For the CDW Risk Management
research project
Health Informatics research
group
Department of Biology
Faculty of Medicine
By
MarcAndré Léger, MscA (MIS)
Directed by Dr
Friday, March 17, 2006
An Electronic Health Record (EHR) is defined as a
repository of information regarding the health of a subject of care in computer
processable form, stored and transmitted securely, and accessible by multiple
authorised users [ISO-20514] [Ledbetter, 2001] [ Bakker, 2004] [ Schloeffel,
2002] [ Rector,1991] [Infoway, 2003]. The emerging importance of the EHR as
well as increase in the informatisation of other health system activities
including administration and research is progressively providing the access to
large quantities of data concerning patients, health care delivery and
biomedical research [Anderson, 2000] [Safran, 2000][MAL1] [Sujansky, 2001[a2] ]
[Takeda, 2000] [Zviran, 1998]. Electronic patient records are increasingly
using multimedia format, and they are being aggregated into clinical data
repositories and warehouses by many medical centers [Humpreys, 2000].
Data warehousing is a collection of decision support
technologies, aimed at enabling the knowledge worker (executive, manager and
analyst) to make better and faster decisions [Chaudhuri, 1997]. Data warehouses
contain data consolidated from several operational databases and tend to be
orders of magnitude larger than operational databases, often hundreds of
gigabytes to terabytes in size. Typically, the data warehouse is maintained
separately from the organization’s operational databases because analytical
applications’ functional and performance requirements are quite different from
those of operational databases. Data warehouses exist principally for decision
support applications and provide the historical, summarized, and consolidated
data more appropriate for analysis than detailed, individual records
[Chaudhuri, 2001].
A Clinical Datawarehouse or CDW is an information
system that functions as a repository (warehouse) of health data, from
different sources including the EHR, which together reflect the business
processes of a healthcare organisation, or of several linked organisations, for
example within a regional healthcare organisation[Ledbetter, 2001]. The
Clinical Datawarehouse (CDW) can be regarded as conceptually distinct from the
repository that is part of an operational EHR. The HER data, made accessible through a single portal, becomes a[a3] [MAL4] CDW.
Data warehousing offers the health care industry an
opportunity to accumulate and assimilate information from numerous data feeds
(e.g., laboratory, pharmacy, radiology, finance, etc.) and make it available
for decision-making [Miller, 2002][Berndt, 2003]. A CDW can contain information
and knowledge that can significantly improve patient care, help reduce medical
errors, enhance quality measures, improved clinical research and increase
organisational efficiency [Sujansky, 2001] [CIHR, 2002] [AAMC, 2002] [
Wismiewski, 2003] [Ledbetter, 2001] [Puhr, 2003] [Miller, 2002] [Bates, 1999]
[Hatcher, 1998] [Marsh, 1998] [Summers, 1996].Clinical datawarehouses have demonstrated
important benefits to the various stakeholder groups[a5] [Pedersen, 1998] [Kachur, 2000] [HIMMS, 2000] [Schubart,
2000] [Watson, 2003] [Einbinder, 2001] [Snee, 2004].
Some of the benefits of implementing a CDW in a
healthcare organisation are [Kerkri, 2001][Miller,
2002][Puhr, 2003]:
From our
preliminary analysis, we believe the stakeholders groups are composed of the
following stakeholder categories (See Annex B for a detailed list with the
source references):
Risk is defined the combination of the probability of
an [MAL6]event and its consequence [Burt, 2001] [Berryman,
2002] [ISO, 2002] [Hillson, 2003]. Risk should be viewed as a natural
occurrence, a force that results from the pressures of the environment [Novosyolov, 2002] [Damodaran, 2001] [
There are many different types, or categories, of risk
such as: financial risks [Glaessner, 2002], environmental risks [Shortreed, 2003], operational risks, and insurance risks[a7] [
Risk = threat x likelihood
x impact
mitigation
Risk can be defined in the mathematical fashion by a
simple equation [Novosyolov,
2002]. While risk is directly
proportional to the likelihood of their realization of a threat and is directly
proportional to the impact, it is inversely proportional to risk mitigation
measures that are implemented[a9] .[MAL10] In[a11] information
systems, risk is generally perceived in relation to requirements, or
expectations, of confidentiality, integrity, availability, non repudiation and
access controls, what we refer to as the attributes of risk.
While several theories have been developed in the past
[Edwards, 1996][Laibson, 1998], particularly in relation to gains and financial
investments, there is no single representation of risk that can apply to all
situations. The prominent risk theory at this time, Prospect Theory [Kahneman,
1979], depicts decision makers underweigh probable outcomes in comparison to perceived
certainties, demonstrate risk aversion in situation where the expected outcome is
a financial gain, and demonstrate risk seeking behaviours in situations where
the expected outcome is a financial losses [Edwards, 1996] [Chateauneuf, 1999] [Lloyd,
2003] [Kahneman, 1979] [Olsen, 1997]. Thus, in a risk assessment senario where
the expected outcome has no or little financial losses, such as is the case in loss
of privacy in general, the risk tends to be underweighted.
Total risk is composed the individual risks and
categories of risks that exist within the organization [Léger, 2004]. We can look at risk from an organizational
point of view but also in relation to an activity, an information system or a business
process. We can also look at risk in
relation to data managed and used within an organization. Whatever way we choose to look at it, the
existing risk is the sums of the various risks that are present. Each
individual risk requires the presence of a threat or of several threats that have
some probability to materialize and have a negative effect in relation to the
expected outcome. When considering that CDW are complex, expensive and timely
to implement [Kerkri, 2001], it would infer that there is potential for risk.
Risk in informations systems is generally perceived in
relation to attributes. proposes the attributes of confidentiality, integrity
and availability, aswell other attributes such as authenticity, accountability,
non-repudiation and reliability may also be involved [ISO 17799]. [Zhou, 1999]
proposes confidentiality, integrity, availability, non repudiation and
authentification. We present here some definitions.
Confidentiality is the property that information is
not made available or disclosed to unauthorized individuals, entities, or
processes.[2] Confidentiality exists
when information is communicated in the context of a special relationship (such
as doctor-patient, lawyer-client, etc.) where the information is intended to be
held in confidence or kept secret [CIHR, 2002]. It is an ethical concept that
regulates communication of information between individuals [Roger, 1998]. The status
of confidential is accorded to data or information indicating that it is
sensitive for some reason, and therefore it needs to be protected against
theft, disclosure, or improper use, or both, and must be disseminated only to
authorized individuals or organizations with a need to know.’[3]Individuals have a right to
the privacy and confidentiality of their health information [Buckovich, 1999].
