[LINK] The "health" record security model

David dlochrin at key.net.au
Sun Nov 11 20:28:24 AEDT 2018

On Sunday, 11 November 2018 18:12:05 AEDT Karl Auer wrote:

> But mostly I want a statement of aims first.

That's absolutely critical.  Too many IT projects are launched on the basis of a vague wish-list, unstated objectives, ideology, no prior stakeholder approval (perhaps so as not to rock the boat), sheer ignorance of what's involved (especially things like the required system engineering & impact on current practice), or some combination thereof.  Realistic contract clauses relating to changes are avoided like the plague.

> Regardless of all that, the first thing that must be discarded in any design is the "emergency room scenario". The system should be useful for some large percentage of normal medical interactions; it does not need to be useful for every edge case.

I imagine the ED scenario is probably the one which is most justified.  If the patient record held nothing but current status regarding allergies, medications, & critical health conditions, and the medical practice holding the patient's records, it would surely be useful.  In any common scenario the patient or their agent will be perfectly able to interact with the medical staff.

> The second thing that must be discarded is the desire for the system to do everything. Pick one thing that will really make a difference, make sure the interoperability standards are flexible and extensible, then make that one thing happen well. It will cost a fraction of trying to develop everything at once, will be doable in a fraction of the time, and will have an immediate positive effect. The lessons learned during implementation will allow new things to be handled faster and better.

That's known as having a well-written System Requirements Specification.

David L.
