Abstract
Team-based patient care, biomedical research, and clinical education require coordinated access of relevant information in specific contexts of workflow and collaboration. Research on methodology development to manage information access in collaborative processes therefore is essential to build successful healthcare applications. In this chapter, we first survey the existing research on access control to support team collaboration and workflow management. We then introduce an illustrative example, New York State HIV Clinical Education Initiative (CEI), as a domain application requiring complex information access in the combined contexts of workflow and team collaboration. To address the specific challenges in access control for CEI, we present a series of studies on model development, system implementation, and effectiveness evaluation. Specifically, we describe the enhancement of the Role-Based Access Control (RBAC) model through formulating universal constraints, defining bridging entities and contributing attributes, extending access permissions to include workflow contexts, synthesizing a role-based access delegation model to target on specific objects, and developing domain ontologies as instantiations of the general model to particular applications. We illustrate the development of a generic system framework to implement the enhanced RBAC model, with three functional layers: encoding of access control policies, interpretation of these policies, and application of the policies to specific scenarios for information access management. We present an evaluation study to assess the effectiveness of the enhanced RBAC model when applied to CEI, with quantitative measures on degree of agreement with a control system as well as sensitivity, specificity, and accuracy based on a gold-standard. We close this chapter with discussions, future works, and some conclusion remarks.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Alam, M., Zhang, X., Khan, K., Ali, G.: xDAuth: a scalable and lightweight framework for cross domain access control and delegation. In: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, SACMAT ’11, pp. 31–40. ACM, New York (2011)
American Psychiatric Association.: Committee on confidentiality. Guidelines on confidentiality. Am. J. Psychiatry 144(11), 1522–1526 (1987)
Barnett, G., Barry, M., Robb-Nicholson, C., Morgan, M.: Overcoming information overload: an information system for the primary care physician. Stud. Health Technol. Inform. 107(Pt 1), 273–276 (2004)
Beimel, D., Peleg, M.: Editorial: using OWL and SWRL to represent and reason with situation-based access control policies. Data Knowl. Eng. 70(6), 596–615 (2011)
Biswas, A., Mynampati, K., Umashankar, S., Reuben, S., Parab, G., Rao, R., Kannan, V., Swarup, S.: MetDAT: a modular and workflow-based free online pipeline for mass spectrometry data processing, analysis and interpretation. Bioinformatics 26(20), 2639–2640 (2010)
Blobel, B., Pharow, P.: Security and privacy issues of personal health. Stud. Health Technol. Inform. 127, 288–297 (2007)
Blobel, B., Nordberg, R., Davis, J., Pharow, P.: Modelling privilege management and access control. Int. J. Med. Inform. 75(8), 597–623 (2006)
Bouillon, Y., Wendling, F., Bartolomei, F.: Computer-supported collaborative work (CSCW) in biomedical signal visualization and processing. IEEE Trans. Inform. Technol. Biomed. 3(1), 28–31 (1999)
Bradshaw, J., Uszok, A., Jeffers, R., Suri, N., Hayes, P., Burstein, M., Acquisti, A., Benyo, B., Breedy, M., Carvalho, M., Diller, D., Johnson, M., Kulkarni, S., Lott, J., Sierhuis, M., Hoof, R.V.: Representation and reasoning for DAML-based policy and domain services in KAoS and Nomads. In: Proceedings of the 2nd International Joint Conference on Autonomous Agents and Multiagent Systems, AAMAS ’03, pp. 835–842. ACM, New York (2003)