Confidentiality is at the heart of medical practice
and is essential for maintaining trust and integrity in the patient-physician
relationship. Knowing that their privacy will be respected gives patients the
freedom to share sensitive personal information with their physician [WMA,
2002]. The Declaration of Geneva, that requires physicians to "preserve
absolute confidentiality on all he knows about his patient even after the
patient has died" [WMA, 2002].
Confidentiality is a managerial responsibility: it
concerns the problems of how to manage data by rules that are satisfactory to
both the managers of data banks and the persons about whom the data pertain
[Thompson, 2001]. The enforcement of classification-clearance matching is
mandated by directives and regulations: an individual may not exercise his own
judgement to violate it [
Integrity is the property of safeguarding the accuracy
and completeness of assets [ISO 13335-1]. Integrity is a property determined by
approuved modification of information [
Individuals have the right to the integrity of their
health information. Entities and/or persons that create, maintain, use,
transmit, collect, or disseminate individual health information shall be
responsible for ensuring this integrity [Buckovich, 1999].
Continuity of care might imply a complete
communication of medical data, respecting its integrity and its availability
[Roger, 1998]. For example, in a picture archiving and communication system
(PACS), the data integrity is essential for passing the correct information to
the doctor [Tsong, 2003].
Outside of signing checksums on large fields (such as
medical images), integrity can only be partially guaranteed by authenticating
the individual at the source site responsible for transferring the information,
and trusting the individual to verify the data [Cody, 2003].
Data integrity includes minimization of data
redundancy, improvement of data maintenance, and elimination of multiple
versions of data [Candler, 1999].
In addition to malicious threats, the threats that
come from software, hardware, or network failure, or the threats that come from
simple human error can affect the integrity of an information system [Cody,
2003].
Availability is the property of being accessible and
usasable upon demand by an authorized entity (ISO 7498-2:1989).
The availability of intelligently integrated and
verified, operational information could have a profound effect on
decisionmaking in a wide range of contexts [Brender, 1999]. Health research,
particularly in the areas of health services and policy, population and public
health, critically depends on the ready availability of existing data about people
[CIHR, 2002].
Non-repudiation refers to the ability to prove an
action or event has taken place, so that this event or action cannot be
repudiated later.[4]
[ISO13888-1] identifies the following non repudiation
services:
Non-repudiation technologies, such as digital
signatures, are used to insure that a person performing an action cannot
subsequently deny performing that action. This is useful for digital contracts,
statements and anywhere else that a signature would be used in the physical
world. Digital signatures are commonly used for non-repudiation, and are
normally based on PKI, which uses asymmetric cyphers [Helvey, 2004].
Digital signature safeguards can provide protection to
enable non-repudiation [ISO 13335-2].
Cryptographic techniques (e.g. based on the use of
digital signatures) can be used to prove or otherwise the sending,
transmission, submission, delivery, receipt notification, etc. of messages,
communications and transactions [ISO 13335-2].
Access control technologies are used to protect
information by restricting access to information or operations, according to
the identity of the accessor. Common mechanisms for access control are
discretionary (DAC), mandatory (MAC), and role-based (RBAC). DAC is based on
the identity or group membership of the user, and allows the user to specify
which other users may access the information. MAC is common in secure operating
systems, and uses labels and access control lists to protect information. RBAC
allows access control policies to be defined according to the user’s role in an
organization, such as administrator, supervisor, researcher, and so on [Helvey,
2004].
Health care organisations have knowingly compromised
information security through less than satisfactory access controls simply in
order to encourage all staff to use the computer systems. Once such compromise
has been adopted, it is subsequently very difficult to convince users of the
need to strengthen access control..Once appropriate access control and auditing
is installed, staff scepticism soon turns to acceptance as they come to realise
their importance and benefit [Gaunt, 2000].
In a HIPAA mandated PACS environment, from an
application point of view, there should be a log mechanism to keep track the
access information such as [CAO, 2003]:
The model for authorisation and access control in
distributed health information systems has to deal with policy description and
negotiation including policy agreements, authentication, certification, and
directory services but also audit trails, altogether forming the privilege
management infrastructure [Blobel, 2004].
Technology can help ensure the granting and
restriction of access to those users with legitimate needs, by means of
passwords, access codes, and other identifying mechanisms [Buckovich, 1999].
The right to privacy entitles people to exercise
control over the use and disclosure of information about them as individuals.
The privacy of a patient's personal health information is secured by the
physician's duty of confidentiality [WMA, 2002].
Privacy is a social, cultural and legal concept, all
three aspects of which vary from country to country [Thompson, 2001]. While
security of personal data may be instrumental for this purpose, ‘data security
is a very different thing from privacy’.[5]
Privacy: ‘‘The
right of individuals to be left alone and to be protected against physical or
psychological invasion or the misuse of their property. It includes freedom
from intrusion or observation into one’s private affairs, the right to maintain
control over certain personal information, and the freedom to act without
outside interference.’’[6]
Information
privacy can be thought of as a set of controls placed upon organizations over
the uses of personal information in their custody and control, and the rights
conferred upon individuals over their personal information. What becomes clear
in mapping out these security and privacy elements is that some of the
components of privacy protection can be addressed by security safeguards, while
others cannot. Some security functions may actually hinder or even threaten
necessary privacy protection. Some privacy measures may weaken or threaten
justified security measures.Hence the security–privacy paradox [Cavoukian,
2003].
The Declaration
of Helsinki states: "It is the duty of the physician in medical research
to protect the life, health, privacy, and dignity of the human subject"
[WMA, 2002].
A recurring idea
is that a research database of patient data can and should be ‘‘scrubbed’’ of
personal identifying information, and thereafter the ‘‘clean’’ database can be made
available for research on a less restricted basis.
[Behlen, 1999]
argues that such complete scrubbing is not feasible, and even if it were
feasible, it would not be appropriate ethically. A troublesome requirement for
exemption is that of ‘‘throwing away the key’’ that links data to a patient. This
requirement presents some practical, scientific, and ethical problems:
Quality of data
is crucial to privacy protection. Security is necessary, but far from
sufficient, to ensure privacy. Computer scientists and others often take
‘privacy’ to mean (only) ‘data security’ against risks of unauthorized access,
physical damage to databases or transmissions, and the like. However, it is no
comfort to a privacy-aware individual to be told that inaccurate, outdated,
excessive and irrelevant data about her are encrypted and stored behind
hacker-proof firewalls until put to use by (say) a credit-granting organization
in making decisions about her [Raab, 2004]. Following intense scrutiny in some research
projects, it may be necessary to conduct an independent reanalysis of the data
and results to confirm the quality of the original data [Shortreed, 2003].
