Compusec, or computer security, measures include the access control mechanisms built into operating system and applications software. They typically comprise an authentication mechanism such as passwords, an access control mechanism which decides which subject can access which object, and an audit trail which tells who did what. A standard textbook on compusec is Amoroso [Amo94].
Our policy principles describe the functional requirements of the access control mechanism in some detail. As for the authentication mechanism, the strength we require will depend on whether outside access is possible. With a network that is completely within protected space, passwords may suffice. However, if a system supports dial access or Internet access, then it may need the more complex controls discussed in the next section.
This leads to the more general problem of where the access controls are located in the system. It is possible, but expensive, to implement them in each application program; it will usually be cheaper at a lower level in the system. Access control lists are supported by many operating systems, such as Unix, whose group and individual permissions may be used to make records accessible to all team members and to individuals respectively. If a database management system is used, then access controls at the granularity of individual patient records may have to be implemented in the database. In a heterogeneous distributed system that uses cryptography as its primary control, the access control might be largely embedded in the key management mechanism.
The automatic enforcement of principle 7 is very important. When a program derives data from an identifiable clinical record, then the derivative data shall have the same access control list as the original data, or a subset of it. A summary of a record is just as sensitive as the original. One of the benefits of this mechanism is to help prevent accidental as well as deliberate security breaches. For example, it is quite common to post personal messages to a mailing list or newsgroup by mistake. The system should prevent a clinician leaking personal health information in this way.
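As an added illustration of principle 7 (not code from the policy document), the following Python model gives each record an access control list, forces every derivative to inherit that list or a subset of it, and refuses to release data to any recipient, including an expanded mailing list, who is not on the list. The principal names, the mailing list and its membership are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    content: str
    acl: frozenset  # principals permitted to read this record

def derive(original: Record, content: str, acl=None) -> Record:
    """Produce data from an identifiable record (e.g. a summary).
    The derivative keeps the original's ACL, or a subset of it; a
    derivation that would widen access is refused (principle 7)."""
    if acl is None:
        return Record(content, original.acl)
    acl = frozenset(acl)
    widened = acl - original.acl
    if widened:
        raise PermissionError(f"derived ACL would add {sorted(widened)}")
    return Record(content, acl)

# Constructed mailing lists: a name that expands to its members.
GROUPS = {
    "ward-team": frozenset({"dr_smith", "nurse_jones"}),
    "hospital-all": frozenset({"dr_smith", "nurse_jones", "admin_lee"}),
}

def expand(recipients) -> frozenset:
    """Replace each group name by its members; individuals pass through."""
    members = set()
    for r in recipients:
        members |= GROUPS.get(r, frozenset({r}))
    return frozenset(members)

def can_send(record: Record, recipients) -> bool:
    """Release is allowed only if every actual reader is on the ACL, so a
    summary mis-addressed to a wide list is blocked like the original."""
    return expand(recipients) <= record.acl

def send(record: Record, recipients) -> str:
    if not can_send(record, recipients):
        blocked = sorted(expand(recipients) - record.acl)
        raise PermissionError(f"recipients not on ACL: {blocked}")
    return f"sent to {sorted(expand(recipients))}"
```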
Finally, where records are made anonymous for audit or research purposes, it is the responsibility of the clinician to ensure that the anonymising process is effective in the context, and for this reason it should take a deliberate action of the clinician to release the data. As the Joint Computer Group guidance makes clear, it is not acceptable for records to be sent to a health authority or drug company on the promise that they will be made anonymous once there.