MedMid Conference Call 27-June-2002

*Attendees*
Jere Retzer, Oregon Health & Science University (OHSU)
Dave Damassa, Tufts
Morgan Passiment, AAMC
Michael Gettes, Georgetown
Keith Hazelton, UW-Madison
Tamara O'Brien, UW-Madison
Bill Gordon, U. Cincinnati
Steve Olshansky, Internet2
Jeanette Fielden, Internet2

*Scenarios Discussion*

There are two sets of scenarios that have been distributed: Dave’s scenarios, which were distributed last week, and a set Jere Retzer created last year, which predates the creation of Shibboleth and focuses on PKI architecture. There was discussion of how the scenarios could be reframed utilizing Shibboleth, and of the challenges in disclosing certain information under various circumstances, such as patient names, insurance data, etc.

The scenario discussed has an Institution A and a Hospital B, where a doctor from Institution A has privileges at B: a network account, access to the records system, etc. A more generalized case would be where a certain group at A is authorized at B for a set class of privileges. Issues include how to extend fuller medical record access in an emergency critical care situation. An additional consideration is that while a credential is portable, the authentication mechanism might not be, for example, biometric authentication. Issues might be addressed by binding the user to the authentication site so their actual physical location is irrelevant. Consensus was reached that this scenario could be modified to consider such factors.

It was decided to take the scenarios from Jere’s document that cover pertinent issues and critical factors and incorporate them into a single document using the format agreed upon, which has proven useful in other working groups. One goal is to demonstrate the capability to support role-based access control, since many consider it a needed factor in implementing the Health Insurance Portability and Accountability Act (HIPAA).

There was discussion at length over which access and resource issues belong in medical middleware and which are more logically left at the application layer. Issues include items such as access to printers, system folders or other networked resources. It was agreed that it would be helpful to include an introduction to the scenarios that makes it clear that gaining access to network resources is an authorization issue relating to applications and to contractual agreements between participants.

The next calls will continue to focus on refining the scenarios; that work will also take place on the list in the interim.