Privacy of
information collected during health care processes is necessary because of
significant economic, psychologic, and social harm that can come to individuals
when personal health information is disclosed [Barrows, 1996].
Privacy and
confidentiality of the patient record has attracted extensive debate and
analysis, including discussion of research. Although policy issues regarding
research access to public health databases have been analyzed in detail, less
attention has been paid to the problem of how to oversee and administer, within
the framework of applicable public policy, multicenter research using privately
held patient records. In addition to public policy, the policies of each
participating institution must be considered [Behlen, 1999].
The relationship between health care provider and
patient is one characterized by intimacy and trust, and confidentiality is
embedded at least implicitly in patient-provider interactions. The notion of
confidentiality in health care has a strong professional tradition that has
suffered progressive erosion due to thirdparty reimbursement schemes, managed
care and other health care organizational structures, and the perceptions and
culture of professionals within modem health care systems. One third of medical
professionals have indicated that information is given to unauthorized people
“somewhat often”. [Barrows, 1996]
Clinical research must be done in the utmost respect
of ethical concerns [Beecher, 1966].The rights to privacy and confidentiality
are intimately connected with the right to respect for one’s dignity, integrity
and autonomy are constitutionally enshrined in the Canadian Charter of Rights
and Freedoms and Quebec’s Charter of Human Rights and Freedoms [CIHR, 2002].
Privacy and confidentiality lie at the root of international and national ethics
guidelines, as well as professional codes of deontology [CIHR, 2002] [CIHR,
2004]. They are the principal drivers of the requirement for adequate treatment
of risk in healthcare organisations [Senate, 2002]. Legal uncertainty also
makes it difficult for consumers to be aware of and understand their privacy
and confidentiality rights [Buckovich, 1999].
The core principles at the heart of Canadian privacy
legislation form the basis of the Canadian Standards Association [CSA, 2003]
Model Code for the Protection of Personal Information are [CIHR, 2004], this
with [WMA, 1994] [WMA, 1995] [WMA, 2002] [Buckovich, 1999] [CIHR, 2004],
identifies the following areas of risk that need to addressed in a CDW:
This is in accord with the requirements of the
declarations of
Challenge: The selection and categorization of the different areas of risk that comprise the overall risk and areas of threats that should be considered in the implementation and use of a clinical data warehouse. |
This would be a significant improvement when compared
to the commonly used approaches that are mainly concerned with confidentiality,
integrity and availability. This would
also be better suited to the identified requirements that we have found in
literature.
If we put this in the form of a table, the
requirements could be represented as:
Risk Requirement category Stakeholder category | Confidentiality | Integrity | Availability | Privacy | Policies | Openness | Safeguards | Documentation and training |
Patients | 1, 14, 35, 54, 57, 58, 60 | 7, 47, 66 | 2, 3, 4, 8 | 1b, 5, 6, 9, 11, 38, 39 | 14, 29, 30, 35, 36, 37 | 24, 50 | 49 | |
Data users | 53, | 7b, 64, 65, 69, 70 | 72 | 13 | 40, 43 | 17, 18, 19, 35 | 19, 24, 42, 44, 45, 75, 76, 77, 78, 79, 80, 81, 82, 84 | 25, 48 |
Healthcare organisations | 14, 33, 54, 56, 60, 61 | 7b, 66 | 9, 10, 12, 13 | 26, 40, 61 | 14, 15, 16, 17, 18, 29 | 24, 50, 87 | 25, 48, 51 | |
Healthcare professionals | 32, 58, 59, 62 | 46 | 73 | 9, 59 | 33 | 31, 33 | 32 | 25 |
Professional associations | 13 | 52 | 25 | |||||
Healthcare industry | 13 | 26 | 15, 16 | |||||
Insurers | 13, 20 | 26 | 15, 18, | |||||
Government | 13 | 26 | 15, 16, 18, 22, 29 | 28, 50 | 48 | |||
NGOs and Community groups | 13 | 26 | ||||||
Educational | 74 | 13 | 41 | 17 | ||||
IT staff | 34, 56, 60, 61, 63 | 7b, 66, 69, 71 | 10 | 26, 40, 61 | 35 | 19, 23, 24, 27, 34, 83, 85, 86, 88, 89, 90 | 25, 48 | |
IT industry | 15 | |||||||
Other | 21 |
The requirements presented in this table were
identified in our literature review a complete list of the requirements with
the references are presented in Annex a.
Challenge: further work could identify additional requirements that have been missed, further analysis may be needed. As well the list of stakeholders and the categorization of stakeholder groups requires validation. |
Organizations need to identify the predictable
[Watkins, 2003] to perform optimaly, with regularity, over time. They need to
manage risk. Fundamentally, risk management encompasses three processes:
recognition of threats, priorization and mobilization of ressources (RPM
processes)[Watkins, 2003]. Formal methods as the most successful way to
implement change in IS[Clarke, 1996], this supports [Landwehr , 1981], that
formal risk management methods are the best course of actions for
organisations. Managing risks in information system is paramount to accurate
financial reporting and the provision of timely and relevant information
required in organisations for optimal decision-making [Stoneburner, 2002].
The use of an abstract security model is necessary,
without adequate models it is not possible to design secure systems [
The four possible treatments of risk are [BS-7799-2]
[ISO 13335-2]:
Transfer risk e.g. purchase insurance or outsource | Avoid risk e.g. choose not to proceed or implement |
Accept risk e.g. decide that the level of risk identified is within the tolerence capabilities of an organisation | Mitigate risk e.g. implement technical risk mitigation controls, such as a firewall |
Figure 1: Risk treatment options
For example, [ISO17799] does not define exact
requirements for how to proceed, it requires an organization to put in place a
formal process to identify, quantify and prioritize risks against criterias and
objectives relevant to the organization. This implies that an organization must
first define what these criteria and objectives are, expressed in relation to
the seven attributes of risk (confidentiality, integrity, availability, non
repudiation, control of the origins of data, controls of the origin of user
access and access controls). Once these
objectives have been identified, the organisation can determine the presence of
a threat or of several threats (recognition of threats) that have some
probability to materialize.
