Security Issues In A Computerized Patient Record System

Konstantin Beznosov
Baptist Health Systems of South Florida

The Computerized Patient Record (CPR) project is a long-term initiative at Baptist Health Systems of South Florida (BHS). Its ultimate goal is to create a truly CORBA-based healthcare information enterprise spanning 4 major hospitals in Miami, FL. All new clinical systems acquired by BHS will be based on CORBA technology.

The CPR security project was inspired by the last (April, 1997) workshop on DOC security. The project's goal is to research and model the applicability of CORBA security to a healthcare computing enterprise. The project's main phases are modeling healthcare enterprise security, prototyping the model with a CORBA security level 2 service, and defining a CPR security architecture based on CORBA and other distributed computing technologies.

As a result of the project's first phases, the following papers were authored by the project members:

* Taxonomy of CPR Enterprise Security Concerns at Baptist Health Systems of South Florida, which categorizes legal security requirements imposed by federal and state legislation.
* CORBAmed Security White Paper, which discusses in detail the problems stated in the draft Healthcare Security Framework RFP.
* Applicability of CORBA Security to Healthcare Problem Domain (http://www.omg.org/cgi-bin/doc?corbamed/97-09-11), which suggests directions for the security-related part of the roadmap for the OMG Healthcare task force.
* CORBA-based Security and Intranet Services: Object Technology Group Position Paper, which proposes a solution for integrating CORBA-based and non-CORBA-based security infrastructures into a consistent security environment.

Some of the main results (related directly to CORBA security in healthcare) that we have learned so far are:

* The necessity to exercise content- and context-based security policies in healthcare enterprises.
* The necessity to isolate security policy decision logic, which depends on a given enterprise's policies, from application systems provided by different vendors.
* The necessity to have a uniform interface to security policy administration for all application systems.

The Healthcare Security Framework draft RFP at CORBAmed (corbamed/97-11-04) was based on these results. To better understand the potential and limitations of the CORBA security model in the context of a healthcare computing enterprise, we are prototyping with a CORBA security service product such as DAIS security from ICL. Ongoing project activities include prototyping a possible solution to the problems stated in the HSF RFP.