Dear colleagues,

If we want to secure privacy at the very detailed XML-element level then we
might need something like Secure-XML. This product is developed in Holland by
TNO. Unfortunately it is not an open-source product. And using it will require
a database that stores information in XML documents.

Gerard

|-----Original Message-----
|From: Thomas Beale [mailto:[EMAIL PROTECTED]]
|Sent: Thursday 28 September 2000 14:58
|To: [EMAIL PROTECTED]
|Subject: Re: Principles of health care system security.
|
|
|
|
|Horst Herb wrote:
|
|> > But if EHRs are to be moved about we need to publish the security model
|> > in a form that consumers can comprehend and be sure who is going to have
|> > access to what parts of their EHR and under what circumstances.
|> >
|> > Just saying it is too hard will not suffice.
|>
|> I believe that ultimately there will be no other way than the way gnumed
|> implements access regulation: arbitrary encryption at column level. The
|> patient or the doctor can decide at any time which fraction of information
|> shall be restricted in access. Algorithms have to be implemented as
|> plug-ins, as virtually all cryptographic algorithms have only limited "life
|> span".
|>
|> Horst
|
|I don't want to sound too critical here, since you are probably way ahead of
|the field in implementation terms, but there is a problem with this. Clinical
|information is like any other non-trivial information - complex and
|interrelated. If I ask for the fact that I have HIV to be suppressed, what
|column is this in, and what else gets suppressed? And someone has to remember
|to suppress the AZT and/or other indicative medication entries. But
|presumably, we can't just suppress "current medications" column(s), since
|that would wipe out a lot of things.
|
|To selectively encrypt information will require something quite smart, which
|operates at the level of clinical concepts such as "problems", not database
|columns or object fields.
|
|The best approach we can see in GEHR is to do access control on a
|per-transaction basis. This results in exposing/hiding information in logical
|packets which correspond to the lumps in which the information was added to
|the record. So suppressing HIV/AIDS items might be possible at least, since a
|different set of transactions is likely to relate to this than to other
|unrelated problems (although HIV might be a bad example, if everything ends
|up "related"!).
|
|In either case, even if we succeed in hiding HIV & AZT from all but intended
|recipients (treating physicians perhaps) we may not stop other physicians
|guessing from other history that I in fact have full-blown AIDS. It may then
|be a case of allowing my whole EHR to be visible only to those people on the
|most restrictive access list.
|
|This perhaps extreme example could easily be applied in other areas, where
|patients could feel stigmatised, e.g. diagnoses & treatments for mental health
|conditions, sexual abuse, etc, so I think the underlying problem does need to
|be addressed.
|
|(Francois Mitterrand famously kept his cancer secret in order not to raise
|doubts about his continued presidency in France.)
|
|- thomas beale
|
|
|--
|..............................................................
|Deep Thought Informatics Pty Ltd
| Information and Knowledge Systems Engineering
|phone: +61 7 5439 9405
|mailto:[EMAIL PROTECTED]
|Health Informatics - http://www.gehr.org/
|Community Informatics -
|http://www.deepthought.com.au/ci/rii/Output/mainTOC.html
|..............................................................
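An added illustration of the column-level versus per-transaction distinction argued over in this thread (example code written for this page; it is not gnumed, GEHR or Secure-XML code). A constructed two-contribution record is sealed once by column and once by transaction, and the check asks what a reader without the key can still see in clear. The cipher is a standard-library stand-in (SHA-256 keystream plus HMAC tag) registered through a plug-in table in the spirit of Horst's point about replaceable algorithms; a real deployment would register an AEAD such as AES-GCM under that name instead. The function names, the sample record and the key are all assumptions of this example; the same two granularities apply equally to XML elements and to database columns.

```python
"""Selective EHR encryption at two granularities: column vs. transaction.

Added example (not gnumed, GEHR or Secure-XML code). Standard library only;
the cipher is a SHA-256 CTR + HMAC stand-in registered through a plug-in
table so a real AEAD (e.g. AES-GCM) could replace it by name.
"""
import hashlib
import hmac
import json
import os

CIPHERS = {}  # cipher name -> implementation ("algorithms as plug-ins")


def register(name):
    def deco(cls):
        CIPHERS[name] = cls
        return cls
    return deco


@register("hash-ctr-hmac")
class HashCtrHmac:
    """Encrypt-then-MAC stand-in: SHA-256 keystream, HMAC-SHA256 tag."""

    @staticmethod
    def _stream(key, nonce, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    @classmethod
    def encrypt(cls, key, plaintext):
        nonce = os.urandom(16)
        ks = cls._stream(key, nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        tag = hmac.new(key, nonce + ct, "sha256").digest()
        return nonce + ct + tag  # nonce || ciphertext || 32-byte tag

    @classmethod
    def decrypt(cls, key, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
            raise ValueError("authentication failed")
        return bytes(a ^ b for a, b in zip(ct, cls._stream(key, nonce, len(ct))))


# Constructed sample record (not real patient data): one contribution from an
# HIV clinic visit and one from an unrelated GP visit.
RECORD = [
    {"id": "tx-1", "entries": [
        {"problem": "HIV infection", "diagnosis": "HIV", "medication": "AZT"}]},
    {"id": "tx-2", "entries": [
        {"problem": "hypertension", "diagnosis": "essential hypertension",
         "medication": "lisinopril"}]},
]
KEY = os.urandom(32)  # held only by people on the most restrictive access list


def _seal(cipher, key, data):
    return {"enc": cipher, "blob": CIPHERS[cipher].encrypt(key, data).hex()}


def seal_columns(record, columns, key, cipher="hash-ctr-hmac"):
    """Column-level policy: encrypt only the named fields of every entry."""
    out = []
    for tx in record:
        entries = []
        for e in tx["entries"]:
            e = dict(e)
            for col in columns:
                if col in e:
                    e[col] = _seal(cipher, key, e[col].encode())
            entries.append(e)
        out.append({"id": tx["id"], "entries": entries})
    return out


def seal_transactions(record, restricted_ids, key, cipher="hash-ctr-hmac"):
    """Transaction-level policy: encrypt whole contributions by id."""
    return [{"id": tx["id"], **_seal(cipher, key, json.dumps(tx["entries"]).encode())}
            if tx["id"] in restricted_ids else tx for tx in record]


def open_transaction(sealed_tx, key):
    """Authorised-reader path; raises ValueError if the blob was tampered with."""
    plain = CIPHERS[sealed_tx["enc"]].decrypt(key, bytes.fromhex(sealed_tx["blob"]))
    return json.loads(plain.decode())


def leaks(sealed, term):
    """True if a reader *without* the key still sees `term` in clear."""
    return term in json.dumps(sealed)  # hex blobs are opaque, plain strings are not


def demo():
    by_col = seal_columns(RECORD, ["problem", "diagnosis"], KEY)
    by_tx = seal_transactions(RECORD, {"tx-1"}, KEY)
    return {
        "column_hides_HIV": not leaks(by_col, "HIV"),
        "column_leaks_AZT": leaks(by_col, "AZT"),  # the objection in the thread
        "tx_hides_HIV": not leaks(by_tx, "HIV"),
        "tx_hides_AZT": not leaks(by_tx, "AZT"),
        "tx_keeps_unrelated": leaks(by_tx, "lisinopril"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry of `demo()` comes out True: encrypting the "problem" and "diagnosis" columns hides the word HIV but leaves AZT readable, while sealing the whole tx-1 contribution hides both and leaves the unrelated tx-2 untouched. The blob carries the cipher name so that a record sealed today can still be opened after the algorithm plug-in has been replaced, which is the "limited life span" concern; the HMAC tag makes silent modification of a sealed packet detectable.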

