This was taken from a reply to a question from an "openhealth-list" member and it seems interesting enough to be ported to care2x mailing list:

-------- Original Message --------
Subject:        Re: CCOW open source tools? - "Care-Team-Role-Based-Access-Control"
Date:   Wed, 29 Dec 2004 17:23:52 +0100
From:   Etienne Saliez <[EMAIL PROTECTED]>
To:     [EMAIL PROTECTED]
CC:     [email protected], [EMAIL PROTECTED]
References:     <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

Dear Antas and Tony Marston,

Thank you very much for your overview, but I would like to make some
comments and suggestions.

    * "Role-Based-Access-Control":
          o Permanent "Role" or "Profile":
                + I agree with what you call "Role", although in our
                  project we call it "User-Profile".  Anyhow we
                  understand here that it defines what a user is allowed
                  to do in general, at any time, for any patient.
          o "Care-Team-Role-Based-Access-Control":
                + In your project I am missing an aspect, which I
                  believe to be very important: the relation between
                  the care provider and the patient.
                  Indeed access to patient record information is
                  exclusively justified when the care provider is in
                  charge of the particular patient.  In other words only
                  when the user is necessary for the care of the patient.
                  To be a doctor or any healthcare professional does not
                  automatically give access rights to any patient
                  records, if one is not working for that patient.
                  (For example healthcare professionals themselves may
                  ask a colleague for advice about their own health, but
                  do not like to share their own personal health record
                  with the whole healthcare community).
                + In our "Virtual Care Team" project we maintain inside
                  the patient record a table of the users, who are
                  currently in charge of the patient, at least a Family
                  Doctor, but more when necessary.  In order to get
                  access to read and to write in a patient record, a
                  user must be a member of the Care Team:
                      # In most cases the Care Team is managed by
                        the GP.  The patient gives a "mandate" to the GP
                        of his choice in order to do that.
                      # The patient himself may see his own Care Team
                        list, and he may ask for extensions or sometimes a
                        removal.
                      # It is necessary that an emergency department
                        must be allowed to declare itself as a new
                        member of the Care Team, but they are
                        responsible to explain later why they did force
                        the access.
                      # A membership in the Care Team always has a
                        limited duration, as far as normally necessary.
                        For example an emergency department does not need
                        more than 3 days.
                + One of the underlying aspects of the problem is also
                  that we have to take account of a kind of privacy
                  between doctors, when they do not have a common
                  patient.  Independent doctors do not like that other
                  competing colleagues could look at how they work.  In
                  general they do not say that, in that way, in
                  daylight, but this may be in fact a great obstacle before
                  a shared network will be accepted!
          o Access rights at Item level:
                + Moreover we did create an additional access control at
                  document level, as optional attributes of the
                  document.  It is optional and it makes it possible to
                  restrict the access only to some members of the Care
                  Team, e.g. in order to share a report only between the
                  GP and the psychiatrist, but excluding the other members
                  of the Care Team.
          o Access rights may be given to individual users as well as to
            small groups of users.  The notion of functional groups is
            useful because the persons may change over time, e.g. the
            department of cardiology of a hospital, having usually 5
            cardiologists.  The patient record is shared with that
            department, even if next year one of the cardiologists would
            have changed. The same for a team of nurses in which the
            persons may change.
          o A user may be a member of more than one group.  In contrast
            with your approach memberships define here only positive
            access rights and may therefore be added.
    * Permanent context:
          o It is of course very useful to have an object
            "Current-User-Session" containing diverse information about
            the application environment (e.g. information about the
            current user, the current patient, etc.).  This
            information remains available when, keeping the same patient,
            the user moves to new pages in a new application.
            When I saw Care2X last year, my main concern was the lack of
            permanent context.  If I understood correctly it was necessary
            to type the patient identification again and again, when
            moving to other functionalities.
    * Navigation and menus:
          o In general I feel a trend toward a hypertext approach.
            Links may be very useful directly inside structured
            documents.  For example if a screen is presented containing
            several Items, it is easy to find small buttons inside every
            Item, in order to perform in one click some action relevant
            to a particular Item.
          o Menus may continue to exist, but be aware that they are just
            one optional way to trigger related actions.  At the end
            menus are just a specific way to present links.
          o In order to keep a generic approach, the access controls
            should be associated with the content of "Actions" rather
            than only with "Menu-Items".
          o Of course links or buttons may only appear if they are
            allowed in the context of the current user.


http://www.crisnet.be/index-uk.html is a project in development with an Open Source approach and using PHP and Python. A first version is already in production for 40 doctors.

We would like to share components with other Open Source teams.


Etienne Saliez, MD



J. Antas wrote:

Joseph Dal Molin wrote:

Does anyone know whether there is an open source CCOW implementation similar to Sentillion?

Does an OSS PHP+MySQL routine like RBAC qualify?
See more on:
"A Role-Based Access Control (RBAC) system for PHP"
http://www.tonymarston.net/php-mysql/role-based-access-control.html

Some time ago we looked at it as a possible candidate for inclusion in
the Care2x project. We could not find a well documented piece of working
code for it.

J. Antas
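The access model Etienne Saliez describes above (a permanent profile that says what a user may do in general, a per-patient Care Team with time-limited memberships that can also name functional groups, a self-declared emergency membership that is capped and must be justified, and optional document-level restriction to a subset of the team) can be expressed as a small policy check. The following is an added illustration written for this thread; it is not code from the crisnet or Care2x projects, and all profile names, user ids, group ids and document ids are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (hypothetical names, not from any real project).
# PROFILES: what a user may do in general, for any patient, at any time.
PROFILES = {
    "gp": {"read", "write", "manage_team"},
    "psychiatrist": {"read", "write"},
    "cardiologist": {"read", "write"},
    "emergency": {"read", "write"},
    "patient": {"view_team"},
}
USERS = {"dr_alice": "gp", "dr_bob": "psychiatrist", "dr_carol": "cardiologist",
         "dr_dave": "cardiologist", "er_eve": "emergency", "pat_paul": "patient"}
# Functional groups: the record is shared with the department, whoever is in it this year.
GROUPS = {"cardiology_dept": {"dr_carol", "dr_dave"}}
EMERGENCY_MAX = timedelta(days=3)   # forced access never lasts longer than this

@dataclass
class Membership:
    member: str                          # a user id or a group id
    expires: datetime                    # every membership has a limited duration
    justification: Optional[str] = None  # set only for forced (emergency) access

@dataclass
class Document:
    doc_id: str
    restricted_to: Optional[set] = None  # optional subset of the Care Team

@dataclass
class PatientRecord:
    patient: str
    care_team: list = field(default_factory=list)
    documents: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

def in_care_team(record, user, now):
    """True if the user currently belongs to the Care Team, directly or via a group.
    Memberships only ever add rights, so any single unexpired match is enough."""
    for m in record.care_team:
        if m.expires <= now:
            continue
        if m.member == user or user in GROUPS.get(m.member, set()):
            return True
    return False

def may(record, user, action, now, doc_id=None):
    """Profile check first, then Care Team membership, then document restriction."""
    if action not in PROFILES[USERS[user]]:
        return False
    if action == "view_team":                 # the patient may see his own team list
        return user == record.patient
    if not in_care_team(record, user, now):
        return False
    if doc_id is not None:
        doc = record.documents[doc_id]
        if doc.restricted_to is not None and user not in doc.restricted_to:
            return False
    return True

def add_member(record, actor, member, days, now):
    """Only a user whose profile allows managing the team (the mandated GP) may extend it."""
    if not may(record, actor, "manage_team", now):
        raise PermissionError(f"{actor} may not manage the Care Team")
    record.care_team.append(Membership(member, now + timedelta(days=days)))

def emergency_access(record, user, justification, now):
    """An emergency user may declare itself a member for at most EMERGENCY_MAX,
    but only with a justification, which is logged for later review."""
    if USERS[user] != "emergency":
        raise PermissionError(f"{user} is not an emergency user")
    if not justification.strip():
        raise ValueError("a justification is required for forced access")
    record.care_team.append(Membership(user, now + EMERGENCY_MAX, justification))
    record.audit.append(f"{now.isoformat()} {user} forced access: {justification}")

def demo():
    """Walk one constructed patient record through the rules and return the decisions."""
    now = datetime(2024, 1, 1, 12, 0)
    rec = PatientRecord("pat_paul")
    rec.care_team.append(Membership("dr_alice", now + timedelta(days=365)))  # GP mandate
    add_member(rec, "dr_alice", "dr_bob", 90, now)
    add_member(rec, "dr_alice", "cardiology_dept", 180, now)
    rec.documents["ecg"] = Document("ecg")
    rec.documents["psych_report"] = Document("psych_report", {"dr_alice", "dr_bob"})
    out = {
        "gp_reads": may(rec, "dr_alice", "read", now),
        "cardiologist_reads_ecg_via_group": may(rec, "dr_carol", "read", now, "ecg"),
        "cardiologist_reads_restricted_report": may(rec, "dr_carol", "read", now, "psych_report"),
        "psychiatrist_reads_restricted_report": may(rec, "dr_bob", "read", now, "psych_report"),
        "er_reads_before_forcing": may(rec, "er_eve", "read", now),
        "patient_views_team": may(rec, "pat_paul", "view_team", now),
    }
    emergency_access(rec, "er_eve", "unconscious patient at triage", now)
    out["er_reads_after_forcing"] = may(rec, "er_eve", "read", now)
    out["er_reads_after_4_days"] = may(rec, "er_eve", "read", now + timedelta(days=4))
    out["audit_entries"] = len(rec.audit)
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of checks is deliberate: the profile answers "may this kind of user ever do this?", the Care Team answers "is this user in charge of this patient right now?", and the document restriction narrows further. A forced emergency membership is just another time-limited entry with a mandatory justification and an audit line, so it expires on its own and leaves a record to be explained afterwards.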
_______________________________________________
Care2002-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/care2002-developers