Table of Contents:
- Security/Privacy Bloginar: IHE - Privacy and Security Profiles - Introduction
- Consent/Privacy
- FHIR/mHealth
- Provenance
- Patient Identity
- User Identity and Authentication
- Directories
- Access Control (including Consent Enforcement)
- Audit Control
- Secure Communications
- Signature - Digital, Electronic
- De-Identification, Anonymization, Pseudonymization
- Security/Privacy Risk Assessment/Management
- Document Sharing Management (Health Information Exchange - HIE)
- mHealth
- Blockchain
- GDPR
- Other
updated: August 12, 2024
mHealth (FHIR) --> See FHIR Topic
Provenance
Patient Identity
- VIP Patients in #FHIR
- IHE conflicting Patient Identity Feed patterns
- Updates to IHE foundational #FHIR profiles MHD, PDQm, and PIXm
- Patient ID is critical to Enabling Privacy
- Patient Matching as a Science
- PDQm - Patient Demographics Query for Mobile API
- Policy needs to get out of the way of good Patient Identity management
- HIE Patient Identity problem
- Identity Proofing and Authentication -- Patient vs Provider
- Patient Identity Matching
- Universal Health ID -- Enable Privacy
- The Basics of Cross-Community Patient Discovery (XCPD)
- NwHIN-Exchange use of XCPD for Patient Discovery
- Direct addresses - Trusted vs Trustable
User Identity and Authentication
- User Management on FHIR
- Healthcare use of Identity level of assurance
- Is IUA (OAuth) useful in Service-to-Service http REST (#FHIR)?
- Is XUA useful in service-to-service?
- User Account abandonment policy
- Patient as a User - becoming "known to a practice"
- HEART profiles for review, comment, and approval
- mHealth Identities using trusted intermediary
- getting to mHealth solutions - real People
- getting to mHealth solutions - Users
- Internet User Authorization: why and where
- IHE efforts in RESTful security
- IHE-IUA - Internet User Authentication for HTTP profiles
- Identity Proofing and Authentication -- Patient vs Provider
- Level setting on Level of Assurance
- Advanced Access Controls to support sensitive health topics – a simple solution to sensitive health.
- Direct addresses - Trusted vs Trustable
- Identity -- Proofing
- The Emperor has no clothes - De-Identification and User Provisioning
- What User Authentication to use?
- IHE - Privacy and Security Profiles - Enterprise User Authentication
- IHE - Privacy and Security Profiles - Cross-Enterprise User Assertion
- Healthcare use of Identity Federation
- Federated ID is not a universal ID
- Separation of Layers: Security Error Codes
- Authentication and Level of Assurance
Directories
- A broadly usable HIE Directory
- Healthcare Provider Discoverability and building Trust
- Healthcare Provider Directories Profile
- Healthcare Provider Directories -- Let's be Careful
Patient Privacy controls (aka Consent, Authorization, Data Segmentation)
- See Consent topic
Access Control (Consent enforcement)
- Teaching an AI/ML/LLM should be a distinct PurposeOfUse
- Break-Glass
- RESTful search using POST vs GET on #FHIR
- RelatedPerson Consent - how to record the #FHIR Consent that authorizes a #FHIR RelatedPerson
- Patient data embargo management
- Explaining #FHIR Consent examples
- API Security conference -- on #FHIR
- Basic DS4P - How to set the confidentialityCode
- What is DS4P?
- Segmenting Sensitive Health Topics
- Guidance on HTTP Access Denied
- FHIR Oauth Scope
- Break-Glass on FHIR
- Don't disassemble ATNA, what you are looking for is there.
- Why Mutual-Authorized-TLS?
- What does the SAML assertion mean in a XDS/XCA query/retrieve?
- Healthcare Privacy and Security Classification System (HCS)
- Define Atom -- Too many definitions in use today
- Healthcare access control scope constraints on OAuth tokens
- Advanced Access Controls to support sensitive health topics
- Policy Enforcing XDS Registry
- Healthcare Metadata
- Texas HIE Consent Management System Design
- IHE - Privacy and Security Profiles - Access Control
- Data Classification - a key vector enabling rich Security and Privacy controls
- Healthcare Access Controls standards landscape
- Handling the obligation to prohibit Re-disclosure
- Access Controls: Policies --> Attributes --> Implementation
- IHE - Privacy and Security Profiles - Document Encryption
Audit Control
- Standards for Accounting of Disclosures
- IHE Basic Audit Log Patterns using #FHIR AuditEvent
- IHE Basic Audit Implementation Guide
- #FHIR Basic AuditEvent for generic RESTful actions
- Patient Engagement - Access Log
- IHE Audit Log Specifications
- Extra software/transaction details in FHIR AuditEvent / ATNA Audit Message
- Big audit entries
- Break-Glass on FHIR
- Guest Post: Use-Case - Security Audit Prompts Investigation
- Provenance vs AuditEvent - It is not a competition
- Don't disassemble ATNA, what you are looking for is there.
