论文信息 - Privacy Preserving Event Driven Integration for Interoperating Social and Health Systems

Privacy Preserving Event Driven Integration for Interoperating Social and Health Systems

Processes in healthcare and socio-assistive domains typically span multiple institutions and require cooperation and information exchange among multiple IT systems. In most cases this cooperation today is handled "manually" via document exchange (by email, post, or fax) and in a point-to-point fashion. One of the reasons that makes it difficult to implement an integrated solution is that of privacy, as health information is often sensitive and there needs to be a tight control on which information is sent to who and on the purpose for which it is requested and used. In this paper we report on how we approached this problem and on the lessons learned from designing and deploying a solution for monitoring multi-organization healthcare processes in Italy. The key idea lies in combining a powerful monitoring and integration paradigm, that of event bus and publish/subscribe systems on top of service-oriented architectures, with a simple but flexible privacy mechanism based on publication of event summaries and then on explicit requests for details by all interested parties. This approach was the first to overcome the privacy limitations defined by the laws while allowing publish/subscribe event-based integration.

[1] Anne-Marie Kermarrec,et al. The many faces of publish/subscribe , 2003, CSUR.

[2] Sabrina De Capitani di Vimercati,et al. A fine-grained access control system for XML documents , 2002, TSEC.

[3] Fabio Casati,et al. Engineering Privacy Requirements in Business Intelligence Applications , 2008, Secure Data Management.

[4] Gustavo Alonso,et al. Web Services: Concepts, Architectures and Applications , 2009 .

[5] Mariemma I. Yagüe. Survey on XML-Based Policy Languages for Open Environments , 2006 .

[6] Lorrie Faith Cranor,et al. The platform for privacy preferences , 1999, CACM.

[7] Peng Liu,et al. QFilter: fine-grained run-time XML access control via NFA-based query rewriting , 2004, CIKM '04.

[8] Andreas Matheus,et al. How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[9] Sam Heard,et al. Exploiting ebXML registry semantic constructs for handling archetype metadata in healthcare informatics , 2006, Int. J. Metadata Semant. Ontologies.

[10] Shih-Chien Chou,et al. An extended XACML model to ensure secure information access for web services , 2010, J. Syst. Softw..

[11] Anne H. Anderson,et al. A comparison of two privacy policy languages: EPAL and XACML , 2006, SWS '06.