Evaluation of an Enhanced Role-Based Access Control model to manage information access in collaborative processes for a statewide clinical education program

BACKGROUND Managing information access in collaborative processes is a critical requirement to team-based biomedical research, clinical education, and patient care. We have previously developed a computation model, Enhanced Role-Based Access Control (EnhancedRBAC), and applied it to coordinate information access in the combined context of team collaboration and workflow for the New York State HIV Clinical Education Initiative (CEI) program. We report in this paper an evaluation study to assess the effectiveness of the EnhancedRBAC model for information access management in collaborative processes when applied to CEI. METHODS We designed a cross-sectional study and performed two sets of measurement: (1) degree of agreement between EnhancedRBAC and a control system CEIAdmin based on 9152 study cases, and (2) effectiveness of EnhancedRBAC in terms of sensitivity, specificity, and accuracy based on a gold-standard with 512 sample cases developed by a human expert panel. We applied stratified random sampling, partial factorial design, and blocked randomization to ensure a representative case sample and a high-quality gold-standard. RESULTS With the kappa statistics of four comparisons in the range of 0.80-0.89, EnhancedRBAC has demonstrated a high level of agreement with CEIAdmin. When evaluated against the gold-standard, EnhancedRBAC has achieved sensitivities in the range of 97-100%, specificities at the level of 100%, and accuracies in the range of 98-100%. CONCLUSIONS The initial results have shown that the EnhancedRBAC model can be effectively used to manage information access in the combined context of team collaboration and workflow for coordination of clinical education programs. Future research is required to perform longitudinal evaluation studies and to assess the effectiveness of EnhancedRBAC in other applications.

[1]  Karen A. Scarfone,et al.  Guidelines for Access Control System Evaluation Metrics , 2012 .

[2]  Ana Silva,et al.  Why facilitate patient access to medical records. , 2007, Studies in health technology and informatics.

[3]  John J. McCarthy,et al.  The Rule Engine for the Java Platform , 2008 .

[4]  Gail-Joon Ahn,et al.  Patient-centric authorization framework for electronic healthcare services , 2011, Comput. Secur..

[5]  David W. McDonald,et al.  Incorporating collaboratory concepts into informatics in support of translational interdisciplinary biomedical research , 2009, Int. J. Medical Informatics.

[6]  B. Bouwman,et al.  Rights Management for Role-Based Access Control , 2008, 2008 5th IEEE Consumer Communications and Networking Conference.

[7]  Fabrice Wendling,et al.  Computer-supported collaborative work (CSCW) in biomedical signal visualization and processing , 1999, IEEE Transactions on Information Technology in Biomedicine.

[8]  E V Kopsacheilis,et al.  Design of CSCW applications for medical teleconsultation and remote diagnosis support. , 1997, Medical informatics = Medecine et informatique.

[9]  Madhu C. Reddy,et al.  Incorporating ideas from computer-supported cooperative work , 2004, J. Biomed. Informatics.

[10]  José Luis Fernández Alemán,et al.  Security and privacy in electronic health records: A systematic literature review , 2013, J. Biomed. Informatics.

[11]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[12]  Duminda Wijesekera,et al.  A comprehensive privacy-aware authorization framework founded on HIPAA privacy rules , 2010, IHI.

[13]  Antoine Geissbühler,et al.  Comprehensive management of the access to the electronic patient record: Towards trans-institutional networks , 2007, Int. J. Medical Informatics.

[14]  Butler W. Lampson,et al.  Dynamic protection structures , 1899, AFIPS '69 (Fall).

[15]  Ling Liu,et al.  Security Models and Requirements for Healthcare Application Clouds , 2010, 2010 IEEE 3rd International Conference on Cloud Computing.

[16]  J M Geib,et al.  An asynchronous co-operative model for co-ordinating medical unit activities. , 1997, Computer methods and programs in biomedicine.

[17]  Raghuraj Rao,et al.  MetDAT: a modular and workflow-based free online pipeline for mass spectrometry data processing, analysis and interpretation , 2010, Bioinform..

[18]  J. Aarts,et al.  Computerized provider order entry system--does it support the inter-professional medication process? Lessons from a Dutch academic hospital. , 2010, Methods of information in medicine.

[19]  Omolola Ogunyemi,et al.  Design and implementation of the GLIF3 guideline execution engine , 2004, J. Biomed. Informatics.

