Security begins at the data storage level. Unless it can be protected at
this level more sophisticated techniques applied to transmission and content
will not be as effective as desired.
Three common approaches are:
1)Data security
2)Data management and
3)Access to storage media-resident data, e.g., somebody's disk drive
These can occur long before access security is needed in a Healthcare
environment, but are also appropriate for data storage and access within a
Healthcare environment.
DATA SECURITY
Good example is the CDSA project gratis from Intel:
http://www.intel.com/labs/archive/cdsa.htm
http://www.opengroup.org/security/l2-cdsa.htm
which relieves upon:
1)digital certificates and
2)portable digital tokens
Neat stuff since already the Healthcare Computer System Administrator has
capable security tools. The Secure Data Store Admin should have these
available as well. Target systems include Windows and Linux and security
adaptability is supported.
Fixed data transmission environment have multiple techniques for securing
data during transmission, e.g., SSL, HTTPS and these work well between fixed
Healthcare environments, e.g., Hospital-Clinic.
Mobile applications are crucial. Mobile Healthcare applications are not
exempt from data security requirements. Data transmission security
mechanisms for fixed environments do not work well in mobile environments
and hence new techniques have been developed.
The following link covers Java in a mobile environment:
http://www.javaworld.com/javaworld/jw-12-2002/jw-1220-wireless.html
Presuming that the data is now available at a Healthcare environment the
following may apply:
1)data storage, management, handling and transmission can be similar to that
described previously
2)Healthcare-specific systems (e.g., GNUmed:
http://www.gnumed.org/development/home.html and OpenEHR) can be interfaced
to the data obtained from external sources
3)Bi-directional record translations are possible (may be required)
4)Data security and privacy issues remain
COMMENTS
1)A single Healthcare facility complete with a familiar set of EHR/EPR
software, process, procedures, techniques and trained personnel may
represent a single intelligent node existing in a 'fabric' containing
Patients, related services, non-conforming practitioners and other similarly
intelligent node.
2)The intelligent nodes are not likely to be exact copies.
3)The processes, procedures, technologies, etc that have been used to
interface perhaps dissimilar intelligent nodes in other environments apply
4)Content is important to a Practitioner where it is "relevant"/"germane"
5)The goal is to provide the Practitioner with "relevant"/"germane"
information and nothing else
SUGGESTIONS
1)Develop a secure data storage, management, handling, transmission system
that delivers secured data to a systems available to a Practitioner
2)Develop applications that perform similar activities within a Healthcare
environment
3)Develop security applications that will access. manage, handle and filter
the data for the practitioner. exercising control over disposition, e.g.,
spawning copies/partial copies/forwarding/audits/time-limit functions,
communicating with external users, etc.
4)Add new facility-unique security that will precisely identify content,
e.g., digital watermarks.
5)Handle redundant data and secure data destruction.
6)Security plug-ins for practitioner- and facility-specific data security
Lots of stuff available!
-Thomas Clark
-
If you have any questions about using this list,
please send a message to d.lloyd at openehr.org