- Where do I record the Reason that an auditable event happened?
- Searching for an ATNA Audit Record Repository
- IHE-ATNA and HL7-FHIR.SecurityEvent -- recording a Disclosure
- Simplifying Security Audit Standards
- Testing your ATNA Audit Log implementation
- MU Patient Engagement - Activity History Log
- Patient Data in the Audit Log
- IHE - Privacy and Security Profiles - Audit Trail and Node Authentication
- Accountability using ATNA Audit Controls
- ATNA and Accounting of Disclosures
- ATNA audit log recording of Query transactions
- How granular does an EHR Security Audit Log need to be?
- Document Submission: Audit requirements under error conditions
- ATNA + SYSLOG is good enough
Secure Communications
- Is IUA (OAuth) useful in Service-to-Service http REST (#FHIR)?
- Is XUA useful in service-to-service?
- War against TLS 1.0
- Certificate validation - use of CN
- Don't disassemble ATNA, what you are looking for is there.
- Why Mutual-Authorized-TLS?
- Testing ATNA Secure Communications
- Direct addresses - Trusted vs Trustable
- Identity -- Proofing
- Securing RESTful services
- IHE Encryption choices
- Healthcare use of X.509 and PKI is trustworthy when managed
- SSL is not broken, Browser based PKI is
- Meaningful Use Stage 2 :: SHA-1 vs SHA-2
- Trusting e-Mail
- S/MIME vs TLS -- Two great solutions for different architectures
- Healthcare Provider Discoverability and building Trust
- Using both Document Encryption and Document Signature
- Document Encryption
- IHE - Privacy and Security Profiles - Document Encryption
Signature - Digital, Electronic
- FHIR Digital Signatures
- Sign all the FHIR IPS
- FHIR Document Digital Signatures
- Blockchain Provenance Service
- IHE Document Digital Signature (DSG) Profile approved for Final Text
- Extending the FHIR standard to handle provenance
- On-Behalf-Of - FHIR Signature datatype update
- IHE MHD and DSG now open for Public Comment
- Digital Signatures on FHIR
- CDA Digital Signatures inside
- IHE - Privacy and Security Profiles - Document Digital Signature
- Signing CDA Documents
- Using both Document Encryption and Document Signature
- Non-Repudiation is a very old art
De-Identification, Anonymization, Pseudonymization
- #FHIR and Bulk De-Identification
- IHE: Analysis of Optimal De-Identification Algorithms for Family Planning Data Elements
- Apple makes a difference with targeted use of Differential Privacy
- De-Identification for Family Planning
- FHIR does not need a deidentify=true parameter
- NIST seeks comments on De-Identification
- Is it really possible to anonymize data?
- PCAST - Big Data: A Technological Perspective
- De-Identifying free-text
- De-Identification: a process to reduce the risk of identification of entries in a data-set
- Fake it properly
- De-Identification - Data Chemistry
- Guidance Regarding Methods for De-identification of Health Information
- The Emperor has no clothes - De-Identification and User Provisioning
- De-Identification is highly contextual
- Redaction and Clinical Documentation
Security/Privacy Risk Assessment/Management
- Mantras for Secure FHIR Development
- Please secure your #FHIR API and Apps
- Security of #FHIR implementations concerns
- InScope podcast: #FHIR security
- Privacy Principles
- Why Mutual-Authorized-TLS?
- Failure of Privacy due to Performance vs Privacy
- Healthcare: Fail Open vs Fail Closed
- Safety vs Privacy
- IEC 80001 - Risk Assessment to be used when putting a Medical Device onto a Network
- More Webinars on Basics of IEC 80001
- IEC 80001 - Security Technical Report presentation
- How to Write Secure Interoperability Standards
- How to apply Risk Assessment to get your Security and Privacy requirements
Document Sharing Management (Health Information Exchange - HIE)
- Enhancement of Patient Demographics Query for Mobile (PDQm) with FHIR $match operation
- Why does IHE-XDS not have a Delete Document?
- Why does IHE-MHDS not have a Document Repository?
- Sharing IPS (sIPS)
- Transitioning Federated HIE from XCA to FHIR Query
- Where do I get 'the' IPS?
- Are there open-source implementations of IHE XCA and XCPD?
- MHD Document Responder: patient.identifier chaining
- Why use current Exchange infrastructure rather than starting over?
- Set of documents that are very focused #FHIR
- When is a document not a Document but still a document?
