Hi Tim, Security policies are included as are implementation approaches.
Regards! -Thomas Clark Tim Churches wrote: >On Wed, 2004-03-10 at 19:10, Thomas Clark wrote: > > >>Hi Tim, >> >>Might want to add: >> >>Computer Security Basics >>http://www.oreilly.de/catalog/csb/toc.html >> >>IEEE; Compartmented Mode Workstation: Prototype Highlights >>http://csdl.computer.org/comp/trans/ts/1990/06/e0608abs.htm >> >>CMU; Trusted Operating Systems >>http://www.sei.cmu.edu/str/descriptions/trusted_body.html >> >>Operating System Security >>http://www.cs.ucd.ie/staff/tahar/home/courses/4thyear/chapter4/ppframe.htm >> >> From Security protocols to System Security >>http://www.hpl.hp.com/techreports/2003/HPL-2003-147.html >> >>Trusted Computing Platforms >>http://www.hpl.hp.com/techreports/2002/HPL-2002-221.html >> >>ASPECT - a tool for checking protocol security >>http://www.hpl.hp.com/techreports/2002/HPL-2002-246.html >> >>Resilient Infrastructure for Network Security >>http://www.hpl.hp.com/techreports/2002/HPL-2002-273.html >> >>Security Infrastructure for A Web Service Based Resource Management System >>http://www.hpl.hp.com/techreports/2002/HPL-2002-297.html >> >>Trusted Solaris Developers Guide >>http://docs.sun.com/db/doc/805-8060?q=compartmented+mode+workstation >> >>Trusted Network Environment >>http://www.tinfosol.com/lab/lab.html >> >>RFC 1825 - Security Architecture for the Internet Protocol >>http://www.faqs.org/rfcs/rfc1825.html >> >>RFC 1827 - IP Encapsulating Security Payload (ESP) >>http://www.faqs.org/rfcs/rfc1827.html >> >>Secure Trusted Operating System (STOS) Consortium >>http://www.stosdarwin.org/ >> >>The Blue Book >>http://secinf.net/info/rainbow/tg29.txt >> >>UK Security Citations Bibliography >>http://chacs.nrl.navy.mil/xtp1/uksecbib.html >> >> > >All of those deal with security implementation issues i.e. how you >achieve certain objectives. The BMA security policy sets out what those >objectives ought to be. Defining the security objectives, which in turn >ought be be informed by specific threat models, needs to be done before >you can consider which security technologies are appropriate. But yes, >most of those are appropriate. > >Tim c > > > >>Regards! >> >>-Thomas Clark >> >> >>Tim Churches wrote: >> >> >> >>>On Tue, 2004-03-09 at 23:20, Thompson, Ken wrote: >>> >>> >>> >>> >>>>2) A mechanism on the patient record itself that displays a list of all >>>>users that have accessed the record (with date and time). This will probably >>>>be made available to the patient at some point, so they will actually >>>>provide a critical part of the checks and balances in the system. >>>> >>>> >>>> >>>> >>>This is similar to the mechanisms envisaged under the "Consent and >>>notification" secion of the now-famous BMA Security Policy, developed by >>>Ross Anderson - see >>>http://www.cl.cam.ac.uk/users/rja14/policy11/policy11.html >>> >>>This is still the gold standard for EHR security policies, IMHO, yet >>>most people I have met who are involved in EHR work and who know of it >>>(curiously many seem ignorant of it) tend to dismiss it, not because the >>>policies are unsound (although they do need minor tweaking here and >>>there), but because implementing them is very difficult in practice - >>>particularly the multilateral as opposed to multilevel access control >>>policy. In fact you need both, but of the two, the former is more >>>important. In other words, role-based access control, where the "roles" >>>are specific to each patient, as well as to each health professional. >>> >>> >>> >>> >>> >>> >>- >>If you have any questions about using this list, >>please send a message to d.lloyd at openehr.org >> >> - If you have any questions about using this list, please send a message to d.lloyd at openehr.org