Managing Access Control in Collaborative Processes for Healthcare Applications

Team-based patient care, biomedical research, and clinical education require coordinated access to relevant information in specific contexts of workflow and collaboration. Research on methodology development to manage information access in collaborative processes is therefore essential to building successful healthcare applications. In this chapter, we first survey the existing research on access control to support team collaboration and workflow management. We then introduce an illustrative example, the New York State HIV Clinical Education Initiative (CEI), as a domain application requiring complex information access in the combined contexts of workflow and team collaboration. To address the specific challenges in access control for CEI, we present a series of studies on model development, system implementation, and effectiveness evaluation. Specifically, we describe the enhancement of the Role-Based Access Control (RBAC) model through formulating universal constraints, defining bridging entities and contributing attributes, extending access permissions to include workflow contexts, synthesizing a role-based access delegation model that targets specific objects, and developing domain ontologies as instantiations of the general model for particular applications. We illustrate the development of a generic system framework to implement the enhanced RBAC model, with three functional layers: encoding of access control policies, interpretation of these policies, and application of the policies to specific scenarios for information access management. We present an evaluation study to assess the effectiveness of the enhanced RBAC model when applied to CEI, with quantitative measures of the degree of agreement with a control system as well as sensitivity, specificity, and accuracy based on a gold standard. We close this chapter with discussions, future work, and some concluding remarks.
