Authorization in cross-border eHealth systems

Information Systems Frontiers

Abstract

Modern eHealth systems require collaborations between individual social entities such as hospitals, medical centers, emergency services and community services. Security and privacy are critical issues in this interoperability challenge. In an eHealth system that crosses different administrative domains, individual organisations usually define their authorization control policies independently. When a collaboration opportunity arises, a number of issues may be raised. For example, is the collaboration possible given the authorization policies of the collaboration participants? How can policy inconsistencies among collaboration participants be identified and resolved? What kind of authorization control support is needed as the collaboration proceeds? In this paper, we analyze different types of collaboration and provide insights into authorization control in individual organisations as well as in collaboration activities. We propose a model to capture the elements necessary for specifying authorization policy for cross-border collaboration. Based on the model, various inconsistencies between authorization policies from different business units are discussed, and handling strategies are suggested according to the intended collaboration type. We also briefly discuss how a description logic reasoner can be used to test whether two sets of policies are suitable for collaboration. This work lays a foundation for policy development, negotiation and enforcement for cross-border collaboration.
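The inconsistency check the abstract describes, as an added illustration rather than the paper's own model: two administrative domains (a hospital and an emergency service, constructed here) each publish permit/deny rules over (role, action, resource); a role map relates each collaboration role to a local role in each domain; every access the collaboration needs is then classified as permitted, denied, a conflict (one side permits, the other denies, so it must be negotiated) or a gap (a domain has no mapping for the role or no applicable rule, so policy must be developed). The rule language, the deny-overrides combining, the role and resource names and the sample rules are all assumptions of this example; the paper's model and its use of a description logic reasoner are not reproduced.

```python
# Added example, not code from the paper: closed-world consistency check between
# two domains' authorization policies. Rules, roles, resources and the
# deny-overrides combining algorithm are constructed assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    role: str       # local role in the issuing domain; "*" matches any
    action: str     # e.g. "read", "write", "delete"; "*" matches any
    resource: str   # e.g. "patient_record"; "*" matches any
    effect: str     # "permit" or "deny"

    def matches(self, role: str, action: str, resource: str) -> bool:
        return all(pattern in ("*", value) for pattern, value in
                   ((self.role, role), (self.action, action), (self.resource, resource)))

class DomainPolicy:
    """One administrative domain's policy. Combining is deny-overrides; a request
    no rule matches yields None ('not applicable') instead of a silent default."""

    def __init__(self, name: str, rules: Iterable[Rule]):
        self.name = name
        self.rules = list(rules)

    def decide(self, role: str, action: str, resource: str) -> Optional[str]:
        effects = {r.effect for r in self.rules if r.matches(role, action, resource)}
        if "deny" in effects:
            return "deny"
        if "permit" in effects:
            return "permit"
        return None

@dataclass(frozen=True)
class Requirement:
    collab_role: str   # role as named in the collaboration agreement
    action: str
    resource: str

# collaboration role -> {domain name: local role}; a missing entry is a gap
RoleMap = Dict[str, Dict[str, str]]
Verdicts = Dict[Tuple[str, str, str], str]

def check_collaboration(domains: List[DomainPolicy], role_map: RoleMap,
                        requirements: Iterable[Requirement]) -> Verdicts:
    """Classify each requirement as
    permitted: every domain permits it;
    conflict:  one domain permits and another denies (must be negotiated);
    gap:       a domain has no role mapping or no applicable rule (policy missing);
    denied:    every domain denies it (collaboration not possible as specified)."""
    verdicts: Verdicts = {}
    for req in requirements:
        decisions = set()
        for domain in domains:
            local_role = role_map.get(req.collab_role, {}).get(domain.name)
            decisions.add(domain.decide(local_role, req.action, req.resource)
                          if local_role else None)
        if "permit" in decisions and "deny" in decisions:
            verdict = "conflict"
        elif None in decisions:
            verdict = "gap"
        elif decisions == {"permit"}:
            verdict = "permitted"
        else:
            verdict = "denied"
        verdicts[(req.collab_role, req.action, req.resource)] = verdict
    return verdicts

def collaboration_possible(verdicts: Verdicts) -> bool:
    """True only when nothing needs negotiation or new policy."""
    return all(v == "permitted" for v in verdicts.values())

def run_example() -> Verdicts:
    """Constructed sample: a hospital and an emergency service."""
    hospital = DomainPolicy("hospital", [
        Rule("physician", "read", "patient_record", "permit"),
        Rule("physician", "write", "patient_record", "permit"),
        Rule("physician", "read", "psychiatric_notes", "deny"),
        Rule("pharmacist", "read", "medication_list", "permit"),
        Rule("*", "delete", "*", "deny"),
    ])
    emergency = DomainPolicy("emergency", [
        Rule("paramedic", "read", "patient_record", "permit"),
        Rule("paramedic", "write", "patient_record", "deny"),
        Rule("*", "delete", "*", "deny"),
    ])
    role_map: RoleMap = {
        "treating_clinician": {"hospital": "physician", "emergency": "paramedic"},
        "pharmacist": {"hospital": "pharmacist"},   # no counterpart in emergency
    }
    requirements = [
        Requirement("treating_clinician", "read", "patient_record"),
        Requirement("treating_clinician", "write", "patient_record"),
        Requirement("treating_clinician", "read", "psychiatric_notes"),
        Requirement("pharmacist", "read", "medication_list"),
        Requirement("treating_clinician", "delete", "patient_record"),
    ]
    return check_collaboration([hospital, emergency], role_map, requirements)
```

Two points matter in practice. First, gaps are reported separately from denials on purpose: in a deployed policy decision point an inapplicable policy turns into whatever the default is, and a "permit by default" on one side combined with "deny by default" on the other is exactly the kind of inconsistency that only surfaces once the collaboration is live. Second, this check is closed-world (an unmapped role or unmatched request is treated as a definite gap), whereas an OWL reasoner such as Pellet works open-world, where an unmodelled permission is merely unknown; the two agree on conflicts but differ on how much a silent policy should be trusted, so a check of this kind complements rather than replaces the reasoner-based test the paper discusses.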

Figures 1 to 6 (not reproduced on this page)


Notes

  1. Protégé 4.0 beta is available at http://protege.stanford.edu/

  2. Pellet is available at http://pellet.owldl.com/


Corresponding author: Daisy Daiqin He.

Cite this article

He, D.D., Yang, J., Compton, M. et al. Authorization in cross-border eHealth systems. Inf Syst Front 14, 43–55 (2012). https://doi.org/10.1007/s10796-011-9316-y