- Agile improvements toward #FHIR
- IHE whitepaper on Health Information Exchange models
- FHIR data in existing Nationwide Health Information Exchange
- Book: IHE Profiles for Health Information Exchange
- Controlled Exchange Architecture Models for Scale on #FHIR
- Nationwide Health Information Exchange on #FHIR
- FHIR Scaling to a Nation
- Treatment based interop is best publishing Documents
- XDS sha-1 is still okay
- Webinars on MHD and mXDE available from IHE
- Timebound XDS queries done right
- IHE Document Sharing (XDS) Metadata management Handbook
- Modes of patient centric communication
- Basics of Healthcare Data access rights in USA
- De-Duplicating the received duplicate data
- Basics of doing Document Sharing Query right
- Patient Centered HIE
- HIE from Manual ==> Automated
- HIE from Provider-Centered ==> Patient-Centered
- HIE from Multiple Point-to-Point Connections ==> Single Connection to Hub
- HIE from Updated @ Next Encounter with Patient ==> Notifications When Patient Has Encounter Elsewhere
- HIE from Providers & Payers Working Separately ==> Shared Responsibility for Managing Care
- HIE from Enterprise class API ==> FHIR API to Document Sharing
- Future of HIE is bright
- FormatCode granularity
- Granularity of FormatCode
- Multiple formats of the same Document content
- FHIR documents in XDS
- IHE #FHIR profiles - MHD, PDQm, and PIXm
- MHD - Why use of FHIR Contained?
- IHE FormatCodes are mandatory
- In Wisconsin we have Interoperability
- What is MHD beyond XDS-on-FHIR?
- Health Information Exchange: Centralized, Federated, or Distributed
- Define Atom -- Too many definitions in use today
- Eating an Elephant -- How to approach IHE documentation on Health Information Exchange (HIE)
- Distinction between Documents and Messages
- Understanding XDS metadata - IHE re-documentation effort
- XDS Notifications
- HIE Patient Identity problem
- Healthcare Metadata
- Minimal Metadata
- What is the benefit of an HIE
- Karen's Cross or just Minimal Metadata
- HIE using IHE
- Texas HIE Consent Management System Design
- The French Health Information Systems Interoperability Framework -- Now available in English
- One Metadata Model - Many Deployment Architectures
- Critical aspects of Documents vs Messages or Elements
- Using both Document Encryption and Document Signature
- Document Encryption
- XDS/XCA testing of Vocabulary Enforcement
- Where in the World is CDA and XDS?
- Universal Health ID -- Enable Privacy
- HIE/HIO Governance, Policies, and Consents
- IHE - Privacy and Security Profiles - Document Encryption
Blockchain in Healthcare
- Blockchain Provenance Service
- Healthcare use of Blockchain on FHIR
- Blockchain for Patient to sell their data to Clinical Research
- Blockchain as a platform for Supply Chain
- Healthcare use of Blockchain thru creative use of Smart-Contracts
- Healthcare Blockchain use?
- Blockchain and Smart-Contracts applied to Evidence Notebook
- Healthcare Blockchain - Big-Data Pseudonyms on FHIR
GDPR
Other
- Test Interactions in a Production Environment
- Test Data - in production
- References to Standards need to recognize that Standard's Governance about Errata
- A good hot beverage on #FHIR (April 1st)
- Elitism is Vaccine Credentials Passport
- COVID-19 Immunization Summary Document - use-case analysis
- From Implementation-Guide to IHE-Connectathon
- Introduction to IHE
- The Graying, Retirements, and Renewal at Integrating the Healthcare Enterprise (IHE)
- Maturing FHIR Connectathon without confusing the marketplace
- MDS2 -- Revision Comment Opportunity
- HHS Fact sheet on Ransomware and HIPAA
- Privacy-by-Design Data-Analytics Platform on FHIR
- FHIR - Input Validation and End-to-end FHIR testing
- I need/found a job
- FHIR Security and Privacy - tutorial outline
- Response to Keith's ask on my theory of Interoperability
- Applying CyberSecurity Standards to Medical Device Design
- Murky Research Award
- Testing - governance
- Constrained Vocabulary and Schema are good and needed - But Robustness must rule the longitudinal HIE
- I feel BlueButton advancement
- What is a Connectathon?
- Vocabulary Standards make poor User Interfaces
- Major upgrade to MDS2 to align with IEC-80001
- I contributed a chapter to a Book published on Healthcare Information Technology
- IHE - Privacy and Security Profiles - Document Encryption
- Encryption is like Penicillin
- Healthcare is not secure - trust suffers
- Creating and using Unique ID - UUID - OID
- Distributed Active Backup of Health Record
- Workflow Automation Among Multiple Care-Providing Institutions
- Effective Standards Evaluation - Guest blog from Karen
- Are Documents Dead?
- Medical Device Security and Privacy