The likelihood that a threat may materialize and the
significance of the impact taken together, should help the organisation
priorizatize its risk treatment options, as identified in figure 1, and
mobilize resources as required. [BS-7799-2] [ISO 13335-2] [Alberts, 1999][Clusif, 2000][Senate of
[ISO17799] and [BS 7799-2] require that the results of
risk assessment processes guide the organization and help it determine
appropriate actions and priorities. It
requires organizations to put in place management controls to ensure that risks
are mitigated to an acceptable level taking into account:
A risk management framework is a description of an
organizational specific set of functional activities and associated definitions
that define the risk management system in an organization and the relationship
to the risk management organizational system, it defines the processes and the
order and timing of processes that will be used to manage risks [Shortreed,
2003]. The integration of an on-going RPM
processes, with the addition of tools and accelerators, comprise what we define
as a Risk Management Framework (RMF). To provide the complete requirements, we
shoul to consider the elements included in the above list to the requirements
presented in the combined requirements table, presented on pages 15-16. RMF’s,
such as COBIT [COSO, 2003] or ISMS [BS-7799-2], implement some form of
continuous quality improvement model based on the Demming PDCA (or PDSA) model
and include management guidelines, a management system, some form of risk
assessment process and tools [Fulford, 2003]. Many of these have been used in
healthcare [Collmann, 2003][Janczewski, 2002] [Tsong, 2003][Léger, 2004].
According to [Barrows, 1996], the goals of information
security in healthcare are:
Risk management of Healthcare Information Systems
(HIS), such as a CDW, is generally a subset of information system risk
management [Watson, 2004]. Past research we have performed [Léger, 2003] in the
Québec healthcare system indicates that the same risk management techniques are
used. Current standards initiatives [ISO 27799] are promoting the adaptation of
existing standards [ISO 17799] to be used in healthcare internationally. We are
also aware of the same risk management standards [BS 7799-2][ISO 17799] being
used in[a16] [MAL17] healthcare [Toyoda, 1998].
The requirements for risk management in HIS or CDW are
different that those of Management Information Systems (MIS) [
Used inappropriately, a CDW can cause ethical,
privacy, legal, financial and even criminal risks [Miller, 2002] [Blobel, 2000]
[Snee, 2004] [Cody, 2003] [CIHR, 2002] [Senate, 2002]. Trustworthiness in
stakeholder communication and co-operation throughout the complete lifecycle[a18] [7][MAL19] of[a20] health data,
starting with an informed consent, while respecting an individual’s rights
[Belmont, 1979] [Helsinky, 1964] [Nuremberg, 1949] [Harkness, 2001] (including the right to privacy) is
fundamental [Kerkri, 2001][Blobel, 2004] [CIHR, 2002], expected by the
stakeholders [Roger, 1998] and necessary in clinical research [Beecher,
1966][Helvey, 2004]. Two of the
biggest challenges in the planning process of the CDW desbribed in [Wisniewski,
2003] were accommodating the security and confidentiality mandates of
regulatory agencies and obtaining institutional approvals.
Challenge: we must define the principal components of the risk management framework, how they interact with the various stakeholders and stakeholder groups, identify and defined the principal processes involved in the implementation of an RPM process and how these can be modeled. |
Ethical issues, and in particular privacy issues, are
not addressed in [a21] [MAL22]current RMF [Thompson, 2001]. Recent jurisprudence, in
Québec[8], indicates that in cases
of loss of privacy, that do not involve damages, the financial impact for an
organisation is low [Wellman c. Québec, 2002], however this may be changing[9]. Risk of loss of privacy
(Privacy risks) and risk that ethical uses of health data (Ethical risks) tend
to be underweighted[a23] . As these are
underweighted, the logical result is that Ethical risks and Privacy risks will
receive less attention.
Reference | Class. |
1 | |
Association of American Medical Colleges, Information Technology Enabling Clinical Research, Findings and Recommendations from a Conference Sponsored by the Association of American Medical Colleges with Funding from the National Science Foundation, October 30-31, 2002 | 2 |
Alberts, Christopher J., 1999, Octave Framework version 1.0, technical report, | 4 |
Bakker, Ab, Access to EHR and access control at a moment in the past: a discussion of the need and an exploration of the consequences, International Journal of Medical Informatics, 2004 | 3 |
Barber, B, Patient data and security: an overview, international journal of medical informatics, no 49, 1998, pages 19-30 | 1 |
Bates, D.W., Pappius, E., Kuperman, G.J., Sittig, D., Burstin, H., Fairchild, D., Brennan, T.A., Teich, J.M., Using information systems to measure and improve quality, International Journal of Medical Informatics, 1999, pages 115–12 | 2 |
Barrows, RC Jr, Clayton, PD, Privacy, confidentiality, and electronic medical records,Journal of the American Medical Informatics Association, 1996, pages 139-148 | 2 |
Beecher, HK. Ethics and clinical research, The New England Journal of Medicine, 1966, 274: 1354–1360. | 2 |
Behlen, Fred M., Johnson, Stephen B., Multicenter Patient Records Research, Journal of the American Medical Informatics Association, Volume 6, Number 6, Nov / Dec 1999 | 1 |
2 | |
Belmont Report, Ethical , Principles and Guidelines for the Protection of Human Subjects of Research, The National Commission for the Protection of Human Subjects of Biomedical andBehavioral Research, | 3 |
Berryman, Paul, Risk Assessment: The Basics, Mémoire présenté comme exigence partielle pour l’obtention de la certification de Global Information Assurance Certification du GIAC, http://www.giac.org/, Février 2002 | 4 |
Berndt, Donald J, Hevner, Alan R, Studnicki, James, The Catch data warehouse: support for community health care decision-making, Decision Support Systems, Vol 35, 2003, pages 367– 384 | 3 |
Blobel, Bernd, Advanced toolkits for EPR security, International journal of medical informatics, no 60, 2000, pages 169-175 | 2 |
Blobel, Bernd, Authorisation and access control for electronic health record systems, International Journal of Medical Informatics, 2004, pages 251—257 | 3 |
Boudreau, Christian et la CAI, Étude sur l’inforoute de la santé au Québec : Enjeux techniques, éthiques et légaux, document de réflexion, octobre 2001 | 4 |
