Towards an integrated approach to access control to health information
1 / 17

Towards an Integrated Approach to Access Control to Health Information - PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Towards an Integrated Approach to Access Control to Health Information. Presented by: Inger Anne Tøndel SINTEF Co-authors: Per Håkon Meland SINTEF Lillian Røstad SINTEF Øystein Nytrø NTNU. The iAccess Project.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Towards an Integrated Approach to Access Control to Health Information

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Towards an Integrated Approach to Access Control to Health Information

Presented by: Inger Anne Tøndel SINTEF

Co-authors: Per Håkon Meland SINTEF

Lillian Røstad SINTEF

Øystein Nytrø NTNU

The iAccess Project

  • Integrated Access Control for Healthcare Information Systems (iAccess)

  • Funded by the Norwegian Research Council

  • 2005-2008 (++)

  • Applied research activities + two PhD-students

  • A research partnership between NTNU, SINTEF and UiO

    • NTNU: Dep. of Computer and Information Science

    • SINTEF: Dep. Software Engineering, Safety and Security

    • UiO: Faculty of law

  • Participants:

    • Rikshospitalet University Hospital/The Norwegian Radium Hospital

    • Central Norway Regional Health Authority (HEMIT)

Background – Access Control Integration

  • Reality: Not one EHR, many clinical systems!

  • Integration of healthcare information from several system is an emerging trend

    • Local

    • Regional

    • National

  • Access control is a key issue in order to share sensitive information

  • Various access control mechanisms

  • Access control in integrated systems

    • Access control is dependent on the information

  • Strict legal requirements for information security and patient privacy

  • Challenges related to technology, organization and legislation

The iAccess Handbook (Norwegian)

The iAccess Handbook – Content (1)

  • Part 1 – Reference Information

    • A repository of useful information

    • Technical viewpoint

    • Organizational viewpoint

    • Legal viewpoint

Overview of Central Laws and Regulations

  • Regulations related to the access restriction to treatment of health information. Classified according to formal-, factual-, personnel regulations

  • Regulations related to instructions, permissions and conditions for sending, receiving and exchanging health information

  • Regulations related to information quality

  • Regulations related to provision of the confidentiality, integrity and availability of health information

  • Regulations related to internal control

  • Regulations related to particular technical, physical or organisational methods of treatment

The iAccess Handbook – Content (2)

  • Part 2 – Survey Methods

  • Part 3 – Combining and Presenting Results

     The iAccess Method

Documentation Study

  • Examples of relevant information:

    • legislation

    • local policies and routines

    • documentation of existing systems

    • plans and strategies for the future

  • Our experience:

    • Hard to know what you will get...

Different focus groups

Decision makers

System developers/maintainers

Process maps

Activities, roles, documentation/tools


Process maps


Process Workshops

  • Scenarios

    • A new employee starts working at the hospital, and needs access to the IT-systems.

    • An employee accesses the patient record of his neighbor, without having a medical responsibility for this neighbor.

Semi-Structured Interviews

  • Experiences of system users

    • How does the current access control solution influence their workday?

  • Interviewees

    • Clinical personnel – physicians, nurses, nutritionists

    • Administrative personnel – secretaries

  • Questions based on the scenarios used in the process workshops

    • Enables comparison

Combining Results

  • Show results from the different types of surveys in the same diagrams

  • Domain models

    • Relation between concepts

  • Use cases/misuse cases

    • Real world shortcomings, conflicts, grey areas

  • Activity diagrams

    • More structured than process maps

    • Map activities to roles

    • Add comments and information about documentation/tools

Example Activity Diagram: The New Employee Scenario

Experiences from the use of the methods

  • Useful for retrieving information related to organizational issues and work processes

    • Are often not described in one single document

    • Information sharing between the participants

  • The process maps are not ideal for retrieving technical information

    • Too many details

    • Hard to show information flow

  • Important to combine inputs from different focus groups

    • Grasp the full picture

    • Makes it possible to discover differences in opinions

Input from different focus groups

  • Decision makers

    • Focus on routines, plans for the future

  • System developers/maintainers

    • Focus on the IT systems

  • System users

    • How does the system fit their work day

  • Example1:

    • Routines and responsibilities for auditing of logs

    • Problems with checking huge logs

    • Users have high expectations regarding detection of misuse

  • Example 2:

    • Routines and forms involved when access is to be assigned to a system

    • How is this done technically in the systems?

    • How is this process experienced by the users?


  • The handbook and the methods

     Starting point for working on the challenges of access control in integrated health information systems

  • Target group

    • PhD students

    • Hospitals (IT departments)

  • Many challenges

    • Technical

    • Organizational

    • Juridical

Further Work

  • Improve the iAccess handbook

  • Test new methods

    • Taxonomy for classification of access control

    • Observations, logs, questionnaires???? To be decided...

    • Focus on consent?

  • PhD students....

  • We have concentrated on access control within hospitals

  • There are also challenges regarding access to information between hospitals (and also other care givers)

Thank you!

  • Login