• Tidak ada hasil yang ditemukan

Establishing Blockchain Policy for EHRs

Dalam dokumen College of Information Technology (Halaman 46-57)

29

30

Table 2: Blockchain Policy for EHRs (Continued)

Statements

• The health management entity, which is represented by MOHAP, DOH, DHA, and EHS, acts as a trusted authority who is in charge of all

healthcare entities according to government regulations. They are responsible for healthcare entities and patients' identity authentication before joining the consortium Blockchain.

• DOH, DHA, and EHS must follow all the standards, policies, and regulations made by MOHAP.

• MOHAP should:

1. The unified policies should be communicated to all healthcare entities on the Blockchain.

2. Ensure compliance with this policy and all other policies, standards, and guidelines related to the management of EHRs.

3. Develop and oversee the implementation of further policies, standards, and guidelines as necessary.

4. Provide access once authorization procedures have been completed by the relevant healthcare entities.

5. Continuously improve related regulatory and compliance frameworks.

6. Perform periodic audits of healthcare facilities to ensure compliance with all relevant laws and policies.

7. Maintain and update a list of the healthcare entities identities regularly.

• Healthcare entities:

1. All entities shall establish and agree on a process to define the data type that will be stored on the Blockchain along with the data’s ownership responsibilities.

31 Table 2: Blockchain Policy for EHRs (Continued)

Statements

1.1. Define the data type, taking into consideration the patient's personal data as defined by established international

standards/regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPPA).

2. Actively participate in meaningful EHRs exchanges once connected to the Blockchain network.

3. Implementing and supporting the necessary infrastructure to connect to the Blockchain network, including hardware and software.

4. Each healthcare entity should regularly conduct a full-scope vulnerability assessment and penetration test on the Blockchain.

5. Each entity should comply with all relevant EHR management requirements and responsibilities outlined in this policy.

6. The underlying infrastructure (physical and logical components) of the Blockchain should be protected by all healthcare entities.

7. Each healthcare entity should continuously monitor the

Blockchain, as well as its components, applications, software, communications, the data and its flow, etc.

8. Each healthcare entity should define, develop, and implement a Blockchain incident and event management process, including planning, detection and analysis, containment, eradication, and recovery.

8.1. In case of any access violations and/or malicious transaction, release the incident report in line with the approved Information Security Incident Management Policy.

32

Table 2: Blockchain Policy for EHRs (Continued)

Statements

9. Each healthcare entity should regularly review and assess the effectiveness of the statements mentioned in this proposed Blockchain-based policy by, but not limited to, performing security controls assessments, auditing the relevant business processes and/or procedures, etc.

10. All healthcare entities should secure the data during creation, receipt, storage, processing, transmission, disposal, etc.

I. Blockchain

1. Identifying all participating entities and their roles within the Blockchain network-based management of EHRs.

2. All entities should agree on the policies and standards that should be followed and adhered to.

3. Employees, trainees, and anyone else over whom the entity has direct authority must be trained on the entity's privacy policies and procedures as required and appropriate for them to carry out their jobs duties and responsibilities.

4. For the management of EHRs, clear policies and processes should be developed and properly implemented.

5. The policies and procedures must be reasonable in design,

considering the volume of EHRs data, the scope of operations, the type of institution, the operating model (multiple sites), and the types of activities linked to EHRs, as well as applicable laws and regulations.

6. The policies must be communicated to all users of the Blockchain network by the participating entities.

7. Agreements of understanding should be in place where data is periodically exchanged among entities to ensure patients’

continuity of care.

8. Entities must decide what and how to handle United Arab Emirates national and expatriate patients' EHRs.

33 Table 2: Blockchain Policy for EHRs (Continued)

Statements

9. For the management of EHRs, including their creation, usage, archiving, sharing, and destruction, all entities should train personnel adequately and offer updated training regularly.

10. Establish and maintain the relevant documentation for processes and procedures related to the EHR's lifecycle in a Blockchain network, creating, storing, using, archiving, and destroying EHR.

11. Each entity must identify and document the system/service's owners or operators, as well as their roles and responsibilities.

12. Each entity must ensure that the level of access granted is appropriate to the roles and responsibilities of authorized users using a Role-Based Access Policy.

12.1. While providing or processing EHRs, each entity should have effective controls to restrict access to any data by following the concepts of "need to know" and "minimum necessary."

12.2. Assign, reassign, validate, and/or remove user privileges based on the user role and responsibility requirements.

13. Data access controls, such as security controls, authorization rules, access duration, and access scope, should all be in place.

14. Each entity should perform full scope vulnerability assessment and penetration testing regularly.

15. Proof of Authority is the consensus mechanism that will be used.

II. Smart Contract:

1. Each healthcare entity's user role and responsibilities for smart contract access should be defined, along with a predefined and approved access control list.

2. Access control is managed and updated via smart contracts whenever access is granted or denied.

3. Develop a process for defining, controlling, and monitoring the access to the smart contract, including other interactions with relevant processes and/or applications.

34

Table 2: Blockchain Policy for EHRs (Continued)

Statements

4. The smart contract code should be tested, examined, and audited by each healthcare entity.

4.1. Should be tested and audited against legal considerations, security vulnerabilities, bugs, and flaws.

III. Blockchain Network:

1. The entities should agree on a publication rate for the blocks in the Blockchain network.

2. The entities should establish a process for testing, monitoring, and evaluating the publication rate of a block, and adjust the rate if required.

3. An agreement between the entities on the block validation process of the Blockchain network-based management of EHRs.

4. A mechanism should be defined for how new blocks are published to all nodes in all the entities involved in the

consortium Blockchain network.

5. A mechanism should be specified to define communication between nodes from different Blockchain networks (inter- Blockchains) will take place.

