security

    • UiO: Faculty of law

  • Participants:

    • Rikshospitalet University Hospital/The Norwegian Radium Hospital

    • Central Norway Regional Health Authority (HEMIT)


Background – Access Control Integration

  • Reality: Not one EHR, many clinical systems!

  • Integration of healthcare information from several systems is an emerging trend

    • Local

    • Regional

    • National

  • Access control is a key issue in order to share sensitive information

  • Various access control mechanisms

  • Access control in integrated systems

    • Access control is dependent on the information

  • Strict legal requirements for information security and patient privacy

  • Challenges related to technology, organization and legislation


The iAccess Handbook (Norwegian)


The iAccess Handbook – Content (1)

  • Part 1 – Reference Information

    • A repository of useful information

    • Technical viewpoint

    • Organizational viewpoint

    • Legal viewpoint


Overview of Central Laws and Regulations

  • Regulations related to restricting access to the treatment of health information, classified as formal, factual and personnel regulations

  • Regulations related to instructions, permissions and conditions for sending, receiving and exchanging health information

  • Regulations related to information quality

  • Regulations related to provision of the confidentiality, integrity and availability of health information

  • Regulations related to internal control

  • Regulations related to particular technical, physical or organisational methods of treatment


The iAccess Handbook – Content (2)

  • Part 2 – Survey Methods

  • Part 3 – Combining and Presenting Results

     The iAccess Method


Documentation Study

  • Examples of relevant information:

    • legislation

    • local policies and routines

    • documentation of existing systems

    • plans and strategies for the future

  • Our experience:

    • Hard to know what you will get...

Process Workshops

  • Different focus groups

    • Decision makers

    • System developers/maintainers

  • Process maps

    • Activities, roles, documentation/tools

  • Scenarios

    • A new employee starts working at the hospital, and needs access to the IT systems.

    • An employee accesses the patient record of his neighbor, without having a medical responsibility for this neighbor.


Semi-Structured Interviews

  • Experiences of system users

    • How does the current access control solution influence their workday?

  • Interviewees

    • Clinical personnel – physicians, nurses, nutritionists

    • Administrative personnel – secretaries

  • Questions based on the scenarios used in the process workshops

    • Enables comparison


Combining Results

  • Show results from the different types of surveys in the same diagrams

  • Domain models

    • Relation between concepts

  • Use cases/misuse cases

    • Real world shortcomings, conflicts, grey areas

  • Activity diagrams

    • More structured than process maps

    • Map activities to roles

    • Add comments and information about documentation/tools


Example Activity Diagram: The New Employee Scenario


Experiences from the use of the methods

  • Useful for retrieving information related to organizational issues and work processes

    • Are often not described in one single document

    • Information sharing between the participants

  • The process maps are not ideal for retrieving technical information

    • Too many details

    • Hard to show information flow

  • Important to combine inputs from different focus groups

    • Grasp the full picture

    • Makes it possible to discover differences in opinions


Input from different focus groups

  • Decision makers

    • Focus on routines, plans for the future

  • System developers/maintainers

    • Focus on the IT systems

  • System users

    • How does the system fit their work day

  • Example 1:

    • Routines and responsibilities for auditing of logs

    • Problems with checking huge logs

    • Users have high expectations regarding detection of misuse

  • Example 2:

    • Routines and forms involved when access is to be assigned to a system

    • How is this done technically in the systems?

    • How is this process experienced by the users?



  • The handbook and the methods

     Starting point for working on the challenges of access control in integrated health information systems

  • Target group

    • PhD students

    • Hospitals (IT departments)

  • Many challenges

    • Technical

    • Organizational

    • Juridical


Further Work

  • Improve the iAccess handbook

  • Test new methods

    • Taxonomy for classification of access control

    • Observations, logs, questionnaires???? To be decided...

    • Focus on consent?

  • PhD students....

  • We have concentrated on access control within hospitals

  • There are also challenges regarding access to information between hospitals (and also other care givers)


Thank you!
