another old post that deserves a reply...
Tim Churches wrote:
Maybe I've missed something much earlier on this thread, but don't you need a
target security policy and associated threat model before you start designing
ways to implement it?
some work has been done on this, and I would expect
Bill,
there are two kinds of audit trails in openEHR - the audit trail of a
change to a transaction or other artifact (eg. access control group) -
see the Common RM for the semantics; and audit trails of access. openEHR
has not yet defined these, and I don't know if it should - I suspect
Hi Karsten,
Comments in text.
-Thomas Clark
- Original Message -
From: Karsten Hilbert karsten.hilb...@gmx.net
To: openehr-technical at openehr.org
Sent: Thursday, May 08, 2003 2:04 AM
Subject: Re: openEHR security; Directed to Thomas Beale
Tracking is super-important. Include
Hi Thomas,
Constructive! Do you anticipate entering this type status information
into an OpenEHR record?
Absolutely ! I do record such information even today.
If so, what record?
I do so now in the narrative part of the record, at times
linked to previous data by plain and simple layout of
Thomas,
maybe I'm too dense but I cannot appreciate the complexity of
the issue as you hash it out.
To me this is simply:
3.5.2003 10:35 am first seen patient
medium pain frontal skull after contusion in traffic accident
5 mins ago, no neurological abnormalities right now, GCS 15
3.5.2003
Hi Karsten,
Comments in text.
-Thomas Clark
- Original Message -
From: Karsten Hilbert karsten.hilb...@gmx.net
To: openehr-technical at openehr.org
Sent: Tuesday, May 06, 2003 4:43 PM
Subject: Re: openEHR security; Directed to Thomas Beale
Thomas,
maybe I'm too dense but I cannot
At 03:18 PM 5/6/2003 +0200, Patrick Lefebvre wrote:
Hi everyone,
As Thomas al. pointed, security addresses a number of aspects,
including security policy (defining who does what), data safety, and how
security is ensured: so, including safety of the network, the application
architecture
patrick.lefebvre at psl.ap-hop-paris.fr;
openehr-technical at openehr.org; Thomas Beale thomas at
deepthought.com.au
Sent: Tuesday, May 06, 2003 11:29 PM
Subject: Re: openEHR security
At 03:18 PM 5/6/2003 +0200, Patrick Lefebvre wrote:
Hi everyone,
As Thomas al. pointed, security addresses a number
at
deepthought.com.au
Sent: Tuesday, May 06, 2003 11:29 PM
Subject: Re: openEHR security
At 03:18 PM 5/6/2003 +0200, Patrick Lefebvre wrote:
Hi everyone,
As Thomas al. pointed, security addresses a number of aspects,
including security policy (defining who does what), data safety
Hi Karsten,
Comments in text.
-Thomas Clark
- Original Message -
From: Karsten Hilbert karsten.hilb...@gmx.net
To: openehr-technical at openehr.org
Sent: Wednesday, May 07, 2003 4:14 AM
Subject: Re: openEHR security; Directed to Thomas Beale
Thomas,
To me this is simply
: openEHR
security); Bill Walton
Hi Bill.
The following link might be appropriate for ftp-based messaging solutions:
http://www.linuxmednews.com/linuxmednews/1046134538/index_html
TITLE: ... and open-source Electronic Data Interchange
NOTES:
-... SolAce Server was designed to do reliable, secure
that they could not view or that it is simply hidden?
Matt
-Original Message-
From: Thomas Clark [mailto:tclark at hcsystems.com]
Sent: 02 May 2003 04:18
To: Matt Evans; openehr-technical at openehr.org
Subject: Re: openEHR security; Directed to Thomas Beale
Hi Matt,
Fragmented records
Hi Matt,
Comments in text.
- Original Message -
From: Matt Evans m...@totalise.co.uk
To: 'Thomas Clark' tclark at hcsystems.com; openehr-technical at
openehr.org
Sent: Monday, May 05, 2003 7:09 AM
Subject: RE: openEHR security; Directed to Thomas Beale
Hi Thomas,
I forgot I had set
Uhm,
Faced with handling a potential
SARS Patient worrying about retrieving precise, accurate information from
them about non-SARS history might be wasted effort and highly frustrating,
[...]
Presuming that the Patient just arrived from the recesses of China an
initial effort might be an
still want to
attend that meeting.
-Thomas Clark
- Original Message -
From: Karsten Hilbert karsten.hilb...@gmx.net
To: openehr-technical at openehr.org
Sent: Monday, May 05, 2003 9:14 AM
Subject: Re: openEHR security; Directed to Thomas Beale
Uhm,
Faced with handling a potential
Bill Walton wrote:
BW: Further, it looks like the EHR access history should include
reads as well as writes. That way, the trail would lead to the
providers that have, with permission, made copies of the EHR within
their own systems.
SH: True - it will only be able to be
Bill Walton wrote:
BW: Further, it looks like the EHR access history should include
reads as well as writes. That way, the trail would lead to the
providers that have, with permission, made copies of the EHR within
their own systems.
