Consent-Based Workflows for Healthcare Management

In this paper, we describe a new framework for healthcare systems where patients are able to control the disclosure of their medical data. In our framework, the patient's consent has a pivotal role in granting or removing access rights to subjects accessing the patient's medical data. Depending on the context in which the access is being executed, different consent policies can be applied. Context is expressed in terms of workflows. The execution of a task in a given workflow carries the necessary information to infer whether the consent can be implicitly retrieved or should be explicitly requested from a patient. However, patients are always able to enforce their own decisions and withdraw consent if necessary. Additionally, the use of workflows enables us to apply the need-to-know principle: even when the patient's consent is obtained, a subject should access medical data only if it is required by the actual situation, for example, if the subject is assigned to the execution of a medical diagnosis workflow requiring access to the patient's medical record. We also provide a complex medical case study to highlight the design principles behind our framework. Finally, the implementation of the framework is outlined.
