1 / 14

Authorization for Electronic Health Records

EHR in the UKIntro on SecPAL* ApproachSecPAL-based EHR demoConclusion. * With Andy Gordon, Cedric Fournet (MSRC) and Incubation Group in Redmond. EHR in the UK. NHS: National Health ServiceCfH: Connecting for HealthNPfIT: National Programme for ITAmbitious, expensive and controversialMain parts:EHR serviceChoose

Mia_John
Download Presentation

Authorization for Electronic Health Records

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Authorization for Electronic Health Records Moritz Y. Becker Microsoft Research, Cambridge moritzb@microsoft.com

    2. EHR in the UK Intro on SecPAL* Approach SecPAL-based EHR demo Conclusion

    3. EHR in the UK NHS: National Health Service CfH: Connecting for Health NPfIT: National Programme for IT Ambitious, expensive and controversial Main parts: EHR service Choose & book ePrescriptions IT infrastructure NPfIT: conceived in 2002: timescale 2010NPfIT: conceived in 2002: timescale 2010

    4. EHR Authorization Policy Idioms Roles: GP, radiologist, gynaecologist, ... “GPs can transfer patients to other clinicians” Legitimate Relationships (LR) Between patients and their current clinicians Between patients and their agents “People with a LR with the patient can read this item” Sealed Envelopes Patient can hide specified items from specified clinicians Clinicians can hide specified items from patient Consent

    5. EHR Authorization: The Problem Hard to understand Hard to implement Hard to verify Hard to maintain

    6. EHR in the UK Intro on SecPAL* Approach SecPAL-based EHR demo Conclusion

    7. AuthZ: The Naive Approach Insecure Doesn’t scale Not maintainable

    8. AuthZ: Reference Monitor Lots of different technologies Large part of policy still hardcoded Error-prone and hard to maintain

    9. AuthZ: The Policy Approach Policy is specified in a high-level language Admin only has to maintain policy

    10. EHR in the UK Intro on SecPAL* Approach SecPAL-based EHR demo Conclusion

    11. AuthZ: The Policy Approach

    12. SecPAL-based EHR Prototype

    13. EHR in the UK Intro on Policy Approach SecPAL*-based EHR demo Conclusion

    14. The SecPAL Approach: Advantages Policy is human-readable and machine-enforceable Highly expressive (reduces ref monitor) Reduces system down times Increased maintainability Based on logic and formal semantics Formal analysis tools

More Related