Break The Glass
There is quite a bit of talk about user-centric identity, in particular the use of personas. In such a scenario, a single person would have one core identity and multiple personas, or a variety of claims. There is still quite a bit of debate around the proper definitions of identity, persona and claim, but for this posting let’s agree to the following. A claim is:
- An assembly of information that an owner controls, determining who sees what.
- By its very nature disputed and in doubt, because it is not “a confident and forceful statement of fact or belief” (OED) like an assertion.
- Subject to the seven laws of identity, which are not perfect but provide the only consistent message at this time.
In summary, here is the rough draft of the break the glass scenario:
- An identified patient is admitted to the ER with life threatening injuries.
- The ER doctor present is not the patient’s doctor nor do they have rights to access the patient’s information.
- The patient’s doctor cannot be contacted and the patient is dying. The patient’s family is also unavailable.
- As a result, the ER doctor needs dynamic entitlements to all the information on the injured patient.
- The system needs to automatically assess the risk (governance, compliance, etc.) and release the minimal amount of information for the ER doctor to do his/her job without violating any privacy legislation.
- All interactions must be recorded and a time-to-live must be set on the access to the information.
- All of this needs to be done within minutes; human intervention via a call centre is not an option.
So we have the following challenges in creating a break the glass scenario:
- An ER doctor has many personas: Citizen, ER Doctor, General Practitioner, Patient, etc. Depending on the context, the ER doctor would present a different persona and would be allowed access to different information depending on the persona presented.
- How do we enforce the proper context on the ER doctor? In other words, how do we ensure that the ER doctor only has access to the patient’s information in the context of an emergency or life-saving situation?
- How do we ensure compliance with any regulations, standards, or requirements?
Here is a suggested solution:
In order to allow for a break-the-glass scenario (which is in essence a violation of a policy that was put in place to protect privacy) the following would have to occur:
In advance, a one-time waiver, similar to a donor card but mandatory, would have to be signed or agreed to for a citizen to access healthcare. This waiver would give an authorized emergency medical practitioner reasonable leeway in accessing a patient’s information in the context of an emergency. It would absolve the practitioner, health authority, and government of any legal ramifications of the privacy violation.
More complex access controls would have to be added. For example, certain computers within an ER would be considered a digital subject. This digital subject’s credentials (location, IP, etc.) would have to be provided in addition to the ER doctor’s claims. All of this information would meld together to become the persona or identity claim. Only when all aspects of the merged claim are verified would access to the patient’s medical records be allowed. Such a scenario would prevent an ER doctor from casually accessing patient information from home, a coffee shop, etc. Another example would be a second person who is given the role of verifier; this person would oversee the operation and would have to counter-claim with the ER doctor (think of two keys turned or two buttons pressed simultaneously to launch a missile). There are many other scenarios, but these two should outline the general idea.
A robust and very transparent audit system would have to be implemented to track activity. In fact, the audit system should have the capability to log excessively when an access policy is violated for emergency reasons.
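To make the suggested solution concrete, here is an added example (not code from the original posting) of a policy check that merges the ER doctor’s persona claim, the terminal’s digital-subject claim, a second-person counter-claim and the waiver into one decision, sets a time-to-live on the grant, and logs every claim presented whether or not access is allowed. The terminal names, TTL, record fields and claim kinds are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy inputs (hypothetical names, not from the post).
ER_TERMINALS = {"er-ws-01", "er-ws-02"}  # ER computers acting as digital subjects
EMERGENCY_TTL = timedelta(minutes=30)    # time-to-live on the emergency grant
MINIMAL_RECORD_SET = ("allergies", "blood_type", "current_medications")

@dataclass
class Claim:
    issuer: str  # who asserts it: the doctor, the terminal, the verifier, the waiver registry
    kind: str    # "persona", "terminal", "countersign" or "waiver"
    value: str

@dataclass
class Decision:
    allowed: bool
    reason: str
    fields: tuple = ()                     # record fields the grant covers (minimal set)
    expires_at: Optional[datetime] = None  # when the access lapses
    audit: list = field(default_factory=list)  # verbose trail, kept even on denial

def break_glass(patient_id: str, claims: list, now: datetime) -> Decision:
    """Evaluate a break-the-glass request: every aspect of the merged claim must verify."""
    audit = [f"{now.isoformat()} break-glass requested for patient {patient_id}"]
    audit += [f"claim issuer={c.issuer} kind={c.kind} value={c.value}" for c in claims]
    have = {(c.kind, c.value) for c in claims}
    checks = [  # (condition, reason recorded if it fails)
        (("persona", "ER Doctor") in have, "requester did not present the ER Doctor persona"),
        (any(k == "terminal" and v in ER_TERMINALS for k, v in have), "request not from an ER terminal"),
        (("countersign", patient_id) in have, "no second person countersigned this access"),
        (("waiver", patient_id) in have, "no emergency waiver on file for this patient"),
    ]
    for ok, failure in checks:
        if not ok:  # deny on the first unverified aspect, still logging everything presented
            audit.append(f"DENIED: {failure}")
            return Decision(False, failure, (), None, audit)
    expires = now + EMERGENCY_TTL
    audit.append(f"GRANTED {MINIMAL_RECORD_SET} until {expires.isoformat()}")
    return Decision(True, "all aspects of the merged claim verified", MINIMAL_RECORD_SET, expires, audit)

# Constructed request: every aspect present, so the grant should succeed.
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
def example_claims(patient_id: str) -> list:
    return [Claim("dr-smith", "persona", "ER Doctor"), Claim("er-ws-01", "terminal", "er-ws-01"),
            Claim("nurse-lee", "countersign", patient_id), Claim("waiver-registry", "waiver", patient_id)]

if __name__ == "__main__":
    print("\n".join(break_glass("P-42", example_claims("P-42"), EXAMPLE_NOW).audit))
```

Dropping the terminal claim or substituting a home laptop denies the request, which is the "no casual access from a coffee shop" property the post asks for, while the audit trail still records who asked for what.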