Solution sketches for Assignment-2

Refer to the solutions by Subramanian Vasudevan: [pdf]

Solution approach for Question 5 by Tim Juchichinski


5.  Assume a system containing many providers, patients, and records, and that every record’s write access can be shared with any given provider, given the consent of both the provider who created it and the patient whom it is about, and perhaps can be shared in other (against policy) ways as well.  I will demonstrate that there will always be ways of sharing write access which violate the policy.

Consider the beginning of a record’s lifespan.  Initially, the provider who creates a record is the only entity with write access to the record.  In order for another provider to gain write access to that record, the two providers must be connected by a series of islands and bridges, and perhaps some subjects along that path must take certain actions to allow the sharing to take place.  The path falls into one of two cases:

  1. The patient whose record is being shared for writing is not required to take an action in order to facilitate the sharing.  This violates the requirement that the patient must authorize such sharing.
  2. The patient whose record is being shared for writing is required to take an action in order to facilitate sharing.  This means that the patient can gain write access to his own record (either through the original authorized sharing, or by the new provider sharing write access back to the patient without the original provider being involved), and will be capable of sharing that write access with any healthcare provider whom he is connected to by islands and bridges.  There are two subcases:
    1. The patient is connected to other providers by islands and bridges, and now may share write access to his record without the creator’s authorization.  This violates the requirement that the original provider must authorize such sharing.
    2. The patient is not connected to other providers by islands and bridges.  By the original assumption, we know that the record’s creator is able to share write access with other providers, so if the patient has no island/bridge connection to additional providers, the sharing path to the additional providers must fall under case 1 (above), which will cause a violation when the record’s creator shares write access with additional providers.
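The case analysis above can be checked mechanically. What follows is an added example written for this page; it is not part of Tim Juchichinski's solution or of the assignment. It is a small Python model of a Take-Grant protection graph that implements only the take and grant rules (no create or remove), so instead of reasoning about islands and bridges it computes the closure of take/grant steps directly, restricted to a chosen set of cooperating subjects. The graph is constructed for illustration: provider P1 created record R and holds write on it, P1 can grant to the patient Pt, and Pt can grant to providers P2 and P3. All vertex names and edges are hypothetical.

```python
from collections import defaultdict

# Minimal Take-Grant protection graph with only the take and grant rules
# (no create/remove). Rights are single letters: 't' take, 'g' grant, 'w' write.
# Vertices are plain strings; only the names listed in `subjects` may act.

class TakeGrantGraph:
    def __init__(self, subjects, edges):
        self.subjects = set(subjects)
        self.rights = defaultdict(set)          # (src, dst) -> set of rights
        for src, dst, r in edges:
            self.rights[(src, dst)].add(r)

    def copy(self):
        g = TakeGrantGraph(self.subjects, [])
        for k, v in self.rights.items():
            g.rights[k] = set(v)
        return g

    def has(self, src, dst, right):
        return right in self.rights.get((src, dst), set())

    def grant(self, granter, grantee, right, target):
        """Grant rule: granter --g--> grantee and granter --right--> target
        let the granter add grantee --right--> target. The grantee need not act."""
        if granter not in self.subjects:
            raise ValueError(f"{granter} is not a subject and cannot act")
        if not self.has(granter, grantee, 'g'):
            raise ValueError(f"{granter} holds no grant right over {grantee}")
        if not self.has(granter, target, right):
            raise ValueError(f"{granter} does not hold {right} on {target}")
        g = self.copy()
        g.rights[(grantee, target)].add(right)
        return g

    def take(self, taker, via, right, target):
        """Take rule: taker --t--> via and via --right--> target let the taker
        add taker --right--> target. The vertex taken from need not act."""
        if taker not in self.subjects:
            raise ValueError(f"{taker} is not a subject and cannot act")
        if not self.has(taker, via, 't'):
            raise ValueError(f"{taker} holds no take right over {via}")
        if not self.has(via, target, right):
            raise ValueError(f"{via} does not hold {right} on {target}")
        g = self.copy()
        g.rights[(taker, target)].add(right)
        return g

    def closure(self, actors):
        """Every edge reachable by repeated take/grant steps performed only by
        the subjects in `actors`; every other vertex stays passive. Comparing
        the closure with and without a vertex shows whether its action is needed."""
        g = self.copy()
        actors = set(actors) & g.subjects
        changed = True
        while changed:
            changed = False
            for (src, dst), rs in list(g.rights.items()):
                if src not in actors:
                    continue
                for (a, z), rs2 in list(g.rights.items()):
                    if 't' in rs and a == dst and not rs2 <= g.rights.get((src, z), set()):
                        g.rights[(src, z)] |= rs2      # take everything dst holds on z
                        changed = True
                    if 'g' in rs and a == src and not rs2 <= g.rights.get((dst, z), set()):
                        g.rights[(dst, z)] |= rs2      # grant everything src holds on z
                        changed = True
        return g


def scenario():
    """Constructed (hypothetical) graph following case 2 of the sketch: the only
    path from the creator P1 to provider P2 runs through the patient Pt."""
    g0 = TakeGrantGraph(
        subjects=['P1', 'Pt', 'P2', 'P3'],
        edges=[('P1', 'R', 'w'), ('P1', 'Pt', 'g'),
               ('Pt', 'P2', 'g'), ('Pt', 'P3', 'g')])
    result = {}
    # Initially nobody reaches write on R unless the creator acts ...
    result['p2_write_without_creator'] = g0.closure(['Pt', 'P2', 'P3']).has('P2', 'R', 'w')
    # ... and P2 cannot get it unless the patient acts either (case 2).
    result['p2_write_without_patient'] = g0.closure(['P1', 'P2']).has('P2', 'R', 'w')
    # The authorised share: P1 grants write to Pt, Pt passes it on to P2.
    g1 = g0.grant('P1', 'Pt', 'w', 'R')
    g2 = g1.grant('Pt', 'P2', 'w', 'R')
    result['p2_write_authorised'] = g2.has('P2', 'R', 'w')
    # Case 2.1: Pt now holds write and can hand it to P3 with no action by P1.
    result['p3_write_without_creator'] = g2.closure(['Pt', 'P3']).has('P3', 'R', 'w')
    return result


if __name__ == '__main__':
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Running it prints that P2 cannot obtain write without both P1 and Pt acting, that the authorised share succeeds, and that afterwards the closure over {Pt, P3} alone gives P3 write on R, which is exactly the creator-consent violation of case 2.1. Modelling a vertex's consent as "that subject is in the actor set" is the one simplifying assumption; a full can·share computation with the create rule would only make more sharing paths available, not fewer.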