Changes between Version 24 and Version 25 of Archtectural Overview Security
- Timestamp: Feb 28, 2008, 10:13:55 PM
Legend:
- Unmodified
- Added
- Removed
- Modified
Archtectural Overview Security
v24 v25 116 116 In and of itself, the openEHR EHR imposes only a minimal security policy profile which could be regarded as necessary, but generally not sufficient for a deployed system (i.e. other aspects would still need to be implemented in layers whose semantics are not defined in openEHR). The following policy principles are embodied in openEHR. 117 117 118 === 一般===118 ==== 一般 ==== 119 119 * 整合性: ヘルス・レコード情報は削除できない。論理的な削除は、データがあたかも削除されたかのように見せる方法で実現される(バージョン制御で実装されている)。 120 120 * 監査証跡: コンテント・オブジェクト、及びEHRステータスやアクセス制御オブジェクトを含めEHRに対して行われたすべての変更について、ユーザー識別、タイム・スタンプ、理由、オプションとしての電子署名、及び該当バージョン情報による監査証跡が取られる。例外が一つあり、変更者が患者である場合には、シンボリックな識別子を用いることができる(openEHRでPARTY_SELF と呼ぶもの。次の点を参照のこと)。 … … 127 127 * Anonymity: the content of the health record is separate from identifying demographic information. This can be configured such that theft of the EHR provides no direct clue to the identity of the owning patient (indirect clues are of course harder to control). Stealing an identified EHR involves theft of data from two servers, or even theft of two physical computers, depending on deployment configuration. 128 128 129 === アクセス制御===129 ==== アクセス制御 ==== 130 130 Access Control 131 131 … … 162 162 A key feature of the policy is that it must scale to distributed environments in which health record information is maintained at multiple provider sites visited by the patient. As Anderson points out in the BMA study, policy elements are also needed for guarding against users gaining access to massive numbers of EHRs, and inferencing attacks. Currently these are outside the scope of openEHR, and realistically, of most EHR implementations of any kind today. The following sections describe how openEHR supports the first list of policy objectives. 
163 163 164 == 7.3.3 一貫性==164 === 7.3.3 一貫性 === 165 165 7.3.3 Integrity 166 166 167 === バージョニング===167 ==== バージョニング ==== 168 168 Versioning 169 169 … … 172 172 The most basic security-related feature of openEHR is its support for data integrity. This is mainly provided by the versioning model, specified in the change_control package in the Common Information Model, and in the Extract Information Model. Change-set based versioning of all information in the EHR and demographic services constitutes a basic integrity measure for information, since no content is ever physically modified, only new versions are created. All logical changes and deletions as well as additions are therefore physically implemented as new Versions rather than changes to existing information items. Clearly the integrity of the information will depend on the quality of the implementation; however, the simplest possible implementations (1 Version = 1 copy) can provide very good safety due to being write-once systems. The use of change-sets, known as Contributions in openEHR, provides a further unit of integrity corresponding to all items modified, created or deleted in a single unit of work by a user. The openEHR versioning model defines audit records for all changed items, which can be basic audits and/or any number of additional digitally signed attestations (e.g. by senior staff). This means that every write access of any kind to any part of an openEHR record is logged with the user identification, time, reason, and potentially other meta-data. Versioning is described in detail in section 8 on page 45. 173 173 174 === デジタル署名===174 ==== デジタル署名 ==== 175 175 Digital Signature 176 176
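Review bot: the heading demotion in this revision (=== to ==== for 一般, アクセス制御, バージョニング and デジタル署名, and == to === for 7.3.3 一貫性, with a space added inside the markers) covers only the headings visible in this part of the page, so confirm that the enclosing 7.3 heading and the neighbouring 7.3.x subsections were demoted in the same edit; otherwise 7.3.3 一貫性 sits one level below its siblings and the section outline becomes uneven. The body lines on integrity, audit trail, anonymity and the versioning model are unchanged context, so the security policy described on the page is not altered by this edit. One thing to tidy while touching the headings: each Japanese heading is followed by a bare English line (Access Control, 7.3.3 Integrity, Versioning, Digital Signature) that renders as ordinary paragraph text rather than as a heading; if those are intended as the heading's English title they should be folded into the heading line, and if they are leftovers from the original English page they can be dropped.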