Empowering citizens with access control mechanisms to their personal health resources

BACKGROUND Advancements in information and communication technologies have allowed the development of new approaches to the management and use of healthcare resources. Nowadays it is possible to address complex issues such as meaningful access to distributed data or communication and understanding among heterogeneous systems. As a consequence, the discussion focuses on the administration of the whole set of resources providing knowledge about a single subject of care (SoC). New trends make the SoC the administrator of, and the party responsible for, all these elements (related to his/her demographic data, health, well-being, social conditions, etc.), and s/he is granted the ability to control access to them by third parties. The subject of care exchanges a passive role without any decision capacity for an active one that allows him/her to control who accesses what.

PURPOSE We study the access control infrastructure necessary to support this approach and develop mechanisms based on semantic tools to assist the subject of care with the specification of access control policies. This infrastructure is a building block of a wider scenario, the Person-Oriented Virtual Organization (POVO), which aims at integrating all the resources related to each citizen's health-related data. The POVO covers the wide range and heterogeneity of available healthcare resources (e.g., information sources, monitoring devices, or software simulation tools) and grants each SoC control over access to them.

METHODS Several methodological issues are crucial for the design of the targeted infrastructure. The distributed system concept and focus are reviewed from the service oriented architecture (SOA) perspective. The main frameworks for the formalization of distributed system architectures (Reference Model-Open Distributed Processing, RM-ODP; and Model Driven Architecture, MDA) are introduced, as well as how the use of the Unified Modelling Language (UML) is standardized. The specification of access control policies and the decision-making mechanisms are key to this approach, and they are accomplished by using semantic technologies (i.e., ontologies, rule languages, and inference engines).

RESULTS The results are mainly focused on the security and access control of the proposed scenario. An ontology has been designed and developed for the POVO, covering the terminology of the scenario and easing the automation of administration tasks. Over that ontology, an access control mechanism based on rule languages allows specifying access control policies, and an inference engine performs the decision-making process automatically. The Me-As-An-Admin (M3A) application improves the usability of the solutions that ease administration tasks for the SoC. It guides the SoC through the specification of personal access control policies to his/her distributed resources by using semantic technologies (e.g., metamodeling, model-to-text transformations, etc.). All results are developed as services and included in an architecture in accordance with standards and principles of openness and interoperability.

CONCLUSIONS Current technology can deliver health, social and well-being care that is actually centered on citizens, granting each person the management of his/her health information. However, the application of technology without adopting methodologies or normalized guidelines will reduce the interoperability of the solutions developed and fail to deliver advanced services and improved scenarios for health delivery. Standards and reference architectures can be cornerstones for future-proof and powerful developments. Finally, not only must technology follow citizen-centric approaches, but the gaps requiring legislative efforts to support these new paradigms of healthcare delivery must also be identified and addressed.
