Monday, September 26, 2011

Security, Masking, and Legal Signatures in CDA

A while back I made a statement about how "Masking" interferes with the wholeness and legal authenticity of a document that has been signed in CDA.  Someone recently asked for clarification on the point that I made:
The main problem with "MASKING", as it were, is that in implementing such an infrastructure you are interfering with the wholeness and legal authenticity of the content being viewed.

So, to clarify:

  1. In CDA, the legal signature attests that the provider has legally signed (and is thereby taking responsibility) for the content in the whole document.
  2. That signature does not necessarily apply to the provider taking responsibility for a "MASKED" version of the document, as masking could eliminate critical information.
What the signature means in this case depends on how one interprets the applicable policies. 

Two other questions were also asked:
  1. What is the legal authenticity of a CCD?
    CDA documents need not be signed, but can be.  A CCD does not require a legal signature, that is up to organizational policies.  A couple of other points: The signature of a CDA document (and thus a CCD) is not a "digital signature".  Instead, it is an "electronic signature".  The latter is merely a mark indicating that a signature has been obtained.  The former is a strong mathematical proof that it was obtained.  For more information on using digital signatures with CDA documents, see two excellent posts from John Moehrke:
    1. IHE Privacy and Security Profiles (a detailed Bloginar on several security related topics)
    2. Signing CDA Documents
  2. Does a CCD have to be displayed in its entirety?
    How the CCD is used also depends upon organizational policy.  The advice I give is that if the use case is to "summarize the encounter" to a human, display the whole content; but there are plenty of other uses that may not have that same requirement, such as medication reconciliation.
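To make the distinction above concrete, here is an added example (my own illustration, not code from CDA, IHE, or John Moehrke's posts) showing why masking and a legal signature are at odds. It uses a constructed, drastically simplified CDA-like document and an Ed25519 signature from Go's standard library as a stand-in for a real XML digital signature; a real XML-DSig implementation would canonicalize the XML before signing, which this example does not. The point it demonstrates: the electronic signature mark (the `legalAuthenticator` element) survives masking unchanged, while a digital signature over the whole document stops verifying the moment any section is masked, because the provider signed the whole, not the masked view.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"regexp"
	"strings"
)

// sampleCDA is a constructed, minimal stand-in for a CDA document body.
// A real CDA document is far larger; the structure here is only illustrative.
const sampleCDA = `<ClinicalDocument>
  <legalAuthenticator><signatureCode code="S"/></legalAuthenticator>
  <component><structuredBody>
    <section><title>Medications</title><text>Warfarin 5 mg daily</text></section>
    <section><title>Problems</title><text>Atrial fibrillation</text></section>
  </structuredBody></component>
</ClinicalDocument>`

// Keypair holds the signer's Ed25519 keys (hypothetical provider key).
type Keypair struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// NewKeypair generates a fresh signing key for the example.
func NewKeypair() (Keypair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keypair{}, err
	}
	return Keypair{Pub: pub, Priv: priv}, nil
}

// SignDocument produces a digital signature over the entire document bytes.
// This is the "strong mathematical proof" form of signature.
func SignDocument(priv ed25519.PrivateKey, doc string) []byte {
	return ed25519.Sign(priv, []byte(doc))
}

// VerifyDocument checks that the signature covers exactly these document bytes.
func VerifyDocument(pub ed25519.PublicKey, doc string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(doc), sig)
}

// HasElectronicSignatureMark reports whether the document carries the
// legalAuthenticator "signed" mark. This mark is only an assertion that a
// signature was obtained; it proves nothing about the content's integrity.
func HasElectronicSignatureMark(doc string) bool {
	return strings.Contains(doc, `<signatureCode code="S"/>`)
}

// MaskSection replaces the narrative text of the named section with a
// placeholder, simulating a masking infrastructure applied at display time.
func MaskSection(doc, title string) string {
	re := regexp.MustCompile(`(?s)(<section><title>` + regexp.QuoteMeta(title) +
		`</title><text>)(.*?)(</text></section>)`)
	return re.ReplaceAllString(doc, "${1}[masked]${3}")
}

func main() {
	kp, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	sig := SignDocument(kp.Priv, sampleCDA)
	fmt.Println("original verifies:", VerifyDocument(kp.Pub, sampleCDA, sig))

	masked := MaskSection(sampleCDA, "Medications")
	fmt.Println("masked still carries electronic mark:", HasElectronicSignatureMark(masked))
	fmt.Println("masked verifies against original signature:", VerifyDocument(kp.Pub, masked, sig))
}
```

Run as-is and the original document verifies, the masked document still shows the electronic signature mark, and the masked document fails digital-signature verification. A masking system that wants to preserve legal authenticity therefore has to either present the signed whole, or obtain a separate attestation covering the masked rendition, which is exactly the policy question the post raises.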

In all cases, the actual resolution of these questions would need to be addressed by local policy.  "Local policy" is a phrase you will frequently hear security geeks use to mean: governing laws, regulations, and the procedures instituted by organizations to implement them.  Essentially that means that the CDA and CCD specifications do not set forth what is the "legal authenticity".  Those decisions are made in courts.  They do, however, support procedures that enable others to establish the "legal authenticity".


  1. Thank you for this post!

    There is an annoying tendency in SDOs to assign the hard parts of use cases to other domains, e.g., records authenticity to the security domain. I have seen this happen in almost every standards activity, including current works in progress.

    Another example of this phenomenon is the assumption that local policies are somehow superior to global ones. That is a politically easy approach, yet it is ineffective and costly. It is anarchy.

    Tossing hard problems through the figurative transom is not a path to solution. Why? Because the recipients of the problems lack the knowledge of the domains that sent them. This is a root cause for delays in standards maturity and adoption.

    What we need is a spirit of collaboration. In HL7, for instance, a joint records authenticity effort between Structured Documents and Security -- in consultation with other knowledge domains -- is required. Similarly, we need a comprehensive national policy for health records management to replace the crazy quilt of local policies. It will be hard work. So what?

  2. I liked your blog and also I liked the comment of Glen and his statement "Tossing hard problems through the figurative transom is not a path to solution".
    It's very true in every sense.