British Standard BS-7799-2:2002, Information Security Management System – Specification with Guidance for use, September 2002 | 3 |
Buckovich, Suzy A. et als, Driving Toward Guiding Principles: A Goal for Privacy, Confidentiality, and Security of Health Information, Journal of the American Medical Informatics Association Volume 6 Number 2 Mar / Apr 1999, Pages 122-133 | 1 |
Burt, Dr. Brian A., DEFINITIONS OF RISK, Department of Epidemiology, | 3 |
CSA (Canadian Standards Association), Model Code for the Protection of Personal Information (Q830-96) , 2003, http://www.csa.ca/standards/privacy/code/Default.asp?language=english | 2 |
Chateauneuf, A., Wakker, P., An Axiomatization of Cumulative Prospect Theory for Decision Under Risk, Journal of Risk and Uncertainty, 1999, pages 137-145 | 4 |
Cavoukian, A., The Security-Privacy Paradox: Issues, Misconceptions, and Strategies, A Joint Report by the Information and Privacy Commissioner of Ontario and Deloitte & Touche, Information and Privacy Commissioner of Ontario, August 2003, http://www.ipc.on.ca/docs/sec-priv.pdf | 2 |
Chaudhuri, Surajit. Dayal Umeshwar, An overview of data warehousing and OLAP technology, ACM SIGMOD Record, Volume 26 Issue 1 March 1997 | 2 |
Chaudhuri, S.; Dayal, U.; Ganti, V. Database technology for decision support systems, IEEE computer, Volume 34, Issue 12, Dec 2001, Pages 48-55 | 2 |
CIHR (Canadian Institutes of Health Research), Guidelines for Protecting Privacy and Confidentiality in the Design, Conduct and Evaluation of Health Research: BEST PRACTICES, CONSULTATION DRAFT, April 2004 | 2 |
CIHR (Canadian Institutesof Health Research), Secondary use of personal information in health research: Case studies, Canadian Institute of Health Research, November 2002 | 2 |
CLARKE, EDMUND M., WING, JEANNETTE M., Formal Methods: State of the Art and Future Directions, ACM Computing Surveys, Vol. 28, No. 4, December 1996, pages 626-643 | 2 |
Clusif, MÉHARI, Club de la sécurité des informations français, August 2000 | 3 |
Cody, Patrick M, Dynamic Security for Medical Record Sharing, Submitted to the Department of Electrical Engineering and Computer Science in Partial Fulfillment of the Requirements for the Degrees of Bachelor of Science in Computer Science and Engineering and Master of Engineering in Electrical Engineering and Computer Science at the Massachusetts Institute of Technology, | 3 |
Collmann, Jeff, Alaoui, Adil, Nguyen, Dan, Lindisch, David, Safe teleradiology: information assurance as a project planning methodology, Elsevier Science International Congress Series 1256, 2003, pages 809– 814 | 3 |
Commission d’accès à l’information du Québec, Exigences minimales relatives à la sécurité des dossiers informatisés des usagers du réseau de la santé et des services sociaux, Avril 1992 | 4 |
Commission d’accès à l’information du Québec, Avis concernant le cadre global de gestion sur la sécurité des actifs informationnels du réseau de la santé et des services sociaux, décembre 2001 | 4 |
Commission d’accès à l’information du Québec, Guide en matière de protection des renseignements personnels dans le développement des systèmes d’information à l’intention des ministères et organismes publics, Décembre 2002 | 4 |
COSISS, Politique intérimaire de sécurité visant les actifs informationnels du réseau de la santé et des services sociaux, Québec, 1999 | 4 |
COSO, | 3 |
Damodaran, A., The basics of risk, http://pages.stern.nyu.edu/~adamodar/ , 2001 | 2 |
3 | |
Demers, DL., Fournier, F, Lemire, M, Péladeau, P, Prémont, M-C et Roy, DJ, Le réseautage de l'information de santé : Manuel pour la gestion des questions éthiques et sociales, Montréal, Centre de bioéthique, IRCM, 2004 | 2 |
Edwards, K., Prospect Theory: A Literature Review, International Review of Financial Analysis, Vol. 5, No. 1, 1996, pages 19-38 | 2 |
Einbinder,J.S., Scully, K.W.,Pates, R.D.,Schubart, J.R., Reynolds, R.E., Case Study: A Data Warehouse for an Academic Medical Center, JOURNAL OF HEALTHCARE INFORMATION MANAGEMENT, vol. 15, no. 2, Summer 2001, pages 165-175 | 1 |
Freeman, P, Robbins, A. The U.S. health data privacy debate: Will there be comprehension before closure?, International Journal of Technology Assessment in Health Care, 1999, pages 316-331. | 3 |
Fulford, Heather, Doherty, Neil F., The application of information security policies in large UK-based organizations: an exploratory investigation, Information Management & Computer Security, 2003, pages 106-114 | 3 |
Gendarmerie Royale du Canada, Guide d'évaluation de la menace et des risques pour les technologies de l'information, Novembre 1994 | 4 |
Glaessner, T., Kellermann, T., McNevin, V., Electronic Security: Risk Mitigation In Financial Transactions, Public Policy Issues, The World Bank, June 2002 | |
Godbout, L’Honorable Juge Bernard, j.c.s., jugement de la cause Wellman c. Québec (Ministère de la Sécurité du revenu-secrétariat) Cour Supérieure, Québec, District de Chicoutimi, N°:150-05-000416-950, 19 juillet 2002 | 4 |
Gordon, Laurence A. et Loeb, Martin, The economics of Information security investment, ACM Transactions on information and system security, vol 5, no 4, Novembre 2002, pages 438-457 | 3 |
Haimes, Yacov Y., The Role of the Society for Risk Analysis in the Emerging Threats to Critical Infrastructures , Risk Analysis, Blackwell Science, | 3 |
Hancock, Bill, COMMON SENSE GUIDE FOR SENIOR MANAGERS, Top Ten Recommended Information Security Practices, 1st Edition, July 2002 | 3 |
Harkness, J., Lederer, S.E., Wikler, D., Laying ethical foundations for clinical research, Bulletin of the World Health Organization, 2001 | 2 |
Hatcher, M., Decision-Making With and Without Information Technology in Acute Care Hospitals: Survey in the | 2 |
Helvey, T., Mack, R., Avula, S., Flook, P., Data security in Life Sciences research, Drug Discovery Today: BIOSILICO, Vol. 2, No. 3, May 2004 | 3 |
Hillson, Dr David, RISK MANAGEMENT FOR THE NEW MILLENNIUM, http://www.risk-doctor.com/ ,1999 | 4 |
Hillson, D., What is risk? Towards a common definition, http://www.risk-doctor.com/pdf-files/def0402.pdf , Inform, Journal of the UK Institute of Risk Management, April, 2002, pages 11-12 | 3 |
HIMMS, The Eleventh Annual HIMSS Leadership Survey, http://www.himss.org/survey/2000/survey2000.html , 2000 | 2 |
HM Treasury ( | 2 |
Humpreys, BL.,Electronic Health Record Meets Digital Library A New Environment for Achieving an Old Goal, J Am Med Inform Assoc, 2000, Sep; 7(5), pages 444-452 | 2 |
2 | |
International Standards Organisation (ISO), ISO/DTR 20514, Health informatics — Electronic health record — Definition, scope, and context, 2004 | |
