Difference between revisions of "Security and Privacy Ontology Use Cases"

From HL7Wiki
Revision as of 16:28, 26 April 2010

Access Control Based on Category of Action

This use case illustrates how an EHR system would control access to an object in a medical record based on the type of action to be performed on it. A number of access control actions are attempted on a medical record object, and the system grants or denies each one.

Actors

  • Shady Grove Hospital – Provider Organization in which the use case takes place.
  • Shady Grove Hospital’s EHR System – the EHR system which is accessed in the use case.
  • Shady Grove Hospital’s security policy – the policy that determines how objects are accessed in the hospital’s EHR.
  • Sam Jones – Patient at Shady Grove Hospital.
  • Dr. Bob – Physician at Shady Grove Hospital, primary physician for Sam Jones.
  • Dr. Dan – Physician at Shady Grove Hospital, who also treats Sam Jones.

Precondition

Shady Grove hospital has developed an access control system that implements decisions made in its security policy on its EHR system. This access control system can grant or deny the ability to perform certain actions on objects in the system. The actions have been categorized hierarchically, so that a user who has been granted a category of actions is also granted every action categorized under it. The security policy grants the primary physician the create and update actions on a patient’s progress note. The policy does not explicitly grant the primary physician the append action on a progress note; however, append is categorized as an access control action under update.

Basic Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note he had made for Mr. Jones’ last hospital visit. Dr. Bob corrects the error and updates the progress note. Dr. Bob opens a new progress note, enters his observations of Mr. Jones’ condition and appends the results of a recent blood test to the progress note.

Post-Condition

A progress note regarding a past visit Mr. Jones made to the hospital has been updated, and a new progress note has been created and appended to. Both notes become part of his medical record.

Analysis

Shady Grove Hospital’s security policy grants the primary physician the create and update actions on a patient’s progress note. The system categorizes append under update, so the primary physician’s update permission also covers appending to the note without any separate grant for append.

Alternative Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob notices a transcription error in a progress note Dr. Dan had made for Mr. Jones’ last hospital visit. Dr. Bob attempts to correct the error but is denied this privilege by the EHR system.

Post-Condition

The progress note regarding Mr. Jones’ last hospital visit remains unchanged.

Analysis

Shady Grove Hospital’s security policy denies a physician the ability to update a progress note he or she did not author, unless additional authority has been granted. Note that this decision is not derived from the action hierarchy in the precondition: the update grant is further constrained by an attribute of the target object (its author) compared against the identity of the requester. An access control system implementing this policy must therefore evaluate that condition in addition to the category of the requested action.


Access Control Based on Category of Object

This use case illustrates how an EHR system would control access to an object in a medical record based on the type of object it is. A user attempts to access a number of objects in a medical record for which the system grants or denies access privileges based on the category of object.

Actors

  • Shady Grove Hospital – Provider Organization in which the use case takes place.
  • Shady Grove Hospital’s EHR System – the EHR system which is accessed in the use case.
  • Shady Grove Hospital’s security policy – the policy that determines how objects are allowed to be accessed in the hospital’s EHR.
  • Sam Jones – Patient at Shady Grove Hospital.
  • Dr. Bob – Physician at Shady Grove Hospital, primary physician for Sam Jones.
  • Dr. Dan – Physician at Shady Grove Hospital, who also treats Sam Jones.


Precondition

Shady Grove hospital has developed an access control system that implements decisions made in its security policy on its EHR system. This access control system can grant or deny the ability to access certain objects in the system. The objects have been categorized hierarchically so that if a user has been granted access to a category of objects, he or she is granted access to all objects in that category. For example, an initial assessment is categorized as an assessment which in turn is categorized as a clinical report, while payment history is categorized as an administrative report.

The security policy grants the primary physician access to create and read a patient’s assessment. The system does not explicitly grant the primary physician the privilege to access a patient’s initial assessment, however, as initial assessment is categorized as an assessment, access to the initial assessment would be inherited from assessment. Dr. Bob has previously completed assessments of Mr. Jones’ health.

Basic Scenario

Dr. Bob interviews Mr. Jones upon his admission into the hospital. Dr. Bob creates an initial assessment on Mr. Jones’ health after the interview.

Post-Condition

An initial assessment on Mr. Jones’ health has been entered into the system.

Analysis

Shady Grove Hospital’s security policy grants the primary physician access to create a patient’s assessment. The initial assessment is categorized by the system as an assessment thus granting the primary physician the privilege to create an initial assessment on the patient.

Alternative Scenario

Dr. Bob interviews Mr. Jones upon his admission into the hospital. Dr. Bob reviews Mr. Jones’ medical history for relevant clinical information. Dr. Bob then attempts to access Mr. Jones’ payment history with Shady Grove Hospital and is denied access.

Post-Condition

Dr. Bob can read Mr. Jones’ medical history but he cannot access Mr. Jones’ payment history.

Analysis

Shady Grove Hospital’s security policy allows the primary physician to access clinical reports. Medical history is categorized as a clinical report, and thus Dr. Bob can access it. (This relies on a grant at the level of clinical report, which is broader than the grant on assessment stated in the precondition; a grant on assessment alone would not reach medical history, since medical history is not categorized under assessment.) The security policy does not allow a primary physician access to administrative reports without additional authorization. Since a payment history is categorized under administrative reports, Dr. Bob is denied access to it.


Access Control Based on Category of Structural Role

This use case illustrates how an EHR system would control access to an object in a medical record based on the structural role assigned to the user requesting access. In this case a structural role reflects a human or organizational category. A user, with an assigned structural role, attempts to access a number of objects in a medical record for which the system grants or denies access privileges based on the category of the user’s structural role.

Actors

  • Shady Grove Hospital – Provider Organization in which the use case takes place.
  • Shady Grove Hospital’s EHR System – the EHR system which is accessed in the use case.
  • Shady Grove Hospital’s security policy – the policy that determines how objects are allowed to be accessed in the hospital’s EHR.
  • Sam Jones – Subject of care - Patient at Shady Grove Hospital.
  • Dr. Bob – regulated health professional – general practitioner at Shady Grove Hospital.
  • Dr. Dan – regulated health professional - dermatologist at Shady Grove Hospital.
  • Betty Smith – admissions clerk at Shady Grove Hospital.

Precondition

Shady Grove hospital has developed an access control system that implements decisions made in its security policy on its EHR system. This access control system can grant or deny the ability to access certain objects in the system. Certain structural roles are assigned permission for certain types of access regardless of which user has been assigned to the structural role. Structural roles have been categorized hierarchically, so that sub-roles of a structural role class are granted the same permissions as their parent roles. For example, a dermatologist is categorized as a physician, which in turn is categorized as a regulated health professional. The security policy grants the structural role of physician the ability to read a patient’s progress note. The security policy does not specify the medical specialty of the physician role.

Basic Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Dr. Bob’s initial assessment leads him to refer Mr. Jones to Dr. Dan. Dr. Dan opens Mr. Jones’ medical record and reads his medical history.

Post-Condition

Dr. Dan can access Mr. Jones’ medical records and proceeds to treat Mr. Jones for his condition.

Analysis

Both Dr. Bob and Dr. Dan have been assigned the structural role of physician at Shady Grove Hospital. As such, they have been given permission to read the medical records of all patients in the hospital. This is the default policy, which may be constrained if other conditions, such as a patient’s consent directive, are present. Dr. Bob and Dr. Dan have different medical specialties, which are sub-roles of the physician role. Since the security policy grants the access permission to the structural role of physician, all sub-roles, i.e. medical specialties classified under physician, receive the same access permissions.

Alternative Scenario

Dr. Bob examines Mr. Jones as part of an episode of care. Dr. Bob opens Mr. Jones’ medical record and reads his medical history. Betty Smith attempts to open Mr. Jones’ medical record but is denied access.

Post-Condition

Mr. Jones’ medical record is protected from unauthorized access.

Analysis

Betty Smith is assigned the structural role of admissions clerk at Shady Grove. Admissions clerk is not categorized under the physician role at Shady Grove, so it does not inherit the physician permissions, and the security policy does not explicitly grant these permissions to the admissions clerk role either. Therefore, without additional authority, Betty Smith cannot access Mr. Jones’ medical record.
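The three use cases above (category of action, category of object, category of structural role) are the same mechanism applied along three axes: a grant made on a category is inherited by everything classified under it, and anything not reached by a grant is denied. The following is an added example, not code from the HL7 wiki or any EHR vendor, of a toy policy decision point that replays all three use cases. The role, action and object names are taken from the page; the exact taxonomy shapes, the rule list, the classification of progress note under clinical report, the modelling of primary physician as a per-patient functional role, and the author-only constraint on update are assumptions filled in from the preconditions and analyses.

```python
"""Toy policy decision point (PDP) for the Shady Grove use cases.

Added, hypothetical example; not HL7 or any EHR vendor's code. Taxonomy
shapes and the rule list are assumptions drawn from the use-case text.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Taxonomies: term -> immediate parent (None marks a root). A grant on a
# parent is inherited by every term categorized below it.
ACTIONS: Dict[str, Optional[str]] = {
    "read": None, "create": None, "update": None,
    "append": "update",                      # append is categorized under update
}
OBJECTS: Dict[str, Optional[str]] = {
    "clinical report": None,
    "assessment": "clinical report",
    "initial assessment": "assessment",
    "medical history": "clinical report",
    "progress note": "clinical report",      # assumed; the page does not classify it
    "administrative report": None,
    "payment history": "administrative report",
}
ROLES: Dict[str, Optional[str]] = {
    "regulated health professional": None,
    "physician": "regulated health professional",
    "general practitioner": "physician",
    "dermatologist": "physician",
    "admissions clerk": None,
    "primary physician": None,               # assumed: functional role held per patient
}


def ancestors(taxonomy: Dict[str, Optional[str]], term: str) -> Set[str]:
    """Return the term plus every category above it (the inheritance closure).
    An unknown term yields the empty set, so it can never match a rule: the
    PDP fails closed on vocabulary it does not recognise."""
    out: Set[str] = set()
    while term is not None and term in taxonomy and term not in out:
        out.add(term)
        term = taxonomy[term]
    return out


@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    obj_class: str
    author_only: bool = False   # permit only if the requester authored the object


# Assumed encoding of the policy statements in the three preconditions.
POLICY: List[Rule] = [
    Rule("primary physician", "create", "progress note"),
    Rule("primary physician", "update", "progress note", author_only=True),
    Rule("primary physician", "create", "assessment"),
    Rule("primary physician", "read", "assessment"),
    Rule("primary physician", "read", "clinical report"),
    Rule("physician", "read", "clinical report"),   # page: read progress note; generalised
]


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]          # structural and functional roles held for this patient
    action: str
    obj_class: str
    author: Optional[str] = None   # author of the target object; None when creating


def decide(req: Request, policy: List[Rule] = POLICY) -> Tuple[bool, str]:
    """Default deny: permit only if some rule matches after expanding the
    request's roles, action and object class up their hierarchies."""
    held = set().union(*(ancestors(ROLES, r) for r in req.roles))
    acts = ancestors(ACTIONS, req.action)
    objs = ancestors(OBJECTS, req.obj_class)
    for rule in policy:
        if rule.role in held and rule.action in acts and rule.obj_class in objs:
            if rule.author_only and req.author != req.user:
                continue           # right role and action, but not the author
            return True, f"permit: {rule.role}/{rule.action}/{rule.obj_class}"
    return False, "deny: no matching grant"


# Constructed principals matching the actors on the page.
BOB = frozenset({"general practitioner", "primary physician"})
DAN = frozenset({"dermatologist"})
BETTY = frozenset({"admissions clerk"})


def run_scenarios() -> Dict[str, bool]:
    """Replay the page's basic and alternative scenarios; name -> permitted."""
    cases = {
        "bob_updates_own_note": Request("bob", BOB, "update", "progress note", author="bob"),
        "bob_appends_own_note": Request("bob", BOB, "append", "progress note", author="bob"),
        "bob_updates_dans_note": Request("bob", BOB, "update", "progress note", author="dan"),
        "bob_creates_initial_assessment": Request("bob", BOB, "create", "initial assessment"),
        "bob_reads_medical_history": Request("bob", BOB, "read", "medical history"),
        "bob_reads_payment_history": Request("bob", BOB, "read", "payment history"),
        "dan_reads_medical_history": Request("dan", DAN, "read", "medical history"),
        "betty_reads_medical_history": Request("betty", BETTY, "read", "medical history"),
        "dan_reads_unknown_object": Request("dan", DAN, "read", "lab result"),
    }
    return {name: decide(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'PERMIT' if ok else 'DENY  '} {name}")
```

Two design points matter for a real deployment. First, inheritance is computed by walking each taxonomy upward from the request, never downward from the grant, so adding a new sub-category (a new specialty, a new report type) automatically falls under existing grants, which is exactly what the use cases intend but also means every new term must be classified deliberately. Second, the author-only condition in the first alternative scenario is an attribute comparison, not a category lookup; it is the one decision here that the hierarchies alone cannot express, and the last scenario shows the fail-closed behaviour for an object class the vocabulary does not know.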