next up previous contents
Next: Conclusions Up: Security Architecture Options Previous: Evaluation and accreditation

European and global standardisation

The policy and guidelines set out in this document are as far as the author is aware broadly consistent with European and other standards work. We understand that a European standardisation group for Security and Privacy of Medical Informatics (CEN TC 251/WG6) is working on a draft that mandates the encryption of personal health information in large networks; encryption has been required by the data protection authorities in Sweden for several years, and a number of countries are building trusted certification authorities which will sign healthcare professionals' keys [SPR95].

The use of digital signatures is also discussed in a report to the Ontario Ministry of Health [Smu94]. The Australian standard on health information privacy [Aus95], the Royal Australian College of General Practitioners Interim Code of Practice for Computerised Medical Records in General Practice [RAC+93], the New Zealand Health Information Privacy Code [NZ94], and the US Office of Technology Assessment report [OTA93] may also be referred to. They each contribute in different ways to our understanding of the threats, of the principle of consent, of the technical options, and of pragmatic standards of best practice in other countries.

Suppliers are also encouraged to adopt best European practice, which may be very important once European data protection law comes to be enforced in British courts. This will if anything increase the emphasis on patient consent.

Ross Anderson
Fri Jan 12 10:49:45 GMT 1996