[20]  Rakesh Agrawal,et al.  Securing electronic health records without impeding the flow of information , 2007, Int. J. Medical Informatics.

[21]  D. E. Bell,et al.  Secure Computer Systems : Mathematical Foundations , 2022 .

[22]  Yan Xiao,et al.  Emergent CSCW systems: The resolution and bandwidth of workplaces , 2007, Int. J. Medical Informatics.

[23]  Sun K. Yoo,et al.  Web-based secure access from multiple patient repositories , 2008, Int. J. Medical Informatics.

[24]  David W. McDonald,et al.  Asynchronous communication among clinical researchers: A study for systems design , 2005, Int. J. Medical Informatics.

[25]  Edward H. Shortliffe,et al.  Evaluation Methods in Biomedical Informatics , 2000 .

[26]  Gail E. Kaiser,et al.  GESDOR - A Generic Execution Model for Sharing of Computer-Interpretable Clinical Practice Guidelines , 2003, AMIA.

[27]  H. Lan,et al.  SWRL : A semantic Web rule language combining OWL and ruleML , 2004 .

[28]  Reihaneh Safavi-Naini,et al.  Privacy preserving EHR system using attribute-based infrastructure , 2010, CCSW '10.

[29]  Ioana Moisil,et al.  CSCW--a paradigm for an efficient management of the healthcare organizations. , 2002, Studies in health technology and informatics.

[30]  Milan Petkovic,et al.  Emergency Access to Protected Health Records , 2009, MIE.

[31]  Yuguang Fang,et al.  Cross-Domain Data Sharing in Distributed Electronic Health Record Systems , 2010, IEEE Transactions on Parallel and Distributed Systems.

[32]  Mark J Halsted,et al.  Improving patient care: the use of a digital teaching file to enhance clinicians' access to the intellectual capital of interdepartmental conferences. , 2004, AJR. American journal of roentgenology.

[33]  Reihaneh Safavi-Naini,et al.  Using digital rights management for securing data in a medical research environment , 2010, DRM '10.

[34]  David A. Bell,et al.  Secure computer systems: mathematical foundations and model , 1973 .

[35]  W.D. Yu,et al.  An Electronic Health Record Content Protection System Using SmartCard and PMR , 2007, 2007 9th International Conference on e-Health Networking, Application and Services.

[36]  Lillian Røstad,et al.  An Initial Model and a Discussion of Access Control in Patient Controlled Health Records , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[37]  Le Xuan Hung,et al.  An enhancement of the Role-Based Access Control model to facilitate information access management in context of team collaboration and workflow , 2012, J. Biomed. Informatics.

[38]  Edward H. Shortliffe,et al.  A generic execution model for sharing of computer-interpretable clinical practice guidelines , 2003 .

[39]  Yen-Cheng Chen,et al.  ABACS: An Attribute-Based Access Control System for Emergency Services over Vehicular Ad Hoc Networks , 2011, IEEE Journal on Selected Areas in Communications.

[40]  Kim M. Unertl,et al.  Research Paper: Describing and Modeling Workflow and Information Flow in Chronic Disease Care , 2009, J. Am. Medical Informatics Assoc..

[41]  Chen-Tan Lin,et al.  Review Paper: The Effects of Promoting Patient Access to Medical Records: A Review , 2003, J. Am. Medical Informatics Assoc..

[42]  Snezana Sucurovic,et al.  Implementing security in a distributed web-based EHCR , 2007, Int. J. Medical Informatics.

[43]  Peter L. Elkin,et al.  The introduction of a diagnostic decision support system (DXplainTM) into the workflow of a teaching hospital service can decrease the cost of service for diagnostically challenging Diagnostic Related Groups (DRGs) , 2010, Int. J. Medical Informatics.

[44]  Nadine Cohen,et al.  Returning genetic research results to individuals: points-to-consider. , 2006, Bioethics.

[45]  Dongwen Wang,et al.  Development of a system framework for implementation of an enhanced role-based access control model to support collaborative processes , 2012 .

[46]  Steve Evans,et al.  The DEDUCE Guided Query tool: Providing simplified access to clinical data for research and quality improvement , 2011, J. Biomed. Informatics.

[47]  David F. Ferraiolo,et al.  Assessment of Access Control Systems , 2006 .

[48]  Aaron S Kesselheim,et al.  Confidentiality laws and secrecy in medical research: improving public access to data on drug safety. , 2007, Health affairs.