6. Each entity must validate the identity of the requesting entity before accepting the transaction.

7. Each entity should keep a close eye on the Blockchain, as well as its different applications, software, communications, and

communication links, along with the data flow.

8. Specify which cryptographic functions will be used.

9. Specify the block component with respect to the maximum size of the block, transaction, and data.

IV. Electronic Health Records:

Each entity must document how EHRs are stored, classified, and processed following applicable laws and regulations.

35 Table 2: Blockchain Policy for EHRs (Continued)

Statements

1. Create data:

1.1. Each entity should designate who oversees creating EHRs.

1.2. Patient’s EHRs should be unique, information should include but not limited to:

1.2.1. Unique patient’s identifiers (full name, emirate ID number, DoB, and address).

1.2.2. A unique identifier for each EHR.

1.2.3. The patient’s history includes information such as illness, medication allergies, family history of illnesses, current and prior symptoms, past medical history, and physical examination.

1.2.4. Laboratory and radiology reports.

1.2.5. All medical and surgical care and treatment must be documented and signed by the attending physician.

1.2.6. Progress notes for all disciplines.

1.2.7. Vaccination/immunization records.

1.3. The healthcare professional is responsible for flagging a patient's EHR, denoting any medication allergies, or any special information or needs such as blindness, disability, etc.

2. Store data:

2.1. No entity is permitted to store EHRs outside the United Arab Emirates that are related to health services provided, except in cases where an exception to do so is issued.

3. Use of data:

3.1. No entity is permitted to build EHRs outside the United Arab Emirates that are related to health services provided, except in cases where an exception to do so is issued.

36

Table 2: Blockchain Policy for EHRs (Continued)

Statements

3.2. EHRs must be used for purposes that are strictly confined to clinical treatment, operations, and other related medical uses, as permitted by applicable laws and this policy.

3.3. Patients should have the ability to selectively share their EHRs with entities (such as hospitals, health care

providers, and others) as needed.

3.4. Each entity must develop and implement policies and procedures that restrict access and uses of EHRs based on the specific roles of their staff, trainees, e.g., to carry out their duties.

3.5. If any changes, corrections, or other modifications are made to any part of the patient's EHRs, the healthcare professional must include the needed explanation, which must be approved by the health authority, with the

correction or other alteration in the EHR; otherwise, it will be deemed unethical and may result in legal action.

3.6. All necessary precautions must be taken to prevent EHRs misuse.

3.7. Data cannot be used for non-health activities/purposes.

4. Sharing of data:

4.1. No entity is permitted to share or transfer EHRs outside the United Arab Emirates that is related to health services provided, except in cases where an exception to do so is issued.

4.2. EHRs must be shared for purposes that are strictly confined to clinical treatment, operations, and other related medical uses, as permitted by applicable laws and this policy.

37 Table 2: Blockchain Policy for EHRs (Continued)

Statements

4.3. All necessary precautions must be taken to prevent unauthorized EHR disclosure.

4.4. All healthcare entities must be able to share information with other entities in the same Health Information System;

for instance, in the emirate of Abu Dhabi, all healthcare entities should fall under the DOH, through which they can view EHRs.

4.5. A healthcare entity needs a process to respond to the EHR's access requests.

4.5.1. Each healthcare entity should validate and confirm the requesting entity's identification before responding.

4.5.2. Each healthcare entity should develop a procedure and ensure that EHR sharing, and access rights are

assigned based on roles.

5. Archive data:

5.1. Each entity should identify staff responsible for EHRs archiving.

6. Destruction of data:

6.1. Each entity should identify staff responsible for EHRs destruction.

6.2. Entities shall maintain EHRs as per the data retention period of 25 years mandated by “The use of Information Technology and Telecommunication in the Healthcare field” (Federal Law no. 2, 2019).

6.3. Entities shall have a process to anonymize/secure disposal of EHRs based personal data once it has crossed its

retention date.

6.4. Original EHRs may be destroyed only when their age exceeds the retention period.

38

Table 2: Blockchain Policy for EHRs (Continued)

Statements

6.5. Procedures should be established for notifying patients whose original EHRs are to be destroyed before

undertaking destruction.

6.6. 6.6. EHR must not be kept for a longer period of time than the stated retention time unless justified business or legal reasons exist.

6.7. 6.7. The destruction of data will be processed through hard fork.

6.7.1. A new source code should be developed for a new fork (new Blockchain).

6.7.2. All the entities should agree on the new rules and on what comprises a legitimate block in the chain.

6.7.3. Entities on the original Blockchain will be moved to the new fork and will be able to continue

verifying where the old fork will be left to die.

Exceptions

1. EHRs must be used for purposes that are strictly confined to clinical treatment, operations, and other related medical uses, except:

1.1. With patient’s consent.

2. Exchanging and circulating patients' EHRs in the following cases is allowed:

2.1. The purposes of scientific and clinical research provided that the patient's identity is not disclosed and that the ethics and rules of scientific research are followed.

2.2. The goal of public health preventive and curative measures to protect the health and safety of patients and anyone else who comes into contact with them.

39 Table 2: Blockchain Policy for EHRs (Continued)

Exceptions

2.3. At the request of the judicial authorities (Court Orders, Court-Ordered Warrants and Subpoenas).

2.4. At the request of the patients.

2.5. At the request of the health authority for inspection, supervision, and protection of public health.

3. Exception cases—to create, use, and share the data—must be issued by the health authority of the emirate (DOH, DHA, and EHS) in coordination with the Ministry of Health and Prevention.

40

Dalam dokumen College of Information Technology (Halaman 46-57)
Unduh sekarang "College of Information..."

Garis besar

Dokumen terkait