...
OHIE Privacy and Security Framework
To help implementers think about the multiple dimensions of security, OpenHIE has the following framework.
Security Technology
Basic Security - Technical capabilities | OHIE Security - Level 1 | OHIE Security - Level 2 | OHIE Security - Level 3 |
---|---|---|---|
Encryption in transit between entities | System Level: encrypt transactions between HIE and external system | HIE System Component level: encrypted transactions inside the HIE | |
Security in processing / storage | HIE System Component Level - Option: OHIE Architecture components have the option to require authentication to access data | HIE Component Level: OHIE Architecture components require authentication to access data | |
Authentication / Identity assertion level | System Level: HIE and the external system are authenticated at the “device” level | HIE System Component level: HIE components are mutually authenticated at the device level | User Level: External systems are able to assert user identity, location and purpose of use to the HIM |
Audit Record Points | HIE Component Level Audits for PHI transactions: Mirrored audits are collected between the HIM and infrastructure services whenever PHI is conveyed. | HIE Component Level Audits for all transactions: Mirrored audits are collected between the HIM and infrastructure services whenever PHI is conveyed. | Mirrored audits between all parties: POS systems are able to send relevant audits to central audit-repository |
Audit Records Content | Basic content: Transactions between the HIE and an external system are tracked. | Audit contents contain subject field: Audits contain the X.509 Subject field of the requesting party | Detailed Audit Contents: All audits contain the asserted user identity, location and purpose of use. |
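
The audit-content levels in the last table row, as an added example that is not part of the OpenHIE framework: it builds an audit record from the certificate of a mutually authenticated TLS peer (the dict shape returned by Python's ssl.SSLSocket.getpeercert()) and reports which content level the record meets and which fields are missing for a target level. The record field names, the sample certificate and the reading of the levels as cumulative are assumptions.

```python
from datetime import datetime, timezone

# Assumed field names per audit-content level (cumulative reading of the table).
REQUIRED = {
    1: ["event"],                                   # transaction is tracked
    2: ["event", "requester_subject"],              # + X.509 Subject of requester
    3: ["event", "requester_subject",               # + asserted user context
        "user", "location", "purpose_of_use"],
}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
PEER = {"subject": ((("organizationName", "Example Clinic"),),
                    (("commonName", "pos-01.clinic.example"),))}

def x509_subject(peercert):
    """Flatten the certificate 'subject' RDN tuples into 'key=value,key=value'."""
    rdns = (peercert or {}).get("subject", ())
    return ",".join(f"{k}={v}" for rdn in rdns for (k, v) in rdn)

def missing_for(rec, level):
    """Return the fields a record still lacks to meet the given level."""
    return [f for f in REQUIRED[level] if not rec.get(f)]

def content_level(rec):
    """Highest level whose required fields are all present (0 if none)."""
    return max((lvl for lvl in REQUIRED if not missing_for(rec, lvl)), default=0)

def build_audit(event, peercert=None, user=None, location=None, purpose=None):
    """Build an audit record; empty or absent values are left out, not stored as None."""
    rec = {"time": datetime.now(timezone.utc).isoformat(), "event": event}
    optional = {
        "requester_subject": x509_subject(peercert),
        "user": user,
        "location": location,
        "purpose_of_use": purpose,
    }
    rec.update({k: v for k, v in optional.items() if v})
    rec["content_level"] = content_level(rec)
    return rec

if __name__ == "__main__":
    rec = build_audit("patient-query", PEER, user="dr.a")
    print(rec["content_level"], missing_for(rec, 3))
```

A record that carries asserted user context but no certificate subject stays at level 1 under this cumulative reading, which flags senders that assert identity without device-level authentication.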
...