Re: Resend: [CPR security policies at BHS]
David,
thanks for your feedback. See my comments below.
David M. Chizmadia wrote:
>
> Konstantin,
>
> It occurs to me that you are missing critical integrity and
> non-repudiation requirements in terms of prescriptions for
> therapy; although the integrity concern is addressed
> indirectly by the access control requirement for append-
> only access to records.
The current version is not a complete set of policies. We are at the
beginning phase of developing them. Integrity, accountability, etc. will
be there eventually. Right now, we are trying to understand whether this is the right
approach to developing CPR security policies at all, and in what form they
should be to make them usable for multiple users of those policies.
>
> Overall, I would agree with Juggy that the policy is
> fairly mechanism-centric and that you should step back one
> level of abstraction to focus on *what* you want to protect
> about the record - rather than *how* you want the protection
> implemented. This is particularly important given your
> assertion in the document that the policy will apply equally
> to electronic and physical instances of the record.
Agree. Let's see if the next version will address this issue.
Konstantin
----------------
Broadcast message to hrac-rfp from Konstantin Beznosov <beznosov@baptisthealth.net>.
Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.