Introduction
This document has been prepared in response to two circumstances:
- To help bring the ISO/TC215 WG1 Access exercise to an agreed conclusion in the context of the ISO/TC215 aim of achieving a global healthcare standard. Despite the absence of promised collaboration from WG4, the Access work item is still active, registered as a technical report but now re-defined as a 'requirements' document.
- To respond to the new document from John Lewis developing the ISO/TC215 WG4 PKI infrastructure (Lewis, Jan 2001) [1]. He asserts that the purpose of the WG4 technical specification is to "create a platform for global interoperability."
This is consistent with the overall scope statement of ISO/TC215:
'Standardization in the field of information for health and Health Information and Communication Technology (ICT) to achieve compatibility and interoperability between independent systems. Also to ensure comparability of data for comparative and statistical purposes, and to reduce duplication of effort and redundancies.'

There can be no interoperability without interoperable access control, and a global standard for interoperability implies a global 'standard' for access control. John Lewis's paper describes a necessary infrastructure for the platform on which secure global interoperability could occur. It does not identify requirements for a global access system that could work despite the differences in practices and behaviors that are current in different jurisdictions or even within jurisdictions, nor how 'comparability' of data is to be achieved.
Requirements
We list the full 'requirements for access' below. The first four are catered for by the proposed PKI infrastructure, as John Lewis proposes.
- Authentication
  A guarantee that the message really has come from the person who appears or claims to have sent it.
- Integrity
  Proof that the message content has not been altered, deliberately or accidentally, in any way during transmission.
- Confidentiality
  Evidence that only the person the message is directed to can open it and that the contents of the message have not been disclosed to third parties. The definition of valid access rules and roles must be flexible enough to be jurisdiction-specific if required.
- Non-Repudiation
  The sender, having sent a message, cannot at some later stage dispute that they created and sent the message. This requirement refers to non-repudiation in the technical rather than the legal sense.
- Accountability
  Assurance that the actions of an entity may be traced uniquely to the entity [ISO 7498-2].
- Availability
  The property of being accessible and usable upon demand by an authorised entity [ISO 7498-2].
- Accessibility
  Access to the ISO healthcare standard should not be constrained by financial considerations or by the use of particular technologies. ISO compliance should be achievable by record developers using different technologies and with different resources.
- Interoperability
  An ISO compliant medical record system must facilitate legitimate access within a jurisdiction and between jurisdictions. In other words, ISO compliant record systems must in practice be able to work together, i.e. the 'standard' should work.

Discussion
The last two requirements, for 'accessibility' and 'interoperability', emphasise that no legitimate healthcare worker should be excluded from access to ISO compliant medical records because ISO compliance itself requires a fee, or because such compliance depends on any particular technology.
The challenge for the ISO committee is to adopt a way of achieving access control that applies globally, is accessible to healthcare workers and consumers in all jurisdictions without financial constraint, and yet which can be customised, as necessary, for each jurisdiction in terms of access rules and roles. It must also work for different data types and definitions. The access standard should both achieve its goal of conferring potential interoperability and yet not constrain the practice, knowledge base, structure or performance of healthcare delivery (also from the ISO/TC215 scope statement).
In the New Zealand Access paper which was accepted by WG1 at the Dunedin meeting (April 2000) [2], we described the conceptual anatomy of a technique of access control which might meet all these requirements. One comment on our paper from a prominent member of the WG4 PKI work group included the suggestion that a joint WG1/WG4 task force could usefully be convened to develop a workable solution. It advised that we should 'focus on the characteristics of security objects that could be attached to elements of the individual health record and linking these proposed access methods to PKI-based attribute certificate supported techniques.'
Without discussion of the conceptual anatomy of a technique or techniques able to fulfil the requirements listed above, we believe the matter cannot be progressed further. Any 'solution' should also be consistent with the emergent General Domain Model that was explored at the General Domain Model meeting of WG1 members in Vancouver in December 2000.
Michael Mair
David Menkes
New Zealand
26 February 2001

Ref:
[1] From ISO/DTS 17090-1. Document title: Health informatics - Public Key Infrastructure for Secure Exchange of Health Information across National Boundaries; Part 1: Framework and overview.
[2] On www.health.nsw.gov.au/iasd/imcs/iso-215, user name 'wg1' and password 'berlin'.