Saturday, 19 December 2009

OASIS - Healthcare Data Security & Privacy Authorization & Access Control Standards approved

The web services open standards group OASIS, an industry body which has done a lot of good work agreeing and promulgating technology standards, has just approved two new healthcare-related technology standards for health information interoperability, i.e. access to healthcare data across different organisations. Both were approved as of 1 November 2009:

  1. the Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of the Security Assertion Markup Language (SAML) for Healthcare, version 1.0
    • a framework designed to provide access control interoperability in the healthcare environment via cross-enterprise security and privacy authorization (XSPA), using SAML assertions with common semantics and vocabularies in specified exchanges
    • aimed at satisfying requirements for information-centric security within the healthcare community; will enable hospitals and other service providers to validate requests for information access, allowing user attributes to be matched against the security policies related to user location, role, purpose of use, data sensitivity, and other relevant factors
    • includes a privacy policy that enforces patient preferences, consent directives and other privacy conditions (object masking, object filtering, user, role, purpose, etc.)
  2. the XSPA Profile of the eXtensible Access Control Markup Language (XACML) for Healthcare, version 1.0
    • a cross-enterprise security and privacy profile that describes how to use XACML to provide a mechanism to exchange security and privacy policies, evaluate consent directives and determine authorizations in an interoperable manner
    • i.e. describes mechanisms for authenticating, administering, and enforcing authorisation policies which control access to protected information residing within or across enterprise boundaries, thus promoting interoperability within the healthcare community by providing common semantics and vocabularies for policy enforcement.
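To make the "matching user attributes against policies" idea in the two profiles concrete, here is a small attribute-based access decision written for this post. It is an added illustration, not code from OASIS or from either XSPA profile, and the attribute names, code values, roles and the sample patient record are all constructed for the example rather than taken from the profiles' vocabularies. It evaluates a request (role, purpose of use, organisation) against a patient consent directive and the data's sensitivity, denies by default, and carries an object-masking obligation with a Permit, which the enforcement step applies.

```python
"""Illustrative XSPA-style attribute-based access decision with consent
enforcement and object masking.  All attribute names and code values are
constructed for this example (not the profiles' own vocabulary)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sensitivity ordering (low -> high) and per-role clearance.
SENSITIVITY_RANK = {"normal": 0, "restricted": 1, "very-restricted": 2}
ROLE_CLEARANCE = {"clerk": "normal", "nurse": "restricted", "physician": "very-restricted"}


@dataclass
class ConsentDirective:
    """A patient's consent: who may see the record, for what, and what to hide."""
    allowed_purposes: frozenset
    allowed_roles: frozenset
    allowed_orgs: frozenset
    masked_fields: frozenset = frozenset()  # object-masking obligation on Permit


@dataclass
class Decision:
    effect: str                              # "Permit" or "Deny"
    reason: str
    masked_fields: frozenset = frozenset()   # obligation attached to a Permit


def evaluate(subject: dict, resource: dict, consent: ConsentDirective) -> Decision:
    """Policy decision point: deny by default, Permit only when every attribute matches."""
    purpose = subject.get("purpose-of-use")
    role = subject.get("role")
    org = subject.get("organisation")
    if purpose not in consent.allowed_purposes:
        return Decision("Deny", f"purpose {purpose!r} not covered by consent")
    if role not in consent.allowed_roles:
        return Decision("Deny", f"role {role!r} not covered by consent")
    if org not in consent.allowed_orgs:
        return Decision("Deny", f"organisation {org!r} not covered by consent")
    # Data sensitivity: an unknown or missing sensitivity is treated as the highest.
    clearance = SENSITIVITY_RANK.get(ROLE_CLEARANCE.get(role, "normal"), 0)
    sensitivity = SENSITIVITY_RANK.get(resource.get("sensitivity"), max(SENSITIVITY_RANK.values()))
    if clearance < sensitivity:
        return Decision("Deny", f"role {role!r} lacks clearance for this data sensitivity")
    return Decision("Permit", "all subject attributes matched", consent.masked_fields)


def enforce(record: dict, decision: Decision) -> Optional[dict]:
    """Policy enforcement point: release a masked copy on Permit, nothing on Deny."""
    if decision.effect != "Permit":
        return None
    return {k: ("***" if k in decision.masked_fields else v) for k, v in record.items()}


# Constructed sample data: one patient record, its resource attributes and consent.
RECORD = {"patient-id": "P-0001", "diagnosis": "example-diagnosis", "ssn": "000-00-0000"}
RESOURCE = {"patient-id": "P-0001", "sensitivity": "restricted"}
CONSENT = ConsentDirective(
    allowed_purposes=frozenset({"treatment"}),
    allowed_roles=frozenset({"clerk", "nurse", "physician"}),
    allowed_orgs=frozenset({"hospital-a"}),
    masked_fields=frozenset({"ssn"}),
)

# Constructed sample requesters.
NURSE = {"role": "nurse", "purpose-of-use": "treatment", "organisation": "hospital-a"}
RESEARCHER = {"role": "physician", "purpose-of-use": "research", "organisation": "hospital-a"}
CLERK = {"role": "clerk", "purpose-of-use": "treatment", "organisation": "hospital-a"}


def demo() -> dict:
    """Run the three sample requests and return what each requester would receive."""
    results = {}
    for name, subject in (("nurse", NURSE), ("researcher", RESEARCHER), ("clerk", CLERK)):
        decision = evaluate(subject, RESOURCE, CONSENT)
        results[name] = (decision.effect, decision.reason, enforce(RECORD, decision))
    return results


if __name__ == "__main__":
    for name, (effect, reason, released) in demo().items():
        print(f"{name}: {effect} ({reason}) -> {released}")
```

The point of the separation is the one the profiles make: the decision is computed from attributes and the consent directive in one place, while the enforcement point only applies the result and its obligation (here, masking the `ssn` field). The nurse gets the record with the masked field, the researcher is refused because the consent covers treatment only, and the clerk is refused because the role's clearance is below the data's sensitivity.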

For non-technical lawyers - the references to "security policies" and "privacy policies" here are not used in the sense in which people normally understand "privacy policies" and the like, but rather as a means of representing the underlying policies or rules (in the traditional sense) in a machine-readable form, so that technology can check and enforce them automatically.

These new standards set out a framework and means for exchanging data securely and consistently with any privacy policies, but (as with the ISTPA Privacy Management Reference Model) they still need to be implemented technically to see use.

No doubt the members of OASIS, who include IBM, Sun Microsystems, AOL, Boeing, Booz Allen Hamilton, CA, Cisco, EMC, HP, Intel, Jericho Systems, Neustar, Nokia, Oracle, Red Hat, SAP, Skyworth TTG, U.S. Veterans Health Administration and others, will be amongst the first to do so.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.