acupulco cda access (2)

THE IMMUNOLOGICAL MODEL FOR ACCESS CONTROL TO CDA. Mike Mair and Stephen Chu, New Zealand. Acupulco, 22.10.2004

Upload: eyetech

Post on 19-Jun-2015


TRANSCRIPT

  • THE IMMUNOLOGICAL MODEL FOR ACCESS CONTROL TO CDA. Mike Mair and Stephen Chu, New Zealand. Acupulco, 22.10.2004

  • The Clinical Data Architecture (CDA) is proposed as a common currency for electronic healthcare. It might also be complemented by a single global technique for access control. Gunnar Klein (who chairs CEN 251 and ISOTC/215 WG4 Security) recently said:

    Do not expect quick solutions to the dream for a universal shared record which takes privacy concerns seriously

    He suggests that security is the forgotten requirement for interoperability.

  • In order to fulfill the dream of a universal shared record standard, there must also be a shared technique for discriminating legitimate from illegitimate sharing. That technique must be endlessly customizable because of the great diversity of access practices in global healthcare. It also needs to work on a shared definition of data.

  • A New Zealand team prepared an Access Proposal to WG1 of ISOTC/215. We called for the creation of a universal healthcare packet, which we termed the attestable unit. It was paired with an access lock for a universal access mechanism. This was modeled on the bifunctional immunoglobulin family of molecules of immunological science.

  • In the immune system, a single class of molecules, the immunoglobulin, exhibits bi-functionality in that each molecule has a recognition end and a business end. The recognition end, which is highly variable, targets antigen, which is usually but not always material foreign to the organism. The business end, which is not variable, determines what action the molecule performs when the template match to antigen is made.

  • (Figure: the effector end of the IgG molecule; the recognition ends of the IgG)

  • (Figure: IgM, the IgG pentamer)

  • The universal role for immunoglobulin. In the body the immunoglobulin molecule is pervasive. It acts as a transmitter, a hormone, an activator, a switch; it can be extremely specific in its target, or very general. Nature has implemented a single design. If we can get a universal access control process for the CDA, could it do the same for health informatics?

  • Detachable Header

  • The access lock concept for the attestable unit was to act as a pointer to the attestable unit. We suggested that a search object should activate it. We evoked dual key cryptography for the actual retrieval of the unit. The data would remain with the system of origin, along with the audit trail of the 5 WH of instances of access to the data. (ISOTC/215 Seoul 2000: Access Proposal)

  • 6.5.5 Sequence Diagram of the Request Patient Information Usecase.

  • At the presentation to WG1 meeting in March 2001, Seoul, Korea, I mentioned that the CDA might function as the attestable unit, and the access lock might derive from a detachable header for the CDA.

  • The Health Event Summary derived originally from the Australian Health Connect organization. It is a summary package of healthcare data in standard format, to be created with every health event, and is planned as a shortcut to interoperability of healthcare data. Its implementation was one of the recommendations of the NZ Ministry of Health WAVE project (Working to Add Value to Electronic Medicine).

  • The Clinical Document Architecture. The CDA is designed to be just such an attestable global unit of healthcare. Its definition includes: persistence, wholeness, stewardship, potential for authentication.

  • "For communications over public media, cryptographic techniques for source/recipient authentication and secure transport of encapsulated documents may be required, and should be addressed with commercially available tools outside the scope of this standard." (Bob Dolin, CDA release 1)

    Is Access Control out of scope for the CDA?

  • We are proposing an extension of the standard to cover those areas. Globalization and international travel are inevitable and increasing trends. CDAs, as integral components of a universal shared EHR system, will reside within an increasingly distributed environment. The immunoglobulin model for access control suggests a mechanism to address information access security issues in such a distributed environment.

  • checkDocInfo( ) - an object operation/method defined for the CDA Header/Access Object to get the meta-data about the document, as part of the matching function needed to determine whether the document the requestor wants matches the stored CDA header.

    checkServeTarget( ) - also an object operation/method defined for the CDA Header/Access Object, to check that the patient identified by the requestor for the required CDA document is the target patient for whom the CDA header (in the regional server list) was created.

    getOriginatingOrgNetID( ) - an operation/method defined for the CDA Header/Access Object stored on the regional server. It interrogates the CDA Header List stored in the regional server, which should hold the Network ID/address of where the original attestable CDA data/documents are held: the Provider Organisation that created and stores the data/document, or the regional server itself.

  • Access process proposal. An 'Access-Lock' Object is created when the clinician creates attestable clinical data and specifies the data's access right level(s). This can be done at the clinical interview, directly on the instructions of the patient, although it is likely that default access behaviour will apply in most implementations unless specifically countermanded. The lock object is stored with the data on the provider system.

  • matchReq&DataAccessRole( ) - an object operation defined for the 'Access Lock' object to determine whether the 'Role for Access' supplied by the 'Request Object' is a legal role for accessing the data for which the 'Role for Access' attribute has been defined.

  • Access Process Proposal. The CDA header is detachable, as in the suggestion from Finland. The body can be virtual, that is, only the header need actually be created at the time of data creation, which can be on any system whatsoever. A copy of the CDA header plus a referent to the data is also sent to the regional server.

  • Stage One. There is a login stage to gain access to the regional network, which includes presentation of a digital certificate with role and ID information. This is the core role only, and login enables attribute certificates to be generated binding the identity to the core role.

  • Stage Two. A request/search object is constructed which contains this user role information, along with the ID of the target patient and an index of the information required. It also contains the public key of the requestor's institution. It is used to search the CDA header lists on the network of regional servers. The role for access is a complex (defined locally) of original or delegated attribute certificates and a grain filter.

  • Stage Three. When a match is made, including the access lock role match, the searcher gets access to the referent of the stored or virtual CDA. The digital signature/certificate and public key certificate enclosed within the (SOAP) envelope authenticate the identity of the requestor and the public key that he/she sends with the request.

  • (Diagram: regional server data store holding the list of CDA headers (or access objects); provider server data store; locates the CDA document source; encryption key transfer)

  • Stage Four. The holder of the CDA data/document can then use the public key from the sender to encrypt the data/document, which can then only be decrypted by the requestor, ensuring confidentiality and integrity of the data transmitted across the Internet.

  • (Diagram: SOAP security. SOAP envelope, digital signature, public key certificate, SOAP encryption, role-based access control, SSL)

  • If the regional server that received the request for the CDA document cannot find a match on its CDA header list, it passes the request on to a neighboring server, which passes it on to the next, and so on, until a match is found and the procedure of the previous paragraph is performed, or it returns a no-find result.

    NB: This model assumes continuous online availability of data from providers.
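The Stage Two/Three matching and the neighbour forwarding of the preceding paragraphs, as an added Python example that is not from the slides or their authors: the operations named on the slides (checkDocInfo, checkServeTarget, matchReq&DataAccessRole, getOriginatingOrgNetID) become methods, the headers and servers are constructed samples, and the visited-set loop guard and the uniform no-find reply on a role mismatch are my assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
# Stage Two request/search object (constructed): role, target patient, index, public key.
Request = namedtuple("Request", "role patient_id index requestor_public_key")

# The Access-Lock is stored with the data on the provider system; the regional
# server holds only the CDA header plus a referent (the originating net ID).
@dataclass
class AccessLock:
    roles_for_access: frozenset
    def match_req_and_data_access_role(self, role):  # matchReq&DataAccessRole()
        return role in self.roles_for_access

@dataclass
class CdaHeader:
    patient_id: str
    doc_type: str
    originating_org_net_id: str  # where the attestable CDA itself is held
    lock: AccessLock
    def check_doc_info(self, index):           # checkDocInfo()
        return self.doc_type == index
    def check_serve_target(self, patient_id):  # checkServeTarget()
        return self.patient_id == patient_id
    def get_originating_org_net_id(self):      # getOriginatingOrgNetID()
        return self.originating_org_net_id

@dataclass
class RegionalServer:
    name: str
    headers: list
    neighbour: object = None  # next server in the chain, or None
    # Stage Three lookup; with no match the request is passed on to the neighbour.
    # The visited set is an assumed guard so a ring of servers cannot loop forever.
    def search(self, req, visited=frozenset()):
        visited = visited | {self.name}
        for h in self.headers:
            # A role mismatch is answered like an absent record (assumption), so the
            # reply does not reveal which patients have documents on file.
            if (h.check_serve_target(req.patient_id) and h.check_doc_info(req.index)
                    and h.lock.match_req_and_data_access_role(req.role)):
                return ("found", h.get_originating_org_net_id())
        if self.neighbour is None or self.neighbour.name in visited:
            return ("no find", None)
        return self.neighbour.search(req, visited)

def build_sample_network():
    hdr = CdaHeader("P-001", "HealthEventSummary", "net://provider-a",
                    AccessLock(frozenset({"GP", "ED_CLINICIAN"})))
    s1, s2 = RegionalServer("region-1", []), RegionalServer("region-2", [hdr])
    s1.neighbour, s2.neighbour = s2, s1  # ring: region-2 would forward back to region-1
    return s1
```

The referent returned is only a pointer; the Stage Four transfer still has to encrypt to the requestor's public key and carry the signature that authenticates the requestor.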

  • Role Words. Role words in a language, like most other words, are language specific. Is Verstehen the same as Understanding? Is Spirituel the same as Spiritual? Most role words simply do NOT translate. The chess analogy for language: Saussure. The concept of autopoiesis: Varela.

  • Roles as self defining autopoietic sets

    (Diagram to summarize how an autopoietic (self defining) set, whose values are internally derived, can nevertheless trigger a finite list of access options/attributes in the body.)

    (Diagram labels: Access Ontology; C, D, I, N, R, S, T ...; CHESS)

  • The ROLE Ontology: Role, Task, and Model

  • ACCESS PROCESS ACTIVITY DIAGRAM

  • CROSS BORDER ROLE MANAGEMENT. Where there has been policy bridging and a role inventory for mapping, this can simply be applied. Where no such work has been done, we suggest that a proxy role key search object is assigned by an authority in the host realm. All other aspects of the process deliver interoperable results.

  • (Diagram: Provider, Regional Network, Requestor.) Retrieving CDAs from the network... they might cling to the search, like termites.

  • The end dream. A single pervasive device, the CDA. A simple shared access process, endlessly customizable, that can act as a stand-alone, a component, an EHR extract (GEHR), a fix for now, a stage in a global evolution. Just let it go, release it in global healthcare, facilitate the emergence of implicate order, give Gaia an immune system, maybe she will heal...