- From: Jonathan Borden <jborden@mediaone.net>
- To: KenNorth <KenNorth@email.msn.com>
- Date: Sun, 23 Jul 2000 22:42:03 -0400
KenNorth wrote:
>
>
> Jonathan,
>
> > If healthcare records are important to preserve on a long term
> > basis, they need to be stored in a specified format that will allow
> > this, hence XML. RDF provides the necessary semantic structure on top
> > of the XML data.
>
> It seems like we need a multi-level security model for medical records.
> We'll eventually be transmitting an individual's genetic map (DNA) so I
> imagine we'll need something like element- and attribute-level
> security. One application might be able to view a person's complete
> medical records, but another might be denied access to specific gene
> and chromosome data.
>
> Do you think the current set of W3C specs (RDF, schemas) is adequate for
> describing medical records in an environment that enforces attribute-level
> security?
>
This is an important issue. Clearly a multi-level security model is
essential. Standards/protocols such as IPSEC, SSL, certificates, S/MIME are
available to build security systems. Acceptable security systems can
certainly be (and have been) built. What is needed is proper implementation.
In terms of e.g. attribute level security, I like to use the grove plan
concept, where if a grove is an abstract representation of the data, a grove
plan describes a particular pruning of the data tree (graph in the complete
sense). One might, for example, associate a particular grove plan to a
particular security setting to specify what data a particular certificate
holder may access. An abstract grove plan might practically be represented
by an XSLT transform through which the actual data is accessed.

If one really wants to do attribute level access control, a not
insignificant overhead will be imposed. For medical records I've
encountered, access control would be at the element level. With proper
partitioning of elements into documents, access control lists can be placed
on the documents and enforcement can be performed by the underlying file
system (or database if the database provides for this). For systems I've
designed for organizations in countries with strict privacy laws such as
Britain and Germany, I've used a hybrid filesystem/database approach which
works well and is reasonably efficient. The true overhead in this case is
the administration of the certificate authority: the finer grained the
access control, the more administrative overhead occurs.

Also remember that the same systems designed for internet use can be used in
an intranet or extranet situation, so the fallback option is to pay $$$ for
a true private or virtual private network funded by your tax dollars, but
the decision about who gets to see what remains. My opinion is that with the
proper laws and use of current security techniques a reasonably secure system
is definitely achievable (remember that no system is *ever* completely
secure, it's just a matter of how much $$$$$ you want to spend to access the
data).
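The "grove plan" idea in the message above, a pruning of the record tree that is tied to what a particular certificate holder may see, can be shown in a few dozen lines. The following is an added example and is not code from the original thread or from any system its author describes. It uses Python's standard ElementTree rather than an XSLT processor (the message suggests XSLT; the same plan maps directly onto an identity transform whose templates drop the pruned elements). The record schema, the role names "clinician" and "researcher", the policy contents and the sample record are all constructed for illustration. It demonstrates both the element-level control the message says is usual in practice (whole sections such as genetics are removed with their subtree) and the attribute-level control Ken asks about (an attribute is stripped from an element that is otherwise visible).

```python
"""Grove plan as element/attribute-level access control over an XML record.

Added example, not from the original mailing-list post. The record
format, role names and policy below are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample record (hypothetical schema, fake patient data).
SAMPLE_RECORD = """<record id="p-001">
  <demographics>
    <name>Jane Doe</name>
    <dob>1970-01-01</dob>
  </demographics>
  <encounters>
    <encounter date="2000-07-20">
      <diagnosis code="J06.9">Acute upper respiratory infection</diagnosis>
      <note>Patient advised rest.</note>
    </encounter>
  </encounters>
  <genetics>
    <gene symbol="BRCA1" variant="c.68_69delAG"/>
    <chromosome number="17"/>
  </genetics>
</record>"""

# One grove plan per role (hypothetical). "allow" lists the element paths
# (root/child/...) whose subtrees the role may read; everything else is
# pruned. "deny_attrs" strips named attributes from an otherwise visible
# element, e.g. de-identifying the encounter date for research use.
POLICY = {
    "clinician": {
        "allow": {"record/demographics", "record/encounters"},
        "deny_attrs": {},
    },
    "researcher": {
        "allow": {"record/encounters", "record/genetics"},
        "deny_attrs": {"record/encounters/encounter": {"date"}},
    },
}


def _in_allowed_subtree(path, allowed):
    """True if `path` is an allowed path or lies beneath one."""
    return any(path == a or path.startswith(a + "/") for a in allowed)


def _is_ancestor_of_allowed(path, allowed):
    """True if `path` is a structural ancestor of some allowed path.
    Such nodes are kept as scaffolding but their own text is dropped."""
    return any(a.startswith(path + "/") for a in allowed)


def apply_grove_plan(xml_text, plan):
    """Return a pruned copy of the record as an Element, or None if the
    plan allows nothing at all."""
    allowed = plan["allow"]
    deny_attrs = plan.get("deny_attrs", {})
    src = ET.fromstring(xml_text)

    def copy_node(node, path):
        readable = _in_allowed_subtree(path, allowed)
        if not readable and not _is_ancestor_of_allowed(path, allowed):
            return None  # pruned, together with its whole subtree
        attrs = {k: v for k, v in node.attrib.items()
                 if k not in deny_attrs.get(path, ())}
        out = ET.Element(node.tag, attrs)
        if readable:  # scaffolding ancestors must not leak their own text
            out.text = node.text
            out.tail = node.tail
        for child in node:
            kept = copy_node(child, path + "/" + child.tag)
            if kept is not None:
                out.append(kept)
        return out

    return copy_node(src, src.tag)


def visible_paths(elem, prefix=""):
    """Sorted list of element paths present in a (pruned) tree; handy for
    auditing what a plan actually exposes."""
    path = prefix + "/" + elem.tag if prefix else elem.tag
    found = [path]
    for child in elem:
        found.extend(visible_paths(child, path))
    return sorted(found)


if __name__ == "__main__":
    for role, plan in POLICY.items():
        view = apply_grove_plan(SAMPLE_RECORD, plan)
        print(f"--- {role} view ---")
        print(ET.tostring(view, encoding="unicode"))
```

The check a practitioner cares about is the negative one: the pruned tree for a role must contain no path outside that role's plan, which is what `visible_paths` is for in an audit. Note the message's point about overhead holds here as well: a plan like `POLICY["researcher"]` is only as trustworthy as the binding between the caller's certificate and the role name used to select it.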