SH: True - it will only be able to be stored
Hi Thomas,
Thomas Beale wrote:
Bill Walton wrote:
BW: Further, it looks like the EHR access history should include
reads as well as writes. That way, the trail would lead to the
providers that have, with permission, made copies of the EHR within
their own systems.
SH: True -
On 2003-05-02 19:25, Bill Walton bill.walton at jstats.com wrote:
Hi Gerard,
Gerard Freriks wrote:
/snip/
In other words: the OpenEHR can assume that the Access Control function
operates as if it is a fire wall that executes a set of rules
and that the
Audit trail is the log with
Freriks gf...@luna.nl
To: Bill Walton bill.walton at jstats.com; openehr-technical at
openehr.org
Sent: Saturday, May 03, 2003 2:37 AM
Subject: Re: openEHR security; Directed to Thomas Beale
On 2003-05-02 19:25, Bill Walton bill.walton at jstats.com wrote:
Hi Gerard,
Gerard Freriks wrote
[...]
At all points NEED TO KNOW
governs access
[...]
Except that the Need-To-Know paradigm doesn't work very well
in healthcare. The provider may not know what she needs to
know at the time of the patient encounter. The patient can't
possibly correctly decide what her doctor must know in order
Hi,
I must confess I didn't read very carefully each message on this thread ;
however, I think that I may contribute by explaining the direction we are
currently following.
First I think we must distinguish between care coordination (inside an
openEHR node) and continuity of care.
Continuity
: openEHR security
Hi Thomas,
Thomas Beale wrote:
/snip/
So. What do we know?
- role-based access control is required. To make it work properly in a
shared care community context (e.g. a hospital, 50 GPs, aged care homes,
nursing care, social workers etc etc) then the roles need
Bill Walton wrote:
Hi Thomas,
Thomas Beale wrote:
/snip/
So. What do we know?
- role-based access control is required. To make it work properly in a
shared care community context (e.g. a hospital, 50 GPs, aged care homes,
nursing care, social workers etc etc) then the roles need to be
vs. normalizing denial (was openEHR security)
Hi Sam,
BW: Related to all of the above, it seems like
Philippe,
The approach you have identified makes a lot of sense to me and goes a
long ways toward clarifying ownership of the record. I do think it
would be helpful to develop standard taxonomy for distinguishing the
two: EMR signifying within a closed health care system, and EHR
signifying the
Hi Paul, hi the list,
Thanks for your post - I thought nobody took the time to read mine ;o)
I tried to keep my post in the range of openEHR, however, since you are
pushing me one step further, I need to tell that, from my point of view,
continuity of care is probably a step to cross, but not
Subject: Re: openEHR security
Bernd Blobel wrote:
Dear Bill, dear Sam
Meanwhile, security constraint modelling succeeds. This concerns policy
modelling, policy negotiation, privilege management, access control,
object security categorisation. Unfortunately, the preparation of EU 6th
to patients
moving, specialist care/testing etc etc.
Emergency-based access is crucial. In a variety of situations one would not
necessarily be in a position to grant access. A nationwide emergency access
mechanism is definitely a good idea.
CONCLUSION
OpenEHR security should:
1)address record-based
Thomas Clark wrote:
Hi Karsten,
NEED TO KNOW is a 'working label' that has a meaning dependent upon the
particular circumstance. A Healthcare Practitioner selected to perform foot
surgery has a NEED TO KNOW pertinent information about the patient's feet,
especially the one the surgery is to be
Hi Thomas,
Thomas Beale wrote:
/snip/
So. What do we know?
- role-based access control is required. To make it work properly in a
shared care community context (e.g. a hospital, 50 GPs, aged care homes,
nursing care, social workers etc etc) then the roles need to be defined
congruently. I
their function, e.g.,
health and social services.
-Thomas Clark
- Original Message -
From: Bill Walton bill.wal...@jstats.com
To: openehr-technical at openehr.org
Sent: Monday, April 28, 2003 12:15 PM
Subject: normalizing access vs. normalizing denial (was openEHR security)
[...]
At all points NEED TO KNOW
governs access
[...]
Except that the Need-To-Know paradigm doesn't work very well
in healthcare. The provider may not know what she needs to
know at the time of the patient encounter. The patient can't
possibly correctly decide what her doctor must know in order
mailto:bill.walton at jstats.com ;
openehr-technical at openehr.org mailto:openehr-technical at
openehr.org
Sent: Wednesday, April 23, 2003 6:10 PM
Subject: RE: openEHR security
Bill
Security and the EHR - ah there's a question! At least having a
reference
, and the Physician that lives down the
block has to build a case for having some NEED TO KNOW.
-Thomas Clark
- Original Message -
From: Karsten Hilbert karsten.hilb...@gmx.net
To: openehr-technical at openehr.org
Sent: Sunday, April 27, 2003 5:48 AM
Subject: Re: openEHR security; Directed
Bill
First, and perhaps you consider this a separate issue that's out of scope
for Access Control, but what about Audit Trails?
SH: openEHR has full version control of all components so we have this
thoroughly covered. If you are talking about auditing what is viewed, our
research in the