Gavin Brelstaff wrote:

> Thomas Beale wrote:
>
>> A well known study in Harvard medical school (I think) showed that
>> putting the message "Do not inappropriately access patient data - all
>> your accesses are being logged" on clinician screens a few times a
>> day resulted in a drop to near 0 of inappropriate access. No other
>> technology was used
>> - thomas
>
> There must be a downside to doing that too - discouraging access by those
> who have urgent need while being undertrained on the system - it would
> sure scare me off - and that would effectively reduce medic-medic
> communication rather than promote it. Sure security is important
> but don't forget it is always compromise [Bruce Schneier].
I actually suspect the key to this is: whatever the security measures, we must assume that someday, one day, health data of you or me, or a politician or an actress will be hacked and sent to the Mirror or Sun (gutter tabloid press in Britain, for US readers!), or simply posted on a website. What will be the acceptable costs of preventative measures against this? When it happens, what will be the acceptable outcome?

For the latter: it has to be at least that perpetrators' accesses were logged (assuming they weren't so smart that they bypassed logging and all other access detection systems); it has to be that the victim is informed of the information theft; and there have to be legislative measures which are severe enough that stories do not get published in the Mirror or on the web. Stopping a story in a newspaper is possible in most countries; stopping the posting of information on the web is going to be much harder, but if the identities of the information thieves can be logged, then something can be done. Perhaps "publishing another's health record" can be made so severe a crime that it just isn't worth it for some would-be hackers?

That leaves us with hackers with personal or particular motives, e.g. insurance companies, private investigators, family members, political parties... Again, it seems to me that the greatest deterrent to actually using stolen health information is the sure knowledge that your illegal accesses were logged somehow, not that you were prevented getting in in the first place; then you know that any use you make of the information, once detected, will lead to severe action.

- thomas beale