Bricon-Souf, N., Beuscart, R., Renard, J., Geib, J.: An asynchronous co-operative model for co-ordinating medical unit activities. Comput. Methods Programs Biomed. 54(1–2), 77–83 (1997)
Buyl, R., Nyssen, M.: MedSkills: a learning environment for evidence-based medical skills. Methods Inf. Med. 49(4), 390–395 (2010)
Calvillo, J., Roman, I., Roa, L.: Empowering citizens with access control mechanisms to their personal health resources. Int. J. Med. Inform. 82(1), 58–72 (2013)
Chen, K., Chang, Y.C., Wang, D.W.: Aspect-oriented design and implementation of adaptable access control for electronic medical records. Int. J. Med. Inf. 79(3), 181–203 (2010)
Croll, P.: Privacy, security and access with sensitive health information. Stud. Health Technol. Inform. 151, 167–175 (2010)
Donelson, L., Tarczy-Hornoch, P., Mork, P., Dolan, C., Mitchell, J., Barrier, M., Mei, H.: The BioMediator system as a data integration tool to answer diverse biologic queries. Stud. Health Technol. Inform. 107(Pt 2), 768–772 (2004)
D.T.C.S.E.C. (TCSEC).: DoD 5200.28-STD Foundations. MITRE Technical Report 2547 (1973)
Elkin, P., Liebow, M., Bauer, B., Chaliki, S., Wahner-Roedler, D., Bundrick, J., Lee, M., Brown, S., Froehling, D., Bailey, K., Famiglietti, K., Kim, R., Hoffer, E., Feldman, M., Barnett, O.: The introduction of a diagnostic decision support system (DXplain) into the workflow of a teaching hospital service can decrease the cost of service for diagnostically challenging diagnostic related groups (DRG)s. Int. J. Med. Inform. 79(11), 772–777 (2010)
Eriksson, H.: Using JessTab to integrate Protégé and Jess. IEEE Intell. Syst. 18(2), 43–50 (2003)
Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)
Ferreira, A., Correia, A., Silva, A., Corte, A., Pinto, A., Saavedra, A., Pereira, A., Pereira, A., Cruz-Correia, R., Antunes, L.: Why facilitate patient access to medical records. Stud. Health Technol. Inform. 127, 77–90 (2007)
Ferrini, R., Bertino, E.: Supporting RBAC with XACML+OWL. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, SACMAT ’09, pp. 145–154. ACM, New York (2009)
Finin, T., Joshi, A., Kagal, L., Niu, J., Sandhu, R., Winsborough, W., Thuraisingham, B.: ROWLBAC: representing role based access control in OWL. In: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, SACMAT ’08, pp. 73–82. ACM, New York (2008)
Friedman, H.: Jess in Action: Java Rule-Based Systems. Manning Publications Co., Greenwich (2003)
Friedman, C., Wyatt, J.: Evaluation Methods in Biomedical Informatics, 2nd edn. Springer, New York (2006)
Geissbuhler, A.: Access to health information: a key for better health in the knowledge society. Yearb. Med. Inform. 2008, 20–21 (2008)
Gennari, J., Weng, C., Benedetti, J., McDonald, D.: Asynchronous communication among clinical researchers: a study for systems design. Int. J. Med. Inform. 74(10), 797–807 (2005)
Georgiadis, C., Mavridis, I., Pangalos, G., Thomas, R.: Flexible team-based access control using contexts. In: Proceedings of the 6th ACM Symposium on Access Control Models and Technologies, SACMAT ’01, pp. 21–27. ACM, New York (2001)
Georgiadis, C., Mavridis, I., Nikolakopoulou, G., Pangalos, G.: Implementing context and team based access control in healthcare intranets. Med. Inform. Internet Med. 27(3), 185–201 (2002)
Gouglidis, A., Mavridis, I.: domRBAC: an access control model for modern collaborative systems. Comput. Secur. 31(4), 540–556 (2012)
Grando, M., Peleg, M., Cuggia, M., Glasspool, D.: Patterns for collaborative work in health care teams. Artif. Intell. Med. 53(3), 139–160 (2011)
Halsted, M., Perry, L., Cripe, T., Collins, M., Jakobovits, R., Benton, C., Halsted, D.: Improving patient care: the use of a digital teaching file to enhance clinicians’ access to the intellectual capital of interdepartmental conferences. AJR. Am. J. Roentgenol. 182(2), 307–309 (2004)
