This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Security and Privacy Ontology Use Cases

From HL7Wiki
Revision as of 19:26, 10 May 2010 by Sconnolly (talk | contribs)
Jump to navigation Jump to search

Back to Security and Privacy Ontology Main Page

Access Control Based on Category of Action

This use case illustrates an example of how an EHR system would control access to an object in a medical record based on the type of action to be performed on it. A number of access control actions are attempted on a medical record object for which the system grants or denies access privileges.

Actors

  • Shady Grove Hospital – Provider Organization in which the use case takes place.
  • Shady Grove Hospital’s EHR System – the EHR system which is accessed in the use case.
  • Shady Grove Hospital’s security policy – the policy that determines how objects are accessed in the hospital’s EHR.
  • Sam Jones – Patient at Shady Grove Hospital.
  • Dr. Bob – Physician at Shady Grove Hospital, primary physician for Sam Jones.
  • Dr. Dan – Physician at Shady Grove Hospital, who also treats Sam Jones.

Precondition

Shady Grove hospital has developed an access control system that implements decisions made in its security policy on its EHR system. This access control system can grant or deny the ability to perform certain actions on objects in the system. The actions have been categorized hierarchically so that if a user has been granted access to a category of actions, he or she is granted access to all actions categorized by that action. The security policy grants the primary physician access to create and update a patient’s progress note. The system does not explicitly grant the primary physician the privilege to append a patient’s progress note, however, append is categorized as an access control action under update.

Basic Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note he had made for Mr. Jones’ last hospital visit. Dr. Bob corrects the error and updates the progress note. Dr. Bob opens a new progress note, enters his observations of Mr. Jones’ condition and appends the results of a recent blood test to the progress note.

Post-Condition

A progress note regarding a past visit Mr. Jones’ made to the hospital has been updated and a new progress note has been created and appended to. This updated progress note becomes a part of his medical record.

Analysis

Shady Grove Hospital’s security policy grants the primary physician access to create and update a patient’s progress note. The append action is categorized by the system as an update operation thus granting the primary physician the privilege to append the object.

Alternative Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note Dr. Dan had made for Mr. Jones’ last hospital visit. Dr. Bob attempts to correct the error but is denied this privilege by the EHR system.

Post-Condition

The progress note regarding Mr. Jones’ last hospital visit remains unchanged.

Analysis

Shady Grove Hospital’s security policy denies a physician the ability to update a progress note if he or she is not the author of that progress note without additional authority.


Access Control Based on Category of Object

This use case illustrates how an EHR system would control access to an object in a medical record based on the type of object it is. A user attempts to access a number of objects in a medical record for which the system grants or denies access privileges based on the category of object.

Actors

  • Shady Grove Hospital – Provider Organization in which the use case takes place.
  • Shady Grove Hospital’s EHR System – the EHR system which is accessed in the use case.
  • Shady Grove Hospital’s security policy – the policy that determines how objects are allowed to be accessed in the hospital’s EHR.
  • Sam Jones – Patient at Shady Grove Hospital.
  • Dr. Bob – Physician at Shady Grove Hospital, primary physician for Sam Jones.
  • Dr. Dan – Physician at Shady Grove Hospital, who also treats Sam Jones.


Precondition

Shady Grove hospital has developed an access control system that implements decisions made in its security policy on its EHR system. This access control system can grant or deny the ability to access certain objects in the system. The objects have been categorized hierarchically so that if a user has been granted access to a category of objects, he or she is granted access to all objects in that category. For example, an initial assessment is categorized as an assessment which in turn is categorized as a clinical report, while payment history is categorized as an administrative report.

The security policy grants the primary physician access to create and read a patient’s assessment. The system does not explicitly grant the primary physician the privilege to access a patient’s initial assessment, however, as initial assessment is categorized as an assessment, access to the initial assessment would be inherited from assessment. Dr. Bob has previously completed assessments of Mr. Jones’ health.

Basic Scenario

Dr. Bob interviews Mr. Jones upon his admission into the hospital. Dr. Bob creates an initial assessment on Mr. Jones’ health after the interview.

Post-Condition

An initial assessment on Mr. Jones’ health has been entered into the system.

Analysis

Shady Grove Hospital’s security policy grants the primary physician access to create a patient’s assessment. The initial assessment is categorized by the system as an assessment thus granting the primary physician the privilege to create an initial assessment on the patient.

Alternative Scenario

Dr. Bob interviews Mr. Jones upon his admission into the hospital. Dr. Bob reviews Mr. Jones’ medical history for relevant clinical information. Dr. Bob then attempts to access Mr. Jones’ payment history with Shady Grove Hospital and is denied access.

