Challenges for Log Based Detection of Privacy Violations during Healthcare Emergencies

The widespread adoption of Electronic Health Records (EHR) increases the requirement for sufficient auditing mechanisms enabled with health information technologies to protect against deliberate and accidental information misuses. Shared information environments improve the quality of healthcare. Healthcare environments are characterized by unanticipated emergency situations where access to information is essential. The ordinary work-flow of the health system may need to be violated in emergency situations in a \textit{break-the-glass} approach. Hence, a purely preventive approach for information access use is not adequate for the current trends of electronic healthcare systems. Instead, after-the-fact justification of patient data access violations is required. Assessing root causes for unusual human behaviours is feasible through maintenance and analysis of appropriate event logs. Here we describe the challenges of detecting information privacy violations of current EHR systems during emergency situations. We define how a log file with additional information could be used to detect deviations from expected sequences of events during emergency situations in healthcare.

[1]  Tony R. Sahama,et al.  Sharing with Care: An Information Accountability Perspective , 2011, IEEE Internet Computing.

[2]  Romain Laborde,et al.  Specification and Enforcement of Dynamic Authorization Policies Oriented by Situations , 2014, 2014 6th International Conference on New Technologies, Mobility and Security (NTMS).

[3]  Peter R. Croll,et al.  Determining the privacy policy deficiencies of health ICT applications through semi-formal modelling , 2011, Int. J. Medical Informatics.

[4]  Rafael Accorsi,et al.  BBox: A Distributed Secure Log Architecture , 2010, EuroPKI.

[5]  L. Emanuel,et al.  What Is Accountability in Health Care? , 1996, Annals of Internal Medicine.

[6]  Achim D. Brucker,et al.  Extending access control models with break-glass , 2009, SACMAT '09.

[7]  David W. Chadwick,et al.  How to Break Access Control in a Controlled Manner , 2006, 19th IEEE Symposium on Computer-Based Medical Systems (CBMS'06).

[8]  James A. Hendler,et al.  Information accountability , 2008, CACM.

[9]  Indrakshi Ray,et al.  Audit Log Management in MongoDB , 2014, 2014 IEEE World Congress on Services.

[10]  Renato Iannella,et al.  An insight into the adoption of accountable-eHealth systems: n empirical research model based on the Australian context , 2016 .

[11]  Laurie A. Williams,et al.  Cataloging and Comparing Logging Mechanism Specifications for Electronic Health Record Systems , 2013, HealthTech.

[12]  Alexander Pretschner,et al.  Data Accountability in Socio-Technical Systems , 2016, BMMDS/EMMSAD.

[13]  M. Eric Johnson,et al.  Information security and privacy in healthcare: current state of research , 2010, Int. J. Internet Enterp. Manag..

[14]  Colin J. Fidge,et al.  Anatomy of log files: Implications for information accountability measures , 2016, 2016 IEEE 18th International Conference on e-Health Networking, Applications and Services (Healthcom).

[15]  Tony R. Sahama,et al.  Demonstrating Accountable-eHealth systems , 2014, 2014 IEEE International Conference on Communications (ICC).

[16]  Achim D. Brucker,et al.  Attribute-Based Encryption with Break-Glass , 2010, WISTP.

[17]  Limin Jia,et al.  Policy auditing over incomplete logs: theory, implementation and applications , 2011, CCS '11.