Achieving Patient-Centered Fine-Grained Access Control in Hospital Information Systems - Using Business Process Management Systems

Nahid AlThqafi, Hessah AlSalamah, Ahmad Daraiseh

Abstract

Access control to patients' medical information in Hospital Information Systems (HIS) is a challenge in modern Patient-Centered (PC) healthcare. Fine-Grained Access Control (FGAC) in particular has been identified as one of the security requirements of these systems. In FGAC, only the parts of the medical information that are relevant to and required by healthcare providers are accessed at the point of care. This cannot be achieved without a holistic view of a medical condition through Patient-Centered Fine-Grained Access Control (PCFGAC), in which patient-centricity is taken into account. This research proposes using Business Process Management (BPM) to achieve PCFGAC in order to provide real-time access control based on the "need-to-know" principle. Through a prototype that uses BPM, the security requirements of PCFGAC were met. These include authority control, informed decision support, fine-grained access control, and dynamic policy support. Thus, a contribution to knowledge and practice is made.
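As an added illustration (not the paper's prototype, which this page does not show), the following Python sketch ties the need-to-know principle to the active task of a care-pathway process: a request for a section of the record is granted only if the requester holds a role permitted for the currently active task, is actually assigned to that task, the task declares the section as required, and no patient-set policy withholds it. The pathway, task-to-section mapping, roles, section names and case data are all constructed assumptions; the hospital-side policy in the paper may differ.

```python
"""Workflow-driven need-to-know access decision (illustrative only)."""
from dataclasses import dataclass, field

# Constructed sample care pathway: each task declares the roles that may
# perform it and the record sections it needs. Anything not listed for the
# active task is out of scope, whatever the requester's role.
PATHWAY = {
    "triage":    {"roles": {"nurse"},      "sections": {"vitals", "allergies"}},
    "diagnosis": {"roles": {"physician"},  "sections": {"vitals", "allergies", "history", "labs"}},
    "dispense":  {"roles": {"pharmacist"}, "sections": {"allergies", "prescriptions"}},
}


@dataclass
class CaseInstance:
    """One running process instance for one patient (assumed shape)."""
    patient_id: str
    active_task: str
    assigned_to: dict                                   # task name -> set of user ids
    consent_withheld: set = field(default_factory=set)  # dynamic patient policy


@dataclass
class Request:
    user: str
    role: str
    patient_id: str
    section: str


def decide(req: Request, case: CaseInstance):
    """Return (allowed, reason). Every denial carries a reason for the audit trail."""
    task = PATHWAY.get(case.active_task)
    if task is None:
        return False, "unknown active task"
    if req.patient_id != case.patient_id:
        return False, "request not bound to this case"
    if req.role not in task["roles"]:
        return False, "role may not perform the active task"
    if req.user not in case.assigned_to.get(case.active_task, set()):
        return False, "user not assigned to the active task"
    if req.section not in task["sections"]:
        return False, "section not needed by the active task"
    if req.section in case.consent_withheld:
        return False, "patient withheld consent for this section"
    return True, "section needed by the active task"


def audit_line(req: Request, case: CaseInstance) -> str:
    """Render the decision as a single log line (constructed format)."""
    allowed, reason = decide(req, case)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={req.user} role={req.role} patient={case.patient_id} "
            f"task={case.active_task} section={req.section} reason=\"{reason}\"")


if __name__ == "__main__":
    case = CaseInstance("p-001", "triage", {"triage": {"nurse-7"}},
                        consent_withheld={"history"})
    for r in (Request("nurse-7", "nurse", "p-001", "vitals"),
              Request("nurse-7", "nurse", "p-001", "labs"),
              Request("dr-3", "physician", "p-001", "labs")):
        print(audit_line(r, case))
```

Because the decision is re-evaluated against the process instance on every request, advancing the case to the next task changes what each participant can see without any static role grant being edited; that is the "dynamic policy" property in a minimal form.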



Paper Citation


in Harvard Style

AlThqafi N., AlSalamah H. and Daraiseh A. (2016). Achieving Patient-Centered Fine-Grained Access Control in Hospital Information Systems - Using Business Process Management Systems. In Proceedings of the 9th International Joint Conference on Biomedical Engineering Systems and Technologies - Volume 5: HEALTHINF, (BIOSTEC 2016) ISBN 978-989-758-170-0, pages 39-48. DOI: 10.5220/0005630200390048


in Bibtex Style

@conference{healthinf16,
author={Nahid AlThqafi and Hessah AlSalamah and Ahmad Daraiseh},
title={Achieving Patient-Centered Fine-Grained Access Control in Hospital Information Systems - Using Business Process Management Systems},
booktitle={Proceedings of the 9th International Joint Conference on Biomedical Engineering Systems and Technologies - Volume 5: HEALTHINF, (BIOSTEC 2016)},
year={2016},
pages={39-48},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005630200390048},
isbn={978-989-758-170-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 9th International Joint Conference on Biomedical Engineering Systems and Technologies - Volume 5: HEALTHINF, (BIOSTEC 2016)
TI - Achieving Patient-Centered Fine-Grained Access Control in Hospital Information Systems - Using Business Process Management Systems
SN - 978-989-758-170-0
AU - AlThqafi N.
AU - AlSalamah H.
AU - Daraiseh A.
PY - 2016
SP - 39
EP - 48
DO - 10.5220/0005630200390048