Hannan, A.: Providing patients online access to their primary care computerised medical records: a case study of sharing and caring. Inform. Prim. Care 18(1), 41–49 (2010)
Hoelzer, S., Schweiger, R., Rieger, J., Meyer, M.: Dealing with an information overload of health science data: structured utilisation of libraries, distributed knowledge in databases and Web content. Stud. Health Technol. Inform. 124, 549–554 (2006)
Hu, V., Scarfone, K.: Guidelines for access control system evaluation metrics. National Institute of Standards and Technology. Interagency Report 7874 (2012)
Hu, V., Ferraiolo, D., Kuhn, D.: Assessment of access control systems. National Institute of Standards and Technology. Interagency Report 7316 (2006)
IBM SPSS Software.: http://www.ibm.com/software/analytics/spss/. Accessed 1 Aug 2014
Jess, the Rule Engine for the JavaTM Platform. http://www.jessrules.com. Accessed 1 Aug 2014
Jitaru, E., Moisil, I., Alexandru, A., Mirescu, M., Pertache, I.: CSCW – a paradigm for an efficient management of the healthcare organizations. Stud. Health Technol. Inform. 90, 596–600 (2002)
Jung, Y., Joshi, J.: CPBAC: property-based access control model for secure cooperation in online social networks. Comput. Secur. 41, 19–39 (2014)
Kamateri, E., Kalampokis, E., Tambouris, E., Tarabanis, K.: The linked medical data access control framework. J. Biomed. Inform. 50, 213–225 (2014)
Kesselheim, A., Mello, M.: Confidentiality laws and secrecy in medical research: improving public access to data on drug safety. Health Aff. 26(2), 483–491 (2007)
Kopena, K., Regli, W.: DAMLJessKB: a tool for reasoning with the semantic web. IEEE Intell. Syst. 18(3), 74–77 (2003)
Kopsacheilis, E., Kamilatos, I., Strintzis, M., Makris, L.: Design of CSCW applications for medical teleconsultation and remote diagnosis support. Med. Inform. 22(2), 121–132 (1997)
Koufi, V., Vassilacopoulos, G.: Context-aware access control for pervasive access to process-based healthcare systems. Stud. Health Technol. Inform. 136, 679–684 (2008)
Kunzi, J., Koster, P., Petkovic, M.: Emergency access to protected health records. Stud. Health Technol. Inform. 150, 705–709 (2009)
Kurtz, G.: EMR confidentiality and information security. J. Healthc. Inf. Manag. 17(3), 41–48 (2003)
Lampson, B.: Dynamic protection structures. In: Proceedings of the November 18–20, 1969, Fall Joint Computer Conference, AFIPS ’69 (Fall), pp. 27–38. ACM, New York (1969)
LaPadula, L., Bell, D.: Secure Computer Systems: Mathematical Foundation, vol. 1. Hansom AFB, Bedford (1973)
Le, X., Wang, D.: Development of a system framework for implementation of an enhanced role-based access control model to support collaborative processes. In: Proceedings of the 3rd USENIX Conference on Health Security and Privacy, HealthSec’12, pp. 9–9 (2012)
Le, X., Lee, S., Lee, Y.K., Lee, H., Khalid, M., Sankar, R.: Activity-oriented access control to ubiquitous hospital information and services. Inform. Sci. 180(16), 2979–2990 (2010)
Le, X., Doll, T., Barbosu, M., Luque, A., Wang, D.: An enhancement of the role-based access control model to facilitate information access management in context of team collaboration and workflow. J. Biomed. Inform. 45(6), 1084–1107 (2012)
Le, X., Doll, T., Barbosu, M., Luque, A., Wang, D.: Evaluation of an enhanced role-based access control model to manage information access in collaborative processes for a statewide clinical education program. J. Biomed. Inform. 50, 184–195 (2014)
Lee, E., McDonald, D., Anderson, N., Tarczy-Hornoch, P.: Incorporating collaboratory concepts into informatics in support of translational interdisciplinary biomedical research. Int. J. Med. Inform. 78(1), 10–21 (2009)
Lewis, D.: Information overload: tips for focusing on what you need and ignoring what you don’t. Biomed. Instrum. Technol. 43(3), 188–195 (2009)
