[WG-UMA] Transform e-magazine

Adrian Gropper agropper at healthurl.com
Mon Nov 26 12:03:09 EST 2012


Neil,

I had just a minute to glance at the IMSC draft but my impression is that
it is not directly applicable to health info authorizations.

The draft, and your comments, will need further scrutiny to ensure that
patients are not coerced to aggregate information about themselves without
a clear understanding of its implications. Health records are not a license
issue. Providers are licensed, institutions may be licensed, devices are
sometimes licensed, but patients are typically not licensed. Patients may
be registered if they receive narcotics or if they have a public health
issue but the vast majority of patient encounters are not a license to
aggregate or otherwise impinge on the privacy of the physician-patient
relationship.

When it comes to patients, UMA needs to be careful not to make assumptions
about linkage between identiy providers and attribute providers.

Adrian


On Mon, Nov 26, 2012 at 8:58 AM, Neil McEvoy
<neil.mcevoy at l5consulting.net<javascript:_e({}, 'cvml',
'neil.mcevoy at l5consulting.net');>
> wrote:

>
> Hi guys
>
> Here is some text from me on filling out the solution section, which I
> have notionally described as "Cloud Consent Management".
>
> This has been described as a key Cloud app area by the Canadian E-Health
> folks, and is also referenced by their counterparts in the Federal Govt in
> a paper on building a pan-Canadian federated identity system. This common
> and shared need would seem the key point to focus on.
>
> I've also noted that it mentions the possible use of encryption as part of
> the data privacy protection mechanisms, which would enable it to lead
> naturally on to and link in the article from Bob Griffin, on building KMIP
> services into Cloud Providers too.
>
> Kind regards, Neil.
>
>
>
> > Hi Adrian
> >
> > Yes some thoughts on possible implementation scenarios would be great
> > content to add to the piece.
> >
> > I am just reading up on the 'EnCoRe' system from HP, which would seem to
> > offer a possible software option for implementing UMA:
> >
> > http://www.hpl.hp.com/techreports/2012/HPL-2012-36.pdf
> >
> > Having this implemented via a SaaS model would therefore describe how
> > these mechanisms will be built "into the Cloud".
> >
> > Regards, Neil.
> >
> >
> >> Eve's perception matches mine: consent has proved to be insufficient in
> >> practice and it is slowly being replaced by authorization as the key to
> >> scaling health information exchange. Kairon (a project of MITRE) is
> >> among
> >> the more advanced in this area but the "Pull" method Automate Blue
> >> Button
> >> Initiative of ONC is completely based on authorization on top of OAuth.
> >> (Please see the UMA health care use-case for links since my iPad gmail
> >> is
> >> link-challenged.)
> >>
> >> Adrian
> >>
> >> On Monday, November 19, 2012, Eve Maler wrote:
> >>
> >>> Aha, I know Bob from the earliest days of SAML -- say hello for me. :-)
> >>> One of the things I'd love to understand is the health establishment's
> >>> view
> >>> of "consent". Is it defined parochially, as passive consent of the
> >>> "yes,
> >>> I
> >>> agree" sort? Or does it admit a broader definition that I prefer to
> >>> call
> >>> "authorization" through pre-configured policy? I believe that the
> >>> broadly
> >>> defined version can be much more powerful than mere passive consent
> >>> because
> >>> it enables the individual to offer terms of access rather than accept
> >>> other
> >>> parties' already worked-out terms. I made that case here...
> >>>
> >>> http://www.w3.org/2010/policy-ws/papers/18-Maler-Paypal.pdf
> >>>
> >>>         Eve
> >>>
> >>> On 19 Nov 2012, at 4:52 AM, Neil McEvoy <neil.mcevoy at l5consulting.net<javascript:_e({}, 'cvml', 'neil.mcevoy at l5consulting.net');>
> >
> >>> wrote:
> >>>
> >>> >
> >>> > Hi Eve
> >>> >
> >>> > Yes, I am reading Adrian's paper now - It is excellent and I'd love
> >>> to
> >>> > include this in TRANSFORM.
> >>> >
> >>> > As mentioned the key opportunity is that this issue is being
> >>> organized
> >>> > around the recent eHealth/Cloud strategy published by the main
> >>> standards
> >>> > body for EHR in Canada, who is at a uniquely open time given how new
> >>> this
