Abstract
e-Health applications enable one to acquire, process, and share patient medical data to improve diagnosis, treatment, and patient monitoring. Despite the undeniable benefits brought by the digitization of health systems, the transmission of and access to medical information raise critical issues, mainly related to security and privacy. While several security mechanisms exist that can be applied in an e-Health system, they may not be adequate due to the complexity of the workflows involved and to the possible inherent correlation among health-related concepts, which may be exploited by unauthorized subjects. In this article, we propose a novel methodology for the validation of security and privacy policies in a complex e-Health system. The methodology leverages a formal description of clinical workflows and a semantically enriched definition of the data model used by the workflows, in order to build a comprehensive model of the system that can be analyzed with automated model checking and ontology-based reasoning techniques. To validate the proposed methodology, we applied it to two case studies, subject to the directives of the EU GDPR regulation for the protection of health data, and demonstrated its ability to correctly verify the fulfillment of desired policies in different scenarios.
Index Terms
- A Security and Privacy Validation Methodology for e-Health Systems