1. This lab will be based on information taken from the
Added on - 22 Sep 2019
1This lab will be based on information taken from the following case study:Evered, M. and Bogeholz, S., A case study in access control requirements for a health informationsystem, Proceedings of the second workshop on Australasian information security, Data Mining andWeb Intelligence, and Software Internationalisation, 32, 53--61, 2004.The case study is based on a Health Information System for an aged-care facility. The facility offers singleroom accommodation for some 30 residents.UsersFor this lab, we will use 10 users:Gloria (Manager) [username: gloria]Linda (Health Care Worker) [username: linda]Ian (Health Care Worker) [username: ian]Mary (Doctor) [username: mary]Markus (Doctor) [username: markus]Margaret (Patient) [username: margaret]George (Patient) [username: george]Russell (Patient) [username: russell]Patricia (Patient) [username: patricia]Mangle (admin/superuser) [username: amangle]The audit scripts will be tested using the admin/super user. All usernames must be as listedabove for auditing purposes.
2DataPersonal InformationoStatic data entered into the system when a resident is admitted. This includes personaldetails such as name, sex, religion etc., medical insurance information; medicalinformation such as blood group, allergies etc.; contact details for the resident’s doctor;contact details of a responsible person who is to be contacted in emergencies; andcontact details for whom, if the resident is not mentally capable, can make decisionsand provide signatures on behalf of the resident.Care PlanoThis is a working document that contains detailed information and instructionsregarding the day-to-day care of the resident, eg. assistance required with meals,hygiene etc. A care plan is started for each resident on admission and is updated on aregular basis. Old versions of the care plan are archived.Progress NotesoThese are observational entries covering such aspects as physical mobility, appetite,behavior, mood and the general state of the resident. Progress notes are used to updatethe care plan. Progress notes older than one year are also archived.Medical RecordsoA number of different doctors visit the facility with one doctor visiting each week on‘clinical day’. Residents can choose which of these doctors they wish to attend to them.The facility requires that each resident undergo a medical examination at least every sixmonths and medication is reviewed at least every three months. After each examinationthe doctor adds an entry to the medical records of the patient.Access RulesManageroHas the broadest access to the information, including access to personal, financial,clinical and medical information about each resident.oThe manager has full control of past and present medical records and is the only personwho can rename or delete records from the systemoOnly the manager is allowed to edit personal information and to start or update the careplan of a resident. The care plan is updated in consultation with the resident or theresponsible person.oOnly the manager is allowed to delete the information about a resident but here alsothat right is restricted. Privacy laws require that the information be held for a certainperiod after a resident leaves the facility.Health Care WorkersoHealth care workers can view the care plan for each resident and add progress noteentries based on their observations.oAccess to emergency details is available for all staff.oHealth care workers can view recent medical records of residents (up to one year old)but cannot normally view older medical information. For a special purpose, access to anolder medical record can be sought and obtained from the manager.DoctorsoDoctors have access to all the medical information of all residents and can add entries totheir medical records.oDoctors can also add private notes about a resident, which, on the basis of doctor-patient confidentiality, are not visible to health care staff or the manager.