On Wed, 25 Apr 2001 16:31:41 Horst Herb wrote:
...
>As long as trail logging happens on the same machine that is logged, it can
>always be bypassed.

Right, it can be bypassed even if a notary service is used to notarize the
audit trail!

>You need a network with at least two physically
>separated machines, where one of them is locked away and not accessible at
>all to establish trustworthy trail logging.

Yes. That is one of the ideas in SDSS. :-)

>Even then, you have to have a
>sentry daemon on the logging machine checking for network integrity and
>preventing spoofing. Gets complicated.

I think a simple public key system will be adequate.

>Much easier to "notarize" your audit
>trail at regular intervals.

I thought we already discussed the limitations of a notary service.
Basically, the log will remain vulnerable to a destruction attack.

...
>Confidentiality requires that technical /
>clerical staff shall *never* have access to unencrypted patient data.
>Therefore,
>1.) you can't have health records without proper encryption, as non-medical
>staff typically does the servicing of the software/hardware.

Right. Furthermore, I think keyless encryption strategies are more
appropriate. Some of the reasons have already been outlined.

>2.) you can't have a single "super user" that is fully trusted: the audit
>trail has to be inaccessible to the ones responsible for the health records.

Yes. This is exactly the goal of SDSS. It is really not easy to assuredly
eliminate the single "super user".

...
>>SSL is not that easy to crack
>>compared to copying a database.
>
>Both are necessary, and both (transmission security and database security)
>are but two aspects of the general security issue. There is far more to
>it.

We need to start somewhere. Once we have transmission and database security,
we will have most of the security infrastructure in place.

...
>Administrative solutions alone *DO NOT WORK*. Never have.
The idea is to provide sufficient technology so that difficult administrative
controls become easier and more assurable.

Cheers,
Andrew
---
Andrew P. Ho, M.D.
OIO: Open Infrastructure for Outcomes
www.TxOutcome.Org
Assistant Clinical Professor
Department of Psychiatry, Harbor-UCLA Medical Center
University of California, Los Angeles
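The notarized audit trail argued over above, as an added example that is not code from the thread, from SDSS or from OIO: entries are hash-chained, a notary signs the chain head at a checkpoint, and an audit routine shows what that receipt catches (in-place edits, rewritten history before the checkpoint, truncation below the checkpoint) and what it does not (edits or destruction of entries after the last checkpoint, the "destruction attack" window). A second routine compares the local log against a copy held on a separate, write-only log host, which is what closes that window. HMAC over a random key stands in for the public-key signature the message proposes, so the example runs on the standard library alone; the log records, key and scenario names are constructed for illustration.

```python
"""Hash-chained audit trail, periodic notarization, and what each check detects.
Constructed example; NOTARY_KEY and the records below are made up."""
import copy
import hashlib
import hmac
import json
import os

GENESIS = "0" * 64
# Stand-in for the notary's private key (a real design would use a public-key signature).
NOTARY_KEY = os.urandom(32)


def entry_hash(prev_hash: str, seq: int, record: str) -> str:
    """Bind an entry to its predecessor's hash and its position in the chain."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(seq.to_bytes(8, "big"))
    h.update(record.encode("utf-8"))
    return h.hexdigest()


def append(log: list, record: str) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev": prev, "record": record, "hash": entry_hash(prev, seq, record)}
    log.append(entry)
    return entry


def rechain(log: list, start: int) -> None:
    """Attacker's helper: recompute hashes from `start` onward after editing records."""
    for i in range(start, len(log)):
        log[i]["prev"] = log[i - 1]["hash"] if i else GENESIS
        log[i]["hash"] = entry_hash(log[i]["prev"], i, log[i]["record"])


def verify_chain(log: list) -> int:
    """Index of the first inconsistent entry, or -1 if the chain is internally consistent."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or entry_hash(prev, i, e["record"]) != e["hash"]:
            return i
        prev = e["hash"]
    return -1


def _receipt_payload(seq: int, digest: str) -> bytes:
    return json.dumps({"seq": seq, "hash": digest}, sort_keys=True).encode()


def notarize(log: list) -> dict:
    """Notary signs the current head; entries appended later are not covered."""
    head = log[-1]
    sig = hmac.new(NOTARY_KEY, _receipt_payload(head["seq"], head["hash"]), "sha256").hexdigest()
    return {"seq": head["seq"], "hash": head["hash"], "sig": sig}


def audit(log: list, receipt: dict) -> str:
    """Check a local log against the last notary receipt; returns a verdict string."""
    expected = hmac.new(NOTARY_KEY, _receipt_payload(receipt["seq"], receipt["hash"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, receipt["sig"]):
        return "forged_receipt"
    if verify_chain(log) != -1:
        return "chain_broken"
    if len(log) <= receipt["seq"]:
        return "truncated_below_checkpoint"
    if log[receipt["seq"]]["hash"] != receipt["hash"]:
        return "history_rewritten"
    return "ok"  # note: says nothing about entries after receipt["seq"]


def audit_with_remote_copy(local: list, remote: list) -> str:
    """What a separate, locked-away log host buys: its copy is the reference."""
    if verify_chain(remote) != -1:
        return "remote_corrupt"
    n = min(len(local), len(remote))
    if any(local[i]["hash"] != remote[i]["hash"] for i in range(n)):
        return "history_rewritten"
    if len(local) < len(remote):
        return "destroyed_tail"
    return "ok"


def scenario_verdicts() -> dict:
    """Run the attack scenarios from the discussion and collect the verdicts."""
    log = []
    for i in range(10):  # constructed records
        append(log, f"user=dr_smith action=view record_id={1000 + i}")
    receipt = notarize(log[:8])  # checkpoint at seq 7; entries 8 and 9 are after it
    v = {"honest": audit(log, receipt)}
    t = copy.deepcopy(log); t[3]["record"] = "user=dr_smith action=view record_id=9999"
    v["edit_no_rechain"] = audit(t, receipt)
    t = copy.deepcopy(log); t[5]["record"] = "user=nobody action=none"; rechain(t, 5)
    v["edit_before_checkpoint_rechained"] = audit(t, receipt)
    v["truncate_below_checkpoint"] = audit(log[:5], receipt)
    t = copy.deepcopy(log); t[9]["record"] = "user=nobody action=none"; rechain(t, 9)
    v["edit_after_checkpoint_rechained"] = audit(t, receipt)   # undetected: "ok"
    v["destroy_after_checkpoint"] = audit(log[:8], receipt)    # undetected: "ok"
    v["destroy_after_checkpoint_remote"] = audit_with_remote_copy(log[:8], log)
    return v


if __name__ == "__main__":
    for name, verdict in scenario_verdicts().items():
        print(f"{name:40s} {verdict}")
```

The two "ok" verdicts for post-checkpoint tampering are the limitation the message refers to: a receipt only fixes history up to the moment it was issued, so everything between checkpoints can be rewritten or destroyed by whoever controls the logging machine. Shipping each entry to the second host as it is written shrinks that window to a single entry, which is why the remote copy, not the receipt, is the reference in the last check.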
