Social Credential-Based Role Recommendation and Patient Privacy Control in Medical Emergency

Emerging Health Information Technologies (HIT), such as Electronic Health Records (EHR) and Personal Health Records (PHR) systems, facilitate access to and sharing of patients’ medical data in a distributed environment. The privacy protection of medical information is a pressing issue with the use of these medical technologies. In this paper, the authors present a Patient-controlled Privacy Protection Framework, which allows a patient to specify his or her own privacy policies on their own medical data no matter where they are stored. In addition, the authors extend this basic framework to medical emergency situations, where roles and users may not be limited to an organizational boundary. To enforce patient’s privacy policies even in emergency situations, the authors propose the Situation Role-based Privacy Control model and a social network-based user credential discovery method to recommend a situation role to candidate users. The authors present a mobile prototype system and two experiments to show the feasibility of our approach.

DOI: 10.4018/jcmam.2011100101. International Journal of Computational Models and Algorithms in Medicine, 2(4), 1-22, October-December 2011. Copyright © 2011, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

of patient data for sharing and for decision support analytics across healthcare providers’ organizational boundaries, urging the use of Health Information Exchange (HIE) standards and an interoperable framework. One of the many major challenges to overcome for EHR systems to be widely adopted for sharing of patient information across different EHR systems in the HIE environment is ensuring patient privacy. With the use of EHR systems, doctors, other healthcare providers, insurance companies, governments, as well as patients could easily access patient information that is stored in various locations. The patient’s privacy should be a paramount priority.
Typically, a patient leaves medical records in various providers’ EHR systems. A general practitioner can enter initial checkup notes and his recommendations on his own EHR system. Then a specialist can also record some patient information in his own EHR system, and so do pharmacists, X-ray technicians, etc. In this distributed environment, it is difficult to ensure consistent privacy control for different health information of the patient. Currently, a patient at the initial visit to a doctor’s office fills out a paper-based form regarding health information privacy and how his or her own health information may be shared. It is difficult to ensure that privacy is controlled in the manner the patient desires or to ensure that the healthcare providers honor the privacy specifications of the patient about sharing and using his or her own health data. The patient simply trusts that the organization’s policy is executed in good faith, but has no control over who can access what and how her own data can be shared and used. In this paper, we first present the patient-controlled privacy framework, where a patient can specify and manage her own privacy policies on her own data that are stored in different locations (e.g., doctor’s offices) to maximize the control on the privacy of her own data. In addition, the framework has a privacy policy enforcement component that can control and keep track of the provenance of access, release, sharing and advanced analytics of their medical data such that the patient’s privacy policies are properly adhered to. However, the basic patient-controlled privacy framework may fail in case of a health emergency, since the patient’s own policy may not list all the possible emergency situations and non-typical roles may be involved, such as first responders or volunteers who are not in the “regular” healthcare network of the patient.
In the absence of a pre-specified patient-controlled privacy policy in an emergency situation, the system should still be able to provide privacy control, instead of revealing all the medical records unconditionally. To achieve this, we present an approach called the Situation-Role based Privacy Control Framework, where a medical emergency situation is modeled with a typical sequence of activities that are associated with handling the medical emergency situation, and a set of default roles for each activity in the situation, called situation roles, is defined. In this framework, the authentication process involves two levels. First, the system should verify the authenticity of the emergency situation. This process is called authentication of situation. Second, it should authenticate a person (user) for each activity in the mitigation process such that the person can assume the default situation role for the activity based on the person’s credentials. This process is called situation role activation. We present the situation-based policy specification for the patient, enhancing the basic patient-controlled privacy framework. We introduce situation credentials and an approach to authenticate a situation based on situation credentials. We present a way to discover dynamic credentials for potential medical providers who can participate in an activity for handling the emergency health situation. The potential users (e.g., nearby doctors or nurses) can be dynamically identified using their proximity to the emergency location, time to fetch them, and their public social credentials. The potential candidates are automatically notified with a request or alert to participate in solving a health emergency situation.
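The two-level check and candidate recommendation described above, sketched as an added example; this is not the paper's algorithm or prototype code. All situation, role, credential and issuer names are hypothetical, and letting a patient-specified policy replace the default scope of a situation role is an assumption made for illustration.

```python
from dataclasses import dataclass
# Constructed model data (hypothetical): situation -> activity ->
# (default situation role, credentials required, record sections readable).
SITUATION_ROLES = {
    "cardiac_arrest": {
        "first_aid": ("first_responder", {"cpr_certified"},
                      {"allergies", "medications"}),
        "treatment": ("emergency_physician", {"md_license"},
                      {"allergies", "medications", "history"}),
    }
}
# Issuers whose situation credentials are accepted as evidence (assumed).
TRUSTED_SITUATION_ISSUERS = {"ems_dispatch", "hospital_triage"}

@dataclass(frozen=True)
class Candidate:
    name: str
    credentials: frozenset
    distance_km: float
    eta_min: float  # time to fetch the candidate to the scene

def authenticate_situation(situation, situation_credentials):
    """Level 1: a trusted issuer must vouch that the emergency is real."""
    return situation in SITUATION_ROLES and any(
        c["situation"] == situation and c["issuer"] in TRUSTED_SITUATION_ISSUERS
        for c in situation_credentials)

def activate_situation_role(situation, activity, candidate):
    """Level 2: grant the activity's default role only on matching credentials."""
    role, required, _ = SITUATION_ROLES[situation].get(activity, (None, set(), None))
    return role if required <= candidate.credentials else None

def authorize(situation, activity, candidate, situation_credentials,
              section, patient_policy=None):
    """Default deny: both levels must pass and the section must be in scope."""
    role = (authenticate_situation(situation, situation_credentials)
            and activate_situation_role(situation, activity, candidate))
    if not role:
        return False
    # A patient-specified policy, when present, replaces the default scope.
    scope = (patient_policy or {}).get(
        (situation, role), SITUATION_ROLES[situation][activity][2])
    return section in scope

def recommend(situation, activity, candidates, max_eta_min=15):
    """Rank credentialed candidates by time to fetch, then by distance."""
    ok = [c for c in candidates if c.eta_min <= max_eta_min
          and activate_situation_role(situation, activity, c)]
    return [c.name for c in sorted(ok, key=lambda c: (c.eta_min, c.distance_km))]
```

A request with no trusted situation credential, or from a user without the required credentials, is denied outright rather than falling back to unconditional disclosure.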
We provide algorithms, a prototype
