acupulco cda access v3-1

Mike Mair and Stephen Chu New Zealand Acupulco 22.10.2004 The Immunological Model for CDA Access Revisited The Empty Box


Post on 19-Jun-2015


TRANSCRIPT

  • Mike Mair and Stephen Chu, New Zealand

    Acupulco, 22.10.2004

    The Immunological Model for CDA Access Revisited

  • Agenda

    History

    Immunological model revisited

    Review of Berlin proposal

    CDA as the empty box and the CDA box revamped

    Role and role definition

    Role, tasks, and the division of labour

    Expression of local roles

    Some examples

    Questions and discussions

  • The History

    At the ISO TC/215 WG1 meeting in Orlando in 1998, the New Zealand team agreed to develop a work item on access for the ISO committee, for delivery at the Seoul meeting in March 2001.

    We called for the creation of a universal healthcare packet, which we termed the attestable unit. It was paired with an access lock for a universal access mechanism. It was modeled on the bifunctional immunoglobulin family of molecules of immunological science.

  • The Immunoglobulin Molecule

    [Figure labels: the effector end of the IgG molecule; the recognition ends of the IgG]

  • The universal role for immunoglobulin

    In the body the immunoglobulin molecule is pervasive.

    It acts as a transmitter, a hormone, an activator, a switch; it can be extremely specific in its target, or very general.

    Nature has implemented a single design. If we can get a universal access control process for the CDA, could it do the same for health informatics?

  • An example of AB-AG binding: the HLA B27 antigen

    The HLA antigen has many types.

    An antibody can target all of them, or a subclass, or a single type.

    This feature of the immune system, the ability to target a whole class or a subset of a class, is a good metaphor for a search.

    A class of meta-data is depicted as an antibody binding site.

  • A Class of meta-data is like an antibody binding site. A search can match all members of a class, or any subset of the class hierarchy.

  • ISO-TC215 Seoul 2001: Access Proposal

    You only find what you are meant to find

    The access lock concept for the attestable unit was to act as a guard and pointer to the attestable unit. It contained the role required for access to the unit. It was matched by a search object containing the searcher's public key (PKI) and attribute certificate. We invoked dual key cryptography for the actual retrieval of the unit. The data would remain with the system of origin, along with the audit trail of the 5 WH of instances of access to the data.

  • ISO-TC215 Seoul 2001: Access Proposal

    At the presentation to the WG1 meeting in March 2001 in Seoul, Korea, I mentioned that the CDA might function as the attestable unit, and the access lock might derive from a detachable header for the CDA.

    The concept was further developed and presented at the First International CDA Conference at Berlin in October 2002.

  • The Detachable CDA Header

    [Figure label: Detachable Header]

  • The Detachable CDA Header

  • Role Words

    Role words in a language, like most other words, are language specific.

    Is Verstehen the same as Understanding?

    Is Spirituel the same as Spiritual?

    Most role words simply do NOT translate.

    The chess analogy for language: Saussure

    The concept of autopoiesis: Varela

  • Roles constitute self-defining autopoietic sets

  • [Figure: Regional Server data store holding the list of CDA Headers (or Access Objects); Provider Server data store; labels: locates CDA document source; encryption key transfer]

  • [Figure labels: SSL; SOAP security; SOAP Envelope; digital signature; public key certificate; SOAP encryption; role-based access control]

  • The Proposal from Finland at Berlin

    From Timo Itala et al.

    There was already an implementation from Finland using the CDA headers as a referent.

    When the doctor wants to look at the patient data, the regional system looks up the entry from the list of pointers.

    This search and retrieval system does not include an index to the clinical data in the header, to preserve patient confidentiality.

  • Refining the Berlin Proposals

    To allow this concept to be used as a searchable clinical repository

    To allow the role for access to be entirely locally defined

    To expand the concept to cover repositories of all types of health data

  • Problems with a Role-Registry

    .. It shall be possible to identify realm specific variations for vocabularies where this is permitted by existing HL7 rules. Each such variation shall be subject registration

    From Dr Guilliermo Reynoso's presentation (5th International Affiliate Conference)

    This may not be true of local role sets.

    Since role definition is a function of division of labour, the number of potential roles is limitless.

    We could never track them all, and should NOT even try.

  • Implementing Local Role Definition: a Starter Model

    We propose a division of the domain into four basic data types:

    Clinical

    Administrative

    Demographic

    Personal

    And the CDA into four basic compartments

  • The Revamped CDA: not quite empty

    NOTE: The CDA repository can have the same structure

  • Implementing Local Role Definition: a Starter Model

    We suggest that these are accessed by 4 core roles:

    Clinician

    Administrative

    Researcher

    Self (subject of care addressed in record)

  • The Division of Labour

  • Local roles can be expressed by:

    A segregation of data into 4 compartments

    The identification of 4 core roles

    The use of a grain filter

    Need-to-know targeting of a subset of the CDA repository which is defined by task

  • The Hierarchical Organisation of Knowledge

  • The Theory of Granular Partitions

    The coarser the grain, the more the downstream information

    Fine grain search delivers limited knowledge (or information)

    The single CDA is the finest grain entity in this model

    Grain range can be generalised across domains

    (Bittner, B. Smith, Granular Spatio-Temporal Ontologies, in A Theory of Granular Partitions. Foundations of Geographic Information Science, M. Duckham, M. F. Goodchild and M. F. Worboys (eds.), London: Taylor & Francis, (2003) 117-151.)

  • A Class of meta-data is like an antibody binding site. A search can match all members of a class, or any subset of the class hierarchy.

  • How does this work in practice?

    A subset of the CDA repository is targeted by the need-to-know defined by the task.

    A requester role-key is configured and applied locally. It contains attribute certificates.

    If a search request is inconsistent with the requester's role-key, then permission is denied.

    The accredited institution is responsible for the integrity and security of the records it handles.

  • [Class diagram]

    Request_Object: attributes requesterID, roleValue, searchParameters; methods sendSearchRequest(), getAttributeCertificate()

    AccessControl_Object: attribute permittedSearchGrain; methods checkRoleBasedSearchGrain(), generateSearc(), rejectSearch()

    SearchGrain_Object: attribute roleBasedSearchGrainPermission

    Audit_Object: attributes requesterID, requesterRole, accessDateTime, requestParameters, requestOutcome; method logsAccessAttempt()

    RoleKey_Object: attributes requesterID, attributeCertificate, requesterPublicKey, requestParameters; method findCDA()

    CDA_Object: attributes documentInfo, encounterInfo, providerInfo, serviceTargetInfo, referenceToData; method getCDABody()

    Data classes: HealthData [CDA-Body]; ClinicalData; AdminData; DemongraphicData; SecretData

    Association labels: accesses; sends-request; sends-access-attempt-details; activates; searches-&-retrieves; sends-search-result; multiplicities 1 and 1

    Note: Method checks whether grain of search is within range permitted for the role. IF NOT - step search, ELSE find and return CDA(s) that match(es) request

    Note: includes base role value for access control

  • [Sequence diagram]

    Participants: RequestObject, CertificateObject, AccessControl, SearchGrain, RoleKeyObject, CDAObject, HeadData, AuditObject

    Messages: accept-or-Reject(), searchResult(), requestSearch(userID; srchCriteria), getGrainFilter(), returnsSrchGrainPermission(), getCDA(), getBody(), returnBody(), returnCDA(), returnCDA(), requestCDA(attribCert; digitalCert; searchCriteria), searchAttempt(), sendAttrCert(), requestAttribCert()
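The role-based grain check and audit step described on the preceding slides, sketched in Python as an added example; it is not code from the presentation. The grain scale, the POLICY table mapping the four core roles to the four compartments, the Python names and the sample repository are all assumptions made for illustration, since the slides leave role definition to the local realm.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

GRAIN = {"single_cda": 0, "patient": 1, "population": 2}  # assumed scale, fine to coarse
POLICY = {  # assumed local policy: role -> (compartments, finest grain, coarsest grain)
    "Clinician": ({"Clinical", "Demographic"}, "single_cda", "patient"),
    "Administrative": ({"Administrative", "Demographic"}, "single_cda", "patient"),
    "Researcher": ({"Clinical"}, "population", "population"),
    "Self": ({"Clinical", "Administrative", "Demographic", "Personal"}, "single_cda", "patient"),
}

@dataclass
class Request:  # fields follow the slide's Request_Object
    requester_id: str
    role_value: str
    compartment: str
    grain: str
    subject: str = ""  # patient id; ignored for population searches
    doc_id: str = ""   # used only when grain == "single_cda"

@dataclass
class AccessControl:
    repository: list
    audit: list = field(default_factory=list)

    def check_role_based_search_grain(self, req):
        rule = POLICY.get(req.role_value)
        if rule is None or req.grain not in GRAIN:
            return False  # unknown role or grain: deny by default
        compartments, finest, coarsest = rule
        if req.role_value == "Self" and req.subject != req.requester_id:
            return False  # Self may search only their own record
        return (req.compartment in compartments
                and GRAIN[finest] <= GRAIN[req.grain] <= GRAIN[coarsest])

    def search(self, req):
        ok = self.check_role_based_search_grain(req)
        hits = [d for d in self.repository if ok and d["compartment"] == req.compartment
                and (req.grain == "population" or d["subject"] == req.subject)
                and (req.grain != "single_cda" or d["id"] == req.doc_id)]
        self.audit.append({  # every attempt is logged, allowed or not
            "requesterID": req.requester_id, "requesterRole": req.role_value,
            "accessDateTime": datetime.now(timezone.utc).isoformat(),
            "requestParameters": (req.compartment, req.grain, req.subject, req.doc_id),
            "requestOutcome": f"returned {len(hits)}" if ok else "rejected"})
        return hits

# Constructed sample repository (not real data): document id, subject of care, compartment.
REPO = [dict(id=i, subject=s, compartment=c) for i, s, c in
        [("d1", "p1", "Clinical"), ("d2", "p1", "Personal"), ("d3", "p2", "Clinical")]]
```

A rejected request and a permitted request that matches nothing both return an empty list; only the audit entry's requestOutcome tells them apart.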

  • CROSS BORDER ROLE MANAGEMENT

    Where there has been policy bridging and a role inventory for mapping, this can simply be applied.

    Where no such work has been done, we suggest that a proxy role key search object is assigned by an authority in the host realm.

    All other aspects of the process deliver interoperable results.

  • The end dream.

    A single pervasive device, the CDA

    A simple shared access process

    endlessly customizable, a stand alone, a component, an EHR extract

    a fix for now, a stage in a global evolution

    Just let it go, release it in global healthcare

    facilitate the emergence of implicate order

    Let's give Gaia an immune system, maybe she will heal...

  • Questions?