Most of the serious issues in EHR security are essentially ethical, not legal, in nature. When the NHS first introduced a nationwide Healthcare Network, the BMA Ethics Committee advised all practitioners to put NO patient-related data on it because it had not been PROVED that the network's security mechanisms could guarantee non-violation of the ethical principles governing access to such data (see Anderson, R. A., Security in Clinical Information Systems, BMA, 1996). Of course, such a proof cannot be performed, not only because the security mechanisms are not formally defined, but because the ethical principles themselves are not formally stated. In an attempt to overcome this obvious impasse, I prepared a tentative formal definition of some of the dozen or so governing ethical principles stated in the BMA document. Unfortunately, this met with a deafening silence from both sides of the argument. I suspect that something of this nature is still needed and that the need for it cannot be admitted by any of the stakeholders. The latest round of discussions of this group merely confirms that suspicion. Those who are interested in this line of enquiry may care to read my seven-year-old paper at http://www.soi.city.ac.uk/~bernie/hsp.pdf
On Mon, 28 Apr 2003, Bill Walton wrote:

> Date: Mon, 28 Apr 2003 16:33:06 -0500
> From: Bill Walton <bill.walton at jstats.com>
> To: openehr-technical at openehr.org
> Subject: Re: openEHR security
>
> Hi Thomas,
>
> Thomas Beale wrote:
>
> > /snip/
>
> > So. What do we know?
> > - role-based access control is required. To make it work properly in a
> > shared care community context (e.g. a hospital, 50 GPs, aged care homes,
> > nursing care, social workers etc etc) then the roles need to be defined
> > congruently. I seem to remember some Canadian project coming to the
> > conclusion that really the roles need to be defined the same across the
> > entire (national) health care system. I think this is both correct and at
> > the same time unrealistic.
>
> With all due respect, Thomas, if it's unrealistic then, IMO, it can't be
> correct. (Pragmatism R Us ;-) )
>
> I'd like to offer food for thought. The fundamental assumption at work here
> seems to be that care givers will access the same system, thus driving the
> need for all users of the system to be assigned roles that are defined
> congruently. Let's consider an alternative model.
>
> When I travel from the U.S. to the U.K., I (the physical being) move from
> one socio-cultural-legal model to another. That does not change who / what
> I am, but it does change my behavior because I operate under a different set
> of norms and mores in the new environment. I accept new forms of
> interaction and find that familiar forms are no longer available.
>
> Why should it be any different for the information about me than it is for
> me?
>
> If we work from a perspective that posits that health information will move
> from system to system and be used / modified based on the rule sets in place
> within the various systems, does that make the problem more amenable to
> solution?
>
> > I think we will be able to find ways of
> > having diversely defined roles without every health care facility having
> > incompatible definitions of "consultant", "treating physician" etc.
> > Bernd's work on this area is pretty detailed.
>
> I thank Bernd for opening my eyes to what should have been obvious to me at
> a much earlier stage. The security problem with EHR systems is
> fundamentally the same problem faced in OLAP databases. Or perhaps I should
> say that it's the OLAP security problem with a twist. At least OLAP
> databases are typically confined to one environment / business. It's clear
> that the EHR problem is more difficult in that EHR's must, IMO, be capable
> of moving between environments. Perhaps, by requiring a more generalized
> solution, the EHR problem will actually be easier to solve.
>
> I don't know if you've checked out Mike Mair's paper but it implicitly poses
> a very interesting question. "Is a biologically-based security model
> fundamentally better aligned with the needs of an information system about
> biological entities than alternative models?" I'm hopeful the list will
> have some comments on Mike's paper. I think the question is worth some
> thought / discussion.
>
> /snip/
>
> Best regards,
> Bill
>
> -
> If you have any questions about using this list,
> please send a message to d.lloyd at openehr.org
>

________________________________________________________________________
Prof Bernard Cohen, Dept of Comp Sc, City Univ, Northampton Sq. London EC1V 0HB
tel: ++44-20-7040-8448 fax: ++44-171-477-8587
b.cohen at city.ac.uk WWW: http://www.soi.city.ac.uk/~bernie
"Patterns lively of the things rehearsed"

