A prior comment. -Thomas Clark
----- Original Message -----
From: "Thomas Beale" <[email protected]>
To: "Thomas Clark" <tclark at hcsystems.com>
Sent: Monday, April 28, 2003 3:26 AM
Subject: Re: openEHR security; Directed to Thomas Beale

> [Thomas - you might want to send this reply to the list]
>
> Thomas Clark wrote:
>
> >Hi Thomas,
> >
> >"relevance" is understandable as is "germane" (a bit stronger). Both imply
> >judgments that may occur prior to and/or after access to information, e.g.,
> >granting access because something might be "relevant" or "germane" and later
> >discovering that the information was or was not "relevant" or "germane".
> >This would be categorized as "a fishing trip".
> >
> >a priori information is or is not "relevant" or "germane". Security systems
> >usually require such a classification before access is granted. Once the
> >information is accessed any protection provided by a Security system is
> >substantially diminished.
> >
> >A patient in a hospital should not be required to provide access to all
> >members of the staff (including IT) who may or may not decide beforehand to
> >build a case for "relevance".
> >
> >Relevant to what? If a member of the staff has no direct connection with my
> >care then can there be "relevance"? Is anything they are doing or wish to do
> >"germane"?
> >
> >Speaking for myself, if the requestor is not directly connected with my care
> >then they can bugger-off!
> >
> >Phrased differently, they do not have a NEED TO KNOW. In advance of my stay
> >in the hospital, etc., if the requestors cannot be identified with
> >sufficient clarity then perhaps I am in the wrong place.
> >
> >A different viewpoint is that of a security auditor. An auditor would
> >certainly object to access based upon foundations centered on "relevance"
> >that have not been sufficiently defined beforehand and a determination of
> >NEED TO KNOW made and implemented.
> >
> >Basically, one cannot afford to be found to have made the records less
> >secure than they were when received. There is a legal side to security and
> >one should strive to maintain security while the records are in your
> >possession.
> >
> >Try "relevance" | "germane" -> NEED TO KNOW -> policies and procedures
> >
> >-Thomas Clark
> >
> >----- Original Message -----
> >From: "Thomas Beale" <thomas at deepthought.com.au>
> >To: "Thomas Clark" <tclark at hcsystems.com>
> >Cc: "Karsten Hilbert" <Karsten.Hilbert at gmx.net>;
> ><openehr-technical at openehr.org>
> >Sent: Sunday, April 27, 2003 8:12 PM
> >Subject: Re: openEHR security; Directed to Thomas Beale
> >
> >>Thomas Clark wrote:
> >>
> >>>Hi Karsten,
> >>>
> >>>NEED TO KNOW is a 'working label' that has a meaning dependent upon the
> >>>particular circumstance. A Healthcare Practitioner selected to perform foot
> >>>surgery has a NEED TO KNOW pertinent information about the patient's feet,
> >>>especially the one the surgery is to be performed on. This would include any
> >>>condition that could impact the surgery and recovery, e.g., abnormal blood
> >>>pressure.
> >>>
> >>would simply the term "relevance" be better than "need to know"?
> >>
> >>- thomas beale
> >>
> >>-
> >>If you have any questions about using this list,
> >>please send a message to d.lloyd at openehr.org
> >>
>
> --
> ..............................................................
> Deep Thought Informatics Pty Ltd
> mailto:thomasXXX at YYYdeepthoughtZZZ.WWWcom.AAAau (remove all caps)
>
> openEHR - http //www.openEHR.org
> Archetypes - http //www.deepthought.com.au/it/archetypes.html
> Community Informatics - http //www.deepthought.com.au/ci/rii/Output/mainTOC.html
> ..............................................................

