Horst Herb wrote:

> > But if EHRs are to be moved about we need to publish the security model
> > in a form that consumers can comprehend and be sure who is going to have
> > access to what parts of their EHR and under what circumstances.
> >
> > Just saying it is too hard will not suffice.
>
> I believe that ultimately there will be no other way than the way gnumed
> implements access regulation: arbitrary encryption at column level. The
> patient or the doctor can decide at any time which fraction of information
> shall be restricted in access. Algorithms have to be implemented as
> plug-ins, as virtually all cryptographic algorithms have only limited "life
> span".
>
> Horst

I don't want to sound too critical here, since you are probably way ahead of the
field in implementation terms, but there is a problem with this. Clinical
information is like any other non-trivial information - complex and
interrelated. If I ask for the fact that I have HIV to be suppressed, what column
is this in, and what else gets suppressed? And someone has to remember to
suppress the AZT and/or other indicative medication entries. But presumably, we
can't just suppress "current medications" column(s), since that would wipe out a
lot of things.

To selectively encrypt information will require something quite smart, which
operates at the level of clinical concepts such as "problems", not database
columns or object fields.

The best approach we can see in GEHR is to do access control on a
per-transaction basis. This results in exposing/hiding information in logical
packets which correspond to the lumps in which the information was added to the record.
So suppressing HIV/AIDS items might be possible at least, since a different set
of transactions is likely to relate to this than to other unrelated problems
(although HIV might be a bad example, if everything ends up "related"!).

In either case, even if we succeed in hiding HIV & AZT from all but intended
recipients (treating physicians perhaps) we may not stop other physicians
guessing from other history that I in fact have full-blown AIDS. It may then be
a case of allowing my whole EHR to be visible only to those people on the most
restrictive access list.

This perhaps extreme example could easily be applied in other areas, where
patients could feel stigmatised, e.g. diagnoses & treatments for mental health
conditions, sexual abuse, etc, so I think the underlying problem does need to be
addressed.

(Francois Mitterrand famously kept his cancer secret in order not to raise doubts
about his continued presidency in France).

- thomas beale


--
..............................................................
Deep Thought Informatics Pty Ltd
 Information and Knowledge Systems Engineering
phone: +61 7 5439 9405
mailto:[EMAIL PROTECTED]
Health Informatics - http://www.gehr.org/
Community Informatics - http://www.deepthought.com.au/ci/rii/Output/mainTOC.html

..............................................................
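
The contrast drawn in the message above between column-level suppression and per-transaction access control, as an added example that is not part of the original message and is not GEHR or gnumed code. The record layout, role names, function names and sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Transaction:
    """One 'lump' committed to the record, carrying its own access list (assumed model)."""
    txn_id: int
    problem: str          # clinical concept the transaction relates to
    entries: dict         # column name -> value
    readers: frozenset    # roles allowed to see this transaction

# Constructed sample record, not real data.
RECORD = [
    Transaction(1, "asthma", {"diagnosis": "asthma", "medication": "salbutamol"},
                frozenset({"gp", "pharmacist", "hiv_clinic"})),
    Transaction(2, "hiv", {"diagnosis": "HIV"}, frozenset({"hiv_clinic"})),
    Transaction(3, "hiv", {"medication": "AZT"}, frozenset({"hiv_clinic"})),
]

def view_by_transaction(record, role):
    """Per-transaction control: a transaction is shown whole or not at all."""
    return [t for t in record if role in t.readers]

def view_by_column(record, hidden_columns):
    """Column-level suppression: hide the named columns in every transaction."""
    return [{c: v for c, v in t.entries.items() if c not in hidden_columns}
            for t in record]

def visible_values(view):
    """Flatten either kind of view into the set of values a reader can see."""
    rows = [t.entries if isinstance(t, Transaction) else t for t in view]
    return {v for row in rows for v in row.values()}

def whole_record_readers(record):
    """Fallback from the message: expose the whole record only to roles that
    appear on every transaction's list, i.e. the most restrictive access list."""
    return frozenset.intersection(*(t.readers for t in record))

if __name__ == "__main__":
    print("gp, per transaction:", visible_values(view_by_transaction(RECORD, "gp")))
    print("hide diagnosis column:", visible_values(view_by_column(RECORD, {"diagnosis"})))
    print("hide both columns:",
          visible_values(view_by_column(RECORD, {"diagnosis", "medication"})))
    print("whole-record readers:", set(whole_record_readers(RECORD)))
```

Hiding only the diagnosis column still shows AZT, and hiding the medication column as well also removes the unrelated salbutamol entry. Neither view prevents a reader from guessing from the remaining history.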

