Automating Consent Management Lifecycle for Electronic Healthcare Systems

The notion of patient consent plays a major role in granting access to medical data. In typical healthcare systems, consent is captured by a form that the patient has to fill in and sign. In e-Health systems, the paper-form consent is being replaced by access control mechanisms that regulate access to medical data, while taking into account electronic content. This helps empower the patient with the capability of granting and revoking consent in a more effective manner. However, the process of granting and revoking consent varies greatly according to the patient's situation. Our main argument is that such a level of detail is very difficult and error-prone to capture as a set of authorisation policies. In this chapter, we present ACTORS (Automatic Creation and lifecycle managemenT Of authoRisation policieS), a goal-driven approach to managing consent. The main idea behind ACTORS is to leverage the goal-driven approach of Teleo-Reactive (TR) programming to manage consent in a way that takes into account changes in the domains and contexts in which the patient is providing her consent.
