ABSTRACT
The role of security management in RHIOs has recently gained increasing attention due to strict privacy and disclosure rules and federal regulations such as HIPAA. The envisioned use of electronic health care records in such systems involves pervasive and ubiquitous access to healthcare information from anywhere outside of traditional hospital boundaries, which puts increasing demands on the underlying security mechanisms. In this paper, we have designed a context-aware policy-based system to provide security management for health informatics. The policies are based on a set of use cases developed for the HL7 Clinical Document Architecture (CDA) standard. Our system is designed to adapt well to ubiquitous healthcare services in a non-traditional, pervasive environment using the same infrastructure that enables federated healthcare management for traditional organizational boundaries. We also present an enforcement architecture and a demonstration prototype for the policy-based system proposed in this paper.
Index Terms
- Policy-based security management for federated healthcare databases (or RHIOs)