During the "Healthcare of the Future" workshop, held at the HPCN'99 event in Amsterdam last April, Professor Bernd Blobel from the Medical Faculty at the University of Magdeburg presented a smart toolset for security analysis and design of health care information systems. The solutions for efficient systematization and support of aspects, views, and different user groups are based on a general conceptual security model and a concepts-services-mechanisms-algorithms-data scheme, using UML, the Unified Modelling Language. The toolset has been developed within the European Commission (EC) funded ISHTAR project for the Implementation of Secure Health Telematics Applications in Europe.
Sensitive patient data need to be fully secured when transmitted across institutional, regional, national, and possibly international networks. The UML methodology allows the security model to be described using several diagrams, such as logical diagrams, use case diagrams, scenario and activity diagrams, collaboration and distribution diagrams, class and class structure diagrams, as well as component and sequence diagrams. As such, various views of the overall model are made available. Through the analysis of different occurring health care scenarios, Professor Blobel and his team were able to define only seven use case types, applying the appropriate UML diagrams.
The scenarios, as sequences of vital interactions between objects (instances of classes) within concrete application environments, serve to represent all critical requirements. They are used to depict the action of key mechanisms and to determine the necessary range of operational cases. In particular, the use case, sequence, and activity diagrams are needed to establish all desired security services and mechanisms. The use case defines a specific framework for the health care information system. Starting from an abstract use case type, health care data processes, as well as the communication or interaction with health professionals, patients, and related parties, are described in the light of medical information protection.
The seven abstract administrative and medical use case types distinguished by the ISHTAR team consist of the establishment of contact between patient and health care professional; the assessment or conclusion by the physician; the creation of a specific care and treatment plan for the patient; initiation, performance and control of activities; access to patient data; record of health care information; and conclusion. In his presentation for the workshop, Dr. Blobel introduced one concrete example of this security solution for a real-world Electronic Health Record system, implemented at the Clinical Cancer Registry in Magdeburg. A typical scenario in the shared care environment constitutes the physician's request for specific data of an individual patient needing immediate care.
The doctor, as information requester, may want to obtain information from a former diagnosis or treatment, or ask for a second opinion. The requested party, or information provider, can be a medical expert or an electronic archiving system. Within a telemedicine framework, this kind of request is considered a remote transaction, although the two parties may be located on the same server. In this real-world scenario, it is possible to define a range of abstract use case types that afterwards have to be combined with the required security-related use cases. The first concerns user management in relation to the security policy: the policy specifies the users' roles and rules, deals with the rights and duties of the individuals and organizations involved, and controls general compliance with the agreement.
The second is mutual user authentication through cryptographic algorithms. The user's identity certificate is handled by the TTP, or Trusted Third Party, and forms the basis of specific protocols such as authorization, access control, accountability, and so on. Sensitive data collection for recording, processing, storage or distribution cannot be allowed without the patient's consent. The initialization of communications involves mutual identification and authentication of the different partners, verified by the certificates issued by the TTP. Next, the information request has to be specified. According to the functional and organizational roles of the communication partners, the data access rights are defined in correspondence with the rules agreed in the underlying mandatory and discretionary access control models.
The information provision use case defines the selection of the permitted patient data for transfer to the requesting party. The application and communication security services that handle integrity, confidentiality, and accountability have also been integrated into the model. In order to respond to the policy rules, both users and information have to be classified and grouped. The project partners have developed a layered extension of this security model, based on the UML approach. The complex and generic methodology is able to support the comprehensive analysis, design and installation of secure health information systems. You can visit the ISHTAR home page for more details on the project.
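The chain of security-related use cases described above (TTP-issued certificate check, patient consent, role-based rights under a discretionary model, and clearance against data classification under a mandatory model, ending in the selection of permitted record items) can be made concrete in a small policy-decision model. This is an added illustration written for this page, not code from the ISHTAR project; the level names, roles, TTP identifier and the sample record and users are all constructed for the example.

```python
from dataclasses import dataclass

# Sensitivity classes for the mandatory (MAC) part of the policy; names and order are constructed.
LEVELS = {"administrative": 0, "medical": 1, "psychiatric": 2}

# Discretionary (DAC) part: which functional roles may receive which data classes (constructed).
ROLE_RIGHTS = {
    "physician": {"administrative", "medical", "psychiatric"},
    "nurse": {"administrative", "medical"},
    "clerk": {"administrative"},
}

TTP_NAME = "example-ttp"  # hypothetical Trusted Third Party identifier

@dataclass
class Certificate:
    subject: str
    issuer: str
    revoked: bool = False

@dataclass
class User:
    name: str
    role: str        # organizational/functional role used by the DAC rules
    clearance: str   # MAC clearance, one of LEVELS
    cert: Certificate

def authenticated(user: User) -> bool:
    """Mutual authentication step: accept only a live certificate issued by the TTP."""
    c = user.cert
    return c.issuer == TTP_NAME and c.subject == user.name and not c.revoked

def permitted_items(user: User, patient: str, items: dict, consent: dict) -> list:
    """Information provision: record items (name -> class) the requester may receive."""
    if not authenticated(user):
        return []                       # identity not verified by the TTP
    if user.name not in consent.get(patient, set()):
        return []                       # no patient consent for this requester
    allowed = ROLE_RIGHTS.get(user.role, set())
    return sorted(name for name, cls in items.items()
                  if cls in allowed                               # DAC: role right
                  and LEVELS[cls] <= LEVELS[user.clearance])      # MAC: clearance dominates

# Constructed sample data for the "physician requests a patient's data" scenario.
RECORD = {"name": "administrative", "diagnosis": "medical", "psych_notes": "psychiatric"}
CONSENT = {"patient-42": {"dr_meyer", "clerk_x"}}
DR = User("dr_meyer", "physician", "medical", Certificate("dr_meyer", TTP_NAME))
CLERK = User("clerk_x", "clerk", "psychiatric", Certificate("clerk_x", TTP_NAME))
REVOKED = User("dr_old", "physician", "psychiatric", Certificate("dr_old", TTP_NAME, revoked=True))
```

Note that the physician is denied the psychiatric notes by clearance even though the role permits them, while the clerk with a high clearance still receives only administrative data: both models must agree before an item is released.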