Dear Bill,

> "Is a biologically-based security model
> fundamentally better aligned with the needs of an information system about
> biological entities than alternative models?"

The view we developed when working on the ISO/TC215 access proposal (1.) was
that ownership was itself a cultural concept, and one extreme of a spectrum
of reciprocal relationships between rights and obligations. Pure ownership
is all rights and no obligations, which is scarcely achievable. It would
imply, for example, the right to destroy records, which would probably be
denied even where the paradigm of individual autonomy reigns supreme.

We suggested that there was no interoperability without an access control
mechanism being shared (how can you interoperate if you can't access?),
which was why we went for an actual technique for access control, which
developed into the CDA 'detachable headers' concept in the later paper to
which you refer at the foot of this mail. The crucial components of this
idea are that:

- 'Role for access' be part of a culture-defined 'set' of roles, recognized
within a jurisdiction, and that these role sets and their access rules
change within and between jurisdictions.
- There would be a basic 'unit' of healthcare information which we called the
'attestable unit'. Later we learnt that the CDA was just such a unit.
- The header should contain 'role for access' (the role needed to access
that attestable unit).
- The header should be stored separately from the body, and should act as a
pointer to it when 'activated' by an appropriate search.

- Later we found that the CDA already had 'sections' to which different
access levels could apply. The culture-defined (and dynamic) role set within
a jurisdiction could connect in to a finite set of options within a finite
structure, the CDA. The immunoglobulin (biological) metaphor seems very apt
('Gaia immunology').

The audit trails of access are built in to the concept, since the data stays
put on the server, which also collects an audit trail of 'hits', but the
device itself, the CDA and its bifunctional structure, are shared.

Thanks again for your interest.

Regards

Mike Mair

1. 'Access to Electronic Health Records', NZ access proposal to ISO/TC 215
Current Work Item Proposals. Available from: user name 'wg1', password
'berlin'. NB Section 3.2 had different authoring and contains conclusions
that are inconsistent with the other sections (the work item is not current
at this time). http://www.health.nsw.gov.au/iasd/imcs/iso-215/areas/atehr2000.pdf


----- Original Message -----
From: "Bill Walton" <bill.wal...@jstats.com>
To: <openehr-technical at openehr.org>
Sent: Tuesday, April 29, 2003 9:33 AM
Subject: Re: openEHR security


> Hi Thomas,
>
> Thomas Beale wrote:
>
>
> /snip/
>
> > So. What do we know?
> > - role-based access control is required. To make it work properly in a
> > shared care community context (e.g. a hospital, 50 GPs, aged care homes,
> > nursing care, social workers etc etc) then the roles need to be defined
> > congruently. I seem to remember some Canadian project coming to the
> > conclusion that really the roles need to be defined the same across the
> > entire (national) health care system. I think this is both correct and a
> > the same time unrealistic.
>
> With all due respect, Thomas, if it's unrealistic then, IMO, it can't be
> correct.  (Pragmatism R Us ;-) )
>
> I'd like to offer food for thought.  The fundamental assumption at work here
> seems to be that care givers will access the same system, thus driving the
> need for all users of the system to be assigned roles that are defined
> congruently.  Let's consider an alternative model.
>
> When I travel from the U.S. to the U.K., I (the physical being) move from
> one socio-cultural-legal model to another.  That does not change who / what
> I am, but it does change my behavior because I operate under a different set
> of norms and mores in the new environment.  I accept new forms of
> interaction and find that familiar forms are no longer available.
>
> Why should it be any different for the information about me than it is for
> me?
>
> If we work from a perspective that posits that health information will move
> from system to system and be used / modified based on the rule sets in place
> within the various systems, does that make the problem more amenable to
> solution?
>
> > I think we will be able to find ways of
> > having diversely defined roles without every health care facility having
> > incompatible definitions of "consultant", "treating physician" etc.
> > Bernd's work on this area is pretty detailed.
>
> I thank Bernd for opening my eyes to what should have been obvious to me at
> a much earlier stage.  The security problem with EHR systems is
> fundamentally the same problem faced in OLAP databases.  Or perhaps I should
> say that it's the OLAP security problem with a twist.  At least OLAP
> databases are typically confined to one environment / business.  It's clear
> that the EHR problem is more difficult in that EHR's must, IMO, be capable
> of moving between environments.  Perhaps, by requiring a more generalized
> solution, the EHR problem will actually be easier to solve.
>
> I don't know if you've checked out Mike Mair's paper but it implicitly poses
> a very interesting question.  "Is a biologically-based security model
> fundamentally better aligned with the needs of an information system about
> biological entities than alternative models?"  I'm hopeful the list will
> have some comments on Mike's paper.  I think the question is worth some
> thought / discussion.
>
> /snip/
>
> Best regards,
> Bill
>
> -
> If you have any questions about using this list,
> please send a message to d.lloyd at openehr.org
>
