Controlling the dissemination and disclosure of healthcare events

Information is central to healthcare: for proper care, information must be shared. Modern healthcare is highly collaborative, involving interactions between users from a range of institutions, including primary and secondary care providers, researchers, government and private organisations. Each has specific data requirements relating to the service they provide, and must be informed of relevant information as it occurs. Personal health information is highly sensitive. Those who collect or hold data as part of the care process are responsible for protecting its confidentiality, in line with patient consent, codes of practice and legislation. Ideally, one should receive only that information necessary for the tasks they perform—on a need-to-know basis. Healthcare therefore requires mechanisms to strictly control information dissemination.

Many solutions fail to account for the scale and heterogeneity of the environment. Centrally managed data services impede the local autonomy of health institutions, impacting security by diminishing accountability and increasing the risks and impacts of incorrect disclosures. Direct, synchronous (request-response) communication requires an enumeration of every potential information source and sink, which is impractical when considering health services at a national level. Healthcare presents a data-driven environment highly amenable to an event-based infrastructure, which can inform, update and alert relevant parties of incidents as they occur. Event-based data dissemination paradigms, while efficient and scalable, generally lack the rigorous access control mechanisms required for health infrastructure. This dissertation describes how publish/subscribe, an asynchronous, push-based, many-to-many middleware communication paradigm, is extended to include mechanisms for actively controlling information disclosure.
We present Interaction Control: a data-control layer above a publish/subscribe service that allows the definition of context-aware policy rules to authorise information channels, transform information and restrict data propagation according to the circumstances. As dissemination policy is defined at the broker level and enforced by the middleware, client compliance is ensured. Although policy enforcement involves extra processing, we show that in some cases the control mechanisms can actually improve performance over a general publish/subscribe implementation. We build Interaction Control mechanisms into integrated database-brokers to provide a rich representation of state while facilitating audit, which is essential for accountability.

Healthcare requires the sharing of sensitive information across federated domains of administrative control. Interaction Control provides the means for balancing the competing concerns of information sharing and protection. It enables those responsible for information to meet their data management obligations through the specification of fine-grained disclosure policy.

To Amar, Charlene, Richelle and Jessica
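The abstract describes three broker-level controls: authorising an information channel at subscription time, transforming an event before delivery, and restricting propagation according to context, all enforced by the middleware and recorded for audit. The following is an added toy model written for this page, not code from the dissertation or its Interaction Control implementation; the class names (`Broker`, `Rule`, `Event`, `Subscriber`), the topic `patient.admission`, the roles, domains, consent flag and the sample events are all constructed assumptions used to show the shape of such a policy layer.

```python
"""Toy policy-enforcing publish/subscribe broker (added illustration, not the
dissertation's code). Policy lives at the broker, so a client cannot opt out:
every subscription and every delivery decision is logged to an audit trail."""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    topic: str
    attrs: Dict[str, object]


@dataclass
class Subscriber:
    name: str
    role: str
    domain: str
    inbox: List[Event] = field(default_factory=list)


@dataclass
class Rule:
    """One policy rule per topic (assumed structure)."""
    topic: str
    # May this subscriber hold a channel on the topic at all?
    authorise: Callable[[Subscriber, dict], bool]
    # May this particular event reach this subscriber in the current context?
    restrict: Callable[[Event, Subscriber, dict], bool]
    # What form of the event does this subscriber actually receive?
    transform: Callable[[Event, Subscriber], Event]


class Broker:
    def __init__(self, context: dict):
        self.context = dict(context)          # broker-wide circumstances
        self.rules: Dict[str, Rule] = {}
        self.subs: Dict[str, List[Subscriber]] = {}
        self.audit: List[dict] = []

    def _log(self, action, topic, sub, outcome, detail=None):
        self.audit.append({"action": action, "topic": topic,
                           "subscriber": sub.name, "outcome": outcome,
                           "detail": detail})

    def add_rule(self, rule: Rule):
        self.rules[rule.topic] = rule

    def subscribe(self, sub: Subscriber, topic: str) -> bool:
        rule = self.rules.get(topic)
        # Default deny: a topic without a rule has no authorised channel.
        if rule is None or not rule.authorise(sub, self.context):
            self._log("subscribe", topic, sub, "denied")
            return False
        self.subs.setdefault(topic, []).append(sub)
        self._log("subscribe", topic, sub, "authorised")
        return True

    def publish(self, event: Event) -> int:
        delivered = 0
        rule = self.rules.get(event.topic)
        for sub in self.subs.get(event.topic, []):
            if not rule.restrict(event, sub, self.context):
                self._log("publish", event.topic, sub, "suppressed")
                continue
            out = rule.transform(event, sub)
            sub.inbox.append(out)
            self._log("publish", event.topic, sub, "delivered", sorted(out.attrs))
            delivered += 1
        return delivered


# --- constructed policy for one topic -------------------------------------
PUBLISHING_DOMAIN = "hospital-a"            # assumed domain name
IDENTIFYING = {"patient_name", "patient_id"}  # assumed identifying fields


def admission_authorise(sub, ctx):
    # Clinicians of the publishing domain and researchers may open a channel.
    return (sub.role == "clinician" and sub.domain == PUBLISHING_DOMAIN) \
        or sub.role == "researcher"


def admission_restrict(event, sub, ctx):
    # Researchers receive an admission only if research sharing is switched on
    # for the broker and the patient has consented to research use.
    if sub.role == "researcher":
        return ctx.get("research_sharing_enabled", False) \
            and bool(event.attrs.get("research_consent"))
    return True


def admission_transform(event, sub):
    # Researchers get a de-identified view; clinicians get the event as published.
    if sub.role == "researcher":
        kept = {k: v for k, v in event.attrs.items()
                if k not in IDENTIFYING and k != "research_consent"}
        return replace(event, attrs=kept)
    return event


def run_demo() -> dict:
    broker = Broker(context={"research_sharing_enabled": True})
    broker.add_rule(Rule("patient.admission", admission_authorise,
                         admission_restrict, admission_transform))
    ward = Subscriber("ward-nurse", "clinician", PUBLISHING_DOMAIN)
    study = Subscriber("cohort-study", "researcher", "university")
    outsider = Subscriber("claims-dept", "insurer", "insurer-b")
    channels = {s.name: broker.subscribe(s, "patient.admission")
                for s in (ward, study, outsider)}
    # Constructed sample events; no real patient data.
    consented = Event("patient.admission", {"patient_name": "Sample Patient",
                      "patient_id": "P-0001", "diagnosis": "asthma",
                      "age_band": "40-49", "research_consent": True})
    refused = Event("patient.admission", {"patient_name": "Sample Patient 2",
                    "patient_id": "P-0002", "diagnosis": "fracture",
                    "age_band": "20-29", "research_consent": False})
    counts = [broker.publish(consented), broker.publish(refused)]
    return {"channels": channels, "counts": counts, "ward": ward.inbox,
            "study": study.inbox, "audit": broker.audit}


if __name__ == "__main__":
    for entry in run_demo()["audit"]:
        print(entry)
```

Running `run_demo()` shows the three controls acting at different points: the insurer is refused a channel at subscription time, the researcher's channel is authorised but the non-consented admission is suppressed for it, and the consented admission is delivered to the researcher with the identifying fields stripped while the ward clinician receives both events intact. The audit list carries one record per decision, which is the hook an accountability review would use.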
