> The main issue here is verification of authenticity of digital
> data entry. There must be some mechanism to ensure that every
> entry placed in the EHR must be authenticated by the signatory,
> even if the entry is made by a secretary, DEO or transcriptionist.

A first-step solution might be this:

- writes are tracked (author, timestamp)
- regular clear-text database dumps are taken (say, twice daily); this includes the tracked writes (e.g. audit logs)
- dumps are signed to be authentic by a, say, CMO
- dump hashes are timestamp-signed by non-affiliated third parties (say, digital notary servers provided by medical faculties, etc.)

This is kept for later presentation to a court. It shows proper care and due course (we aim at doing this - and partially already do - in GnuMed).

In a second step writes might not just be tracked but also required to be digitally signed off, which would add non-repudiation to the data in the authenticated dump.

> Audit trails of visits are only to ensure read access by
> authorised agencies.

Even that does not really add any value. IF access occurred it must have occurred with proper credentials (barring bugs in the software). The question is whether those credentials were abused by someone who wasn't supposed to know them or by someone in the know but who wasn't supposed to access that part of the data. One study showed a decrease in the latter when "tracking reads" was announced to the regular users.

Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346

- If you have any questions about using this list, please send a message to d.lloyd at openehr.org
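The first-step procedure sketched in the message above (tracked writes, a periodic clear-text dump that includes the audit log, a signature by the CMO over the dump hash, and a third-party timestamp signature over that hash) as an added example; this is not code from the original message or from GnuMed. It uses Go's standard-library Ed25519 and SHA-256 in place of GPG, keeps the "database" as an in-memory map, and the record names, authors, key holders and times are constructed for illustration. The verification routine is the part a practitioner would actually run before presenting a dump as evidence: it checks that the stored bytes still hash to the notarised value, that the CMO signed that hash, and that the notary signed the hash together with its time.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// WriteEvent is one tracked write: who changed which record to what, and when.
type WriteEvent struct {
	Author    string `json:"author"`
	Timestamp string `json:"timestamp"`
	Record    string `json:"record"`
	Value     string `json:"value"`
}

// Dump is the periodic clear-text snapshot: current records plus the audit log.
type Dump struct {
	TakenAt string            `json:"taken_at"`
	Records map[string]string `json:"records"`
	Audit   []WriteEvent      `json:"audit"`
}

// NotaryToken is what an independent timestamp service hands back for a dump hash:
// the hash it saw, the time it saw it, and its signature binding the two together.
type NotaryToken struct {
	HashHex string
	Time    string
	Sig     []byte
}

// EHR is a constructed toy record store; every write is appended to its audit log.
type EHR struct {
	records map[string]string
	audit   []WriteEvent
}

func NewEHR() *EHR { return &EHR{records: map[string]string{}} }

func (e *EHR) Write(author, record, value string, at time.Time) {
	e.records[record] = value
	e.audit = append(e.audit, WriteEvent{Author: author, Timestamp: at.UTC().Format(time.RFC3339), Record: record, Value: value})
}

// TakeDump serialises records and audit log. json.Marshal sorts map keys,
// so the same state always yields the same bytes and therefore the same hash.
func (e *EHR) TakeDump(at time.Time) ([]byte, error) {
	return json.Marshal(Dump{TakenAt: at.UTC().Format(time.RFC3339), Records: e.records, Audit: e.audit})
}

func DumpHash(dump []byte) []byte { h := sha256.Sum256(dump); return h[:] }

// SignDump: the CMO signs the dump's hash, vouching that this snapshot is authentic.
func SignDump(cmoKey ed25519.PrivateKey, dump []byte) []byte {
	return ed25519.Sign(cmoKey, DumpHash(dump))
}

// Notarise: the third party never sees patient data, only the hash; it binds that hash to a time.
func Notarise(notaryKey ed25519.PrivateKey, hash []byte, at time.Time) NotaryToken {
	t := NotaryToken{HashHex: hex.EncodeToString(hash), Time: at.UTC().Format(time.RFC3339)}
	t.Sig = ed25519.Sign(notaryKey, []byte(t.HashHex+"|"+t.Time))
	return t
}

// VerifyDump checks the whole chain: bytes -> hash -> CMO signature -> notary timestamp.
func VerifyDump(cmoPub, notaryPub ed25519.PublicKey, dump, cmoSig []byte, tok NotaryToken) error {
	hash := DumpHash(dump)
	if hex.EncodeToString(hash) != tok.HashHex {
		return fmt.Errorf("dump bytes do not match the notarised hash")
	}
	if !ed25519.Verify(cmoPub, hash, cmoSig) {
		return fmt.Errorf("CMO signature invalid")
	}
	if !ed25519.Verify(notaryPub, []byte(tok.HashHex+"|"+tok.Time), tok.Sig) {
		return fmt.Errorf("notary timestamp signature invalid")
	}
	return nil
}

// Demo runs the procedure end to end and reports whether the untouched dump verifies
// and whether a dump altered after notarisation is rejected.
func Demo() (intact bool, tamperedRejected bool, err error) {
	cmoPub, cmoKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	notaryPub, notaryKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	ehr := NewEHR()
	t0 := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC) // constructed sample times
	ehr.Write("secretary:jdoe", "patient42/allergy", "penicillin", t0)
	ehr.Write("dr:example", "patient42/diagnosis", "tonsillitis", t0.Add(10*time.Minute))

	dump, err := ehr.TakeDump(t0.Add(3 * time.Hour))
	if err != nil {
		return
	}
	cmoSig := SignDump(cmoKey, dump)
	tok := Notarise(notaryKey, DumpHash(dump), t0.Add(3*time.Hour+time.Minute))
	intact = VerifyDump(cmoPub, notaryPub, dump, cmoSig, tok) == nil

	// A stored dump edited after the fact (the allergy entry changed) must no longer verify.
	tampered := bytes.ReplaceAll(dump, []byte("penicillin"), []byte("none"))
	tamperedRejected = VerifyDump(cmoPub, notaryPub, tampered, cmoSig, tok) != nil
	return
}

func main() {
	intact, rejected, err := Demo()
	fmt.Println("original dump verifies:", intact, "| tampered dump rejected:", rejected, "| err:", err)
}
```

The notary only ever receives the hash, which is what lets an unaffiliated party timestamp the dump without being given access to patient data. The "second step" from the message (non-repudiation per write) would sign each WriteEvent the same way, with the author's own key rather than the CMO's, and store the signature alongside the event in the audit log.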