Hi Tim,

Might want to add:

Computer Security Basics
http://www.oreilly.de/catalog/csb/toc.html

IEEE; Compartmented Mode Workstation: Prototype Highlights
http://csdl.computer.org/comp/trans/ts/1990/06/e0608abs.htm

CMU; Trusted Operating Systems
http://www.sei.cmu.edu/str/descriptions/trusted_body.html

Operating System Security
http://www.cs.ucd.ie/staff/tahar/home/courses/4thyear/chapter4/ppframe.htm

From Security protocols to System Security
http://www.hpl.hp.com/techreports/2003/HPL-2003-147.html

Trusted Computing Platforms
http://www.hpl.hp.com/techreports/2002/HPL-2002-221.html

ASPECT - a tool for checking protocol security
http://www.hpl.hp.com/techreports/2002/HPL-2002-246.html

Resilient Infrastructure for Network Security
http://www.hpl.hp.com/techreports/2002/HPL-2002-273.html

Security Infrastructure for A Web Service Based Resource Management System
http://www.hpl.hp.com/techreports/2002/HPL-2002-297.html

Trusted Solaris Developers Guide
http://docs.sun.com/db/doc/805-8060?q=compartmented+mode+workstation

Trusted Network Environment
http://www.tinfosol.com/lab/lab.html

RFC 1825 - Security Architecture for the Internet Protocol
http://www.faqs.org/rfcs/rfc1825.html

RFC 1827 - IP Encapsulating Security Payload (ESP)
http://www.faqs.org/rfcs/rfc1827.html

Secure Trusted Operating System (STOS) Consortium
http://www.stosdarwin.org/

The Blue Book
http://secinf.net/info/rainbow/tg29.txt

UK Security Citations Bibliography
http://chacs.nrl.navy.mil/xtp1/uksecbib.html

Regards!

-Thomas Clark


Tim Churches wrote:

>On Tue, 2004-03-09 at 23:20, Thompson, Ken wrote:
>
>>2) A mechanism on the patient record itself that displays a list of all
>>users that have accessed the record (with date and time). This will probably
>>be made available to the patient at some point, so they will actually
>>provide a critical part of the checks and balances in the system.
>
>This is similar to the mechanisms envisaged under the "Consent and
>notification" section of the now-famous BMA Security Policy, developed by
>Ross Anderson - see
>http://www.cl.cam.ac.uk/users/rja14/policy11/policy11.html
>
>This is still the gold standard for EHR security policies, IMHO, yet
>most people I have met who are involved in EHR work and who know of it
>(curiously many seem ignorant of it) tend to dismiss it, not because the
>policies are unsound (although they do need minor tweaking here and
>there), but because implementing them is very difficult in practice - 
>particularly the multilateral as opposed to multilevel access control
>policy. In fact you need both, but of the two, the former is more
>important. In other words, role-based access control, where the "roles"
>are specific to each patient, as well as to each health professional.
>
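
The two checks discussed in the quoted message, combined with the on-record access list, as an added illustration that is not part of the original thread or of the BMA policy text. The role names, clearance values, users and patients are hypothetical, constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical per-patient roles and per-user clearances (assumptions).
ROLE_ACTIONS = {"treating_gp": {"read", "write"}, "consultant": {"read"}}
CLEARANCE = {"dr_jones": 2, "dr_smith": 3, "dr_lee": 1}

@dataclass
class PatientRecord:
    patient_id: str
    sensitivity: int                                 # multilevel label
    acl: dict = field(default_factory=dict)          # user -> role for THIS patient
    access_log: list = field(default_factory=list)   # kept on the record itself

def access(record, user, action, when):
    """Grant only if the multilateral and multilevel checks both pass."""
    role = record.acl.get(user)            # multilateral: on this patient's list?
    granted = (role is not None
               and action in ROLE_ACTIONS.get(role, set())
               and CLEARANCE.get(user, -1) >= record.sensitivity)  # multilevel
    # Every attempt is logged; denials stay available to auditors.
    record.access_log.append({"when": when.isoformat(), "user": user,
                              "action": action, "granted": granted})
    return granted

def patient_view(record):
    """The list shown to the patient: who accessed the record, and when."""
    return [(e["when"], e["user"]) for e in record.access_log if e["granted"]]

def demo():
    # Constructed sample data: two patients, three clinicians.
    alice = PatientRecord("alice", 1, {"dr_jones": "treating_gp"})
    bob = PatientRecord("bob", 2, {"dr_jones": "consultant", "dr_lee": "consultant"})
    t = datetime(2004, 3, 10, 9, 0, tzinfo=timezone.utc)
    results = [
        access(alice, "dr_jones", "write", t),  # GP for alice
        access(alice, "dr_smith", "read", t),   # top clearance, not on alice's list
        access(bob, "dr_jones", "write", t),    # only a consultant for bob
        access(bob, "dr_jones", "read", t),     # consultant may read
        access(bob, "dr_lee", "read", t),       # on the list, clearance too low
    ]
    return results, alice, bob

if __name__ == "__main__":
    results, alice, bob = demo()
    print(results, patient_view(alice), patient_view(bob))
```

The second call shows why a clearance level alone is not enough: the highest-cleared user is still refused because she holds no role for that patient.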


-
If you have any questions about using this list,
please send a message to d.lloyd at openehr.org
