The crucial step is to move the access control from "I work for this organisation" to "I have a need to know this information".
Does anyone have good examples of this in healthcare?
Jonathan
On 5 Dec 2011, at 11:33, Webster Craig wrote:
> How do you protect against this? Only audits would pick this up?
>
> Cheers
> Craig
> On 5 Dec 2011, at 11:06, Jonathan Kay wrote:
>
> http://www.theregister.co.uk/2011/12/05/unlawful_disclosure_of_personal_data_successful_action_for_compensation/
>
> "The partner of the data subject had unlawfully accessed his medical records in the course of her employment as a nurse and thereby committed a breach of the (Data Protection) Act."
>
> This will probably be the most common type of malicious access to computerised medical records. How strong are your defences?
>
> Jonathan
>