Security begins at the data storage level. Unless it can be protected at this level more sophisticated techniques applied to transmission and content will not be as effective as desired.
Three common approaches are: 1)Data security 2)Data management and 3)Access to storage media-resident data, e.g., somebody's disk drive These can occur long before access security is needed in a Healthcare environment, but are also appropriate for data storage and access within a Healthcare environment. DATA SECURITY Good example is the CDSA project gratis from Intel: http://www.intel.com/labs/archive/cdsa.htm http://www.opengroup.org/security/l2-cdsa.htm which relieves upon: 1)digital certificates and 2)portable digital tokens Neat stuff since already the Healthcare Computer System Administrator has capable security tools. The Secure Data Store Admin should have these available as well. Target systems include Windows and Linux and security adaptability is supported. Fixed data transmission environment have multiple techniques for securing data during transmission, e.g., SSL, HTTPS and these work well between fixed Healthcare environments, e.g., Hospital-Clinic. Mobile applications are crucial. Mobile Healthcare applications are not exempt from data security requirements. Data transmission security mechanisms for fixed environments do not work well in mobile environments and hence new techniques have been developed. The following link covers Java in a mobile environment: http://www.javaworld.com/javaworld/jw-12-2002/jw-1220-wireless.html Presuming that the data is now available at a Healthcare environment the following may apply: 1)data storage, management, handling and transmission can be similar to that described previously 2)Healthcare-specific systems (e.g., GNUmed: http://www.gnumed.org/development/home.html and OpenEHR) can be interfaced to the data obtained from external sources 3)Bi-directional record translations are possible (may be required) 4)Data security and privacy issues remain COMMENTS 1)A single Healthcare facility complete with a familiar set of EHR/EPR software, process, procedures, techniques and trained personnel may represent a single intelligent node existing in a 'fabric' containing Patients, related services, non-conforming practitioners and other similarly intelligent node. 2)The intelligent nodes are not likely to be exact copies. 3)The processes, procedures, technologies, etc that have been used to interface perhaps dissimilar intelligent nodes in other environments apply 4)Content is important to a Practitioner where it is "relevant"/"germane" 5)The goal is to provide the Practitioner with "relevant"/"germane" information and nothing else SUGGESTIONS 1)Develop a secure data storage, management, handling, transmission system that delivers secured data to a systems available to a Practitioner 2)Develop applications that perform similar activities within a Healthcare environment 3)Develop security applications that will access. manage, handle and filter the data for the practitioner. exercising control over disposition, e.g., spawning copies/partial copies/forwarding/audits/time-limit functions, communicating with external users, etc. 4)Add new facility-unique security that will precisely identify content, e.g., digital watermarks. 5)Handle redundant data and secure data destruction. 6)Security plug-ins for practitioner- and facility-specific data security Lots of stuff available! -Thomas Clark - If you have any questions about using this list, please send a message to d.lloyd at openehr.org
