-
Notifications
You must be signed in to change notification settings - Fork 21
Legal Analysis of Hypothetical Agency Fact Patterns
Listing the legal party (by name) and the UMA role and then the business and/or legal role.
UMA Roles
- Authorizing Party
Agency Law Role(s)
FIPS/Privacy Law Role(s)
UMA Roles
- Authorization Server Operator
Agency Law Role(s)
UMA Roles
- Portal Provider
UMA Roles
- Resource Server Operator:
- Bob's Client Provider:
Agency Law Role(s)
UMA Roles
- Requesting Party
- Client Operator:
Agency Law Role(s)
“negative use case”, growing out of the agency and “RS risk” discussion we’ve been having:
“I, US hospital NYP, have an online service that exposes a FHIR API for electronic medical records. Alice set up policies at her consumer-grade AS Schmoogle, and I accepted outsourcing authorization there. One of her policies said "Share my entire EMR with Dr. Bob at BlueHealth practice using PortalPro client app for an indeterminate period." Dr. Bob requested access to the EMR using PortalPro. The token from the AS told me that it was okay to give access, so I did. But then Alice sued me”.
Basic Potential Legal Questions:
- What are the key legal issues presented by this scenario?
- What legal role(s) and corresponding rules apply to the actions and data of the parties in this scenario?
- What are the potential or probable outcomes if things go wrong (eg: result of enforcement actions, allocation of loss or other dispute resolutions)?
- What advice or other resources for parties seeking to adopt UMA could help them manage legal risks and/or structure legal affairs to expand or create new value?
To prepare for tomorrow's agenda, here is the composite list of real-life examples of negatives. Please read these in the context of a Resource Server holding records for 4.5 Million Alice's and accessible to some 10,000 Bobs:
- Was it really Bob that accessed the resource or someone that Bob shared credentials with in his office?
- Why is it that the Resource Server did not implement a Bob authentication means that would mitigate sharing of credentials by Bob?
- Why was it that Bob's staff member, who is not an employee of the Resource Server institution, could get access even though they were not trained in security practices by the institution?
- Why didn't the Resource Server system notice that Bob had no prior relationship with this particular patient and kick the request out for enhanced audit?
- Why doesn't the Resource Server notify Alice of significant events such as a new Bob in a remote location getting access to her resource?
- Why does the Resource Server depend on an honor code and whistle blowers to detect breaches?
- Why does it take 6 months and 4.5 Million records breached to detect a breach had taken place?
- Why did it take a month for the Resource Server to investigate and respond to Alice's complaint (this escalates the cost of the damages caused by the breach.)
- Was the Resource Server following typical industry practice in managing the security of their system? - The jury said yes :-(