On Sat, Jan 28, 2006 at 09:47:15AM -0800, Jim Busser wrote:

> >I still maintain the view that
> >we need to safeguard against signed-scope manipulations.
>
> I am having a bit of trouble understanding the manipulation, in terms
> of why it is proposed that some rows in gnumed deserve a record of
> signing (on top of the audit trail that presumably preserves which
> staff altered which rows).

Well, consider this case:

Patient discharged from Hospital after colonoscopy with polypectomy. Original discharge letter forgets to mention histology results (they may have been pending when the letter was written). I import the scan and set the "reviewed flag". I do not take any action since I think the histology results will arrive in a followup letter (standard procedure over here). Later that letter arrives and my locum scans it but fails to bring it to my attention. The additional page is *added on* to the original letter. Three years later carcinoma of the colon is found in the followup colonoscopy. Had I known about the high-grade dysplasia I would have scheduled a half-year followup. Now I am busted.

#1: This shows why we need to sign off single objects as reviewed, not entire documents - as long as we don't use crypto for signing. If I had signed off the *document* the additional page would have fallen under my "reviewed" flag while never having been reviewed, actually.

#2: Even if we flagged individual objects as reviewed we are still prone to manipulation: Assume the original letter stated: "low grade dysplasia, no sign of malignancy, follow-up in 3 years". Now, the patient is, again, diagnosed with carcinoma of the colon. The patient is the father of the IT student of my practice management service company. She decides to get some money out of this and manipulates the scan to say "high-grade dysplasia, re-colonoscopy in 6 months is recommended". Now, even though I reviewed and ticked off the document I cannot prove what I saw back then ...

... wait, this is solved by digitally signing backups of my database well before the manipulation, or addition, for that matter, happens - so this whole thing is a non-issue :-)

Nevertheless, to *detect* *legit* additions of document objects as not having been reviewed yet we need the per-object reviewed flag.

Hehe, spelling it out helps at times to find flaws in the reasoning :)

Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
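
The two cases from the message above, as an added example that is not part of the original post or of GNUmed's code: a per-object review record that also stores a SHA-256 of the object as it was when reviewed. The hash binding is an assumption added here (the message proposes only a per-object flag), and the `Document` model, function names and sample page texts are hypothetical and constructed.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Document:
    """Scanned document made of ordered objects (pages). Hypothetical model."""
    pages: list = field(default_factory=list)         # raw bytes per page
    doc_reviewed: bool = False                        # document-level flag
    page_reviews: dict = field(default_factory=dict)  # index -> (reviewer, sha256)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def review_page(doc: Document, index: int, reviewer: str) -> None:
    """Record who reviewed a page and the digest of what they saw."""
    doc.page_reviews[index] = (reviewer, digest(doc.pages[index]))

def review_status(doc: Document) -> list:
    """Per-page status: 'reviewed', 'unreviewed' or 'changed-since-review'."""
    status = []
    for i, page in enumerate(doc.pages):
        record = doc.page_reviews.get(i)
        if record is None:
            status.append("unreviewed")
        elif record[1] != digest(page):
            status.append("changed-since-review")
        else:
            status.append("reviewed")
    return status

def run_cases():
    # Constructed sample pages, loosely following the two cases in the message.
    letter = Document(pages=[b"low grade dysplasia, follow-up in 3 years"])
    letter.doc_reviewed = True            # document-level sign-off
    review_page(letter, 0, "doctor")      # per-object sign-off
    # Case #1: a later page is added on to the already reviewed letter.
    letter.pages.append(b"histology follow-up page")
    after_append = review_status(letter)
    # Case #2: the reviewed page is altered after sign-off.
    letter.pages[0] = b"high-grade dysplasia, re-colonoscopy in 6 months"
    after_edit = review_status(letter)
    return letter.doc_reviewed, after_append, after_edit

if __name__ == "__main__":
    flag, after_append, after_edit = run_cases()
    print("document flag still set:", flag)
    print("after append:", after_append)
    print("after edit:  ", after_edit)
```

A digest stored next to the data does not help against someone who can also rewrite the review record; that gap is what the signed backups mentioned in the message cover.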