International Standards Organisation (ISO), JTC1-SC27, A Comparison of Terminology: ISO Guide 73 (Draft November 2001), PDTR 13335-1 (for terms used in all parts of TR 13335), Draft 17799 (N 3184) and compared to IS 17799:2000, and SC 27 SD 6 (2002-03-31), 2002 | 2 |
International Standards Organisation (ISO), ISO/EIC TR 13335-1, Information technology – Guidelines for the management of IT Security, Part 1: Concepts and models for IT security, 1996 | 2 |
Janczewski, | 2 |
Kachur, R. J., The Data Warehouse Management Handbook, | 3 |
Kahneman, D., Tversky, A., Prospective theory: An analysis of decision under risk, Econometrica, 1979, pages 263–291 | 4 |
Kane, | 3 |
Keil, Mark, Wallace, Linda, Turk, Dan, Dixon-Randall, Gayle, Nulden, Urban, An investigation of risk perception and risk propensity on the decision to continue a software development project, The Journal of Systems and Software, 2000, pages 145-157 | 3 |
Kerkri, E. M. Quantin, C., Allaert F.A., Cottin, Y., Charve, P.H., Jouanot, F., Yétongnon, K., An Approach for Integrating Heterogeneous Information Sources in a Medical Data Warehouse, Journal of Medical Systems, Vol. 25, No. 3, 2001 | 1 |
Kim 2003… | |
Kremer, S. et als, An tensive survey of non-repudiation protocols, Computer Communications, no 25,2002, pages 1606-1621 | 3 |
Lagadec, Patrick, Risques, Crises et Gouvernance: ruptures d’horizons, ruptures de paradigmes, Réalités Industrielles, Annales des Mines, numéro spécial: “Sciences et génie des activités à risques”, Mai 2003, pages 5-11 | 3 |
Laibson, D., Zeckhauser, R., Amos Tversky and the Ascent of Behavioral Economics, Journal of Risk and Uncertainty, 1998, pages 7–47 | 3 |
Landwehr, Carl E., Formal models for computer security, ACM Computing serveys, vol 13, no 3, Septembre 1981pages.247-278 | 2 |
Ledbetter, Craig S., Morgan, Matthew W., Toward Best Practice: Leveraging the Electronic Patient Record as a Clinical Data Warehouse, JOURNAL OF HEALTHCARE INFORMATION MANAGEMENT, vol. 15, no. 2, summer 2001 | 1 |
Léger, Marc-André, Un processus d’analyse des vulnérabilités technologiques comme mesure de protection contre les cyber-attaques, Rapport d’activité de synthèse, Maîtrise en Informatique de Gestion, UQAM, Juin 2003, 110 pages | 3 |
Léger, Marc-André, Méthodologie IVRI de gestion du risque en matière de sécurité de l’information, Éditions Fortier Communications, Montréal, Septembre 2003 | 3 |
Lloyd, Andrew J, Threats to the estimation of benefit: are preference elicitation methods accurate?, Health Economics, 2003, pages 393–402 | 3 |
Maguire, Stuart (2002), Identifying risks during information system development: managing the process, Journal of Information Management & Computer Security, Volume 10 Number 3, pages 126-p134 | |
Marsh, Andy, The Creation of a global telemedical information society, International Journal of Medical Informatics, 1998, pages 173–193 | 3 |
Miller, Gerald C., Ph.D., Data warehousing and information management strategies in the clinical immunology laboratory, Clinical and Applied Immunology Reviews, 2002 | 2 |
Misslin, René, The defense system of fear: behavior and neurocircuitry, Neurophysiologie clinique 33, 2003, pages 55–66 | 5 |
MSSS, Ministère de la Santé du Québec, Le réseau RTSS C’est, site internet du MSSS, http://www.msss.gouv.qc.ca/rtss/, 2003 | 4 |
MSSS, Ministère de la Santé du Québec, Le réseau de télécommunication sociosanitaire en bref, document interne du TCR, 2002 | 3 |
Myerson, Judith, Risk Management, INTERNATIONAL JOURNAL OF NETWORK MANAGEMENT, 1999, pages 305-308 | 2 |
Neumann, Peter G., Risks to the Public in Computers and Related Systems, ACM SIGSOFT Software Engineering Notes, vol 26 no 1, January 2001, Pages 14-38 | 3 |
Novosyolov, A., Risk Theory: Basic Concepts of Risk Theory, Lecture for math department students, | 3 |
3 | |
Pace, Wilson D, Database Design to Ensure Anonymous Study of Medical Errors: A Report from the ASIPS Collaborative, Journal of the American Medical Informatics Association, Volume 10, Number 6, Nov / Dec 2003, pages 531-540 | 3 |
Puhr, Claus, OPIS – A web enabled clinical data warehouse prototype, presentation, | 2 |
Pedersen, T.B., Jensen, C.S., Research issues in clinical data warehousing, Proceedings of SSDBM’98, | 1 |
RAAB, Charles D., The future of privacy protection, Cyber Trust & Crime Prevention Project, 2004 | 2 |
Rector, A.L., Nowlan, W.A. , Kay, S., Foundations for an electronicmedical record, Methods of Information in Medicine, 1991, pages 179–186 | 2 |
Safran, Charles, Goldberg, Howard, Electronic patient records and the impact of the Internet, International Journal of Medical Informatics, 2000, pages 77–83 | 2 |
Senate ( | 3 |
Schloeffel, P., Electronic Health Record Definition, Scope and Context: ISO/TC 215 Discussion Paper, October 2002, available at https://committees.standards.com.au/COMMITTEES/IT-014-09-02/N0004/IT-014-09-02-N0004.DOC | 2 |
Shortreed, J., Hicks, J., Craig, L., Basic Frameworks for Risk Management, Final Report, Prepared for The Ontario Ministry of the Environment, Network for Environmental Risk Assessment and Management, | 2 |
Schubart, Jane R., Einbinder, Jonathan S, Evaluation of a data warehouse in an academic health sciences center, International Journal of Medical Informatics, 2000, pages 319–333 | 2 |
Schumacher, H. J., Ghosh, S., A fundamental framework for network security, Journal of Network and Computer Applications, 1997, pages 305–322 | 2 |
Smith, E. Eloff, J.H.P., Security in health-care information systems – current trends, International journal of medical informatics, no 54, 1999, pages 33-54 | 2 |
Snee, N.L., The Case for Integrating Public Health Informatics Networks, An Overview of the Elements Required for an Integrated | 2 |
Stoneburner, Gary, Goguen, Alice, Feringa, Alexis, NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, July 2002 | 1 |
Sujansky, Walter, Heterogeneous Database Integration in Biomedicine, Journal of Biomedical Informatics, 2001, pages 285–298 | |
Summers, K.H., Measuring and Monitoring Outcomes of Disease Management Programs, Clinical Therapeutics, volume 18, NO. 6, 1996 | One12 |
Sweltz ,Ken, Network Vulnerability Assessment Strategy for Small State and Local Government Agencies, SANS Institute, GIAC practical repository, 2003 | 3 |
Takeda, H., Matsumura, Y., Kuwata, S., Nakano, H., Sakamoto, N., Yamamoto, R., Architecture for networked electronic patient record systems, International Journal of Medical Informatics, 2000, pages 161–167 | 2 |
Thompson, Paul B., Privacy, secrecy and security, Ethics and Information Technology, 2001, pages 13–19 | 1 |
Tong, C.K.S., Implementation of ISO17799 and BS7799 in picture archiving and communication system: local experience in implementation of BS7799 standard, Elsevier Science B.V International Congress Series 1256, 2003, pages 311–318 | |
