Glossary of Terms
-
Authentication is the process of verifying the identity of a health consumer (or device) who presents identity credentials and authentication key(s);
-
Authentication Authority is a system entity that provides authentication services to ensure only permitted health consumers (or devices) gain access;
-
Authorisation is the process of verifying that a health consumer (or device) has the right to perform an action and what they are allowed to access;
-
Availability is the ability to minimise API downtime by implementing threat protection;
-
Confidentiality is the ability to ensure information that is sent between health consumers, Applications and Servers is only visible to those authorised to use it;
-
Delegation is when a health consumer authorises another health consumer (or device) to serve as his or her representative for a particular task;
-
Delegated Authorisation is a framework that defines how an owner of a set of resources can grant (delegate) access to a designated health consumer or consuming application to perform actions on some of those resources on the owner’s behalf, but without sharing their credentials;
-
Federation is the process that allows identity credentials to be leveraged and reused across multiple Authentication Authorities for authentication and/or Single Sign On;
-
Integrity is the ability to ensure that information received has not been modified by a third party, also providing non-repudiation services;
-
Personally Identifiable Information is defined in section 7(1) of the Privacy Act 2020 as:
(a) information about an identifiable individual; and
(b) includes information relating to a death that is maintained by the Registrar-General under the Births, Deaths, Marriages, and Relationships Registration Act 2021 or any former Act (as defined in Schedule 1 of that Act).
Individual means a natural person, other than a deceased natural person.
-
Protected Health Information refers to Health Information defined in clauses 3(1) and 4(1) of the Health Information Privacy Code 2020 (HIPC). The code applies to the following information or classes of information about an identifiable individual:
(a) about the health of that individual, including their medical history; or
(b) information about any disabilities that individual has, or has had; or
(c) information about any health services or disability support services that are being provided, or have been provided, to that individual; or
(d) information provided by that individual in connection with the donation, by that individual, of any body part or any bodily substance of that individual or derived from the testing or examination of any body part, or any bodily substance of that individual; or
(e) information about that individual which is collected before or in the course of, and incidental to, the provision of any health service or disability support service to that individual.
Note that for health information, information about deceased individuals is included in the coverage of the Health Information Privacy Code whereas for personal information, information about deceased individuals is not covered by the Information Privacy Principles in the Privacy Act.
-
Provisioning is the automated or manual service for aggregating and correlating identity data resulting in the creation of health consumer (IT) accounts and the delivery of health consumer metadata used by systems to define access policies and controls for services.
-
Threat protection is the service for protecting APIs (at the ingress and egress points of an organisation) from known threats (e.g. the OWASP Top 10) by preventing misuse or loss of availability. Note: Threat protection should also be addressed at the OS hardening level and should be an integral part of the API software development;
-
User Managed Access has been developed to provide a user data delegation model that enables a resource owner to control the authorisation of data sharing and other protected-resource access made between online services on the owner’s behalf or with the owner’s authorisation by an autonomous requesting party;
-
Consent Management is the process that manages the collection of health consumer data, ensuring that the required policies are applied and the required consent has been obtained from the health consumer, allowing the health consumer to understand how the data is used and to be able to opt out if required. This is being driven by many global privacy laws.
-
Zero Trust (ZT) is the term for an evolving set of cybersecurity paradigms that move network defences from static, network-based perimeters to focus on health consumers, assets, and resources. A zero-trust architecture (ZTA) uses zero-trust principles to plan enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or health consumer accounts based solely on their physical or network location.