Consent Management

Posted on March 30, 2012 by blueimpact

Privacy is the person’s control over the collection, use and disclosure of his/her information. Consent management provided the control of the collection, use and disclosure of personal information to individuals. Consent management is the most significant component of privacy management program that support individual’s privacy right.

Ontario Personal Health Information Protection Act specifies consent requirements for collection, use and disclosure of personal health information. An Health Service Provider must implement proper consent management practices (processes) to manage the client’s consent.

Posted in Uncategorized | Leave a comment

Security Assessment

Posted on March 23, 2012 by blueimpact

Security Assessment is such a general term that is often abused by the people to give false sense of security to the stakeholder.  You may disagree with this statement and ask what do you mean “general” and “abuse”. Let’s talk about what exactly is “Security Assessment”.

First of all, we need to understand what is the risk exposure to an IT environment or a particular IT application. From security perspective, the risk exposure can be classified into the following categories:

-Business risk, such as IT governance, project management, business operations (client enrolment, de-registration, etc).

-Infrastructure risk, such as internet connectivity, intranet, networking devices, servers, operating system, storage, backup and recovery.

-Application risk, such as application vulnerabilities (SQL-injection, cross-site-scripting, re-play, man-in-the middle), application design flaws, application bugs, etc.

-Operational risk, such as system monitoring process, release management process, problem management process, incident handling process, backup and recovery process, user account management process, etc.

Specific type of security assessment, for example PenTest, if planned properly, will only be able to cover a portion of the risk profile. Please think about “if planned properly”, which leads to the second point.

There are many different types of Security Assessment:

– Penetration Testing

-Vulnerability scan (network, system and “application” interfaces)

-Application security scan (Operating system and application)

-Application security assessment (Operating system and application including application business logic)

-Security code review (application)

-Host security testing

-IT General Control (ITGC) audit

-IT security operations review

Each type of security assessment focuses on different IT components and discovers different vulnerabilities.  Each security assessment project has its defined scope very likely constrained by the budget, time and resource, skills, etc. Planning is very important to define the proper scope and type of the assessment to cover the high risks.

Now I hope you will agree with the statement at the beginning of this article.

Posted in Uncategorized | Tagged , , , , | Leave a comment

Challenges in Electronic Health Record in Ontario, Canada

Posted on March 12, 2012 by blueimpact

There are many challenges in the design, development and implementation of Electronic Health Record that facilitates sharing of personal information and personal health information across the province of Ontario, Canada.

As a starting point, here is a quick list of the challenges:

  • Governance model. Governance refers to the structure and process to make strategic decisions for the lifecycle of the EHR. The governance model deals with fundamental by critical questions such as who has the control of the data, who is accountable to the use of the data, who makes corrections if requested by the patient.
  • Benefit model. The EHR is not just a repository of clinical data; it is the solution to realize clinical benefit. Without clearly identified and agreed-upon benefit model managed throughout the lifecycle of the project, EHR won’t be a successful project that delivers the value as expected by various stakeholders.
  • Consent management model. Each party (healthcare organization) in EHR has its own consent management model that supports the lifecycle of patient’s consent directive – collections, recording, registration, enforcement, override.
  • Access control model. There are many access control model, such as role-based access control, policy-based access control, mandatory access control, discretionary access control, context-based access control. It is very challenging to determine the appropriate access control model that meets the privacy and security requirements and expectations from the stakeholders, and in the mean time, practically possible to implementation and support with the limitation of operational resource and budget.

The list will continue to be updated; detailed explanation of each challenge will be published soon. Please come back again.

Posted in Privacy and Security Architecture | Tagged , , , , | Leave a comment

Welcome

Posted on March 5, 2012 by blueimpact

Welcome to BlueImpact, where you can find information about privacy, security and risk management. Knowledge and experience will be shared with you regularly. So please come back and meet with us again.

Posted in Uncategorized | Tagged , , , , , , | Leave a comment