The Immunological Model for CDA Access Revisited
Mike Mair and Stephen Chu, New Zealand
Acapulco, 22.10.2004

Agenda
- History
- Immunological model revisited
- Review of Berlin proposal
- CDA as the empty box and the CDA box revamped
- Role and role definition
- Role, tasks, and the division of labour
- Expression of local roles
- Some examples
- Questions and discussions

The History
- At the ISO TC/215 WG1 in 1998 at Orlando, the New Zealand team agreed to develop a work item on access for the ISO committee, for delivery at the Seoul meeting in March 2001
- We called for the creation of a universal healthcare packet, which we termed the attestable unit. It was paired with an access lock for a universal access mechanism. It was modeled on the bifunctional immunoglobulin family of molecules of immunological science.

The Immunoglobulin Molecule
[Figure labels: the effector end of the IgG molecule; the recognition ends of the IgG]

The universal role for immunoglobulin
- In the body the immunoglobulin molecule is pervasive
- It acts as a transmitter, a hormone, an activator, a switch; it can be extremely specific in its target, or very general
- Nature has implemented a single design
- If we can get a universal access control process for the CDA, could it do the same for health informatics?

An example of AB-AG binding: the HLA B27 antigen
- The HLA antigen has many types
- An antibody can target all of them, or a sub class, or a single type
- This feature of the immune system, to be able to target a whole class, or a subset of a class, is a good metaphor for a search
- A class of meta-data is depicted as an antibody binding site.

A class of meta-data is like an antibody binding site. A search can match all members of a class, or any subset of the class hierarchy.

ISO-TC215 Seoul 2001: Access Proposal
"You only find what you are meant to find"
- The access lock concept for the attestable unit was to act as a guard and pointer to the attestable unit.
- It contained the role required for access to the unit.
- It was matched by a search object containing a searcher's public key (PKI), and attribute certificate.
- We evoked dual key cryptography for the actual retrieval of the unit.
- The data would remain with the system of origin, along with the audit trail of the 5 WH of instances of access to the data

ISO-TC215 Seoul 2001: Access Proposal
- At the presentation to the WG1 meeting in March 2001, Seoul, Korea, I mentioned that the CDA might function as the attestable unit, and the access lock might derive from a detachable header for the CDA.
- The concept was further developed and presented at the First International CDA Conference at Berlin in October 2002

The Detachable CDA Header
[Figure: Detachable Header]

The Detachable CDA Header

Role Words
- Role words in a language, like most other words, are language specific.
- Is Verstehen the same as Understanding?
- Is Spirituel the same as Spiritual?
- Most role words simply do NOT translate
- The Chess analogy for language: Saussure
- The concept of autopoiesis: Varela

Roles constitute self-defining autopoietic sets

[Figure labels: Regional Server data store: list of CDA headers (or access objects); Provider Server data store; locates CDA document source; encryption key transfer]
[Figure labels: SSL; SOAP security; SOAP envelope; digital signature; public key certificate; SOAP encryption; role-based access control]

The Proposal from Finland at Berlin
From Timo Itala et al
- There was already an implementation from Finland using the CDA headers as a referent
- When the doctor wants to look at the patient data, the regional system looks up the entry from the list of pointers
- This search and retrieval system does not include an index to the clinical data in the header, to preserve patient confidentiality

Refining the Berlin Proposals
- To allow this concept to be used as a searchable clinical repository
- To allow role for access to be entirely locally defined
- To expand the concept to cover repositories of all types of health data

Problems with a Role-Registry
- ".. It shall be possible to identify realm specific variations for vocabularies where this is permitted by existing HL7 rules. Each such variation shall be subject to registration" (from Dr Guilliermo Reynoso's presentation, 5th International Affiliate Conference)
- This may not be true of local role sets
- Since role definition is a function of division of labour, the number of potential roles is limitless
- We could never track them all, and should NOT even try

Implementing Local Role Definition: a Starter Model
We propose a division of the domain up into four basic data types:
- Clinical
- Administrative
- Demographic
- Personal

And the CDA into four basic compartments

The Revamped CDA: not quite empty
NOTE: The CDA repository can have the same structure

Implementing Local Role Definition: a Starter Model
We suggest that these are accessed by 4 core roles:
- Clinician
- Administrative
- Researcher
- Self (subject of care addressed in record)

The Division of Labour

Local roles can be expressed by:
- A segregation of data into 4 compartments
- The identification of 4 core roles
- The use of a grain filter
- Need-to-know targeting of a subset of the CDA repository which is defined by task

The Hierarchical Organisation of Knowledge

The Theory of Granular Partitions
- The coarser the grain, the more the downstream information
- Fine grain search delivers limited knowledge (or information)
- The single CDA is the finest grain entity in this model

Grain range can be generalised across domains
(Bittner, B. Smith, Granular Spatio-Temporal Ontologies, in A Theory of Granular Partitions. Foundations of Geographic Information Science, M. Duckham, M. F. Goodchild and M. F. Worboys (eds.), London: Taylor & Francis, (2003) 117-151.)

A class of meta-data is like an antibody binding site. A search can match all members of a class, or any subset of the class hierarchy.

How does this work in practice?
- A subset of the CDA repository is targeted by the need-to-know defined by the task
- A requester role-key is configured and applied locally. It contains attribute certificates.
- If a search request is inconsistent with the requester's role-key, then permission is denied
- The accredited institution is responsible for the integrity and security of the records it handles

[Class diagram]

AccessControl_Object
  attributes: permittedSearchGrain
  operations: checkRoleBasedSearchGrain(), generateSearc(), rejectSearch()
  note: Method checks whether grain of search is within range permitted for the role. IF NOT - step search, ELSE find and return CDA(s) that match(es) request

SearchGrain_Object
  attributes: roleBasedSearchGrainPermission

Request_Object
  attributes: requesterID, roleValue, searchParameters
  operations: sendSearchRequest(), getAttributeCertificate()

Audit_Object
  attributes: requesterID, requesterRole, accessDateTime, requestParameters, requestOutcome
  operations: logsAccessAttempt()

RoleKey_Object
  attributes: requesterID, attributeCertificate, requesterPublicKey, requestParameters
  operations: findCDA()

CDA_Object
  attributes: documentInfo, encounterInfo, providerInfo, serviceTargetInfo, referenceToData
  operations: getCDABody()
  note: includes base role value for access control

HealthData [CDA-Body]: ClinicalData, AdminData, DemongraphicData, SecretData

Association labels: accesses; sends-request; sends-access-attempt-details; activates; searches-&-retrieves; sends-search-result
Multiplicities shown: 1, 1

[Sequence diagram]
Participants: RequestObject, CertificateObject, AccessControl, SearchGrain, RoleKeyObject, CDAObject, HeadData, AuditObject
Messages as labelled in the figure: accept-or-Reject(); searchResult(); requestSearch(userID; srchCriteria); getGrainFilter(); returnsSrchGrainPermission(); getCDA(); getBody(); returnBody(); returnCDA(); returnCDA(); requestCDA(attribCert; digitalCert; searchCriteria); searchAttempt(); sendAttrCert(); requestAttribCert()

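The grain check and audit step named in the class diagram, written out as an added Python example (not from the original slides). The grain scale, the per-role compartments and grain ranges in POLICY, and the premise that the attribute certificate has already been verified are assumptions made for illustration; the slides leave these to local definition.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed grain scale, coarse -> fine; the slides fix only the single CDA as finest.
GRAINS = ["repository", "population", "patient", "single_cda"]

# Assumed local policy: role -> (compartments, coarsest grain, finest grain).
POLICY = {
    "Clinician": ({"Clinical", "Demographic"}, "patient", "single_cda"),
    "Administrative": ({"Administrative", "Demographic"}, "patient", "single_cda"),
    "Researcher": ({"Clinical"}, "repository", "population"),
    "Self": ({"Clinical", "Administrative", "Demographic", "Personal"},
             "patient", "single_cda"),
}

@dataclass(frozen=True)
class Request:
    requester_id: str
    role_value: str   # role the requester claims
    compartment: str  # searchParameters: which data compartment
    grain: str        # searchParameters: how coarse the search is

AUDIT_LOG = []  # stands in for Audit_Object's store

def check_role_based_search_grain(req, cert_role):
    """cert_role: role read from an attribute certificate assumed already verified."""
    if req.role_value != cert_role:
        return "rejected: role claim does not match attribute certificate"
    if cert_role not in POLICY:
        return "rejected: role not defined locally"
    compartments, coarsest, finest = POLICY[cert_role]
    if req.compartment not in compartments:
        return "rejected: compartment not permitted for role"
    if req.grain not in GRAINS:
        return "rejected: unknown grain"
    lo, hi = GRAINS.index(coarsest), GRAINS.index(finest)
    if not lo <= GRAINS.index(req.grain) <= hi:
        return "rejected: grain outside range permitted for role"
    return "accepted"

def handle_search(req, cert_role):
    """Decide, then record every attempt (accepted or not) before returning."""
    record = {
        "requesterID": req.requester_id,
        "requesterRole": cert_role,  # log the certified role, not the claimed one
        "accessDateTime": datetime.now(timezone.utc).isoformat(),
        "requestParameters": (req.compartment, req.grain),
        "requestOutcome": check_role_based_search_grain(req, cert_role),
    }
    AUDIT_LOG.append(record)
    return record
```
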
CROSS BORDER ROLE MANAGEMENT
- Where there has been policy bridging and a role inventory for mapping, this can simply be applied
- Where no such work has been done, we suggest that a proxy role key search object is assigned by an authority in the host realm.
- All other aspects of the process deliver interoperable results.

The end dream.
- A single pervasive device, the CDA
- A simple shared access process
- endlessly customizable, a stand alone, a component, an EHR extract
- a fix for now, a stage in a global evolution
- Just let it go, release it in global healthcare
- facilitate the emergence of implicate order

Let's give Gaia an immune system, maybe she will heal...

Questions?