FHIR Data Segmentation for Privacy
1.0.0 - trial-use (International)

FHIR Data Segmentation for Privacy, published by the HL7 Security Working Group. This is not an authorized publication; it is the continuous build for version 1.0.0. This version is based on the current content of https://github.com/HL7/fhir-security-label-ds4p/ and changes regularly. See the Directory of published versions.

Glossary

These definitions are based on the glossary of the HL7 Healthcare Privacy and Security Classification System (HCS), Release 1, Volume 1.

Access (Security) Level

The combination of a hierarchical security classification and a security category that represents the sensitivity of an object or the security clearance of an individual [ISO 2382-8].

A level associated with an individual who may be accessing information (for example, a clearance level) or with the information which may be accessed (for example, a classification level) [HIPAA Security Glossary].

Access Control Decision Information (ADI)

The portion (possibly all) of the ACI made available to the ADF in making a particular access control decision [ISO 10181-3/ITU X.812].

Access Control Information (ACI)

Any information used for access control purposes, including contextual information [ISO 10181-3].

Classification

Confidential protection of data elements by segmentation into restricted and specifically controlled categories set by policies [Adapted from ASTM E1986-98(2005)].

Clearance

Initiator-bound access control information (ACI) that can be compared with security labels of targets [ISO 10181-3/ITU X.812].

Permission granted to an individual to access data or information at or below a particular security level [ISO/IEC 2382-8:1998].

Clinical Attribute

Any clinical characteristic that binds a health care relevant parameter to a clinical element by a rule. Parameters may include authorship, category of information, terminological characteristics, history of permutations, integrity and provenance, as well as the relationship to and inclusive of associated clinical facts necessary to provide context essential for applying security labels. (PCAST discusses attributes that provide context to clinical data elements such as patient demographics).

Clinical Attribute Set

The complete collection of parameters that in total describe the relevant characteristics of a clinical fact. These include clinical attributes, security labels and provenance. For example: the patient’s name and birthdate, the diagnosis code, the applicable privacy rules and policies (including any of the patient’s pre-consented privacy choices), the security label classification and sensitivity codes, and the data source (provider).

Clinical Element

A clinical object that has been disaggregated into the smallest possible data element suitable for use in a healthcare context. (PCAST p. 70 description of clinical elements as the smallest clinical data units that make sense to exchange and aggregate.)

Clinical Fact

A healthcare data IT resource comprised of a clinical element associated or “tagged” with at least one clinical attribute such as a clinical information category, patient information, and provenance. A clinical fact is a type of “tagged data element.” (PCAST p. 89 “Tagged data element: Data accompanied by metadata describing the data.”).

Clinical Rule

A computational algorithm used for assigning a clinical attribute to a clinical element.

Compartment

A security label tag that “segments” an IT resource by indicating that access and use is restricted to members of a defined community or project. A set of categories in a security label [Sandhu].

Compartment-Based Policies

In a compartment-based policy, sets of targets are associated with a named security compartment or category, which isolates them from other targets. Users need to be given a distinct clearance for a compartment to be able to access targets in the compartment [Ford; chapter 6, p.155].

Compartmentalization

A division of data into isolated blocks with separate security controls for the purpose of reducing risk [ISO 7498-2]. For example, the division of data in a major project into blocks corresponding to sub-projects, each with its own security protection, in order to limit exposure of the overall project.

Confidentiality

Privacy metadata classifying an IT resource (data, information object, service, or system capability) according to its level of sensitivity, which is based on an analysis of applicable privacy policies and the risk of financial, reputational, or other harm to an individual or entity that could result if made available or disclosed to unauthorized individuals, entities, or processes.

Usage Notes: Confidentiality codes are used in security labels and privacy markings to classify IT resources based on sensitivity to indicate the custodian or receiver obligation to ensure that the protected resource is not made available or redisclosed to individuals, entities, or processes (security principals) per applicable policies. Confidentiality codes are also used in the clearances of initiators requesting access to protected resources.

Definition aligns with ISO 7498-2: Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. (HL7 Confidentiality code system 2.16.840.1.113883.5.25 and value set 2.16.840.1.113883.1.11.10228).

Controlled Unclassified Information (CUI) (US-realm)

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see definition above) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways:

  • requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic;
  • requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or
  • requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

(Based on US 32 CFR Part 2002.)

Data Segmentation

Process of sequestering from capture, access, or view certain data elements that are perceived by a legal entity, institution, organization or individual as being undesirable to share [GWU].

Data Use and Reciprocal Support Agreement (DURSA)

A comprehensive, multi-party trust agreement signed by all eligible entities who wish to exchange data.

Healthcare Privacy and Security Classification System (HCS)

A defined scheme for the classification and handling of health care and healthcare related information.

High Water Mark (HWM)

“Rule that when information is combined from several targets, the result is assigned the highest classification level.” [Warwick Ford, Computer Communications Security: Principles, Standard Protocols & Techniques 29-30 (1994)]

“high water mark [is the] maximum potential impact values for each security objective from the information types resident on the acquisition system.” [FIPS 199]

“If individual portions are classified at one level, but the compilation is a higher classification, mark each portion with its own classification, and mark the document and pages with the classification of the compilation.” [DOD Information Security Chapter 5 Marking: 5-206 Identification of Specific Classified Information]
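The two rules quoted above (Ford's high water mark and the DoD instruction to mark each portion with its own classification while the compilation carries the highest) can be applied directly to a FHIR Bundle. The following is an added illustration, not code from the DS4P guide: it ranks the HL7 v3 Confidentiality codes cited in this glossary (U < L < M < N < R < V, code system 2.16.840.1.113883.5.25), works over a constructed sample Bundle, and treats an entry that arrives with no confidentiality label as "N" (normal), which is an assumed stand-in for a default security policy.

```python
"""High water mark over the security labels of a FHIR Bundle.

Added illustration; not code from the DS4P guide. The confidentiality
ranking U < L < M < N < R < V is the HL7 v3 Confidentiality code system
cited in this glossary (2.16.840.1.113883.5.25). The Bundle below is a
constructed sample, and treating an unlabeled entry as "N" is an assumed
stand-in for a default security policy.
"""
import copy

CONFIDENTIALITY_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"

# Rank of each confidentiality code, least to most sensitive.
CONFIDENTIALITY_RANK = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}


def confidentiality_of(resource):
    """Return the confidentiality code carried in resource.meta.security, or None."""
    for coding in resource.get("meta", {}).get("security", []):
        if coding.get("system") == CONFIDENTIALITY_SYSTEM and coding.get("code") in CONFIDENTIALITY_RANK:
            return coding["code"]
    return None


def high_water_mark(resources, default="N"):
    """Ford's rule: a compilation takes the highest classification of any of its parts."""
    codes = [confidentiality_of(r) or default for r in resources]
    if not codes:
        return default
    return max(codes, key=CONFIDENTIALITY_RANK.__getitem__)


def label_compilation(bundle, default="N"):
    """Return a copy of the Bundle whose top-level meta.security carries the HWM.

    Each entry keeps its own label (the DoD "mark each portion" rule); only the
    Bundle, as the compilation, is marked with the aggregate classification.
    """
    marked = copy.deepcopy(bundle)
    hwm = high_water_mark([e["resource"] for e in marked.get("entry", [])], default)
    security = marked.setdefault("meta", {}).setdefault("security", [])
    # Replace any existing confidentiality coding rather than stacking a second one.
    security[:] = [c for c in security if c.get("system") != CONFIDENTIALITY_SYSTEM]
    security.append({"system": CONFIDENTIALITY_SYSTEM, "code": hwm})
    return marked


# Constructed sample: a normal-sensitivity Patient, a restricted Observation,
# and a Condition that arrived with no security label at all.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle",
    "type": "collection",
    "entry": [
        {"resource": {"resourceType": "Patient", "id": "p1",
                      "meta": {"security": [{"system": CONFIDENTIALITY_SYSTEM, "code": "N"}]}}},
        {"resource": {"resourceType": "Observation", "id": "o1",
                      "meta": {"security": [{"system": CONFIDENTIALITY_SYSTEM, "code": "R"}]}}},
        {"resource": {"resourceType": "Condition", "id": "c1"}},
    ],
}

if __name__ == "__main__":
    marked = label_compilation(SAMPLE_BUNDLE)
    print("Bundle HWM:", confidentiality_of(marked))  # R
    for entry in marked["entry"]:
        print(entry["resource"]["resourceType"], confidentiality_of(entry["resource"]))
```

The Bundle is marked R because its most sensitive entry is R, while the Patient entry still reads N and the unlabeled Condition stays unlabeled; a receiver that only inspects the outer Bundle label therefore never under-protects the compilation, and a receiver that splits the Bundle apart still has each portion's own marking to work from.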

IT Resource

Any data, information object, operation, process, service, or system capability. An IT resource that is assigned a security label is sometimes referred to as a “security object”. An IT resource that is represented as a requested security object of an initiator’s access request is sometimes referred to as a “target”.

Named Tag Set

Field containing a Tag Set Name and its associated set of security tags [NIST FIPS PUB 188].

Privacy Mark

Human readable security labels, which are rendered in the graphic user interface on accessed electronic information, are called privacy marks. The act of enabling the rendering of a privacy mark is called “privacy marking.”

If present, the privacy-mark is not used for access control. The content of the privacy-mark may be defined by the security policy in force (identified by the security-policy-identifier) which may define a list of values to be used. Alternately, the value may be determined by the originator of the security-label [ISO 22600-3 Section A.3.4.3].

Provenance

The history of the ownership of an object, especially when documented or authenticated. For example, references to a type of equipment, standard clinical procedure, attestable content author, data source, provider or other clinical facts [PCAST].

Information about entities, activities, and people involved in producing a piece of data or thing, which can be used to form assessments about its quality, reliability or trustworthiness [W3C PROV-Overview].

Provenance of a resource is a record that describes entities and processes involved in producing and delivering or otherwise influencing that resource. Provenance provides a critical foundation for assessing authenticity, enabling trust, and allowing reproducibility. Provenance assertions are a form of contextual metadata and can themselves become important records with their own provenance [W3C Provenance XG Final Report].

Data provenance is information that helps determine the derivation history of a data product, starting from its original sources. Data product or dataset refers to data in any form, such as files, tables, and virtual collections. Two important features of the provenance of a data product are the ancestral data products from which this data product evolved, and the process of transformation of these ancestral data product(s), potentially through workflows, that helped derive this data product [Simmhan].

The information that documents the history of the Content Information. This information tells the origin or source of the Content Information, any changes that may have taken place since it was originated, and who has had custody of it since it was originated. The archive is responsible for creating and preserving Provenance Information from the point of Ingest; however, earlier Provenance Information should be provided by the Producer. Provenance Information adds to the evidence to support Authenticity [ISO 14721].

Security Attribute

A security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bit map, or numbers. Compartments, caveats, and release markings are examples of security attributes [NIST FIPS PUB 188].

Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target [XACML].

Security Category

A non-hierarchical grouping of sensitive information used to control access to data more finely than with hierarchical security classification alone [ISO 2382-8].

The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals [FIPS].

If present, the security categories provide further granularity for the sensitivity of the message. The security policy in force is used to indicate the syntaxes that are allowed to be present in the security-categories. Alternately, the security-categories and their values may be defined by bilateral agreement [ISO 22600-3 Section A.3.4.3].

Security Classification

The determination of which specific degree of protection against access the data or information requires, together with a designation of that degree of protection; for example, “Top Secret”, “Secret”, “Confidential” [ISO 2382-8].

Security Clearance

See Clearance.

Security Label

(In the definitions below, "security label" is used both as a verb, “the means used to associate security attributes,” as in “security labeling,” and as a noun, “the markings bound to a resource.” As a noun, the term is sometimes considered synonymous with “security metadata” and “security tag.” As a verb, the term is sometimes considered synonymous with “tagging.” However, security standards sometimes use the term “security label” for both the classification given to IT resources and the classification level in an initiator’s clearance. In addition, some standards use the term “marking bound to a resource” to refer to both computable security labels and the human-readable rendering of security label fields, better known as “privacy markings.”)

The means used to associate a set of security attributes with a specific information object as part of the data structure for that object [ISO 10181-3/ITU X.812].

Access control information associated with the attribute values being accessed [ISO/IEC 9594-2:2008/ITU X.501].

The marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. NOTE - The marking and/or binding may be explicit or implicit [ISO 7498-2].

The means used to associate a set of security attributes with a specific information object as part of the data structure for that object [NIST SP 800-53].

Security labels may be used to associate security-relevant information with attributes within the Directory. Security labels may be assigned to an attribute value in line with the security policy in force for that attribute. The security policy may also define how security labels are to be used to enforce that security policy. A security label comprises a set of elements optionally including a security policy identifier, a security classification, a privacy mark, and a set of security categories. The security label is bound to the attribute value using a digital signature or other integrity mechanism [ISO/IEC 9594-2:2008/ITU X.501].

A security label, sometimes referred to as a confidentiality label, is a structured representation of the sensitivity of a piece of information. A security label is used in conjunction with a clearance, a structured representation of what information sensitivities a person (or other entity) is authorized to access and a security policy to control access to each piece of information [XMPP Core].

A security label is a type of PCAST metadata tag defined as information that characterizes data, such as contextual information.

Security (Labeling) Policy

The definition of which classification and category values are used and how security labels are checked against clearances.
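How labels are checked against clearances under such a policy, including the compartment rule from the Compartment-Based Policies entry above (a clearance must hold a distinct category for each compartment on the target), can be shown concretely. The following is an added illustration, not code from the DS4P guide, and the policy it encodes is an assumption: classifications are ranked with the HL7 v3 Confidentiality codes (U < L < M < N < R < V), every other coding on `meta.security` is treated as a non-hierarchical category the clearance must also hold, and an unlabeled target is assigned "N". The resources and clearances are constructed samples; the HIV and PSY sensitivity codes are taken from the HL7 v3 ActCode system. Real DS4P labels also carry obligation and refrain codes, which are handling instructions rather than categories and would need to be split out before this check.

```python
"""Checking a security label against a clearance under a labeling policy.

Added illustration, not code from the DS4P guide. The policy encoded here is
an assumption: classifications are ranked with the HL7 v3 Confidentiality
codes (U < L < M < N < R < V), every other coding on meta.security is a
category the clearance must also hold, and an unlabeled target is treated
as "N". Sample resources and clearances are constructed.
"""
CONFIDENTIALITY_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
ACTCODE_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-ActCode"

CONFIDENTIALITY_RANK = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}


def parse_label(codings, default_classification="N"):
    """Split a list of Coding dicts into (classification, frozenset of categories)."""
    classification = None
    categories = set()
    for coding in codings:
        system, code = coding.get("system"), coding.get("code")
        if system == CONFIDENTIALITY_SYSTEM and code in CONFIDENTIALITY_RANK:
            # If several confidentiality codes appear, keep the most sensitive one.
            if classification is None or CONFIDENTIALITY_RANK[code] > CONFIDENTIALITY_RANK[classification]:
                classification = code
        elif system and code:
            categories.add((system, code))
    return classification or default_classification, frozenset(categories)


def dominates(clearance, label):
    """Lattice dominance (Sandhu): level at least as high and every label category held."""
    clr_level, clr_categories = clearance
    lbl_level, lbl_categories = label
    return (CONFIDENTIALITY_RANK[clr_level] >= CONFIDENTIALITY_RANK[lbl_level]
            and lbl_categories <= clr_categories)


def may_read(clearance_codings, resource):
    """Access decision: may an initiator with this clearance read the target resource?"""
    clearance = parse_label(clearance_codings)
    target = parse_label(resource.get("meta", {}).get("security", []))
    return dominates(clearance, target)


def sensitivity(code):
    """Build a category Coding from the v3 ActCode system."""
    return {"system": ACTCODE_SYSTEM, "code": code}


# Constructed targets: a restricted Observation in the HIV compartment, a normal
# document, and a Condition that carries no label at all.
HIV_OBSERVATION = {"resourceType": "Observation", "id": "o-hiv",
                   "meta": {"security": [{"system": CONFIDENTIALITY_SYSTEM, "code": "R"},
                                         sensitivity("HIV")]}}
NORMAL_NOTE = {"resourceType": "DocumentReference", "id": "d-normal",
               "meta": {"security": [{"system": CONFIDENTIALITY_SYSTEM, "code": "N"}]}}
UNLABELED = {"resourceType": "Condition", "id": "c-none"}

# Constructed clearances. A higher level alone is not enough once a category is
# on the label: the compartment must be held explicitly.
CLEARANCE_N = [{"system": CONFIDENTIALITY_SYSTEM, "code": "N"}]
CLEARANCE_R_PSY = [{"system": CONFIDENTIALITY_SYSTEM, "code": "R"}, sensitivity("PSY")]
CLEARANCE_R_HIV = [{"system": CONFIDENTIALITY_SYSTEM, "code": "R"}, sensitivity("HIV")]
CLEARANCE_V = [{"system": CONFIDENTIALITY_SYSTEM, "code": "V"}]

if __name__ == "__main__":
    for name, clearance in [("N", CLEARANCE_N), ("R+PSY", CLEARANCE_R_PSY),
                            ("R+HIV", CLEARANCE_R_HIV), ("V", CLEARANCE_V)]:
        print(name, "HIV obs:", may_read(clearance, HIV_OBSERVATION),
              "normal note:", may_read(clearance, NORMAL_NOTE),
              "unlabeled:", may_read(clearance, UNLABELED))
```

Two of the outcomes are the ones worth checking in any implementation: the R+PSY clearance is refused the HIV observation even though its level matches, because compartments isolate targets from one another, and the V clearance is refused it too, because a hierarchical level never implies a category. The unlabeled Condition falls to the assumed default "N", which is the role the SPIF's `defaultSecurityPolicyIdData` plays in the entry below.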

Security Labeling Rule

A computational algorithm used for assigning a security label to an IT resource such as a clinical fact.

Security Policy Information File (SPIF)

A construct that conveys domain-specific security policy information [ISO/IEC 15816].

An XML schema, that provides a high level representation of a security labeling policy in a generic and open fashion [Open XML SPIF].

The structure below is from ISO/IEC 15816:2002, Information technology — Security techniques — Security information objects for access control.

The Security Policy Information File contains a sequence of the following:

  • versionInformation – indicates the version of the ASN.1 syntax and associated semantics of the Security Policy Information File specification.
  • updateInformation – indicates the currency of the security policy information file data.
  • securityPolicyIdData – identifies the security policy to which the Security Policy Information File applies.
  • privilegeId – indicates the OID that identifies the syntax included in the clearance attribute security category of relying certificates used in conjunction with the Security Policy Information File. The syntax indicated by privilegeId must be consistent with that indicated by rbacId.
  • securityClassifications – maps the classification of the security label to a classification in the clearance attribute, and also provides equivalency mappings.
  • rbacId – rule based access control object identifier which identifies the syntax included in the securityLabel security category that is used in conjunction with the Security Policy Information File. The syntax indicated by rbacId must be consistent with that indicated by privilegeId.
  • securityCategories – maps the security categories of the security label to the security categories in the clearance attribute, and also provides equivalency mappings.
  • equivalentPolicies – consolidates all equivalent policies in the SPIF.
  • defaultSecurityPolicyIdData – identifies the security policy which will apply if data is received without a security label.
  • extensions – provides a mechanism to include additional capabilities as future requirements are identified.

The Security Policy Information File is a signed object to protect it from unauthorized changes.

Security Tag

Information unit containing a representation of certain security-related information (e.g., a restrictive attribute bit map) [NIST FIPS PUB 188].

Segmentation

The process of sequestering from capture, access or view certain data elements or “datatypes” (clinical information categories) that are perceived by a legal entity, institution, organization, or individual as being undesirable to share.

Sensitivity

The characteristic of a resource which implies its value or importance and may include its vulnerability [ISO/IEC 7498-2].

Sensitivity Label

Security labels which support data confidentiality models, like the Bell and LaPadula model. The sensitivity label tells the amount of damage that will result from the disclosure of the data and also indicates which measures the data requires for protection from disclosure. The amount of damage that results from unauthorized disclosure depends on who obtains the data; the sensitivity label should reflect the worst case [IETF RFC 1457].

Share with Protections

Share with Protections is an information exchange paradigm that refers to an ecosystem where sharing of information is encouraged and enabled by:

  • communicating policies and handling instructions via security labels,
  • continuous end-to-end protections, and
  • overarching trust agreements between senders and receivers.

The core concepts are:

  • Senders and receivers establish a broad trust relationship by agreeing on, and ensuring a mutual understanding of, machine-readable standards-based security labels,
  • Senders apply standards-based security labels to shared data to indicate its relative sensitivity and any handling instructions, and
  • Recipients honor, retain, and enforce senders’ security labels (in addition to all other local policy requirements).

See the “Share with Protections” project page.

Tag Set Name

Numeric identifier associated with a set of security tags [NIST FIPS PUB 188].

Target

A target is an IT resource subject to access control [Ford].

Target Label

See Security Label.

Trust Contract

Sets of rules followed by the parties involved for achieving interoperability [ISO 22600-2].

Trust Framework

Policy that rules the behavior of a system. The Trust Framework facilitates trustworthy co-operation between domains by defining a common set of security and privacy policies that applies to all collaborating entities, derived from the relevant domain-specific policies across all of those policy domains [ISO 22600-2].

Trustmark

Trustmarks are a visual indication that a service provider is compliant with a federation’s requirements. Trustmarks comprise a very specific subset of compliance marks. In addition to being electronically verifiable, these logos or seals are backed by rigorous third-party validation, assessment, or auditing. Certification of conformance and associated trustmarks may be issued by the assessor, the federation, or a separate certifying body on behalf of the federation. The key point is that certification trustmarks result from independent third-party assessments and both the assessing and the certifying organizations stand behind the certifications with their own brand name and reputation. Therefore, trustmarks serve as a reliable and high-assurance means to convey compliance with federation rules [NISTIR 8149].

References:

  • [GWU] Melissa M. Goldstein, JD, et al., Data Segmentation in Electronic Health Information Exchange: Policy Considerations and Analysis, George Washington University Medical Center, September 29, 2010.
  • [Ford] Warwick Ford, Computer Communications Security, Prentice Hall, ISBN 0-13-799453-2, 1994.
  • [Sandhu] Ravi S. Sandhu, “Lattice-based access control models,” IEEE Computer 26 (11): 9–19, 1993. doi:10.1109/2.241422
  • [Simmhan] Yogesh L. Simmhan et al., “A survey of data provenance in e-science,” ACM SIGMOD Record, Volume 34, Issue 3, pp. 31–36, ACM, New York, NY, USA, September 2005.