HIE Security and Privacy through IHE

IHE Security and Privacy Controls

Given the mandatory use of ATNA, the following is a breakdown of the security and privacy controls and of the ways in which the IHE profiles can help. The original document presents this as a table with the identified controls as columns and the IHE profiles as rows; a 'D' marks a direct relationship and an 'I' marks an indirect relationship. The columns are Accountability Controls, Identification and Authentication Controls, Access Controls, Confidentiality Controls, Data Integrity Controls, Non-Repudiation Controls, Patient Privacy Controls and Availability Controls; the rows are the profiles ATNA, CT, EUA, XUA, DSG, XDS, XDR, XDM, PWP and BPPC. Further details on the 'D' direct relationships follow in this chapter.

Accountability Controls

- ATNA: All systems must be assessed as trustable.
- ATNA: All systems only communicate with other trustable systems.
- ATNA: All systems must enforce access controls.
- ATNA: All systems detect the auditable events and produce audit messages according to the defined audit schema.
- DSG: Records the identity of the signer.

Identification and Authentication Controls

- ATNA: All systems must authenticate users before allowing access to PHI.
- EUA: An enterprise user authentication system.
- PWP: A system for getting details on users (personnel).
- XUA: Identifies a principal in a cross-enterprise transaction.
- DSG: Records the identity of the signer through the use of the private key. The presumption is that the user must have been authenticated prior to access to the private key.

Access Controls

- ATNA: All systems must enforce access controls.
- PWP: A system for getting the roles assigned to users.

Confidentiality Controls

- ATNA: Encryption with 3DES or AES. (3DES has since been deprecated by NIST; new deployments should use AES.)
- ATNA: All systems must authenticate users before providing access to PHI.
- ATNA: Required audit log format and specific auditable events.
- XDS: All queries are patient specific.
- XDS, XDM, XDR: Metadata has minimal PHI:
  - Integrity controls: times, size, hash, OID, URI.
  - If known: author institution, author name, author specialty.
  - HIE specific: healthcare facility type, practice setting code, patient identifier number, document format code, document MIME type.
  - Document Source specific: patient demographics (full name, gender, date of birth, and address).
- XDR: A system for communicating documents directly between two systems.
- XDM: A system for communicating documents using media.

Data Integrity Controls

- ATNA: Node authentication with certificates ensures non-trustable systems are kept out.
- ATNA: Integrity using SHA-1 to ensure the transaction is whole.
- XDS: Integrity (SHA-1) controls built into the metadata ensure the document is covered over its whole lifespan. (SHA-1 is no longer collision resistant; these hashes detect accidental or in-transit modification, but an author who controls the document at registration time could substitute a colliding document, which is why DSG signatures are the non-repudiation control.)
- XDS: The document management model ensures that documents are not removed but are deprecated with clear successors.
- XDS: The document model and standard formats ensure that the data can be maintained over a long time.
- DSG: Certificate-based digital signatures can be applied to the documents.
- The XDS family is entirely standards based, ensuring that the information managed in XDS is not locked into a proprietary system.
- XDS is document centric, assuring persistence, stewardship, potential for authentication, and wholeness.
- ATNA: All actions are discoverable, allowing for monitoring of appropriate use and testing for leaks. Security is an actively managed process allowing for oversight and vigilance.

Non-Repudiation Controls

The non-repudiation controls incorporate the integrity controls, but rely more specifically on the following:

- DSG: Certificate-based digital signatures can be applied to the documents.
- ATNA: All actions are discoverable, allowing for monitoring of appropriate use and testing for leaks. Security is an actively managed process allowing for oversight and vigilance.

Patient Privacy Controls

The XDS model at a high level supports a simple patient consent policy that allows for opt-in or opt-out, depending on the way the specific HIE chooses. In this way a patient can choose to be included or not included in the HIE. This would be recorded at the edge application and controlled by that application.

In addition to this basic capability, the BPPC profile records the patient's willingness to participate in the HIE, or to NOT participate. The BPPC profile is powerful enough to handle a small number of different policies that will generally cover most types of patient privacy consent. It is not powerful enough to handle an individual patient's exceptions to the basic set of policies. We recognize that there are patients who want to single out individuals who are authorized and individuals who must not be given access. This more advanced level of control is not readily expressible in current standards; there is ongoing standards work within HL7 and OASIS to address this.

A powerful feature of the IHE model is a built-in accountability system. The ATNA profile's audit log can be examined for unacceptable behavior, and the HIE can react according to its policy. For expressly sensitive patients, it might be best to keep their data within the edge application EMR and not share any of that patient's data with the HIE.

Availability Controls

Availability controls are more environmental in nature; that is, they are provided by the infrastructure that is used to build the HIE. There are some key aspects of the IHE profiles that are still highly important to maintaining availability:

- XDS: The document model and standard formats ensure that the data can be maintained over a long time.
- The XDS family is entirely standards based, ensuring that the information managed in XDS is not locked into a proprietary system.
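The XDS metadata integrity check described under Data Integrity Controls above, as an added example in Python; this is not IHE's own code. It models only the two DocumentEntry attributes involved (size in bytes and the SHA-1 hex hash of the document), computes them as a Document Source would at registration, and verifies a retrieved copy against them. The sample document and the two corrupted variants are constructed for this example; the second variant keeps the original length so it passes the size check and is caught only by the hash.

```python
"""Integrity check of an XDS document against its DocumentEntry metadata.

Added example, not IHE's own code. Only DocumentEntry.size and
DocumentEntry.hash (SHA-1, hex) are modelled; the sample document below
is constructed for this example and describes no real patient.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DocumentEntryIntegrity:
    """The two XDS DocumentEntry attributes used for integrity checking."""
    size: int   # DocumentEntry.size: length of the document in bytes
    hash: str   # DocumentEntry.hash: SHA-1 of the document bytes, hex encoded


def register_metadata(document: bytes) -> DocumentEntryIntegrity:
    """What a Document Source computes when it registers a document."""
    return DocumentEntryIntegrity(
        size=len(document),
        hash=hashlib.sha1(document).hexdigest(),
    )


def verify_retrieved(document: bytes, meta: DocumentEntryIntegrity) -> tuple[bool, str]:
    """Check a retrieved document against the registry metadata.

    Returns (ok, reason). The size check is cheap but weak on its own:
    a same-length edit passes it, so the hash is always checked too.
    """
    if len(document) != meta.size:
        return False, f"size mismatch: metadata says {meta.size}, received {len(document)}"
    digest = hashlib.sha1(document).hexdigest()
    if digest != meta.hash.lower():
        return False, f"hash mismatch: metadata {meta.hash}, computed {digest}"
    return True, "ok"


# Constructed sample document (CDA-like XML, invented for this example).
SAMPLE_DOCUMENT = (
    b'<ClinicalDocument>'
    b'<patient id="123456"/>'
    b'<observation code="8480-6" value="120" unit="mm[Hg]"/>'
    b'</ClinicalDocument>'
)
SAMPLE_METADATA = register_metadata(SAMPLE_DOCUMENT)

# Same length, one value changed: passes the size check, fails the hash check.
TAMPERED_SAME_LENGTH = SAMPLE_DOCUMENT.replace(b'value="120"', b'value="190"')

# Truncated in transit: caught by the size check before hashing.
TRUNCATED = SAMPLE_DOCUMENT[:-20]


def demo() -> dict[str, tuple[bool, str]]:
    """Run the three checks and return their results keyed by case."""
    return {
        "intact": verify_retrieved(SAMPLE_DOCUMENT, SAMPLE_METADATA),
        "tampered": verify_retrieved(TAMPERED_SAME_LENGTH, SAMPLE_METADATA),
        "truncated": verify_retrieved(TRUNCATED, SAMPLE_METADATA),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:10s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The registry hash is computed by the Document Source itself and is public, so this check detects corruption in transit or alteration in the repository after registration; it says nothing about a dishonest source. Since practical SHA-1 collisions exist, an author who controls the document at registration time could later substitute a colliding variant that still passes this check, which is the case the DSG signature (and a collision-resistant digest) exists to cover.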