
Harmonized Privacy and Security Domain Analysis Model

Draft for Peer Review: http://gforge.hl7.org/gf/project/security/frs/


Presentation Transcript


  1. Harmonized Privacy and Security Domain Analysis Model. Draft for Peer Review: http://gforge.hl7.org/gf/project/security/frs/

  2. Overview: http://gforge.hl7.org/gf/project/security/frs/
     • Draft Document
     • Peer Review Form

  3. Changes
     • Harmonization
     • Security and Privacy view points identified and related to each other
     • Common classes resolved
     • ProviderOrganization Organization
     • Removed overlaps
     • Consolidated Security Privacy Use Cases and class definitions
     • Alignment with ISO 22600 (Part 2 Formal Models) Health informatics — Privilege Mgmt and Access Control
     • Reconciliation January 2010 Ballot
     • To do:
     • Alignment with ISO/IEC 15816 (Security Information Objects for Access Control)

  4. Security Viewpoint

  5. Privacy Viewpoint

  6. Abstract Consent Directive and Security Policy Implementation

  7. Consent Directive and Security Policy
     • Abstract Class, Base class
     • Concrete Specialization classes
     • Related classes

  8. Role-based Access Control Classes

  9. Business Use Cases

  10. System Interactions

  11. Consent Directive State Machine
     • Identifies business triggers

  12. Based on State Machine

  13. Negotiate

  14. Evaluated Default Policy vs. Consent Directive

  15. Outstanding items
     • Clinician-centric/business view-point
     • Security view-point
     • Privacy view-point
     • Clarify differences

  16. Use Case: Negotiate Policy
     • Sam Jones has been provided with a form to register his privacy preferences. He indicates that he does not want Dr. Bob to access his records. Sunnybrook Hospital has a rule that provides access to all patient records to treating physicians. Mr. Jones is alerted to this rule when he enters his preferences. Although Dr. Bob is not Mr. Jones’ primary physician, there may be occasions when Dr. Bob would be granted access to Mr. Jones’ medical record. Mr. Jones does not agree to the policy and does not sign the consent form. Because the hospital cannot provide service to Mr. Jones without a signed consent form, a privacy officer at the hospital is alerted to this and contacts Mr. Jones. The privacy officer explains the situation to Mr. Jones and explains the different options that are available and their consequences. Mr. Jones either selects an option that he is comfortable with or suggests an alternative option. The privacy officer then complies with Mr. Jones’ decision or evaluates the alternative option. This process continues until a mutually satisfactory option is reached.
     • All jurisdictional policies are complied with and neither organizational policy nor consent directive has been changed without the stakeholders’ knowledge. One possible resolution to the conflict could be that the hospital and patient have not come to an agreement and the patient has decided to seek healthcare services at another hospital.

  17. Use Cases Business Technical Interactions elaborated

  18. Interactions

  19. Interactions

  20. Related Information

  21. Associations
