A Security Policy Model for Clinical Information Systems appeared at the 1996 IEEE Symposium on Security and Privacy. It presents the BMA policy model to the computer security community in a format comparable to policies such as Bell-LaPadula and Clark-Wilson. It had some influence on later US health privacy legislation (the Kennedy-Kassebaum Bill, now HIPAA).
A classic paper by Ross Anderson found here, more properly from Ross' own site.
These are just notes and pickings. Though all nine Principles are given.
The paper sets out a model that consciously parallels the Bell LaPadula model for military systems and the Clark - Wilson Model for the world of banking.
Extract from the Hippocratic oath
Whatsoever I shall see or hear in the course of my dealings with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets.
Though this is a different translation to that on Wikipedia.
Consent must be informed and voluntary.
The main new threat comes from abuse by insiders.
Unnoticed failures from data corruption are also new, non-digital information stores tend to fail completely.
The ill-considered aggregation of systems has grown apace, culminating in cloud service provision.
BMA recommends a callback authentication protocol to defend against private investigators impersonating other health professionals.
Principle 1
Each identifiable clinical record shall be marked with an acccess control list naming the people or groups of people who may read it and append data to it. The system shall prevent anyone not on the access control list from accessing the record in any way.
Immediate bad smell: The system shall prevent. This suggests a failure mode where access is allowed. The requirement needs to be framed in the opposite sense: The system shall enable anyone on the access control list from accessing the record. There will be no other mechanism of access.
Patients must be informed of a care team's access control policy when they first enrol, and have the opportunity to restrict access further if they wish.
Principle 2
A clinician may open a record with herself and the patient on the access control list. Where a patient has been referred, she may open a record with herself, the patient and the referring clinician(s) on the access control list.
Apart from the patient himself, only clinicians may have access to his records.
This seems incredibly strong and calls for encrypted data storage.
Principle 3
One of the clinicians on the access control list must be marked as being responsible. Only she may alter the access control list, and she may only add other health care professionals to it.
This may be one principle but these are three separate requirements:
- Write access to the ACL is controlled by an entry in the ACL.
- Only one member of an ACL may have write access
- Only health care professionals may be added.
Where access has been granted to administrators, as in the USA, the result has been abuse.
Confused reference to UK safe havens and their role in difusing dispute.
German and Canadian examples of hospital billing data: aggregation is done prior to billing government.
All legal outputs, required by police, social workers etc, should be produced on paper.
Principle 4
The responsible clinician must notify the patient of the names on his record's access control list when it is opened, of all subsequent additions, and whenever responsibility is transferred. His consent must also be obtained, except in emergency or in the case of statutory exemptions.
Principle 5
No one shall have the ability to delete the clinical information until the appropriate time period has expired.
There is always a need to correct data. Current version, like Wikipedia, would need links to previous versions.
Patient consent is not immutable, but rather a continuing dialogue between the patient and the clinician.
Principle 6
All accesses to clinical records shall be marked on the record with the subject's name, as well as the data and time. An audit trail must also be kept of all deletions.
Remember here subject means data accessor, not patient.
Principle 7
Information derived from record A may be appended to record B if and only if B's access control list is contained in A's.
If there exist two records referring to a patient, with different ACLs, where one record is more restricted than the other, should the existence of the restricted record be shown to users of the less restricted record?
We expect that clinicians will decide in favour of discrete flags that indicate only the presence of hidden information.
Principle 8
There shall be effective measures to prevent the aggregation of personal health information. In particular, patients must receive special notification if any person whom it is proposed to add to their access control list already has access to personal health information on a large number of people.
In this policy model, the primary control is notification, and the secondary control is to keep a list somewhere of who has accessed what record outside their own team.
Principle 9
Computer systems that handle personal health information shall have a subsystem that enforces the above principles in an effective way. Its effectiveness shall be subject to evaluation by independent experts.
White hat job creation scheme?
Ideally a non-NHS accreditation and monitoring organisation. A Trusted Computer Base (TCB) must not itself leak personal data.
X.509 is probably not enough.
Information access audit must be effective, that is it must be quite likely that an intruder will be caught.
Our approach has been to provide two auditors, both of whom have an interest in detecting abuse and acting upon it.
Firstly the patient and secondly an audit office eg the GMC.
'show me the records of all females aged 35 with 2 daughters aged 13 and 15 both of whom suffer from eczema'
Suppose that I walk into a hospital and claim that my demons are bothering me. When asked my name I reply 'John Major'. May the psychiatrist get the prime ministers record and append a diagnosis of schizophrenia?
Can we trust the patient to self identify? How do we treat patients anonymously? What about people who claim identity change?
Re the unified patient record:
The onus is on proposers of such systems to provide a clear statement of the expected health benefits, and to analyse the threats, the cost of added countermeasures and the likely effects of the residual risk.