Toyoda, Ken, Standardization and security for the EMR, International Journal of Medical Informatics, 1998, pages 57–60 | 2 |
Tregear, Jonathan, Risk Assessment Information Security Technical Report , Volume 6, numéro 3, septembre 2001, pages 19-27 | |
Wagner, | 2 |
Watkins, Michael D., Bazerman, Max H., Predictable Surprises: The Disasters You Should Have Seen Coming, Harvard Business review Online, 2003 | 2 |
Winter | 2 |
Wismiewski, M.F., A Clinical Data Warehouse for Infection Control, Journal of the American Medical Informatics Association Volume 10 Number 5 Sep / Oct 2003 | 1 |
WORLD MEDICAL ASSOCIATION, DECLARATION OF HELSINKI, Ethical Principles for Medical Research Involving Human Subjects, Helsinki, Finland, June 1964 | 2 |
Yoshihara, H., Development of the electronic health record in Japan, Int. J. Med. Inf., 1998, pages 53–58 (***) | 3 |
Zhou, Lidong, Haas Zygmunt J., Securing Ad Hoc Networks, IEEE Network, 1999 | 3 |
Zviran, M., Armoni, A., Glezer, C., HIS/BUI: A Conceptual Model for Bottom-Up Integration of Hospital Information Systems, Journal of Medical Systems, Vol. 22, No. 3, 1998, Pages 147-159 | 2 |
Code | Significance |
1 | Very important |
2 | Less significant |
3 | Helps define subject |
4 | Informative or less significant |
5 | Not that significant |
No | Cat | Description of requirement | SOURCE |
1 | C | Individuals have a right to the privacy and confidentiality of their health information. | Buckovich, 1999 |
1b | Pv | Individuals have a right to the privacy and confidentiality of their health information. | Buckovich, 1999 |
2 | Ac | Individuals have a right to access in a timely manner their health information. | Buckovich, 1999 |
3 | Ac | Individuals have a right to copy, in a timely manner, their health information. | Buckovich, 1999 |
4 | Ac | Individuals have a right to amend and/or correct their health information. | Buckovich, 1999 |
5 | Pv | Individuals have the right to withhold their health information from electronic format including being stored, managed, or transmitted electronically. | Buckovich, 1999 |
6 | Pv | Individuals have the right to segregate their health information from shared medical records. | Buckovich, 1999 |
7 | I | Individuals have the right to the integrity of their health information. | Buckovich, 1999 |
7b | I | Entities and/or persons that create, maintain, use, transmit, collect, or disseminate individual health information shall be responsible for ensuring this integrity. | Buckovich, 1999 |
8 | Ac | Individuals have a right to control the access and disclosure of their health information and to specify limitations on period of time and purpose of use. | Buckovich, 1999 |
9 | Pi | Outside the doctor–patient (other health care provider) relationship, health information that makes a person identifiable shall not be disclosed without prior patient informed consent and/or authorization. | Buckovich, 1999 |
10 | Pi | Informed consent and/or authorization for release of personal health information shall include identification of requester, declaration of purpose and boundaries, restriction of redisclosure, and explanation of potential harmful risks that could result from the release of this information. | Buckovich, 1999 |
11 | Pi | Individuals harmed by the abuse or misuse of their health information shall be afforded individual redress through civil and criminal penalties. | Buckovich, 1999 |
12 | Pi | Health care providers have the right to maintain private recordings of observations, opinions, and impressions whose release they consider could be potentially harmful to the well-being of the patient. They shall not disclose this information without due reflection on the impact of such release. | Buckovich, 1999 |
13 | Pi | The obligation of health care providers to maintain confidentiality and privacy of medical records shall not be undermined by outside organizations such as insurers, suppliers, employers, or government agencies (i.e., forced disclosure without informed consent). | Buckovich, 1999 |
14 | Ic | Personally identifiable information collected for one purpose shall not be used for another purpose without prior informed consent of the patient. | Buckovich, 1999 |
15 | Op | No secret databases shall exist. | Buckovich, 1999 |
16 | Ic | No medical record demographics or other potential patient identifiers shall be sold, utilized for marketing purposes, or utilized for other commercial or financial gain without the prior informed consent of the individual. | Buckovich, 1999 |
17 | Pi | Access to aggregate data shall be made available to support public health research and outcome studies as long as individuals are not and can not be reasonably identified. | Buckovich, 1999 |
18 | Ot | Information gathered from available aggregate data shall not be used to the detriment of any individual in employment, access to care, rate setting, or insurability. | Buckovich, 1999 |
19 | Ot | Access to health information shall be limited to that information necessary for the entities or individual’s legitimate need and/ or purpose. | Buckovich, 1999 |
20 | Pi | Insurers have the right to access only that health information deemed necessary for claims administration and/or claims resolution. | Buckovich, 1999 |
21 | Pi | Employers have a right to collect and maintain health information about employees allowable or otherwise deemed necessary to comply with state and federal statutes. However, employers shall not use this information for job or other employee benefit discrimination. | Buckovich, 1999 |
22 | S | A warrant requirement shall exist for law enforcement to obtain health information. | Buckovich, 1999 |
23 | S | Health information and/or medical records that make a person identifiable shall be maintained and transmitted in a secure environment. | Buckovich, 1999 |
24 | S | An audit trail shall exist for medical records and be available to patients on request. | Buckovich, 1999 |
25 | Ot | All entities involved with health care information have a responsibility to educate themselves, their staff, and consumers on issues related to these principles (e.g., consumers’ privacy rights). | Buckovich, 1999 |
26 | S | All entities with exposure or access to individual health information shall have security/privacy/confidentiality policies, procedures, and regulations (including sanctions) in place that support adherence to these principles. | Buckovich, 1999 |
27 | S | Current and new technologies should be continually incorporated in the design of information systems to support the implementation of these principles and compliance with them. | Buckovich, 1999 |
