Re: Resend: [CPR security policies at BHS]
Konstantin,
It occurs to me that you are missing critical integrity and
non-repudiation requirements in terms of prescriptions for
therapy; although the integrity concern is addressed
indirectly by the access control requirement for append-
only access to records.
Overall, I would agree with Juggy that the policy is
fairly mechanism-centric and that you should step back one
level of abstraction to focus on *what* you want to protect
about the record - rather than *how* you want the protection
implemented. This is particularly important given your
assertion in the document that the policy will apply equally
to electronic and physical instances of the record.
-DMC
-----Original Message-----
From: V. Juggy Jagannathan <juggy@careflow.com>
To: Konstantin Beznosov <beznosov@baptisthealth.net>;
hrac-rfp@cs.fiu.edu <hrac-rfp@cs.fiu.edu>
Date: Tuesday, June 23, 1998 2:02 PM
Subject: RE: Resend: [CPR security policies at BHS]
>
>Konstantin,
>
>The document you mailed out was indeed interesting - here are a few comments
>as you people refine and complete this important work -
>
>
> Section 2.2 Persistence
> How is appropriate time defined?
>
> 2.3 Access Control
> This section as currently written appears more an implementation hint
>rather than a policy statement. Access control lists are an implementation
>tool. This could be better stated in terms of what is desired - patient
>record access will be only to named individuals and it should be possible to
>determine any time who exactly had access to the specific record, etc.
>
> 2.3.1 Psychotherapist-patient privilege - probably should also include that
>such an encounter took place - meaning it should not be possible to find
>out whether someone sought such therapy or counseling irregardless of the
>outcome of such consults.
>
>Also, noticed that there is a lot of information related to HIV treatment.
>Maybe it will be useful to organize
>separate chapters on general treatment, mental/psychotherapeutic issues, and
>another on HIV related issues.
>
>Also, have any of you taken a look at pending legislation on patient
>confidentiality and what they are
>thinking about in terms of protection?
>
>- regards
>- juggy
>
>
>----------------
>Broadcast message to hrac-rfp from "V. Juggy Jagannathan" <juggy@careflow.com>.
>Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.
----------------
Broadcast message to hrac-rfp from "David M. Chizmadia" <dmc@tycho.ncsc.mil>.
Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.