Lindberg, D., Humphreys, B.: Rising expectations: access to biomedical information. Yearb. Med. Inform. 2008, 165–172 (2008)
Lovis, C., Spahni, S., Cassoni, N., Geissbuhler, A.: Comprehensive management of the access to the electronic patient record: towards trans-institutional networks. Int. J. Med. Inform. 76(5–6), 466–470 (2007)
Maas, J., Kamm, W., Hauck, G.: An integrated early formulation strategy – from hit evaluation to preclinical candidate profiling. Eur. J. Pharm. Biopharm. 66(1), 1–10 (2007)
Mikels, D.: Privacy: after the compliance date. J. Healthc. Inf. Manag.. 18, 34–37 (2007)
Moraitis, P., Petraki, P., Spanoudakis, N.: Engineering jade agents with the Gaia methodology. In: Agent Technologies, Infrastructures, Tools, and Applications for E-Services, vol. 2592, pp. 77–91. Springer, Heidelberg (2002)
Motta, G., Furuie, S.: A contextual role-based access control authorization model for electronic patient record. IEEE Trans. Inform. Technol. Biomed. 7(3), 202–207 (2003)
New York State HIV Clinical Education Initiative. http://www.ceitraining.org. Accessed 1 Aug 2014
Ni, Q., Bertino, E., Lobo, J., Brodie, C., Karat, C.M., Karat, J., Trombeta, A.: Privacy-aware role-based access control. ACM Trans. Inf. Syst. Secur. 13(3), 24:1–24:31 (2010)
Niazkhani, Z., Pirnejad, H., van der Sijs, H., de Bont, A., Aarts, J.: Computerized provider order entry system–does it support the inter-professional medication process? Lessons from a Dutch academic hospital. Methods Inform. Med. 49(1), 20–27 (2010)
Nijhuis, B., Reinders-Messelink, H., de Blecourt, A., Olijve, W., Groothoff, J., Nakken, H., Postema, K.: A review of salient elements defining team collaboration in paediatric rehabilitation. Clin. Rehabil. 21(3), 195–211 (2007)
OASIS: eXtensive Access Control Markup Language (XACML) Version 3.0. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cd-1-en.html. Accessed 1 Aug 2014
O’Connor, M., Knublauch, H., Tu, S., Grosof, B., Dean, M., Grosso, W., Musen, M.: Supporting rule system interoperability on the semantic web with SWRL. In: Proceedings of the 4th International Conference on The Semantic Web, ISWC’05, pp. 974–986. Springer, Heidelberg (2005)
Park, J., Sandhu, R.: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004)
Peleg, M., Beimel, D., Dori, D., Denekamp, Y.: Situation-based access control: privacy management via modeling of patient data access scenarios. J. Biomed. Inform. 41(6), 1028–1040 (2008)
Pratt, W., Reddy, M., McDonald, D., Tarczy-Hornoch, P., Gennari, J.: Incorporating ideas from computer-supported cooperative work. J. Biomed. Inform. 37(2), 128–137 (2004)
Predeschlyl, M., Dadam, P., Acker, H.: Security challenges in adaptive e-Health processes. In: Proceedings of the 27th International Conference on Computer Safety, Reliability, and Security, SAFECOMP ’08, pp. 181–192. Springer, Heidelberg (2008)
Protégé. http://protege.stanford.edu. Accessed 1 Aug 2014
Renegar, G., Webster, C., Stuerzebecher, S., Harty, L., Ide, S., Balkite, B., Rogalski-Salter, T., Cohen, N., Spear, B., Barnes, D., Brazell, C.: Returning genetic research results to individuals: points-to-consider. Bioethics 20(1), 24–36 (2006)
Reynolds, R., Candler, C.: MedEdPORTAL: educational scholarship for teaching. J. Contin. Educ. Health Prof. 28(2), 91–94 (2008)
Rinehart-Thompson, L., Hjort, B., Cassidy, B.: Redefining the health information management privacy and security role. Perspect. Health Inf. Manag. 6, 1–11 (2009)
Rodriguez, M., Favela, J., Martinez, E., Munoz, M.: Location-aware access to hospital information and services. IEEE Trans. Inf. Technol. Biomed. 8(4), 448–455 (2004)
Ross, S., Lin, C.T.: The effects of promoting patient access to medical records: a review. J. Am. Med. Inform. Assoc. 10(2), 129–138 (2003)
