FHIR Data Segmentation for Privacy
0.2.0 - 2021May Ballot

This page is part of the FHIR Data Segmentation for Privacy (v0.2.0: STU 1 Ballot 2) based on FHIR R4. For a full list of available versions, see the Directory of published versions.

Glossary

These definitions are based on the glossary of the HL7 Healthcare Privacy and Security Classification System (HCS), Release 1, Volume 1.

Access (Security) Level The combination of a hierarchical security classification and a security category that represents the sensitivity of an object or the security clearance of an individual [ISO 2382-8].

A level associated with an individual who may be accessing information (for example, a clearance level) or with the information which may be accessed (for example, a classification level) [HIPAA Security Glossary].

Access Control Decision Information (ADI) The portion (possibly all) of the ACI made available to the ADF in making a particular access control decision [ISO 10181-3/ITU X.812].

Access Control Information (ACI) Any information used for access control purposes, including contextual information [ISO 10181-3].

Classification Confidential protection of data elements by segmentation into restricted and specifically controlled categories set by policies [Adapted from ASTM E-1986].

Clearance Initiator-bound access control information (ACI) that can be compared with security labels of targets [ISO 10181-3/ITU X.812].

Permission granted to an individual to access data or information at or below a particular security level [ISO/IEC 2382-8:1998].

Clinical attribute Any clinical characteristic that binds a health care relevant parameter to a clinical element by a rule. Parameters may include authorship, category of information, terminological characteristics, history of permutations, integrity and provenance, as well as the relationship to and inclusive of associated clinical facts necessary to provide context essential for applying security labels. (PCAST discusses attributes that provide context to clinical data elements such as patient demographics).

Clinical Attribute Set The complete collection of parameters that in total describe the relevant characteristics of a clinical fact. These include clinical attributes, security labels and provenance; for example, the patient’s name and birthdate, diagnosis code, the applicable privacy rules and policies (including any patient’s pre-consented privacy choices), security label classification and sensitivity codes, and the data source (provider).

Clinical Element A clinical object that has been disaggregated into the smallest possible data element suitable for use in a healthcare context. (PCAST p. 70 description of clinical elements as the smallest clinical data units that make sense to exchange and aggregate.)

Clinical Fact A healthcare data IT resource comprised of a clinical element associated or “tagged” with at least one clinical attribute such as a clinical information category, patient information, and provenance. A clinical fact is a type of “tagged data element.” (PCAST p. 89 “Tagged data element: Data accompanied by metadata describing the data.”).

Clinical Rule A computational algorithm used for assigning a clinical attribute to a clinical element.

Compartment A security label tag that “segments” an IT resource by indicating that access and use is restricted to members of a defined community or project. A set of categories in a security label [Sandhu].

Compartment-Based Policies In a compartment-based policy, sets of targets are associated with a named security compartment or category, which isolates them from other targets. Users need to be given a distinct clearance for a compartment to be able to access targets in the compartment [Ford; chapter 6, p.155].

Compartmentalization A division of data into isolated blocks with separate security controls for the purpose of reducing risk [ISO 7498-2]. For example, the division of data in a major project into blocks corresponding to sub-projects, each with its own security protection, in order to limit exposure of the overall project.

Confidentiality Privacy metadata classifying an IT resource (data, information object, service, or system capability) according to its level of sensitivity, which is based on an analysis of applicable privacy policies and the risk of financial, reputational, or other harm to an individual or entity that could result if made available or disclosed to unauthorized individuals, entities, or processes.

Usage Notes: Confidentiality codes are used in security labels and privacy markings to classify IT resources based on sensitivity to indicate the custodian or receiver obligation to ensure that the protected resource is not made available or redisclosed to individuals, entities, or processes (security principals) per applicable policies. Confidentiality codes are also used in the clearances of initiators requesting access to protected resources.

Definition aligns with ISO 7498-2: Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. (HL7 Confidentiality code system 2.16.840.1.113883.5.25 and value set 2.16.840.1.113883.1.11.10228).

Controlled Unclassified Information (CUI) CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see definition above) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

Data Segmentation Process of sequestering from capture, access or view certain data elements that are perceived by a legal entity, institution, organization or individual as being undesirable to share [GWU].

Healthcare Privacy and Security Classification System (HCS) A defined scheme for the classification and handling of health care and healthcare related information.

IT Resource Any data, information object, operation, process, service, or system capability. An IT resource that is assigned a security label is sometimes referred to as a “security object”. An IT resource that is represented as a requested security object of an initiator’s access request is sometimes referred to as a “target”.

Named Tag Set Field containing a Tag Set Name and its associated set of security tags [NIST FIPS PUB 188].

Privacy Mark Human readable security labels, which are rendered in the graphic user interface on accessed electronic information, are called privacy marks. The act of enabling the rendering of a privacy mark is called “privacy marking.”

If present, the privacy-mark is not used for access control. The content of the privacy-mark may be defined by the security policy in force (identified by the security-policy-identifier) which may define a list of values to be used. Alternately, the value may be determined by the originator of the security-label [ISO 22600-3 Section A.3.4.3].

Provenance The history of the ownership of an object, especially when documented or authenticated. For example, references to a type of equipment, standard clinical procedure, attestable content author, data source, provider or other clinical facts [PCAST].

Information about entities, activities, and people involved in producing a piece of data or thing, which can be used to form assessments about its quality, reliability or trustworthiness [W3C PROV-Overview].

Provenance of a resource is a record that describes entities and processes involved in producing and delivering or otherwise influencing that resource. Provenance provides a critical foundation for assessing authenticity, enabling trust, and allowing reproducibility. Provenance assertions are a form of contextual metadata and can themselves become important records with their own provenance [W3C Provenance XG Final Report].

Data provenance is information that helps determine the derivation history of a data product, starting from its original sources. Data product or dataset refers to data in any form, such as files, tables, and virtual collections. Two important features of the provenance of a data product are the ancestral data products from which this data product evolved, and the process of transformation of these ancestral data product(s), potentially through workflows, that helped derive this data product [Simmhan].

The information that documents the history of the Content Information. This information tells the origin or source of the Content Information, any changes that may have taken place since it was originated, and who has had custody of it since it was originated. The archive is responsible for creating and preserving Provenance Information from the point of Ingest; however, earlier Provenance Information should be provided by the Producer. Provenance Information adds to the evidence to support Authenticity [ISO 14721].

Security Attribute A security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bit map, or numbers. Compartments, caveats, and release markings are examples of security attributes [NIST FIPS PUB 188].

Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target [XACML].

Security Category A non-hierarchical grouping of sensitive information used to control access to data more finely than with hierarchical security classification alone [ISO 2382-8].

The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals [FIPS].

If present, the security categories provide further granularity for the sensitivity of the message. The security policy in force is used to indicate the syntaxes that are allowed to be present in the security-categories. Alternately, the security-categories and their values may be defined by bilateral agreement [ISO 22600-3 Section A.3.4.3].

Security Classification The determination of which specific degree of protection against access the data or information requires, together with a designation of that degree of protection; for example, “Top Secret”, “Secret”, “Confidential” [ISO 2382-8].

Security Clearance See Clearance.

Security Label (In the definitions below, "security label" is defined as both a verb: “means used to associate security attributes” as in “security labeling”, and as noun: “the markings bound to a resource.” As a noun, the term is sometimes considered synonymous with “security metadata” and “security tag.” As a verb, the term is sometimes considered synonymous with “tagging.” However, security standards sometimes use the term “security label” for both the classification given to IT resources and the classification level in an initiator’s clearance. In addition, some standards use the term “marking bound to a resource” to refer to both computable security labels and the human-readable rendering of security label fields, better known as “privacy markings”).

The means used to associate a set of security attributes with a specific information object as part of the data structure for that object [ISO 10181-3/ITU X.812].

Access control information associated with the attribute values being accessed [ISO/IEC 9594-2:2008/ITU X.501].

The marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. NOTE - The marking and/or binding may be explicit or implicit [ISO 7498-2].

The means used to associate a set of security attributes with a specific information object as part of the data structure for that object [NIST SP 800-53].

Security labels may be used to associate security-relevant information with attributes within the Directory. Security labels may be assigned to an attribute value in line with the security policy in force for that attribute. The security policy may also define how security labels are to be used to enforce that security policy. A security label comprises a set of elements optionally including a security policy identifier, a security classification, a privacy mark, and a set of security categories. The security label is bound to the attribute value using a digital signature or other integrity mechanism [ISO/IEC 9594-2:2008/ITU X.501].

Sensitivity labels are security labels which support data confidentiality models, like the Bell and LaPadula model. The sensitivity label tells the amount of damage that will result from the disclosure of the data and also indicates which measures the data requires for protection from disclosure. The amount of damage that results from unauthorized disclosure depends on who obtains the data; the sensitivity label should reflect the worst case [IETF RFC 1457].

A security label, sometimes referred to as a confidentiality label, is a structured representation of the sensitivity of a piece of information. A security label is used in conjunction with a clearance, a structured representation of what information sensitivities a person (or other entity) is authorized to access and a security policy to control access to each piece of information [XMPP Core].

A security label is a type of PCAST metadata tag defined as information that characterizes data, such as contextual information.

Security (Labeling) Policy The definition of which classification and category values are used and how security labels are checked against clearances.
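The two entries above that describe how a label is compared with a clearance (Compartment-Based Policies, and Security (Labeling) Policy) can be shown as one check. The following Python is an added illustration, not code from the HL7 implementation guide: it reads the `meta.security` codings of a constructed FHIR resource into a label (hierarchical confidentiality code plus a set of sensitivity-category compartments) and permits access only when the clearance dominates the label in the lattice sense [Sandhu]: clearance level at or above the label level, and clearance compartments a superset of the label compartments [Ford]. The confidentiality ordering U < L < M < N < R < V is the HL7 v3 Confidentiality code system cited under Confidentiality; the terminology.hl7.org URLs are HL7's published canonical URLs; the set of recognised sensitivity codes, the worst-case rule when several confidentiality codes are present (following [IETF RFC 1457]), and the fail-closed handling of unlabeled resources or initiators are policy assumptions made for this example.

```python
"""Lattice check of a FHIR security label against a clearance.

Added illustration for the glossary; not part of the HL7 implementation guide.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# HL7 v3 Confidentiality codes, least to most sensitive
# (code system 2.16.840.1.113883.5.25, cited under "Confidentiality").
CONFIDENTIALITY_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
CONFIDENTIALITY_RANK = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}

# Sensitivity categories (compartments) are v3-ActCode codes; which codes a
# labeling policy recognises is a policy decision (assumed set for this example).
ACTCODE_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-ActCode"
KNOWN_SENSITIVITY_CODES = {"ETH", "HIV", "PSY", "SDV", "STD"}


@dataclass(frozen=True)
class Label:
    """A security label or a clearance: one hierarchical level plus compartments."""
    confidentiality: Optional[str]
    compartments: FrozenSet[str]


def label_from_resource(resource: dict) -> Label:
    """Read meta.security codings into a Label; codings this policy does not know are ignored."""
    conf = None
    comps = set()
    for coding in resource.get("meta", {}).get("security", []):
        system, code = coding.get("system"), coding.get("code")
        if system == CONFIDENTIALITY_SYSTEM and code in CONFIDENTIALITY_RANK:
            # Several confidentiality codes present: keep the most sensitive
            # (worst case, as RFC 1457 asks of sensitivity labels).
            if conf is None or CONFIDENTIALITY_RANK[code] > CONFIDENTIALITY_RANK[conf]:
                conf = code
        elif system == ACTCODE_SYSTEM and code in KNOWN_SENSITIVITY_CODES:
            comps.add(code)
    return Label(conf, frozenset(comps))


def dominates(clearance: Label, label: Label) -> bool:
    """Lattice dominance: level >= level AND compartments are a superset."""
    if label.confidentiality is None or clearance.confidentiality is None:
        # Assumption: fail closed on an unlabeled resource or an unlabeled initiator.
        return False
    return (
        CONFIDENTIALITY_RANK[clearance.confidentiality]
        >= CONFIDENTIALITY_RANK[label.confidentiality]
        and clearance.compartments >= label.compartments
    )


def decide(clearance: Label, resource: dict) -> str:
    """Access decision for one resource under one clearance."""
    return "PERMIT" if dominates(clearance, label_from_resource(resource)) else "DENY"


# Constructed sample resource: restricted (R) and in the HIV sensitivity compartment.
OBSERVATION = {
    "resourceType": "Observation",
    "id": "example-hiv-test",  # constructed id
    "meta": {"security": [
        {"system": CONFIDENTIALITY_SYSTEM, "code": "R"},
        {"system": ACTCODE_SYSTEM, "code": "HIV"},
    ]},
}
# Constructed resource carrying no security label at all.
UNLABELED = {"resourceType": "Observation", "id": "example-unlabeled"}

# Constructed clearances (initiator-bound ACI) for three kinds of user.
GENERAL_CLINICIAN = Label("N", frozenset())            # normal level, no compartments
HIV_CLINIC_CLINICIAN = Label("R", frozenset({"HIV"}))  # restricted level, HIV compartment
RESTRICTED_NO_COMPARTMENT = Label("R", frozenset())    # restricted level, but not in HIV

if __name__ == "__main__":
    for name, clearance in [("general", GENERAL_CLINICIAN),
                            ("hiv-clinic", HIV_CLINIC_CLINICIAN),
                            ("restricted-only", RESTRICTED_NO_COMPARTMENT)]:
        print(f"{name}: labeled={decide(clearance, OBSERVATION)} "
              f"unlabeled={decide(clearance, UNLABELED)}")
```

Note that a clearance at the right level but without the compartment is still denied: the compartment isolates the HIV data from every initiator not explicitly cleared for it, which is exactly the segmentation the glossary's Compartment entry describes. A privacy mark, if present on the resource, would be ignored by this check, consistent with the Privacy Mark entry.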

Security Label Rule A computational algorithm used for assigning a security label to an IT resource such as a clinical fact.

Security Policy Information File (SPIF) A construct that conveys domain-specific security policy information [ISO/IEC 15816].

An XML schema, that provides a high level representation of a security labeling policy in a generic and open fashion [Open XML SPIF].

Security Tag Information unit containing a representation of certain security-related information (e.g., a restrictive attribute bit map) [NIST FIPS PUB 188].

Segmentation The process of sequestering from capture, access or view certain data elements or “datatypes” (clinical information categories) that are perceived by a legal entity, institution, organization, or individual as being undesirable to share.

Sensitivity The characteristic of a resource which implies its value or importance and may include its vulnerability [ISO/IEC 7498-2].

Sensitivity Label Security labels which support data confidentiality models, like the Bell and LaPadula model. The sensitivity label tells the amount of damage that will result from the disclosure of the data and also indicates which measures the data requires for protection from disclosure. The amount of damage that results from unauthorized disclosure depends on who obtains the data; the sensitivity label should reflect the worst case [IETF RFC 1457].

Share with Protections Share with Protections is an information exchange paradigm that describes an environment of continuous end-to-end protection and trust for information shared by senders, thereafter received, retained and used by receivers, and backed by healthcare systems using automation. Core features include:

  • Senders attach standards-based security labels to information indicating its relative sensitivity for sharing with trusted recipients and any handling instructions,
  • Recipients honor, retain, and enforce senders’ labels by managing policy-driven access to information based on machine-computable sensitivity rules, “need to know,” and application of least privilege and segregation of duties within their own workforce, and
  • Patient safety enabled through Emergency Access, utilizing Clinical Decision Support, and clinician break-glass priorities.

Share with Protections recommends standard Role- or Attribute-based access control (RBAC/ABAC) services for information classification and user clearances as a best approach to protecting an organization’s healthcare mission, patient privacy and to optimize clinician support. See the Share with Protections White Paper Project.

Tag Set Name Numeric identifier associated with a set of security tags [NIST FIPS PUB 188].

Target A target is an IT resource subject to access control [Ford].

Target Label See Security Label.

Trust Contract Sets of rules followed by the parties involved for achieving interoperability [ISO 22600-2].

Trust Framework Policy that rules the behavior of a system. The Trust Framework facilitates trustworthy co-operation between domains by defining a common set of security and privacy policies that applies to all collaborating entities, derived from the relevant domain-specific policies across all of those policy domains [ISO 22600-2].

Trustmark Trustmarks are a visual indication that a service provider is compliant with a federation’s requirements. Trustmarks comprise a very specific subset of compliance marks. In addition to being electronically verifiable, these logos or seals are backed by rigorous third-party validation, assessment, or auditing. Certification of conformance and associated trustmarks may be issued by the assessor, the federation, or a separate certifying body on behalf of the federation. The key point is that certification trustmarks result from independent third-party assessments and both the assessing and the certifying organizations stand behind the certifications with their own brand name and reputation. Therefore, trustmarks serve as a reliable and high assurance means to convey compliance with federation rules [NISTIR 8149].

References:

  • [GWU] Melissa M. Goldstein, JD, et al., Data Segmentation in Electronic Health Information Exchange: Policy Considerations and Analysis, George Washington University Medical Center, September 29, 2010.
  • [Ford] Warwick Ford, Computer Communications Security, Prentice Hall, ISBN 0-13-799453-2, 1994.
  • [Sandhu] Ravi S. Sandhu, “Lattice-based access control models”, IEEE Computer 26 (11): 9–19, 1993. doi:10.1109/2.241422
  • [Simmhan] Yogesh L. Simmhan et al., A survey of data provenance in e-science, ACM SIGMOD Record, Volume 34, Issue 3, pp. 31–36, ACM, New York, NY, USA, September 2005.