On Sun, 2003-01-26 at 05:00, K.S. Bhaskar wrote:
> 
> On January 26, 2003 at 08:43:44 (GMT-1000), Tim Churches wrote:
>  > On Sat, 2003-01-25 at 01:54, Cecil O. Lynch, MD wrote:
> 
> [KSB] <...snip...>
> 
>  > Yes, there is much to learn from banks, including the need to spend over
>  > 10% of revenue on IT to achieve their goals. However, most banks still
>  > use a multilevel security model (in which there is a hierarchy of
>  > permission levels and trust), albeit often with dual control and other
>  > checks-and-balances on edits, but they generally don't implement
>  > multilateral or compartmentalised security, especially for viewing
>  > information. I can walk into any branch of my bank and any of the sales
>  > staff can call up all my details on their screen just by knowing my name
>  > and address. That might be acceptable for my financial records, but it
>  > is unacceptable for my medical records - only those involved in my
>  > direct care should be able to see my records, and any exceptions to this
>  > (such as for research, quality assurance etc) I want to know about.
>  > That's the gist of the BMA security policy.
> 
> [KSB] I can't speak to most banking software, but in our Profile
> banking application (which runs on GT.M) access controls go beyond the
> typical "this user has access to this table" or even "this user has
> access to this row".  It is "this user has access to this row and this
> column".  Yes, you as a customer can walk into a bank and every teller
> has access to your balance.  But they are authorized to, in much the
> same way that if you were involved in a car wreck and were taken to the
> nearest emergency room, you would want them to have access to your
> medical records.  However, consider the fact that the officers and
> directors of a bank also have their accounts there, and don't want
> their balances viewed by thousands of employees.  So, Profile
> implements access controls by data element.  Of course, this is mostly
> managed at the group level (Joe is a teller and has access to all
> accounts that all tellers have access to but not the account of Erin
> who is an executive, but Mary is also a member of the executive tellers
> and has access to Erin's account by having access to all executive
> accounts).

Certainly that sounds like a compartmentalised lattice model, which is a
big improvement on the more usual multilevel model, and would be
suitable for a community EHR provided it scales well to having a very
large number of compartments. To continue the banking analogy, the
requirement is to restrict access to your account only to those tellers
in the bank branch which you usually visit. If you happen to visit a
different branch, either you or your usual branch need to authorise
(perhaps temporarily) the tellers in the branch you are visiting to
access your account. Except if you are completely broke and you need to
withdraw emergency cash in a hurry from the non-usual branch, in which
case the tellers there can enter an emergency override code and access
your account, knowing that the emergency access will be especially
logged and scrutinised by an auditor. The only bank manager who can see
your account should be the manager in your usual branch, not any manager
anywhere in the banking organisation.

Of course, when banking (and medical) records were kept only on paper,
that's exactly the way in which things worked. It is a security model
which has worked quite well. Clearly electronic systems offer much
greater flexibility and have many advantages over paper-based systems,
but we shouldn't too willingly abandon well-accepted security models in
the headlong rush towards computerisation, at least not without much
thought, reflection and validation of the security models which these
new systems implement.

Tim C
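The two messages above describe, between them, a fairly complete access policy: row-and-column rights attached to roles and groups (the Profile description), membership-based compartments such as a home branch or an "executive accounts" group, temporary delegation by the owner or the home compartment, managers who see nothing outside their own branch, and an emergency override that succeeds but is flagged for an auditor. The Python sketch below is an added illustration of that policy as a small decision engine; it is not code from the Profile application, GT.M, or any EHR, and every name, role, column and timestamp in it is constructed for the example.

```python
"""Compartmentalised access control with temporary grants and break-glass.

Constructed example (not from Profile/GT.M or any EHR). It models:
  - role -> columns: a principal sees only the columns its role allows
    (row AND column, not just "access to this table")
  - compartments: a record belongs to one compartment (home branch, care
    team, "executive accounts"); only principals in that compartment see it
  - temporary grants: the owner or someone in the home compartment can
    open the record to another compartment for a limited time
  - emergency override: honoured only when explicitly requested by an
    eligible role, and written to the audit log as an emergency access
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical role -> readable columns. A teller never sees credit_limit.
ROLE_COLUMNS = {
    "teller": frozenset({"name", "balance"}),
    "manager": frozenset({"name", "balance", "credit_limit"}),
}
BREAK_GLASS_ROLES = {"teller"}   # roles allowed to invoke the emergency override


@dataclass(frozen=True)
class Principal:
    uid: str
    role: str
    compartments: frozenset    # e.g. {"branch-A"} or {"branch-A", "executive"}


@dataclass
class Record:
    owner: str
    compartment: str           # home branch / usual care team
    data: dict
    grants: dict = field(default_factory=dict)   # compartment -> expiry datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    columns: frozenset
    reason: str
    emergency: bool = False


class PolicyEngine:
    def __init__(self):
        self.audit_log = []    # every decision, allowed or not

    def grant_temporary(self, record, by, compartment, hours, now):
        """Owner or home-compartment staff may open the record to another compartment."""
        if by.uid != record.owner and record.compartment not in by.compartments:
            raise PermissionError(f"{by.uid} may not delegate access to {record.owner}'s record")
        record.grants[compartment] = now + timedelta(hours=hours)

    def decide(self, p, record, now, emergency=False):
        cols = ROLE_COLUMNS.get(p.role, frozenset())
        live_grants = {c for c, exp in record.grants.items() if exp > now}
        if not cols:
            d = Decision(False, frozenset(), "unknown role")
        elif record.compartment in p.compartments:
            d = Decision(True, cols, "member of record's compartment")
        elif p.compartments & live_grants:
            d = Decision(True, cols, "temporary grant")
        elif emergency and p.role in BREAK_GLASS_ROLES:
            d = Decision(True, cols, "emergency override", emergency=True)
        else:
            d = Decision(False, frozenset(), "outside compartment")
        self.audit_log.append({"when": now, "who": p.uid, "whose": record.owner,
                               "allowed": d.allowed, "reason": d.reason,
                               "emergency": d.emergency, "columns": sorted(d.columns)})
        return d

    def read(self, p, record, now, emergency=False):
        """Return only the columns the decision permits; raise if denied."""
        d = self.decide(p, record, now, emergency)
        if not d.allowed:
            raise PermissionError(d.reason)
        return {k: v for k, v in record.data.items() if k in d.columns}

    def emergency_accesses(self):
        """What the auditor reviews: every access that relied on the override."""
        return [e for e in self.audit_log if e["emergency"]]


def demo():
    """Walk through the branch scenario from the thread; returns the outcomes."""
    now = datetime(2003, 1, 26, 9, 0)   # constructed timestamp
    eng = PolicyEngine()
    joe = Principal("joe", "teller", frozenset({"branch-A"}))
    mary = Principal("mary", "teller", frozenset({"branch-A", "executive"}))
    bob = Principal("bob", "teller", frozenset({"branch-B"}))
    boss_b = Principal("boss-b", "manager", frozenset({"branch-B"}))
    tim = Record("tim", "branch-A", {"name": "Tim", "balance": 42, "credit_limit": 1000})
    erin = Record("erin", "executive", {"name": "Erin", "balance": 9000, "credit_limit": 50000})
    out = {}
    out["joe_sees_tim"] = eng.read(joe, tim, now)                 # column filter drops credit_limit
    out["joe_on_erin"] = eng.decide(joe, erin, now).reason        # ordinary teller, executive account
    out["mary_on_erin"] = eng.decide(mary, erin, now).allowed     # executive-teller group
    out["boss_b_on_tim"] = eng.decide(boss_b, tim, now).allowed   # manager of another branch
    out["bob_before_grant"] = eng.decide(bob, tim, now).allowed
    eng.grant_temporary(tim, by=joe, compartment="branch-B", hours=2, now=now)
    out["bob_after_grant"] = eng.decide(bob, tim, now).reason
    later = now + timedelta(hours=3)
    out["bob_after_expiry"] = eng.decide(bob, tim, later).allowed
    out["bob_break_glass"] = eng.read(bob, tim, later, emergency=True)
    out["flagged_for_auditor"] = [(e["who"], e["whose"]) for e in eng.emergency_accesses()]
    try:
        eng.grant_temporary(tim, by=bob, compartment="branch-C", hours=1, now=now)
        out["bob_cannot_delegate"] = False
    except PermissionError:
        out["bob_cannot_delegate"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point worth noticing is that the emergency path is not a bypass of the engine: it is one more branch of the same decision, taken only when the caller asks for it and only for roles permitted to break glass, and the resulting audit entry is distinguishable from a routine read so that `emergency_accesses()` gives the auditor exactly the set of events to scrutinise. Swapping the bank vocabulary for care teams and clinical record columns changes the data, not the logic.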