Post-Condition

Dr. Bob can read Mr. Jones’ medical history but he cannot access Mr. Jones’ payment history.

Analysis

Shady Grove Hospital’s security policy allows the primary physician the ability to access clinical reports. Medical history is categorized as a clinical report and thus Dr. Bob can access it. The security policy does not allow a primary physician access to administrative reports without additional authorization. Since a payment history is categorized under administrative reports, Dr. Bob is denied access to it.


Access Control Based on Category of Structural Role

This use case illustrates how an EHR system would control access to an object in a medical record based on the structural role assigned to the user requesting access. In this case a structural role reflects a human or organizational category. A user, with an assigned structural role, attempts to access a number of objects in a medical record for which the system grants or denies access privileges based on the category of the user’s structural role.

Actors

  • Shady Grove Hospital – Provider Organization in which the use case takes place.
  • Shady Grove Hospital’s EHR System – the EHR system which is accessed in the use case.
  • Shady Grove Hospital’s security policy – the policy that determines how objects are allowed to be accessed in the hospital’s EHR.
  • Sam Jones – Subject of care - Patient at Shady Grove Hospital.
  • Dr. Bob – regulated health professional – general practitioner at Shady Grove Hospital.
  • Dr. Dan – regulated health professional - dermatologist at Shady Grove Hospital.
  • Betty Smith – admissions clerk at Shady Grove Hospital.

Precondition

Shady Grove hospital has developed an access control system that implements decisions made in its security policy on its EHR system. This access control system can grant or deny the ability to access certain objects in the system. Certain structural roles are assigned permission for certain types of access regardless of which user has been assigned to the structural role. Structural roles have been categorized hierarchically so that sub-roles of a structural role class are granted the same permissions as the parent roles. For example, a dermatologist is categorized as a physician who in turn is categorized as a regulated health professional. The security policy grants the structural role of physician the ability to read a patient’s progress note. The security policy does not specify the medical specialty of the physician role.

Basic Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob’s initial assessment leads him to refer Mr. Jones to Dr. Dan. Dr. Dan opens Mr. Jones’ medical record and reads his medical history.

Post-Condition

Dr. Dan can access Mr. Jones’ medical records and proceeds to treat Mr. Jones for his condition.

Analysis

Both Dr. Bob and Dr. Dan have been assigned the structural role of physician at Shady Grove Hospital. As such, they have been given permission to read the medical records of all patients in the hospital. This is the default policy which may be constrained if other conditions, such as a patient’s consent directive, are present. Dr. Bob and Dr. Dan have different medical specialties, sub-roles of the physician role. Since the security policy grants the access permission to the structural role of physician, all sub-roles, i.e. medical specialties classified under physician, will receive the same access permissions.

Alternative Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Betty Smith attempts to open Mr. Jones’ medical record but is denied access.

Post-Condition

Mr. Jones’ medical record is protected from unauthorized access.

Analysis

Betty Smith is assigned the structural role of admissions clerk at Shady Grove. Admissions clerk is not categorized as a physician role at Shady Grove and is not granted the same access permissions as physician and the security policy doesn’t explicitly grant these permissions to the admissions clerk role. Therefore, without additional authority, Betty Smith cannot access Mr. Jones’ medical record.


Access Control Based on Category of Functional Role

This use case illustrates how an EHR system would control access to an object in a medical record based on the functional role assigned to the user requesting access. Functional roles are bound to the performance of actions carried out by an entity. A user, with an assigned functional role, attempts to access a number of objects in a medical record for which the system grants or denies access privileges based on the category of user’s functional role.

Actors

  • Shady Grove Hospital – Provider Organization in which the use case takes place.
  • Shady Grove Hospital’s EHR System – the EHR system which is accessed in the use case.
  • Shady Grove Hospital’s security policy – the policy that determines how objects are allowed to be accessed in the hospital’s EHR.
  • Sam Jones – Subject of care - Patient at Shady Grove Hospital.
  • Dr. Bob – Privileged healthcare professional - Physician at Shady Grove Hospital, assigned to Sam Jones by Shady Grove to fill this functional role.
  • Dr. Bill – Healthcare professional - Physician at Shady Grove Hospital, privileged healthcare professional to Sam Jones when Dr. Bob is not available.
  • Dr. Dan – Health-related professional - Physician at Shady Grove Hospital, indirectly involved with the treatment of Sam Jones.

