---------- Forwarded Message ----------
Subject: Re: FreeMED and HXP
Date: Tue, 16 Mar 2004 21:37:44 -0500 (EST)
From: Jeffrey Buchbinder <[EMAIL PROTECTED]>
To: Elpidio Latorilla <[EMAIL PROTECTED]>
Cc: Irving Buchbinder <[EMAIL PROTECTED]>

On Wed, 17 Mar 2004, Elpidio Latorilla wrote:

> Hi Jeff,
> I visited your EMRi project at sf.net. You got already lots of good ideas
> there. Since we use the same xml-rpc protocol, I believe we just agree on
> the procedure names and the data types.
>
> How about joining hands in developing the procedure call dictionary without
> necessarily losing one's project identity? You go ahead with EMRi if you wish
> but we just create a single dictionary. This would require us to
> communicate more closely than before. We could even cross link our mailing
> lists so that all participants learn from each other.
>
> Please let me know your opinion on this.
>
> Thanks in advance,
> elpidio

I didn't really have an object model for patients and other EMR pieces, just an idea for authentication. I have been thinking about this further, and I'm not sure that distributed authentication is the way to go. I'm thinking that for autonomy's sake, we might want to go with GPG signed public and private keys. It would work like this:

1) Physician A downloads generator (for any operating system, care of us creating binaries...) and creates public and private key.

2) Physician A sends his colleagues a copy of said public key, probably through a directory based delivery system, or by people subscribing to a digest, or centralized directories (or a million other ways).

3) Physician A wants something from Physician B regarding a certain patient. The patient has granted permission in their medical record (which is flagged as being accessible by Physician A in Physician B's system). Physician B has the "authoritative record" because he is the PCP.

4) Physician B's system receives a login request from Physician A's system, using HTTPS wrapped XML-RPC with basic authentication. The username is emri://directory/physician_a or something like that. Physician B's system acquires a copy of Physician A's public key, and creates a challenge request. If Physician A can return the plain text of the challenge request (which can only be decoded with their private key) then access is granted.

Does this sound pretty reasonable?

Also, for projects which have XMLRPC services already built in, we can either require a separate XML-RPC provider (as you have done in Care2x by creating a separate module) or create a higher level namespace like EMRi.Patient.(whatever) or HXP.Patient.(whatever).

As you can see on the EMRi site, this is very important to my ideology and my perception of open source medical software survival, so I'd really like to try to get this working with at least two systems. After there is a reference implementation or two (and documentation, of course), people will begin to implement it. I would rather create a single authentication mechanism and fold EMRi in as an authentication layer to the work that you are doing rather than reinventing the wheel.

As you have seen, there isn't much on the EMRi site in terms of protocol, just authentication stuff. Unfortunately, a good transport without trusted communications, authoritative records, etc, is not HIPAA compliant, and definitely would not fly in the US, as well as in a lot of other places... I want to try to seal those gaps.

Thanks,
Jeff ([EMAIL PROTECTED])
FreeMED Software Foundation
http://freemedsoftware.com/

_______________________________________________
Hxp-developers mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/hxp-developers
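
The challenge-response login described in steps 3 and 4 of the message above, as an added example that is not part of the original e-mail or of any EMRi, FreeMED or HXP code. It assumes a toy textbook-RSA keypair built from two fixed Mersenne primes as a stand-in for the GPG keys (not secure; a deployment would use GPG or RSA-OAEP), and the class and function names are hypothetical.

```python
import hmac, secrets, time

# Constructed toy keypair: textbook RSA over two Mersenne primes. Stand-in
# for Physician A's GPG keypair only; unpadded RSA this small is NOT secure.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # Physician A's private exponent

class Verifier:
    """Physician B's side: issues and checks challenges (hypothetical names)."""
    def __init__(self, directory, ttl=30):
        self.directory = directory   # username -> (n, e) public key
        self.pending = {}            # username -> (nonce, expiry time)
        self.ttl = ttl               # seconds a challenge stays valid

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        if user not in self.directory:
            raise KeyError("no public key on file for " + user)
        n, e = self.directory[user]
        nonce = secrets.token_bytes(16)              # fresh for every login
        self.pending[user] = (nonce, now + self.ttl)
        return pow(int.from_bytes(nonce, "big"), e, n)   # encrypted challenge

    def verify(self, user, answer, now=None):
        now = time.time() if now is None else now
        nonce, expiry = self.pending.pop(user, (None, 0))  # single use
        if nonce is None or now > expiry:
            return False
        return hmac.compare_digest(nonce, answer)    # constant-time compare

def respond(challenge, d=D, n=N):
    """Physician A's side: decrypt the challenge with the private key."""
    size = (n.bit_length() + 7) // 8
    return pow(challenge, d, n).to_bytes(size, "big")[-16:]
```

The answer is the raw nonce, so it is only safe to return over the HTTPS channel the message specifies; each challenge is accepted once and only within its time window.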
