Zusammenfassung
In der organisationsübergreifenden medizinischen Forschung werden äußerst sensible Patientendaten verschiedenen Teilnehmern in unterschiedlichen Verwaltungseinheiten oder sogar unterschiedlichen Ländern zur Verfügung gestellt. Aus diesem Grund ist ein wirkungsvolles Identitäts- und Zugriffskontroll-Management (engl. Identity and Access Management, IAM) hier von großer Bedeutung für die Sicherung der Vertraulichkeit dieser Daten. Dabei hat IAM zwei gegensätzliche Ziele: Zum einen sollen Mediziner auf über verschiedene Standorte verteilte medizinische Daten zugreifen können; zum anderen soll die Privatsphäre der Patienten, deren Daten bei den Studien untersucht werden, geschützt werden (beispielsweise durch Pseudonymisierung). Dieser Artikel präsentiert ein organisationsübergreifendes IAM-System, das im Rahmen des Projektes @neurIST entstanden ist. Dieses Projekt befasst sich mit der Entwicklung einer Infrastruktur für die Erforschung und Behandlung von zerebralen Aneurysmen. Dabei werden medizinische Einrichtungen und Dienstanbieter durch eine technische Plattform nach dem Paradigma der Service-orientierten Architektur miteinander verbunden. Diese Plattform verwendet das so genannte Claim-basierte Sicherheitsmodell zur Realisierung von IAM für die @neurIST-Dienste sowie Pseudonymisierungstechniken zur Sicherung der Vertraulichkeit der Patientendaten.
Summary
In multi-institutional medical research, identity and access management is crucial because of the sensitiveness of the medical data which is made available to distinct stakeholders with unique interests residing in different administrative domains as well as countries. Identity and access management in such a setting is twofold and should provide access to federated medical data spread across multiple sites to medical professionals while at the same time protect the privacy of the patients – whose medical data is used for research purposes – by pseudonymization. This paper discusses the identity and access management approach developed in the @neurIST project which deals with the study and treatment of cerebral aneurysms. @neurIST aims at developing a decision support system and a research infrastructure that unites multiple medical institutions and service providers offering technical solutions based on the Service Oriented Architecture (SOA) paradigm for treating and researching diseases. The system developed within @neurIST adopts claim-based security models to implement an efficient identity and access management for data access in the @neurIST service ecosystem and pseudonymization technologies to protect the patients' privacy.
References
American Medical Informatics Association (AMIA) (2007): A taxonomy of secondary uses and re-uses of healthcare data. Invitational Conf. on Secondary Use of Health Data. Available online at: http://www.amia.org/inside/initiatives/healthdata/2007/index.asp/
Arbona, A., Benkner, S., Engelbrecht, G., Fingberg, J., Hofmann, M., Kumpf, K., Lonsdale, G., Woehrer, A. (2007): A service-oriented grid infrastructure for biomedical data and compute services. IEEE Transactions NanoBioscience 6 (2): 136–141
Cantor, S., Kemp, J., Philpott, R., Maler, E. (eds) (2005): Assertions and Protocols for the Oasis Security Assertion Markup Language (SAML) V2.0, OASIS Standard. Available online at: http://www.oasis-open.org/committees/security/
Dunlop, R., Arbona, A., Rajasekaran, H., Lo Iacono, L., Fingberg, J., Summers, P., Benkner, S., Engelbrecht, G., Chiarini, A., Friedrich, C. M., Moore, B., Bijlenga, P., Iavindrasana, J., Hose, R. D., Frangi, A. F. (2008): @neurIST – chronic disease management through integration of heterogeneous data and computer-interpretable guideline services. In: Proc. of HealthGrid 2008, Chicago
Geissbuhler, A., Lovis, C., Lamb, A., Spahni, S. (2001): Experience with an XML/ http-based federative approach to develop a hospital-wide clinical information system. Medinfo 10: 735–739
Iavindrasana, J., Lo Iacono, L., Mueller, H., Periz, I., Summers, P., Wright, J. (2008): Access to clinical information systems for research in the life sciences: security and privacy considerations. In: Proc. of HealthGrid 2008. Amsterdam: IOS Press
Karasavvas, K., Antonioletti, M., Atkinson, M. P., Chue Hong, N. P., Sugden, T., Hume, A. C., Jackson, M., Krause, A., Palansuriya, C. (2005): Introduction to OGSA-DAI services. Lecture Notes in Computer Science 3458: 1–12
Lo Iacono, L. (2007): Multi-centric universal pseudonymisation for secondary use of the HER. In: Proc. of HealthGrid: 239–247. Amsterdam: IOS Press
Lo Iacono, L., Rajasekaran, H. (2008): Security architecture for distributed medical information systems. Workshop on Security for Web Services and Service-Oriented Architectures (SWSOA), Informatik 2008, München
Lovis, C., Spahni, S., Cassoni-Schoellhammer, N., Geissbuhler, A. (2006): Comprehensive management of the access to a component-based healthcare information system. Studies in Health Technology Informations, vol. 124: 251–256
Moses, T. (ed): Extensible access control markup language (XACML) Version 2.0, OASIS Standard, February 2005. Available online at: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml/
Nadalin, A., Kaler, C., Monzillo, R., Hallam-Baker, P. (2006): Web services security: SOAP message security 1.1, OASIS Standard Specification
Nadalin, A., Goodner, M., Gudgin, M., Barbir, A., Granqvist, H. (2007): WS-Trust 1.3, OASIS Standard
Pommerening, K., Reng, M. (2004): Secondary use of the EHR via pseudonymisation, In: L. Bos, S. Laxminarayan, A. Marsh (eds.): Medical Care Compunetics 1: 441–446. Amsterdam: IOS Press
Rajasekaran, H., Hasselmeyer, P., Lo Iacono, L., Fingberg, J., Summers, P., Benkner, S., Engelbrecht, G., Arbona, A., Chiarini, A., Friedrich, C. M., Hofmann-Apitius, M., Moore, B., Bijlenga, P., Iavindrasana, J., Müller, H., Hose, R. D., Dunlop, R., Frangi, A., Kumpf, K. (2008): @neurIST – Towards a system architecture for advanced disease management through integration of heterogeneous data, computing, and complex processing services. In: Proc. of 21 IEEE Int. Symp. on Computer-Based Medical Systems 2008 (CBMS 2008), Finland
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Gruschka, N., Lo Iacono, L. & Rajasekaran, H. Identity and access management in multi-institutional medical research. Elektrotech. Inftech. 127, 143–150 (2010). https://doi.org/10.1007/s00502-010-0734-1
Received:
Accepted:
Issue Date:
DOI: https://doi.org/10.1007/s00502-010-0734-1
Schlüsselwörter
- Identitätsmanagement
- Medizinische Forschung
- Verteilte Zugriffskontrolle
- Claim-basierte Zugriffskontrolle
- Service-orientierte Architekturen
- Web Services
- Grid Computing