Purpose: The National Health Service's (NHS's) National Programme for Information Technology (NPfIT) in the UK with its proposed nation-wide online health record service poses serious technical challenges, especially with regard to access control and patient confidentiality. The complexity of the confidentiality requirements and their constantly evolving nature (due to changes in law, guidelines and ethical consensus) make traditional technologies such as role-based access control (RBAC) unsuitable. Furthermore, a more formal approach is also needed for debating about and communicating on information governance, as natural-language descriptions of security policies are inherently ambiguous and incomplete. Our main goal is to convince the reader of the strong benefits of employing formal policy specification in nation-wide electronic health record (EHR) projects.
Approach: Many difficulties could be alleviated by specifying the requirements in a formal authorisation policy language such as Cassandra. The language is unambiguous, declarative and machine-enforceable, and is based on distributed constrained Datalog. Cassandra is interpreted within a distributed Trust Management environment, where digital credentials are used for establishing mutual trust between strangers.
Results: To demonstrate how policy specification can be applied to NPfIT, we translate a fragment of natural-language NHS specification into formal Cassandra rules. In particular, we present policy rules pertaining to the management of Clinician Sealed Envelopes, the mechanism by which clinical patient data can be concealed in the nation-wide EHR service. Our case study exposes ambiguities and incompletenesses in the informal NHS documents.
Conclusions: We strongly recommend the use of trust management and policy specification technology for the implementation of nation-wide EHR infrastructures. Formal policies can be used for automatically enforcing confidentiality requirements, but also for specification and communication purposes. Formalising the requirements also reveals ambiguities and missing details in the currently used informal specification documents.