As mentioned at 2.1.2, the Professional Access Control (PAC) model (de la Motte 2004; de la Motte & Hartnett 2005b) was developed as a prelude to this research. Here it is examined for the purpose of extracting Design Requirements for the Model in this Dissertation.
3.7.1 Professional Management
PAC was developed for the professional hospital environment. In this environment health professionals routinely take responsibility for the privacy of medical records and patient consent. In fact, with paper-based systems all the responsibility is placed on the health professionals. In other words, the professionals managed privacy and consent in paper-based systems. Due to the inconvenience in retrieving paper records and the presence of administrators who looked after them, there was limited opportunity or incentive for inappropriate action to be taken by the health professionals.
With the advent of IT systems in hospitals and digital health records a problem arose because in IT systems the IT system administrators traditionally control access to records. Health professionals were now required to obtain the appropriate permissions from the IT personnel. Now as the culture dictated that the health professionals should not be impeded in doing their work, access control rules tended to be relaxed. For example, all health professionals in a hospital could be given access to all patient records.
So with digital health records any health professional can potentially get access to any number of records instantaneously and without any scrutiny. This situation poses many security concerns including the stealing and divulging of private patient information. There are concerns, for example, that health insurers could gain access to digital medical records and use the information to refuse cover to particular individuals.
The main aim of PAC is to restrict access to hospital records on a “need-to-know” basis and give the health professionals the ability to manage access control themselves without the need for involving IT personnel (except in an auditing role). By providing simple access control mechanisms that could be employed at the coalface, PAC provides both increased security and reduced administration costs.
DR#21: Need-to-Know Access
DR#22: Reduce Administration
3.7.2 Service Teams
In order to facilitate Need-to-Know access, PAC employs an individual “Patient Care Team” for each patient. Team Members are allowed to access parts of the Patient’s record according to their organisational role, for example, an Administrator on the team can access the Patient’s administrative records. Other persons in the hospital are allowed “Restricted Access” to the Patient’s record depending on the circumstances and their relationship to the Team.
Useful Aspects:
The concept of Need-to-Know access is appropriate for general use in Organisations. The concept of a Patient Care Team in a hospital can also be generalised to “Client Service Teams” in any Organisation.
DR#23: Service Teams
3.7.3 Restricted Access
For persons not in the Patient Care Team, PAC provides three types of Restricted Access through “Restricted Authorisation” mechanisms. Associate Authorisation allows a colleague of a Team Member with the same role to assist the Team Member with their work. Emergency Authorisation allows access to any patient’s record but limits access according to the Worker’s role. Critical Authorisation allows access to any part of any record.
DR#24: Associate Authorisation
DR#25: Emergency Authorisation
DR#26: Critical Authorisation
These Restricted Authorisation types all provide “provisional access” where the authorisation must be later confirmed. The confirmations are provided through mechanisms that employ Authorisation Timing and Authorisation Ordering techniques.21 These techniques are described below.
3.7.4 Authorisation Timing
If a Worker performs a service at a particular time, Authorisation Timing has to do with when, relative to this time, the Worker received the required authorisation. The reason that Authorisation Timing is an issue is that in order to fulfil the Principle of Least Privilege an authorisation should only persist for as long as is necessary to perform the required work. Many systems grant access for indefinite periods simply to cut down the amount of administration required. If authorisations are made more restrictive, mechanisms must exist to facilitate occasions, like emergencies, where an authorisation is not already in place.
As Bretan (2004) points out, most access control and authorisation models follow the principle that “[a] user makes an access request of a system in some context, and the system either authorises the access request or denies it”. However, there are other possibilities. Stevens and Wulf (2002) categorised authorisations as ex ante when given prior to access, uno tempore when given at the time access is required, and ex post when given retrospectively.22
A number of systems have been proposed which deal with ex post authorisations. In fact, it is common to use the processes of logging and auditing as a mechanism to check whether accesses are properly authorised. However, logging and auditing can be seen as unsatisfactory because the procedures involved are not necessarily well defined, extensive or reliable.
21 Authorisation Timing and Authorisation Ordering are terms defined in the dissertation.
Optimistic Security (Povey 1999) introduced the idea that all accesses can initially be allowed. It allows for integrity to be maintained by providing mechanisms for rolling back data to previous states. Actions can be taken against users who abuse their access rights.
Under the concept of provisional authorisations (Kudo 2002, p. 1; Bretan 2004), the user is told that his request will be authorised provided he (and/or the system) takes certain security actions, such as signing a statement, prior to authorisation of his request. If the actions are mandatory then the mechanism can be used for uno tempore (or ex post) authorisations. If they are discretionary, they can be used only for ex post authorisations.
Rissanen et al. (2004, p. 1) proposed a system which routinely allows access, under specified constraints, even when it is not explicitly permitted. Their system depends on audit and sanctioning for enforcement. They maintain that this mirrors procedures in “manual organisations” and that established organisation theory recognizes such dependency on “rule bending” (where rules are treated as discretionary guidelines rather than mandatory specifications).
Useful Aspect:
The ex ante, uno tempore and ex post concept and terminology is very useful. Ex ante authorisations are the norm and are given before an access is requested. Uno tempore authorisations are sought when an access is requested and must be received before the access proceeds. Ex post authorisations are retrospective in that the access is made and then its legitimacy is confirmed (or denied) through an auditing process.
The concept of provisional authorisations being given subject to specified security actions being performed is also useful and can be applied in the mechanisms that deal with uno tempore authorisations.
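The Patient Care Team, the three Restricted Authorisation types and their later confirmation can be put together in one access decision, shown here as an added example that is not part of the PAC model's own specification. The class name `Pac`, the record sections, the worker names and the mapping of provisional access to the "ex post" label are assumptions made for illustration; uno tempore authorisation is not modelled.

```python
from dataclasses import dataclass, field

# Constructed sample policy: record sections each organisational role may read.
ROLE_SECTIONS = {
    "administrator": {"administrative"},
    "nurse": {"administrative", "clinical"},
    "doctor": {"administrative", "clinical", "psychiatric"},
}


@dataclass
class Pac:
    teams: dict   # patient -> {worker: role on that Patient Care Team}
    roles: dict   # worker -> organisational role
    pending: list = field(default_factory=list)  # provisional accesses

    def request(self, worker, patient, section, restricted=None, assisting=None):
        """Return (granted, timing) for one access request."""
        team, role = self.teams.get(patient, {}), self.roles[worker]
        if worker in team:  # team member: ex ante, limited by team role
            ok = section in ROLE_SECTIONS[team[worker]]
            return ok, ("ex ante" if ok else "denied")
        if restricted == "associate":  # same role as the team member assisted
            ok = team.get(assisting) == role and section in ROLE_SECTIONS[role]
        elif restricted == "emergency":  # any patient, limited by worker's role
            ok = section in ROLE_SECTIONS[role]
        elif restricted == "critical":  # any part of any record
            ok = True
        else:
            ok = False  # not on the team and no Restricted Authorisation
        if ok:  # provisional access: logged until it is confirmed ex post
            self.pending.append({"worker": worker, "patient": patient,
                                 "section": section, "type": restricted,
                                 "confirmed": None})
        return ok, ("ex post" if ok else "denied")

    def confirm(self, index, approved):
        """Record the later confirmation (or denial) of a provisional access."""
        self.pending[index]["confirmed"] = approved

    def unconfirmed(self):  # provisional accesses an auditor must still follow up
        return [e for e in self.pending if e["confirmed"] is not True]


def demo():
    # Constructed sample: one patient, a two-person care team, two outsiders.
    return Pac(teams={"p1": {"dr_a": "doctor", "adm_b": "administrator"}},
               roles={"dr_a": "doctor", "adm_b": "administrator",
                      "dr_c": "doctor", "nurse_d": "nurse"})
```

Every granted Restricted Authorisation leaves an entry in `pending`, so `unconfirmed()` gives the list of accesses that still lack confirmation.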
3.7.5 Authorisation Ordering
An access or a task may be authorised by a number of different persons. The concept of “Authorisation Order” recognizes that the authorisations given by one authoriser can override those of another authoriser. It also recognizes that there is a logical order of who to seek an authorisation from. Rules can dictate the priority for choosing between multiple authorisers. For example, round robin or first-come-first-served methods could be used.
Various methods of seeking an authorisation can also exist; for example, verbal, written or email methods may be used.
Rissanen et al. (2004; 2005) introduced the idea of “Discretionary Overriding of Access Control”, where ex post authorisations are available in certain situations when ex ante authorisations are not. They also propose that procedures for obtaining authorisations be part of the system. This is in contrast to most Access Control models, which specify what authorisations a user requires but do not provide the user with a mechanism (other than to contact a system administrator) to obtain the required authorisation. The procedures for obtaining authorisations essentially automatically direct an Authorisation Request to an appropriate authoriser(s).
DR#28: Authorisation Order
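One way to express an Authorisation Order in code, as an added example rather than anything taken from the dissertation or from Rissanen et al.: requests are directed round robin to the authorisers at a level, and when decisions conflict the authoriser earlier in the order overrides. The class `AuthorisationRouter`, the level names, the authoriser names and the escalation step are assumptions.

```python
from itertools import cycle


class AuthorisationRouter:
    """Routes requests along an Authorisation Order (highest precedence first)."""

    def __init__(self, order):
        # order: list of (level_name, [authorisers]); index 0 overrides later levels.
        self.levels = [name for name, _ in order]
        self.rank = {a: i for i, (_, people) in enumerate(order) for a in people}
        self._next = {name: cycle(people) for name, people in order}

    def route(self, level):
        """Round robin: pick the next authoriser at the level being asked."""
        return next(self._next[level])

    def escalate(self, level):
        """Next level to ask if this one gives no answer; None at the top."""
        i = self.levels.index(level)
        return self.levels[i - 1] if i > 0 else None

    def resolve(self, decisions):
        """decisions: list of (authoriser, approved) in order of arrival.

        The authoriser with the highest precedence overrides the others; within
        one level the first decision received wins (first-come-first-served).
        """
        if not decisions:
            return None  # nobody has answered, so the request is unauthorised
        _, approved = min(decisions, key=lambda d: self.rank[d[0]])
        return approved


def demo_router():
    # Constructed sample order; the levels and names are assumptions.
    return AuthorisationRouter([
        ("department_head", ["head_1"]),
        ("team_leader", ["lead_1", "lead_2"]),
    ])
```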