Engineering a Policy-Based System for Federated Healthcare Databases

Get BibTex-formatted data

Download

PDF

Author

Rafae Bhatti, Arjmand Samuel, Mohamed Y. Eltabakh, Haseeb Amjad, Arif Ghafoor

Tech report number

CERIAS TR 2007-14

Entry type

article

Abstract

Policy-based management for federated healthcare systems have recently gained increasing attention due to strict privacy and disclosure rules. While the work on privacy languages and enforcement mechanisms, such as Hippocratic databases, has advanced our understanding of designing privacy-preserving policies for healthcare databases, the need to integrate these policies in practical healthcare framework is becoming acute. Additionally, while most work in this area has been organization-oriented, dealing with exchange of information between healthcare organizations (such as referrals), the requirements for the emerging area of personal healthcare information management have so far not been adequately addressed. These shortcomings arise from the lack of a sophisticated policy specification language and enforcement architecture that can capture the requirement for (i) integration of privacy and disclosure policies with well-known healthcare standards used in the industry in order to specify the precise requirements of a practical healthcare system, and (ii) provision of ubiquitous healthcare services to patients using the same infrastructure that enables federated healthcare management for organizations. In this paper, we have designed a policy-based system to mitigate these concerns. One, we have designed our disclosure and privacy policies using a requirements specification based on a set of use cases for the Clinical Document Architecture (CDA) standard proposed by the community. Two, we present a context-aware policy specification language which allows encoding of CDA-based requirements use-cases into privacy and disclosure policy rules. We have shown that our policy specification language is effective in terms of handling a variety of expressive constraints on CDA-encoded document contents. Our language enables specification of privacy-aware access control for federated healthcare information across organizational boundaries, while the use of contextual constraints allows the incorporation of user and environment context in the access control mechanism for personal healthcare information management. Moreover, the declarative syntax of the policy rules makes the policy adaptable to changes in privacy regulations or patient preferences. We also present an enforcement architecture for the federated healthcare framework proposed in this paper.

Download

PDF

Institution

Purdue University

Key alpha

Security

School

ECE

Affiliation

Purdue University, IBM Research

Publication Date

2001-01-01

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Article{ Security,
	title = "Engineering a Policy-Based System for Federated Healthcare Databases",
	author = "Rafae Bhatti, Arjmand Samuel, Mohamed Y. Eltabakh, Haseeb Amjad, Arif Ghafoor",
	institution = "Purdue University",
	school = "ECE",
	abstract = "Policy-based management for federated healthcare systems have recently gained increasing attention due to
strict privacy and disclosure rules. While the work on privacy languages and enforcement mechanisms, such as Hippocratic
databases, has advanced our understanding of designing privacy-preserving policies for healthcare databases, the need to
integrate these policies in practical healthcare framework is becoming acute. Additionally, while most work in this area has been
organization-oriented, dealing with exchange of information between healthcare organizations (such as referrals), the
requirements for the emerging area of personal healthcare information management have so far not been adequately addressed.
These shortcomings arise from the lack of a sophisticated policy specification language and enforcement architecture that can
capture the requirement for (i) integration of privacy and disclosure policies with well-known healthcare standards used in the
industry in order to specify the precise requirements of a practical healthcare system, and (ii) provision of ubiquitous healthcare
services to patients using the same infrastructure that enables federated healthcare management for organizations. In this paper,
we have designed a policy-based system to mitigate these concerns. One, we have designed our disclosure and privacy policies
using a requirements specification based on a set of use cases for the Clinical Document Architecture (CDA) standard proposed
by the community. Two, we present a context-aware policy specification language which allows encoding of CDA-based
requirements use-cases into privacy and disclosure policy rules. We have shown that our policy specification language is
effective in terms of handling a variety of expressive constraints on CDA-encoded document contents. Our language enables
specification of privacy-aware access control for federated healthcare information across organizational boundaries, while the use
of contextual constraints allows the incorporation of user and environment context in the access control mechanism for personal
healthcare information management. Moreover, the declarative syntax of the policy rules makes the policy adaptable to changes
in privacy regulations or patient preferences. We also present an enforcement architecture for the federated healthcare framework
proposed in this paper.",
	affiliation = "Purdue University, IBM Research",
}