A security policy model for clinical information systems

The protection of personal health information has become a live issue in a number of countries, including the USA, Canada, Britain and Germany. The debate has shown that there is widespread confusion about what should be protected, and why. Designers of military and banking systems can refer to Bell & LaPadula (1973) and Clark & Wilson (1987) respectively, but there is no comparable security policy model that spells out clear and concise access rules for clinical information systems. In this article, we present just such a model. It was commissioned by doctors and is driven by medical ethics; it is informed by the actual threats to privacy, and reflects current best clinical practice. Its effect is to restrict both the number of users who can access any record and the maximum number of records accessed by any user. This entails controlling information flows across rather than down and enforcing a strong notification property. We discuss its relationship with existing security policy models, and its possible use in other applications where information exposure must be localised; these range from private banking to the management of intelligence data.
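The abstract's four effects can be made concrete in a small enforcement layer. The following is an added illustration, not code from the paper or from any clinical system; it assumes a per-record access control list (ACL), constructed numeric caps, and models "across rather than down" as a rule that information may only be copied into a record whose ACL is no wider than the source's.

```python
"""Added toy enforcement of the rules named in the abstract: a cap on users per record, a cap on
records per user, notification of every access-list change, and flow only across, never down."""
from dataclasses import dataclass, field

MAX_USERS_PER_RECORD = 3   # constructed limits, not values from the paper
MAX_RECORDS_PER_USER = 2

class PolicyViolation(Exception):
    """Raised when an operation would breach the policy."""

@dataclass
class Record:
    patient: str
    acl: set = field(default_factory=set)      # clinicians allowed to read or write
    notes: list = field(default_factory=list)

class ClinicalSystem:
    def __init__(self):
        self.records = {}
        self.notifications = []   # (patient, message) pairs: the notification property

    def records_held(self, clinician):
        return sum(clinician in r.acl for r in self.records.values())

    def open_record(self, rid, patient, clinician):
        if self.records_held(clinician) >= MAX_RECORDS_PER_USER:
            raise PolicyViolation(f"{clinician} already holds the maximum number of records")
        self.records[rid] = Record(patient, {clinician})
        self.notifications.append((patient, f"{clinician} opened {rid}"))

    def grant(self, rid, clinician, granted_by):
        # Only an existing ACL member may add another, and the patient is told.
        rec = self.records[rid]
        if granted_by not in rec.acl:
            raise PolicyViolation(f"{granted_by} is not on the ACL of {rid}")
        if len(rec.acl) >= MAX_USERS_PER_RECORD:
            raise PolicyViolation(f"{rid} already has the maximum number of users")
        if self.records_held(clinician) >= MAX_RECORDS_PER_USER:
            raise PolicyViolation(f"{clinician} already holds the maximum number of records")
        rec.acl.add(clinician)
        self.notifications.append((rec.patient, f"{granted_by} added {clinician} to {rid}"))

    def copy(self, src, dst, clinician):
        # Flow across, not down: the destination's ACL must not be wider than the source's.
        s, d = self.records[src], self.records[dst]
        if clinician not in d.acl:
            raise PolicyViolation(f"{clinician} may not write to {dst}")
        if not d.acl <= s.acl:
            raise PolicyViolation(f"copying {src} into {dst} would widen its audience")
        d.notes.extend(s.notes)
```

Every ACL change lands in `notifications`, which is the hook a real system would use to inform the patient; the subset check in `copy` is what stops a narrowly shared record leaking into a widely shared one.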

[1] Andy Hopper, et al. The active badge location system, 1992, TOIS.

[2] Peter Gray, et al. How to Keep a Clinical Confidence, 1995.

[3] Wayne Kondro, et al. Proposed confidentiality law angers Canadians, 1995, The Lancet.

[4] N. Britten, et al. Confidentiality of medical records: the patient's perspective, 1995, The British Journal of General Practice: the Journal of the Royal College of General Practitioners.

[5] Dorothy E. Denning, et al. A lattice model of secure information flow, 1976, CACM.

[6] L. Dusserre, et al. Security of health information system in France: what we do will no longer be different from what we tell, 1994, International Journal of Bio-Medical Computing.

[7] R. Smith, et al. Growing pressure on BMJ's obituaries, 1995, BMJ.

[8] J. Y. Mortimer, et al. 'Soundex' codes of surnames provide confidentiality and accuracy in a national HIV database, 1995.

[9] R. N. Butler, et al. Who's reading your medical records?, 1997.

[10] B. Woodward. The computer-based patient record and confidentiality, 1995, The New England Journal of Medicine.

[11] R. Anderson, et al. NHS-wide networking and patient confidentiality, 1995, BMJ.

[12] Robert Pitchford, et al. GP Practice computer security survey, 1995.

[13] D. E. Bell, et al. Secure Computer Systems: Mathematical Foundations, 2022.

[14] L. Gostin, et al. Privacy and security of personal information in a new health care system, 1993, JAMA.

[15] Ross J. Anderson, et al. Clinical system security: interim guidelines, 1996, BMJ.

[16] David D. Clark, et al. A Comparison of Commercial and Military Computer Security Policies, 1987, 1987 IEEE Symposium on Security and Privacy.