This paper has been motivated by a conflict between the NHS Executive and the BMA [Anderson] concerning the requirements for, and the provision of, security in the NHS-wide Networking Programme [NHSE-IMG]. It cannot attempt to resolve that conflict, because the documents from both parties to it lack the precision required of a Healthcare Security Policy Model. The NHS document is, quite correctly, more concerned with the mechanisms on which secure communications services must rely than with the purposes to which those mechanisms will be put. The BMA document is, quite correctly, concerned with the principles of confidentiality. It is critical of the mechanisms but does not provide a statement of security policy in a form that admits the verification of its internal consistency, or its validation with respect to the purposes of Healthcare and the expectations of its practitioners and patients. We hold such a formal statement to be both necessary and possible to construct. In fact, we construct a prototype Formal Healthcare Security Policy Model as a proof of concept. This is expressed as a state-based (popularly known as object-oriented), set-theoretic model in the style of [Schuman]. For readers unfamiliar with discrete mathematics, the earlier parts of the model are accompanied by a tutorial in the notation, and a guide to the basic set-theoretic operators is appended.
[1] Jeremy David Hasse Holland. The requirements analysis & design for a clinical information system: a formal approach. 1995.
[2] David H. Pitt et al. Object-Oriented Process Specification. Specification and Verification of Concurrent Systems, 1988.
[3] James H. Fetzer. Program verification: the very idea. CACM, 1988.
[4] H. Velthuijsen et al. Feature interactions in telecommunications systems. IEEE Communications Magazine, 1993.
[5] Ross Anderson et al. Security in Clinical Information Systems. 1996.
[6] Richard J. Lipton et al. Social processes and proofs of theorems and programs. POPL, 1977.