Thursday, March 17, 2011

Healthcare Access Controls standards landscape

The following will give an overview of the landscape of Standards development for Access Controls in Healthcare. There is surely more being done in Healthcare Standards, I am sure I have missed something, and there is ongoing work that is not always included here because it is less mature and not really formally published. Given that this is my blog, I have taken license to include more than just access control at times.  I created this as a response to a question by the OASIS PMRM (see below).

The most technically detailed work is happening in a sub-workgroup in OASIS – XSPA. This group has profiles, and works with the SAML and XACML committees to examine the gaps they identify. Please see the XSPA home page on OASIS to understand more.
HL7 -- The healthcare specific standards organization HL7 also has significant work available
IHE -- IHE is only an ‘interoperability’ profiling organization. So they only define interoperability specifications. They don’t get into architecture, services, or implementation details. They have endorsed through their Profiles the use of SAML for identity assertions, and the HL7 XML document for capturing patient privacy consent. They have other more classic security profiles as well. They do have a white paper that examines Access Control space in healthcare explaining how federation and directories are used to bring together the security/privacy context necessary for access control decisions and how that relates to federated enforcement.
  • ATNA - This is a comprehensive yet thin profile that indicates that Access Control, Audit Control, and Network Controls are important
  • PWP - This is a very thin profile that simply says that for user directory, use LDAP
  • EUA - Very thin profile that simply says to use Kerberos protocol for safely authenticating users inside of an enterprise
  • XUA - Very thin profile that simply says to use SAML Identity Assertions for authenticating users on Cross-Enterprise transactions, updated with some options
  • DSG - A profile of XML-Digital Signatures to provide long-term signature across a 'document'
  • BPPC - A profile of a document that represents a patient agreeing to a privacy policy (e.g. Consent)
  • ENC - new profile being worked on this year - Encryption of documents and removable media
  • confidentialityCode - this is NOT a profile, but is a security/privacy concept built into almost all of the healthcare standards.
  • De-Identification handbook - this is NOT a profile, but is a document being written this year.
  • Cookbook: Preparing the IHE Profile Security Section - handbook used when IHE produces profiles to assure that the profile has examined security/privacy
  • HIE Security and Privacy through IHE – white paper explaining how to use the IHE security / privacy profiles to build a health information exchange
  • Access Control - White paper examining access controls in healthcare, specifically in a cross-enterprise federated use-cases.
ISO - TC 215 There is also good foundational work from the Healthcare division of ISO. This work is mostly used as reference material.
  • ISO/TS 13606-4:2009 Health informatics -- Electronic health record communication -- Part 4: Security
  • ISO 17090-1:2008 Health informatics -- Public key infrastructure
  • ISO/TS 21091:2005 Health informatics -- Directory services for security, communications and identification of professionals and patients
  • ISO/TS 21298:2008 Health informatics -- Functional and structural roles
  • ISO/TS 21547:2010 Health informatics -- Security requirements for archiving of electronic health records – Principles
  • ISO/TS 22600-1:2006 Health informatics -- Privilege management and access control -- Part 1: Overview and policy management
  • ISO 22857:2004 Health informatics -- Guidelines on data protection to facilitate trans-border flows of personal health information
  • ISO/TS 25237:2008 Health informatics – Pseudonymization
  • ISO 27799:2008 Health informatics -- Information security management in health using ISO/IEC 27002
  • IEC 80001-1:2010 Application of risk management for IT-networks incorporating medical devices -- Part 1: Roles, responsibilities and activities
  • Etc… 
ASTM E31.25
New development in this group has stopped, but some of the documents are still useful as references.

Government Initiatives

One of the potential areas where there might be more mature modeling done is in specific countries such as Canada or regions like EU. I know people involved in Canada and EU, but the work is not yet fully public. This is expected to be made public soon.

So, that is quite a bit... I still think that the IHE White paper on Access Controls is the best overall introduction to the details of Federated Access Controls. I think then the NHIN-Exchange has the most mature implementation of this using the IHE BPPC, IHE XUA and OASIS XSPA.  This is good work, good-enough to get started on. There are known gaps in the area of perfection and a need to mature the space. I suspect that this will take many more years.

Of course my blog is full of discussion of all of these things. I often find myself using the search bar to find these discussions. It feels good when I find I can reuse an old blog post, which is exactly the reason I started this blog.


  1. Glen,

    Thanks for the softball pitch... There is no formal coordination of any of these. There is about a handful of individuals that cross-participate in these workgroups. I think I am actually alone in participating in all of them.

    There is not much from NEMA on Access Controls (see

    I am not aware of anything from HIMSS Security Steering Committee... I am a HIMSS member, but am unaware of that committee.

    I really don't see too much of a need today for 'interoperable' or 'standards based' access control. Yes we need standards based interoperable user-identity, user-authentication, user-context-assertions, and consent-management; which we have. But the actual access control engine could be anything as long as it actually enforces the policies.

  2. What do you think of the Common Event Expression (CEE™) initative ?

  3. Lmoisan,

    I am monitoring the CEE initiative. I had high hopes when it kicked off, but am not so excited about it now. I have sent them the IHE ATNA work multiple times, but they keep ignoring it. I never figured they would adopt it, but I think they could learn something by pulling it apart.

    Right now they are doing the typical thing for a committee made up of highly funded contractors. They are not focused, nor do they have a goal.