28 | S | Support for these principles needs to be at the federal level. | Buckovich, 1999 |
29 | Ai | Patients have the right to know what information physicians hold about them, including information held on health databases. In many jurisdictions, they have a right to a copy of their health records. | WMA, 2002 |
30 | Ai | Patients should have the right to decide that their personal health information in a database (as defined in 7.2) be deleted. | WMA, 2002 |
31 | Ai | In rare, limited circumstances, information may be withhold from a patient if it is likely that disclosure cause serious harm to the patient or another person. Physicians must be able to justify any decision to withhold information from a patient. | WMA, 2002 |
32 | C | All physicians are individually responsible and accountable for the confidentiality of the personal health information they hold. Physicians must also be satisfied that there are appropriate arrangements for the security of personal health information when it is stored, sent or received, including electronically. | WMA, 2002 |
33 | C | In addition, medically qualified person(s) should be appointed to act as guardian of a health database, to have responsibility for monitoring and ensuring compliance with the principles of confidentiality and security. | WMA, 2002 |
34 | C | Safeguards must be in place to ensure that there is no inappropriate or unauthorised use of or access to personal health information in databases, and to ensure the authenticity of the data. When data is transmitted, there must be arrangements in place to ensure that the transmission is secure. | WMA, 2002 |
35 | C | Audit systems must keep a record of who has accessed personal health information and when. Patients should be able to review the audit record for their own information. | WMA, 2002 |
36 | Pc | Patients should be informed if their health information is to be stored on a database and of the purposes for which their information may be used. | WMA, 2002 |
37 | Pc | Patients' consent is needed if the inclusion of their information on a database involves disclosure to a third party or would permit access by people other than those involved in the patients' care, unless there are exceptional circumstances as described in paragraph 11. | WMA, 2002 |
38 | Pc | Under certain conditions, personal health information may be included on a database without consent, for example where this conforms with applicable national law that conforms to the requirements of this statement, or where ethical approval has been given by a specially appointed ethical review committee. In these exceptional cases, patients should be informed about the potential uses of their information, even if they have no right to object | WMA, 2002 |
39 | Pc | If patients object to their information being passed to others, their objections must be respected unless exceptional circumstances apply, for example where this is required by applicable national law that conforms to the requirements of this statement or necessary to prevent a risk of death or serious harm. | WMA, 2002 |
40 | Pc | Authorization from the guardian of the health database is needed before information held on databases may be accessed by third parties. Procedures for granting authorization must comply with recognised codes of confidentiality. | WMA, 2002 |
41 | Pc | Approval from a specially appointed ethical review committee must be obtained for all research using patient data, including for new research not envisaged at the time the data were collected. An important consideration for the committee in such cases will be whether patients should be contacted to obtain consent, or whether it is acceptable to use the information for the new purpose without returning to the patient for further consent. The committee's decisions must be in accordance with applicable national law and conform to the requirements of this statement. | WMA, 2002 |
42 | Pc | Data accessed must be used only for the purposes for which authorization has been given. | WMA, 2002 |
43 | Pc | People who collect, use, disclose or access health information must be subject to an enforceable duty to keep the information secure | WMA, 2002 |
44 | S | Wherever possible, data for secondary purposes should be de-identified. If this is not possible, however, the use of data where the patient's identity is protected by an alias or code should be used in preference to readily identifiable data. | WMA, 2002 |
45 | S | The use of de-identified data does not usually raise issues of confidentiality. Data about people as individuals, in which they retain a legitimate interest, for example a case history or photograph, require protection. | WMA, 2002 |
46 | I | Physicians are responsible for ensuring, as far as practicable, that the information they provide to, and hold on, databases is accurate and up-to-date. | WMA, 2002 |
47 | I | Patients who have seen their information and believe there are inaccuracies in it have the right to suggest amendments and to have their comments appended to the information. | WMA, 2002 |
48 | Do | There must be documentation to explain: what information is held and why; what consent has been obtained from the patients; who may access the data; why, how and when the data may be linked to other information; and the circumstances in which data may be made available to third parties. | WMA, 2002 |
49 | Do | Information to patients about a specific database should cover: consent to the storage and use of data; rights of access to the data; and rights to have inaccurate data amended. | WMA, 2002 |
50 | Mg | Procedures for addressing enquiries and complaints must be in place. | WMA, 2002 |
51 | Mg | The person or persons who are accountable for policies, procedures, and to whom complaints or enquiries can be made must be identified. | WMA, 2002 |
52 | P | National medical associations should co-operate with the relevant health authorities, ethical authorities and personal data authorities, at national and other appropriate administrative levels, to formulate health information policies based on the principles in this document. | WMA, 2002 |
53 | C | Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. | [ISO/IEC 7498-2] as described in [ISO 1335-1] |
54 | C | Confidentiality exists when information is communicated in the context of a special relationship (such as doctor-patient, lawyer-client, etc.) where the information is intended to be held in confidence or kept secret | [CIHR, 2002] |
55 | C | It is an ethical concept that regulates communication of information between individuals |