> >>> > all is to them.
> >>> >
> >>> > I.e. it's an ideal opportunity for influence, such as recommending
> >>> > adoption of UMA as best practices.
> >>> >
> >>> > Other authors include Robert Griffin, Chief Security Architect for
> >>> EMC
> >>> > RSA, and lead for OASIS KMIP, so we can propose a very complete view
> >>> of
> >>> > the possible ecosystem.
> >>> >
> >>> > Kind regards, Neil.
> >>> >
> >>> >
> >>> >> Finally catching up after all the work and personal travel...
> >>> >>
> >>> >> Neil, I'm really glad to see these artifacts being published. Your
> >>> use
> >>> >> case scenario of pharmacists getting access to eHeath info in order
> >>> to
> >>> >> dispense flu shots is a good one (and timely...I plan to go get my
> >>> shot
> >>> >> tomorrow :). I've kept Mario on cc because I wanted to let him know
> >>> that I
> >>> >> recorded a specific action item for him to contribute content to
> >>> you,
> >>> so
> >>> >> that we can track progress.
> >>> >>
> >>> >> I also cc'd Adrian, who has been working on a use-case writeup of
> >>> his
> >>> own
> >>> >> (sent to the list -- hopefully you came across this material), and I
> >>> >> wanted to invite you two to engage however makes sense. I realize US
> >>> and
> >>> >> Canadian health use cases might look a bit different given the heavy
> >>> role
> >>> >> of regulations in this area, but it would be cool either to
> >>> >> coordinate/align or to collect country-specific case study catalogs
> >>> as
> >>> we
> >>> >> go.
> >>> >>
> >>> >> Our current plan is to review Adrian's writeup in depth in our Nov
> >>> 29
> >>> >> meeting, so perhaps we can add the Shoppers Drug Mart angle
> >>> dynamically.
> >>> >>
> >>> >>      Eve
> >>> >>
> >>> >> On 1 Nov 2012, at 8:18 AM, Neil McEvoy
> >>> <neil.mcevoy at l5consulting.net <javascript:_e({}, 'cvml',
> 'neil.mcevoy at l5consulting.net');>>
> >>> >> wrote:
> >>> >>
> >>> >>>
> >>> >>> Hi Mario
> >>> >>>
> >>> >>> Here is some more info, and suggested focus areas.
> >>> >>>
> >>> >>> You'll see the headline news is that the Canada Health Infoway, the
> >>> main
> >>> >>> healthcare standards organization for Canada, has recently
> >>> published
> >>> >>> their
> >>> >>> Cloud strategy document.
> >>> >>>
> >>> >>> Integration between different systems is the key message, so we can
> >>> >>> position Identity & UMA as a central component of how to achieve
> >>> this.
> >>> >>>
> >>> >>> See: http://cloudbestpractices.net/2012/11/01/transform-2/
> >>> >>>
> >>> >>> I have started dialogue about the Personal Cloud Ecosystem, to
> >>> create a
> >>> >>> context for UMA.
> >>> >>>
> >>> >>> In terms of a good use case scenario, one example is how they have
> >>> now
> >>> >>> enabled pharmacists to now dispense flu shots - So how might
> >>> retailers,
> >>> >>> like Shoppers Drug Mart, look up the relevant EHealth info to
> >>> administer
> >>> >>> this?
> >>> >>>
> >>> >>> Neil.
> >>> >>>
> >>> >>>
> >>> >>>> Dear Eve, Neil,
> >>> >>>>
> >>> >>>> Thanks for keeping us in the loop!
> >>> >>>>
> >>> >>>> @Neil: attached you will find the complete slideset that I sent
> >>> Joni
> >>> >>>> Brennan for the London event I couldn't join, unfortunately. It
> >>> >>>> illustrates some eGov service scenarios that we currently partly
> >>> >>>> address
> >>> >>>> in a nationally funded R&D project in Germany called SealedCloud.
> >>> >>>> Please, don't hesitate to reuse some slides if helpful; mentioning
> >>> >>>> Fraunhofer AISEC and myself would then be highly appreciated :)
> >>> >>>>
> >>> >>>> Regarding the e-magazine we are interested in contributing an
> >>> article
> >>> >>>> about the apporach that is illustrated in the slideset. If this is
> >>> >>>> something that might be interesting for your readers, please,
> >>> don't
> >>> >>>> hesitate to contact me.
> >>> >>>>
> >>> >>>> Thank you and kind regards
> >>> >>>
> >>
> >>
> >>
> >> --
> >> Adrian Gropper MD
> >>
> >
> >
> > --
> > Neil McEvoy
> > Founder and CEO
> > http://CloudBestPractices.net
> >
>
>
> --
> Neil McEvoy
> Founder and CEO
> http://CloudBestPractices.net
>



-- 
Adrian Gropper MD


-- 
Adrian Gropper MD
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-uma/attachments/20121126/db9ad128/attachment.html 


More information about the WG-UMA mailing list