Sam Heard wrote:
>
> But if EHRs are to be moved about we need to publish the security model
> in a form that consumers can comprehend and be sure who is going to have
> access to what parts of their EHR and under what circumstances.
>
The approach that my security researcher colleagues prefer is to start
with policy definitions and then find ways to implement them in a
security policy tool that is humanly understandable. That creates a
security policy domain. Then one can start to work on cross domain
policy enforcement. For example, if we have a policy language standard,
then one can reference the security policy from the information and
expect the cross domain policy enforcement technology to ensure the
policy is in effect even though the new domain has a different default
policy. This is not trivial, but neither is it beyond our capabilities.