EHR Action Verbs and Security Operations
Tony Weida
HL7 May WGM
May 7, 2014
Feb 25, 2016
EHR Data Management Action Verbs
Security and Privacy Ontology (SPO) Operations
• Data Operations and Privacy Operations
• Mostly taken from earlier HL7 Security sources
• Legacy opportunities for improvement
• Consistent format (“binomial definition”)
  • Example: To [operation] is to [parent operation] where [differentiating text].
• Eliminate, tolerate or embrace ambiguity?
  • Example: Do operations like Mask and Encrypt create a new object or modify an existing object?
• Some honestly divergent intuitions about technical details
  • Example: Does masking, by definition, involve encryption?
• …
Sources of SPO Operations

| Source | Full Name of Source | Notes |
| --- | --- | --- |
| HL7 RBAC | HL7 RBAC Healthcare Permission Catalog | |
| CSP-DAM | HL7 Composite Security and Privacy Domain Analysis Model | |
| HL7 DO | HL7 v3 DataOperation vocabulary | Also from HL7 v3 RIM Act state machine. |
| HL7 OP | HL7 v3 ObligationPolicy value set | |
Table from SPO Specification (Section 7.7)

| OWL Class | OWL Description (Textual Definition) | Source |
| --- | --- | --- |
| OPERATION | To operate is to act on an object or objects. An operation is an executable image of a program, which upon invocation executes some function for the user. Within a file system, operations might include read, write, and execute. Within a database management system, operations might include append, delete, and update. | HL7 RBAC |
| DATAOPERATION | The DataOperation class categorizes operations from the perspective of their effect on object(s). | - |
| Abort | Change the status of an object representing an Act to "aborted", i.e., terminated prior to the originally intended completion. | HL7 DO |
| Activate | Change the status of an object representing an Act to "active", i.e., so it can be performed or is being performed, for the first time. (Contrast with REACTIVATE.) | HL7 DO |
| Annotate | Add commentary, explanatory notes, critical notes or similar content to an object. | HL7 RBAC |
| Anonymize | Remove any information that could result in identifying the information subject. [From ANONY concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4] | HL7 OP |
| Append | Fundamental operation in an Information System (IS) that results only in the addition of information to an object already in existence. | HL7 RBAC |
| Archive | Move (the content of) an object to long term storage. | HL7 RBAC |
| Backup | Produce another object with the same content as the original for potential recovery (i.e., create a spare copy). | HL7 RBAC |
| Cancel | Change the status of an object representing an Act to "cancelled", i.e., abandoned before activation. | HL7 DO |
| Complete | Change the status of an object representing an Act to "completed", i.e., terminated normally after all of its constituents have been performed. | HL7 DO |
| Convert | Derive another object with the same content in a different form (different data model, different representation, and/or different format). | HL7 RBAC |
| Copy | Produce another online object with the same content as the original. | HL7 RBAC |
| Create | Fundamental operation in an Information System (IS) that results only in the act of bringing an object into existence. | HL7 RBAC |
| Decrypt | Render information readable by algorithmically transforming ciphertext into plaintext. [Derived from ENCRYPT concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4] | HL7 OP |
| Deduplicate | Remove repetition/copies of data. [March 12, 2013 HL7 Security Work Group teleconference] | teleconference |
| Deidentify | Strip information of data that would allow the identification of the source of the information or the information subject. [From DEID concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4] | HL7 OP |
| Delete | Fundamental operation in an Information System (IS) that results only in the removal of information about an object from memory or storage. | HL7 RBAC |
| Derive | Make another object with content based on but different from that of an existing object. | HL7 RBAC |
| Encrypt | Render information unreadable by algorithmically transforming plaintext into ciphertext. [From ENCRYPT concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4] | HL7 OP |
| Excerpt | Derive another object which includes part but not all of the original content. | HL7 RBAC |
| Execute | Fundamental operation in an IS that results only in initiating performance of a single or set of programs (i.e., software objects). | HL7 RBAC |
| Export | Reproduce an object (or a portion thereof) so that the data leaves the control of the security subsystem. | HL7 RBAC |
| Forward | Communicate (the content of) an object to another covered entity. | HL7 RBAC |
| Hold | Change the status of an object representing an Act to "held". | HL7 DO |
| Identify | Add information to data that would allow the identification of the source of the information or the information subject. [Derived from DEID concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4] | [Deidentify] |
| Import | Reproduce data so that an object (or a portion thereof) enters the control of the security subsystem. [Derived from EXPORT operation in HL7 RBAC Healthcare Permission Catalog.] | [Export] |
| Jump | Change the status of an object representing an Act to a normal state. | HL7 DO |
| Mask | Render information unreadable and unusable by algorithmically transforming plaintext into ciphertext. User may be provided a key to decrypt per license or "shared secret". [From MASK concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4] | HL7 OP |
| Modify_status | Change the status of an object representing an Act. | HL7 DO |
| Move | Relocate (the content of) an object. | HL7 RBAC |
| Nullify | Change the status of an object representing an Act to "nullified", i.e., treat as though it never existed. | HL7 DO |
| Obsolete | Change the status of an object representing an Act to "obsolete" when it has been replaced by a new instance. | HL7 DO |
| Print | Render an object in printed form (typically hardcopy). | HL7 RBAC |
| Pseudonymize | Strip information of data that would allow the identification of the source of the information or the information subject. Custodian may retain a key to relink data necessary to reidentify the information subject. [From PSEUD concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4] | HL7 OP |
| Purge | Operation that results in the permanent, unrecoverable removal of information about an object from memory or storage (e.g., by multiple overwrites with a series of random bits). | HL7 RBAC |
| Reactivate | Change the status of a formerly active object representing an Act to "active", i.e., so it can again be performed or is being performed. (Contrast with ACTIVATE.) | HL7 DO |
| Read | Fundamental operation in an Information System (IS) that results only in the flow of information about an object to a subject. | HL7 RBAC |
| Redact | Remove information, which is not authorized to be accessed, used, or disclosed from records made available to otherwise authorized users. [From REDACT concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4] | HL7 OP |
| Reidentify | Restore information to data that would allow the identification of the source of the information or the information subject. [Derived from DEID concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4] | [Deidentify] |
| Release | Change the status of an object representing an Act so it is no longer "held", i.e., allow action to occur. | HL7 DO |
| Replace | Replace an object with another object. The replaced object becomes obsolete in the process. | HL7 RBAC |
| Reproduce | Produce another online or offline object with the same content as the original. [Use of Reproduce does not imply any form of Copy.] | HL7 RBAC |
| Restore | Produce another object with the same content as one previously backed up (i.e., recreates a readily usable copy). | HL7 RBAC |
| Resume | Change the status of a suspended object representing an Act to "active", i.e., so it can be performed or is being performed. | HL7 DO |
| Sign | Affix authentication information (i.e., an electronic signature) to an object so that its origin and integrity can be verified. | HL7 RBAC |
| Suspend | Change the status of an object representing an Act to "suspended", i.e., so it is temporarily not in service. | HL7 DO |
| Transfer | Communicate (the content of) an object to an external clearinghouse without examining the content. | HL7 RBAC |
| Translate | Derive another object in a different natural language (e.g., from English to Spanish). | HL7 RBAC |
| Update | Fundamental operation in an Information System (IS) that results only in the revision or alteration of an object. | HL7 RBAC |
| Verify | Determine whether an object has been altered and whether its signature was affixed by the claimed signer. | HL7 RBAC |
Privacy Operations
• Collect
• Access
• Use
• Disclose
EHR Actions
Derived from Table 7. Action Verbs representing the Data Management category in HL7 EHR-System Functional Model, Release 2 (February 2014)
Note: Export is deprecated in the glossary
Actions shaded in gray appear in multiple locations
[Figure: hierarchy diagram of the EHR action verbs. Verbs shown, in reading order: Manage (Data); Capture; Store; Render; Exchange; Determine; Manage-Data-Visibility; Auto-populate; Enter; Import; Receive; Archive; Backup; Encrypt; Decrypt; Recover; Restore; Save; Maintain; Deidentify; Hide; Mask; Reidentify; Unhide; Unmask; Analyze; Decide; Import; Export; Receive; Transmit; Transmit; Extract; Present; Remove; Delete; Purge; Update; Annotate; Attest; Edit; Harmonize; Integrate; Link; Tag; Untag]
EHR Actions
Security Data Operations with same names (but not identical definitions)
[Figure: the same EHR action hierarchy as on the previous slide, with the EHR actions that also appear as Security Data Operations highlighted]
Other Security Data Operations (rough guesstimate of positions)
[Figure: the EHR action hierarchy, its root labelled both Manage (Data) and DataOperation, with the remaining Security Data Operations placed at estimated positions: Derive; Convert; Excerpt; Translate; Deduplicate; Anonymize; Pseudonymize; Redact; Execute; Transfer; Move; Read; Reproduce; Copy; Sign; Append; ModifyStatus …; Create; Replace; Identify]
Highlighted security data operations are deprecated actions in EHR Glossary. Several others under ModifyStatus (not shown) are likewise deprecated. Access and Disclose (Security Privacy Operations) are also deprecated.
[Figure: the combined hierarchy from the previous slide, with the deprecated actions highlighted]
Comparison of EHR / Security Definitions
• Good news: those with the same name have reasonably compatible definitions
• So we might start with 14 cases involving active EHR actions (additional cases involve deprecated EHR actions) …
Steps to Consensus
• Agree on
  • Inclusion criteria
  • Text definitions
  • Structured description (consistent with text definitions)
  • Hierarchy
  • Further logical description (eventually)
• Consider internal consistency vs. consistency with disparate sources
• Defined work process
Annotate
• EHR: To UPDATE data by attaching comments or notes to the data without editing the data. For example, an Attending physician may ANNOTATE the information entered by the Resident physician before signing the report.
• Security: Add commentary, explanatory notes, critical notes or similar content to an object.

Archive
• EHR: To STORE data by moving the data to long-term storage media and deleting or purging data on the original online storage, according to scope of practice, organizational policy, and/or jurisdictional law. For example, the system at the Oak Street Hospital automatically ARCHIVES patient-related data that is older than eight years by encrypting and compressing it, moving it to long-term storage, purging it, identifying the data by month and year, and creating a pointer to the archived data. Another example is that a system may automatically ARCHIVE outpatient clinic schedules that are being replaced.
• Security: Move (the content of) an object to long term storage.

Backup
• EHR: To STORE data by placing a copy of the data onto an electronically-accessible device for preservation in case the original is lost, corrupted, or destroyed. For example, a system may BACK UP the incremental changes made to a patient’s record by storing it locally on a daily basis. Another example is that an administrator may BACK UP a complete copy of certain data by storing it at an offsite facility.
• Security: Produce another object with the same content as the original for potential recovery (i.e., create a spare copy).

Decrypt
• EHR: To STORE data by converting encrypted data back into its original form, so it can be understood. For example, the system may DECRYPT clinical data received from an authenticated external laboratory system.
• Security: Render information readable by algorithmically transforming ciphertext into plaintext. [Derived from ENCRYPT concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4]

Deidentify
• EHR: To MANAGE-DATA-VISIBILITY by removing identifiers from data in such a way that the risk of identifying an individual is very small under the circumstances, as specified by scope of practice, organizational policy, and/or jurisdictional law. For example, a system may DE-IDENTIFY data for a researcher who wants to perform an analysis of drug effectiveness on diabetic patients. Another example is where a hospital may DE-IDENTIFY data for a set of patients to transmit to a university professor looking for illustrative cases for educational work.
• Security: Strip information of data that would allow the identification of the source of the information or the information subject. [From DEID concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4]

Delete
• EHR: To REMOVE data by making it inaccessible to the application. For example, a user may DELETE an existing patient-appointment at the request of the patient. Note: In the case where the data becomes invalid but needs to remain in the system, the word “TAG” is preferred over the word “DELETE” or the word “Nullify”. This type of action is considered a data “Tagging” process and not a data deletion process. For example, a health information management professional may desire to TAG a certain clinical term as obsolete, but the term needs to remain in the system for backward compatibility purposes.
• Security: Fundamental operation in an Information System (IS) that results only in the removal of information about an object from memory or storage.

Encrypt
• EHR: To STORE data by transforming the data into a form that is difficult to understand by unauthorized people or systems. For example, the system may ENCRYPT sensitive information such as the patient’s financial information.
• Security: Render information unreadable by algorithmically transforming plaintext into ciphertext. [From ENCRYPT concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4]

Export
• EHR: Use RENDER instead.
• Security: Reproduce an object (or a portion thereof) so that the data leaves the control of the security subsystem.

Import
• EHR: To CAPTURE data into a local system by proactively accessing data from an external source and then downloading and integrating the data into the local system. For example, the system may IMPORT the latest drug trial data every Friday evening. Another example is that the user may IMPORT various sets of best practices related to juvenile diabetes.
• Security: Reproduce data so that an object (or a portion thereof) enters the control of the security subsystem.

Mask
• EHR: To MANAGE-DATA-VISIBILITY by obscuring (masking) specific data elements in order that this information is not available except to authorized users; viewers of the patient record can see that the data exists but cannot see actual contents. For example, the administrator may MASK the pregnancy status of all patients who are below the age of eighteen except for the obstetric unit staff. Note: the verb “unmask” is an acceptable verb to reverse the action of masking.
• Security: Render information unreadable and unusable by algorithmically transforming plaintext into ciphertext. User may be provided a key to decrypt per license or "shared secret". [From MASK concept in HL7 ActCode code system, OID: 2.16.840.1.113883.5.4]

Purge
• EHR: To REMOVE data by making it unrecoverable at the storage and/or media-level. For example, the system may PURGE the patient record for John Smith according to a rule that targets all records that are older than seven years. (Note: Destroy and Purge are synonyms; PURGE is the preferred term.)
• Security: Operation that results in the permanent, unrecoverable removal of information about an object from memory or storage (e.g., by multiple overwrites with a series of random bits).

Reidentify
• EHR: To MANAGE-DATA-VISIBILITY by combining data in such a way that the patient’s identity is re-established according to scope of practice, organizational policy, and/or jurisdictional law. For example, the system may RE-IDENTIFY de-identified data by providing a key that allows authorized users to re-establish the link between a given patient and that patient’s de-identified data.
• Security: Restore information to data that would allow the identification of the source of the information or the information subject.

Restore
• EHR: To STORE data to the production system by using previously archived data. For example, the system may RESTORE patient-encounter data for a returning patient whose data had been archived due to inactivity. Another example is that the system may RESTORE, for evidentiary support, patient data that had been archived after the patient expired. (See ARCHIVE.)
• Security: Produce another object with the same content as one previously backed up (i.e., recreates a readily usable copy).

Update
• EHR: To MAINTAIN data by annotating, editing, harmonizing, integrating, linking and tagging the data. For example, a clinician may UPDATE a patient’s medication dosage. Another example is that the system may UPDATE a patient’s record.
• Security: Fundamental operation in an Information System (IS) that results only in the revision or alteration of an object.
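As an added example, not code from the deck or from HL7, of the "structured description consistent with text definitions" and "hierarchy" steps listed under Steps to Consensus: a small Python check that parses definitions written in the deck's proposed binomial form ("To X is to Y where Z") and in the EHR-S FM form used in the comparison slides ("To PARENT data by ..."), builds the parent hierarchy, flags undefined parents and definition cycles, and lists the names shared with the SPO data operations. The definition texts are shortened, ROOTS and SPO_OPS are constructed from the deck's figure and Section 7.7 table, and the deprecated Export shows the no-parent case.

```python
"""Parse action-verb definitions in binomial ("genus-differentia") form and check that they
form a consistent hierarchy. Added example, not HL7's code; sample texts shortened from the deck."""
import re

# SPO proposal: "To X is to Y where Z".  EHR-S FM R2 form: "To PARENT data by Z".
_SPO = re.compile(r"^To (\S+) is to (\S+)(?: where)?\s*(.*)$", re.I | re.S)
_EHR = re.compile(r"^To ([A-Z][A-Z-]+)\s*(?:data)?\s*(?:by|to|into)?\s*(.*)$", re.S)

def parse_definition(name, text):
    """Return (operation, parent, differentia); parent is None when the text is in
    neither form, e.g. the deprecation notice 'Use RENDER instead.'"""
    text = text.strip()
    if m := _SPO.match(text):
        return m.group(1).lower(), m.group(2).lower(), m.group(3)
    if m := _EHR.match(text):
        return name.lower(), m.group(1).lower(), m.group(2)
    return name.lower(), None, text

def build_hierarchy(defs):
    """{operation: parent} from a {name: definition text} mapping."""
    return {op: par for op, par, _ in (parse_definition(n, t) for n, t in defs.items())}

def ancestors(tree, op):
    """Parent chain of op, stopping at an undefined parent or a repeat."""
    chain, seen, cur = [], {op}, tree.get(op)
    while cur and cur not in seen:
        chain.append(cur); seen.add(cur); cur = tree.get(cur)
    return chain

def check_hierarchy(tree, roots):
    """Flag parents that are neither defined nor declared roots, and cycles."""
    problems = []
    for op, parent in tree.items():
        if parent and parent not in tree and parent not in roots:
            problems.append(f"{op}: parent {parent!r} is undefined")
        seen, cur = set(), op
        while cur in tree and cur not in seen:
            seen.add(cur); cur = tree[cur]
        if cur in seen:  # walked back onto an operation already visited
            problems.append(f"{op}: definition cycle through {cur!r}")
    return problems

def shared_names(ehr_defs, spo_ops):
    """EHR actions that also exist as SPO data operations (name match only)."""
    return sorted({n.lower() for n in ehr_defs} & {o.lower() for o in spo_ops})
EHR_DEFS = {  # constructed sample: some of the deck's EHR-S FM definitions, shortened
    "Annotate": "To UPDATE data by attaching comments or notes to the data.",
    "Archive": "To STORE data by moving the data to long-term storage media.",
    "Deidentify": "To MANAGE-DATA-VISIBILITY by removing identifiers from data.",
    "Delete": "To REMOVE data by making it inaccessible to the application.",
    "Export": "Use RENDER instead.",  # deprecated in the EHR glossary: no parent
    "Import": "To CAPTURE data into a local system by accessing an external source.",
    "Update": "To MAINTAIN data by annotating, editing, linking and tagging the data.",
}
# Category verbs from the deck's hierarchy figure that have no quoted definition here.
ROOTS = {"capture", "store", "maintain", "remove", "manage-data-visibility"}
SPO_OPS = ["Annotate", "Archive", "Backup", "Deidentify", "Delete", "Export",  # Section 7.7 names
           "Import", "Update", "Anonymize", "Pseudonymize", "Redact", "Read", "Sign"]
if __name__ == "__main__":
    tree = build_hierarchy(EHR_DEFS)
    print(ancestors(tree, "annotate"), check_hierarchy(tree, ROOTS), shared_names(EHR_DEFS, SPO_OPS))
```

Feeding the full set of definitions from both vocabularies through check_hierarchy is one way to surface the undefined parents and divergent placements the consensus steps call out.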
Discussion