Towards an Integrated Approach to Access Control to Health Information


Presented by: Inger Anne Tøndel, SINTEF

Co-authors: Per Håkon Meland (SINTEF), Lillian Røstad (SINTEF), Øystein Nytrø (NTNU)

The iAccess Project
  • Integrated Access Control for Healthcare Information Systems (iAccess)
  • Funded by the Norwegian Research Council
  • 2005-2008 (++)
  • Applied research activities + two PhD-students
  • A research partnership between NTNU, SINTEF and UiO
    • NTNU: Dep. of Computer and Information Science
    • SINTEF: Dep. Software Engineering, Safety and Security
    • UiO: Faculty of law
  • Participants:
    • Rikshospitalet University Hospital/The Norwegian Radium Hospital
    • Central Norway Regional Health Authority (HEMIT)
Background – Access Control Integration
  • Reality: Not one EHR, many clinical systems!
  • Integration of healthcare information from several systems is an emerging trend
    • Local
    • Regional
    • National
  • Access control is a key issue in order to share sensitive information
  • Various access control mechanisms
  • Access control in integrated systems
    • Access control is dependent on the information
  • Strict legal requirements for information security and patient privacy
  • Challenges related to technology, organization and legislation
The iAccess Handbook – Content (1)
  • Part 1 – Reference Information
    • A repository of useful information
    • Technical viewpoint
    • Organizational viewpoint
    • Legal viewpoint
Overview of Central Laws and Regulations
  • Regulations related to restricting access to the treatment of health information, classified as formal, factual and personnel regulations
  • Regulations related to instructions, permissions and conditions for sending, receiving and exchanging health information
  • Regulations related to information quality
  • Regulations related to provision of the confidentiality, integrity and availability of health information
  • Regulations related to internal control
  • Regulations related to particular technical, physical or organisational methods of treatment
The iAccess Handbook – Content (2)
  • Part 2 – Survey Methods
  • Part 3 – Combining and Presenting Results

 The iAccess Method

Documentation Study
  • Examples of relevant information:
    • legislation
    • local policies and routines
    • documentation of existing systems
    • plans and strategies for the future
  • Our experience:
    • Hard to know what you will get...
Process Workshops
  • Different focus groups
    • Decision makers
    • System developers/maintainers
  • Process maps
    • Activities, roles, documentation/tools
  • Scenarios
    • A new employee starts working at the hospital, and needs access to the IT-systems.
    • An employee accesses the patient record of his neighbor, without having a medical responsibility for this neighbor.
Semi-Structured Interviews
  • Experiences of system users
    • How does the current access control solution influence their workday?
  • Interviewees
    • Clinical personnel – physicians, nurses, nutritionists
    • Administrative personnel – secretaries
  • Questions based on the scenarios used in the process workshops
    • Enables comparison
Combining Results
  • Show results from the different types of surveys in the same diagrams
  • Domain models
    • Relation between concepts
  • Use cases/misuse cases
    • Real world shortcomings, conflicts, grey areas
  • Activity diagrams
    • More structured than process maps
    • Map activities to roles
    • Add comments and information about documentation/tools
Experiences from the use of the methods
  • Useful for retrieving information related to organizational issues and work processes
    • Are often not described in one single document
    • Information sharing between the participants
  • The process maps are not ideal for retrieving technical information
    • Too many details
    • Hard to show information flow
  • Important to combine inputs from different focus groups
    • Grasp the full picture
    • Makes it possible to discover differences in opinions
Input from different focus groups
  • Decision makers
    • Focus on routines, plans for the future
  • System developers/maintainers
    • Focus on the IT systems
  • System users
    • How does the system fit their workday?
  • Example 1:
    • Routines and responsibilities for auditing of logs
    • Problems with checking huge logs
    • Users have high expectations regarding detection of misuse
  • Example 2:
    • Routines and forms involved when access is to be assigned to a system
    • How is this done technically in the systems?
    • How is this process experienced by the users?
  • The handbook and the methods
    • Starting point for working on the challenges of access control in integrated health information systems

  • Target group
    • PhD students
    • Hospitals (IT departments)
  • Many challenges
    • Technical
    • Organizational
    • Juridical
Further Work
  • Improve the iAccess handbook
  • Test new methods
    • Taxonomy for classification of access control
    • Observations, logs, questionnaires???? To be decided...
    • Focus on consent?
  • PhD students....
  • We have concentrated on access control within hospitals
  • There are also challenges regarding access to information between hospitals (and also other care givers)