In creating a medical record database, the question arises as to how to
prevent later alteration of a medical record. Paper records are always a
medico-legal problem, since sometimes they are altered to hide the truth.

How can a record be "sealed" once it is committed, so to speak?

David Robins, MD <trashadd (AT) bigfoot (DOT) com> wrote:

I create a special layout for data entry. The layout can only be
accessed via script. Users may create new reports or add something to an
existing report, but even then, they are writing in a new, blank record.

The person with full access to the filemaker database will always be
able to modify records, though.
--
http://clk.ch

In article <1h56wpz.14h093h8d0i0iN%clk (AT) freesurf (DOT) ch>, clk (AT) freesurf (DOT) ch
says...
That's a start, but a considerably better solution is to define a field
called "status", and then in user priviledges define the record as read
only if the status field equals "closed".

This prevents bugs in scripts etc from accidently changing it, or being
run against it, or some unexpected event occuring that dumps the user on
the data-entry layout etc. It also prevents users from creating a new
layout putting the fields they want on it, and modifying the record.

Its better. But its not perfect. There is, as you noted, no such thing
as perfect. Anyone with full access to the database will be able to
modify it.

If you really want to put the effort into making something industrial
strength - there *ARE* some techniques for "signing" the data that would
be quite effecitve.

Sign and Timestamp it.

By sign it I mean have someone periodically run a batch to "close"
records "pending closure", that uses something like PGP to digitally
sign the record contents, and then use a Digital Timestamper to date the
record.

Even if a hacker or unscrupulous admin managed to get unrestricted
access to the fields, he'd have to have both the private key (which
should be very carefully gaurded) of someone authorized to sign the
documents, AND have compromised the timestamper. (The timestamper
service would be purchased from a 'certificate authority' like
VeriSign.) Between the two the odds of someone making an undetected
change to the database is exceedingly small.

Of course you'll have to have backups to find out what the data WAS. But
even without backups just knowing that a record has been tampered with
is extremely valuable.

-regards,
Dave