Precondition

Shady Grove hospital has developed an access control system that implements decisions made in its security policy on its EHR system. This access control system can grant or deny the ability to access certain objects in the system. Certain functional roles are assigned permissions for certain types of access regardless of which user has been assigned to the functional role. Functional roles have been categorized hierarchically so that sub-roles of a functional role are granted the same permissions as the parent roles. For example, an alternate privileged healthcare professional, under certain conditions, is categorized as a privileged healthcare professional who in turn is categorized as a healthcare professional. The security policy grants the functional role of privileged healthcare professional the ability to access to all of a patient’s medical record, including sensitive medical records, while that healthcare professional is assigned to the patient. The period of the assignment is limited to the privileged access time interval. A sub-role of the privileged healthcare professional is the alternate privileged healthcare professional; a healthcare professional that fills the role of the privileged healthcare professional during periods when the primary is unavailable. Dr. Bob has taken a week off to go on vacation.

Basic Scenario

Mr. Jones enters the hospital with a medical complaint. Dr. Bill can access all of Mr. Jones’ medical record, including those which indicate Mr. Jones’ alcohol abuse condition.

Post-Condition

Dr. Bill has complete access to all of Mr. Jones’ medical record, including sensitive medical information, until Dr. Bob returns from vacation after which he has only limited access to Mr. Jones’ medical record without additional authorization.

Analysis

The time interval in which Dr. Bill is assigned the functional role of alternate privileged healthcare professional begins when Dr. Bob departs on vacation and ends when Dr. Bob returns. During this time period, Dr. Bill is the alternate privileged healthcare professional, a sub-role of the privileged healthcare professional, and is granted all the access privileges of the privileged healthcare professional.

Alternative Scenario

Mr. Jones enters the hospital with a medical complaint. Dr. Dan attempts to access Mr. Jones’ medical record but is denied access to objects within Mr. Jones’ record that are considered sensitive.

Post-Condition

The sensitive information within Mr. Jones’ medical record is kept confidential except to privileged healthcare professionals.

Analysis

Dr. Dan’s functional role of health-related professional is not a sub-role of privileged healthcare professional and thus he is not granted access to all of Mr. Jones’ medical record without additional authorization.

Access Control Based on Multiple Role Values

This use case illustrates how an EHR system would control access to an object in a medical record based on a user being assigned more than one role attribute value. A user, with one or more assigned roles, attempts to access an object in a medical record for which the system grants or denies access privileges based on the combination of the user’s roles.

Actors

  • Shady Grove Hospital – Provider Organization in which the use case takes place.
  • Shady Grove Hospital’s EHR System – the EHR system which is accessed in the use case.
  • Shady Grove Hospital’s security policy – the policy that determines how objects are allowed to be accessed in the hospital’s EHR.
  • Sam Jones – Subject of care - Patient at Shady Grove Hospital.
  • Dr. Bob –Physician on the staff at Shady Grove Hospital.
  • Dr. Dan – Physician with access privileges at Shady Grove Hospital but not on the staff.
  • Precondition

    Shady Grove hospital has developed an access control system that implements decisions made in its security policy on its EHR system. This access control system can grant or deny the ability to access certain objects in the system. Certain types of access require that a user be assigned to more than one role, i.e. that access is not assigned to a single role but a combination of roles.

    The security policy grants the combination role of staff physician the ability to update a patient’s care plan.

    Basic Scenario

    Mr. Jones is a patient of Dr. Bob’s and has not been responding to his treatment. Dr. Bob decides to change Mr. Jones’ care plan and updates the plan in his medical record.

    Post-Condition

    Mr. Jones’ care plan is updated and his treatment is changed.

    Analysis

    Shady Grove’s security policy requires that in order to update a patient’s care plan a user must have the roles of both physician and of member of the hospital staff. Since Dr. Bob has been assigned both roles, he is able to change Mr. Jones’s care plan.

    Alternative Scenario

    Dr. Dan has treated Mr. Jones at a clinic and has noted that Mr. Jones has not been responding to treatment. Dr. Dan decides to change Mr. Jones’ care plan at Shady Grove hospital. He has access privileges at Shady Grove and can read Mr. Jones’ care plan. He attempts to change the care plan to reflect the desired changes but is denied the ability to make the changes.

    Post-Condition

    Mr. Jones’s care plan is not updated and his treatment remains unchanged.

    Analysis

    Dr. Dan is a physician at a clinic associated with Shady Grove hospital but is not on the staff at Shady Grove. Therefore he does not have the combination of both roles required to update a patient’s care plan at Shady Grove and is denied permission to do so.