Sittig, D., Singh, H.: Eight rights of safe electronic health record use. J. Am. Med. Assoc. 302(10), 1111–1113 (2009)
Sousa, A., Wagner, D., Henry, R., Mavis, B.: Better data for teachers, better data for learners, better patient care: college-wide assessment at Michigan State University’s College of Human Medicine. Med. Educ. Online 16, 1–10 (2011)
Sujansky, W., Faus, S., Stone, E., Brennan, P.: A method to implement fine-grained access control for personal health records through standard relational database queries. J. Biomed. Inform. 43(5 Suppl), S46–S50 (2010)
SWRL: A Semantic Web Rule Language Combining OWL and RuleML. http://www.w3.org/Submission/SWRL/. Accessed 1 Aug 2014
The Workflow Engine Model. https://msdn.microsoft.com/en-us/library/aa188337(office.10).aspx. Accessed 1 Aug 2014
Toninelli, A., Montanari, R., Kagal, L., Lassila, O.: A semantic context-aware access control framework for secure collaborations in pervasive computing environments. In: Proceedings of the 5th International Conference on The Semantic Web (ISWC), ISWC’06, pp. 473–486. Springer, Heidelberg (2006)
Unertl, K., Weinger, M., Johnson, K., Lorenzi, N.: Describing and modeling workflow and information flow in chronic disease care. J. Am. Med. Inform. Assoc. 16(6), 826–836 (2009)
Van Harrison, R., Standiford, C.J., Green, L.A., Bernstein, S.J.: Integrating education into primary care quality and cost improvement at an academic medical center. J. Cont. Educ. Health Prof. 26(4), 268–284 (2006)
Wang, E., Kim, Y.: A teaching strategies engine using translation from SWRL to Jess. In: Proceedings of the 8th International Conference on Intelligent Tutoring Systems (ITS), pp. 51–60 (2006)
Wang, D., Peleg, M., Bu, D., Cantor, M., Landesberg, G., Lunenfeld, E., Tu, S., Kaiser, G., Hripcsak, G., Patel, V., Shortliffe, E.: GESDOR – a generic execution model for sharing of computer-interpretable clinical practice guidelines. In: AMIA Annual Symposium Proceedings, pp. 694–698 (2003)
Wang, D., Peleg, M., Tu, S., Boxwala, A., Ogunyemi, O., Zeng, Q., Greenes, R., Patel, V., Shortliffe, E.: Design and implementation of the GLIF3 guideline execution engine. J. Biomed. Inform. 37(5), 305–318 (2004)
Xiao, Y., Seagull, F.: Emergent CSCW systems: the resolution and bandwidth of workplaces. Int. J. Med. Inform. 76(Suppl 1), S261–S266 (2007)
Yeh, L.Y., Chen, Y.C., Huang, J.L.: ABACS: an attribute-based access control system for emergency services over vehicular ad hoc networks. IEEE J. Sel. Areas Commun. 29(3), 630–643 (2011)
Zhang, L., Ahn, G.J., Chu, B.T.: A rule-based framework for role-based delegation and revocation. ACM Trans. Inf. Syst. Secur. 6(3), 404–441 (2003)
Zhang, X., Oh, S., Sandhu, R.: PBDM: a flexible delegation model in RBAC. In: Proceedings of the 8th ACM Symposium on Access Control Models and Technologies, SACMAT ’03, pp. 149–157. ACM, New York (2003)
Acknowledgements
The CEI project is sponsored by New York State Department of Health AIDS Institute through Contracts #C024882 and #C023557. We would like to thank Amneris Luque, Monica Barbosu, Terry Doll, Matthew Bernhardt, and Thomas Della Porta for their contributions. We would like to thank CEI program staff Howard Lavigne, Cheryl Smith, Lyn Stevens, Bruce Agins and the colleagues from the other CEI Centers for their support.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Le, X.H., Wang, D. (2015). Managing Access Control in Collaborative Processes for Healthcare Applications. In: Gkoulalas-Divanis, A., Loukides, G. (eds) Medical Data Privacy Handbook. Springer, Cham. https://doi.org/10.1007/978-3-319-23633-9_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-23633-9_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23632-2
Online ISBN: 978-3-319-23633-9
eBook Packages: Computer ScienceComputer Science (R0)