Personnel White Pages (PWP) and Healthcare Provider Directory (HPD) are covered by a different Webinar. These profiles are primarily focused on delivering attributes about Individual Healthcare Providers, Healthcare Provider Organizations, and the workforce inside a Healthcare Provider organization. These profiles are based on a widely deployed Directory standard used in all industries, LDAP v3, specializing them only where healthcare have special needs. These profiles can assist Security and Privacy through their ability to uniquely and positively identify an individual, provide attributes about an individual, and can be used to authenticate users.
A new profile under development is the Document Encryption (DEN) Supplement. This supplement contains a comprehensive analysis of encryption needs and identifies two gaps in existing Profiles. It then fills these gaps through creating a transport agnostic document encryption and adds encryption on XDM media.
IHE Governance that considers security during profile developmentIHE has instantiated a process to be used by all IHE domains when they develop new Profiles. This process utilizes risk assessment methodology to identify unique security and privacy risks that would need to be mitigated by the profile through some requirements or are identified to be addressed by system development or system deployment. The profile should include "Security Considerations" sections in Volume 1 that are profile wide, and in Volume 2/3 to cover technical requirements at the transaction level.
For example some profiles will recommend the use of the Audit Trail and Node Authentication (ATNA) profile, others will require it. Often times the profile will include specific instructions for accurately encoding the Audit Message.
IHE profiles that leverage De-Identification and Pseudonymization
IHE is developing a handbook that will instruct IHE profile writers that want to leverage De-Identificationa and/or Pseudonymization. These instructions leverage existing standards and existing knowledge, and set up a specific process to follow when developing a profile. There has not yet been a public comment on this paper.
Additional Comments
Additional Comments
- Document Encryption (DEN) - new profile being worked on this year - Encryption of documents and/or XDM
- Because this is under development the details are yet to be written
- Document encryption has favor as it would be transport agnostic, but is unclear the usefulness of this for long-term-storage usecases like XDS and XCA.
- XDM encryption would likely leverage the e-Mail option that exists today
- The e-Mail option uses S/MIME to secure the ZIP of the XDM file-system
- The modification from existing profile would be to explain how to save the S/MIME message as a file rather than delivering it over SMTP
- This file would simply be a S/MIME message, thus protected with whatever the S/MIME protections used.
- De-Identification handbook - this is NOT a profile, but is a document being written this year.
- Will be a procedure document that explains how one would evaluate the requirements for a De-Identification scheme specific to a desired use-case
- Would leverage De-Identification and Pseudonymization
- See De-Identification is highly contextual and Redaction and Clinical Documentation
- Directories
- A broadly usable HIE Directory
- Healthcare Provider Discoverability and building Trust
- Healthcare Provider Directories Profile
- Healthcare Provider Directories -- Lets be Careful
- Authentication and Level of Assurance
- Healthcare use of Identity Federation
- Federated ID is not a universal ID
- Risk Assessment
Back links
This is part of a blog presentation of the IHE Privacy and Security Profiles Overview:
- Introduction to IHE impact on Meaningful Use
- IHE - Privacy and Security Profiles - Introduction
- IHE - Privacy and Security Profiles - Consistent Time
- IHE - Privacy and Security Profiles - Audit Trail and Node Authentication
- IHE - Privacy and Security Profiles - Enterprise User Authentication
- IHE - Privacy and Security Profiles - Cross-Enterprise User Assertion
- IHE - Privacy and Security Profiles - Document Digital Signature
- IHE - Privacy and Security Profiles - Basic Patient Privacy Consents
- IHE - Privacy and Security Profiles - Document Encryption
- IHE - Privacy and Security Profiles - Access Control
- This Page
- IHE - Privacy and Security Profiles - Conclusion
No comments:
Post a Comment