Patient with Lab and Referral Use Case: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
Line 22: Line 22:


==Scenarios==
==Scenarios==
Scenario: Consumer signs into supplier and has never purchased liquor from this site.
Primary Scenario:
#Consumer selects to purchase liquor item
#Patient schedules an appointment with primary care physician and is authenticated at the front desk.
#Supplier asks user for over 21 proof with a nonce.
#Patient see doctor, is reauthenticated and explains symptoms.
#Consumer sends verifiable claim of over 21 they acquired from verifier.
#Doctor schedules a lab test for a sensitive condition
#Supplier asks verifier for proof. (This would be by redirect to verifier through user browser)
#The patient is given a consent receipt that tells the patient the labs trusted identity and adherence with the trust registry conditions for handling patient records.
#Verifier supplies validated claim (or statement of non-revocation) bound to nonce by redirect to Supplier, if this VC is bound to the user’s session with supplier, it can have a lifetime of the duration of bound session.
#The patient positively gives consent consonant with the receipt by signing a copy and returning to the doctors practice.
#Monetization is by direct micro payment (on the order of $.05) from supplier to verifier.
#The patient goes to the lab which gives a trusted identifier to the patient.
 
#The patient is authenticated and given the test.
 
#The lab has consent and so passes the patient data to the doctor's practice.
Alternative Paths:
#The doctor asks for patient consent to schedule further diagnostics with a doctor in a different practice.
#Consumer selects to purchase liquor item.
#The patient can evaluate that other practice with respect to competence and compliance with appropriate privacy practices.
#Supplier asks user for over 21 proof with a nonce.
#The patient gives consent, schedules a consultation and the lab results are passed to the other practice.
#Consumer asks verifier directly for proof with nonce from Supplier.
#The patient receives a consent receipt from the primary doctor as to the transfer of health records to that other practice
#Verifier asks consumer to enter token for proof of presence.
#Verifier send validated claim with nonce of supplier with short expiration time (10-20 mins - alternate life time of duration of session).
#Consumer sends verified claim to supplier.
#Monetization is by advertising from verifier to consumer.
 
A different path using biometrics:
 
#Yoti, a London-based startup which wants to become the “world’s trusted identity platform”, is one of many attempts to provide such a service. Its system stores government id documents and biometrics. If a user wants to buy a bottle of wine at a supermarket self-check-out and needs to prove their age, they scan a qr code and take a selfie using Yoti’s app. The retailer can be sure of their age, but no one has seen their name or nationality. From the Financial Times.
 
Failed Paths:
#User does not get verified claim for some reason.
#Verified claims fails validation at supplier.


==Results==
==Results==

Revision as of 20:56, 1 February 2019

Full Title of Use Case

Patient at private care provider is given a lab test which results to a referral to a different practice.

Context

To provide good assurance that a patient data is kept as private as possible consistent with quality health care.

Goal

The patient in the very near future has full capability to exercise their right to participate in the care plan and see who has access to their medical records.

Actors

  1. Patient
  2. Provider of patient's general health care
  3. Lab to perform test on patient sample
  4. Provider of specialized services related to patient diagnosis

Preconditions

  1. The patient is "known to the practice" where general health care is provided.
  2. A trust registry exists which the patient knows and trusts.
  3. The providers of health care and lab services present the patient with a trusted identity which confirms that they subscribe to the privacy regulations of the trust provider.

An optional condition would be for the patient to have a trusted identity in cyberspace that can be used to access their health records at any of their care providers.

Scenarios

Primary Scenario:

  1. Patient schedules an appointment with primary care physician and is authenticated at the front desk.
  2. Patient see doctor, is reauthenticated and explains symptoms.
  3. Doctor schedules a lab test for a sensitive condition
  4. The patient is given a consent receipt that tells the patient the labs trusted identity and adherence with the trust registry conditions for handling patient records.
  5. The patient positively gives consent consonant with the receipt by signing a copy and returning to the doctors practice.
  6. The patient goes to the lab which gives a trusted identifier to the patient.
  7. The patient is authenticated and given the test.
  8. The lab has consent and so passes the patient data to the doctor's practice.
  9. The doctor asks for patient consent to schedule further diagnostics with a doctor in a different practice.
  10. The patient can evaluate that other practice with respect to competence and compliance with appropriate privacy practices.
  11. The patient gives consent, schedules a consultation and the lab results are passed to the other practice.
  12. The patient receives a consent receipt from the primary doctor as to the transfer of health records to that other practice

Results

Accepted Risks:

  1. The consumer is not over-21 and has buddy’s token to enter into computer.
  2. Session hijacking mitigated with HTTPS and session cookies.
  3. MitM attacks mitigated by hardware token bound to origin URL of verifier.
  4. Note that the late binding token could be bound to supplier as well as needed.
  5. The identity of the verifier/validator is discoverable by the supplier.
  6. User makes choices on which attributes are trusted for sharing with the supplier.

Post Condition:

  1. If validation accepted, and consumer completes payment, the restricted goods are shipped to the consumer by the supplier.
  2. Note that at the end of the process of validating the user’s age, the state issued license to sell alcoholic beverages will determine which path to use. The penalty for the supplier using the wrong path is loss of the license to sell alcohol.

Examples:

  1. Late binding token - FIDO U2F token, TEE TPM VSC, etc.
  2. Client side code - javascript in a browser, native app, etc.

Dependencies::

  1. Web Sites must be trusted before any user information is released.
  2. Trust federations can be used to help users make informed decisions.
  3. User consent and trust must begin with no user information transferred.
  4. Standards exist to collect needed attributes where-ever they may be.

Workflow Diagram

TK

References