Andrei Vasilateanu
Faculty of Engineering in Foreign Languages, Polytechnic University of Bucharest, Bucharest, Romania
Luca D. Serbanati
Faculty of Engineering in Foreign Languages, Polytechnic University of Bucharest, Bucharest, Romania
National Research Council, Institute for Biomedical Technology, Rome, Italy
eHealth, Agents, Authorization, RBAC.
In this article a proposal for an integrated e-Health solution based on the Patient Electronic Health Record is presented. The main point is how the caregivers’ role, obtained from the authentication and authorization process, is enforced in a cross-organizational care workflow using multi-agent systems. Interoperability between healthcare organizations and provisioning of permissions for accessing the medical record are also addressed using mediation and negotiation software agents. We envision the healthcare system as an open digital ecosystem, where multi-agent systems are organized in organizations.
In our paper we describe our vision for an integrated e-Health solution based on the Virtual HealthCare Record (VHCR), an internet entity that communicates with the EHR and other systems of caregivers in order to capture and integrate relevant information on healthcare events that occurred during the life of patients. It is built to support a broad range of current healthcare processes while being flexible enough to work with improvements and developments in best practice. Our solution is founded on the assumption that a healthcare system is similar to a business enterprise, having its own business processes: complex activities undertaken and directed to prevent, treat, and manage illness, and to preserve mental and physical well-being through specific services. In fact, information systems are widely used to support business processes in healthcare as they are in an enterprise (Serbanati et al., 2005). This is why our approach embodies lessons learned from solutions for enterprise integration (Luzi et al., 2006) and the virtual enterprise. VHCR realizes a longitudinal record, spanning the whole life of the patient and integrating distributed and heterogeneous sources of information. We model VHCR as a multi-agent system following an organizational approach, where avatars of caregivers and the patient are composed of agents that cooperate to maintain a complete and authoritative virtual representation of the patient’s health state and clinical history. The benefits of e-Health solutions depend on their adoption rate, both by healthcare providers and patients. The main obstacles to wide acceptance are, in our opinion, interoperability and security issues. In this paper we focus on the security aspects of our solution, namely caregiver authorization and role provisioning in complex, cross-organizational care process workflows.
At the center of our solution lies the Virtual Health Care Record (VHCR). VHCR is not a simple repository but a complex e-service provider for supporting healthcare processes. VHCR has to deal with two major functionalities: 1) maintaining the coherence and consistency of information in the VHCR in order to provide at any moment both an accurate and coherent “snapshot” of the patient’s current health status and the history of her/his clinical events, and 2) providing services for message exchange with other applications. VHCR cohesion is accomplished by a dedicated ontology, derived from HL7 RIM v3, developed to have a consistent view on health services, healthcare provider roles and process execution lan-

Vasilateanu A. and D. Serbanati L.
DOI: 10.5220/0003181104390442
In Proceedings of the 3rd International Conference on Agents and Artificial Intelligence (ICAART-2011), pages 439-442
ISBN: 978-989-8425-41-6
2011 SCITEPRESS (Science and Technology Publications, Lda.)
The services are implemented using an agent-oriented approach; the community of agents contained in VHCR is called VHCR Agency. Analyzing the functionalities and deriving the agent roles from the roles of external systems that interact with the VHCR and the internal tasks the VHCR should carry out, we designed agents that:
interact with the caregivers;
interact with the medical devices;
monitor the status of the patient’s health as reflected in his record and issue notifications;
supervise the realization of the clinical workflow;
act as mediators between organizations;
negotiate permissions.
To design and implement such a complex system involving interaction between parties with different objectives, a multi-agent approach was seen as the optimal choice as it minimizes the semantic gap between the analysis used to conceptualize the problem and the implementation of the actual system. In our view, the environment in which the agents function is the complex digital health ecosystem, populated with interested parties organized in agencies, national and international regulations, business processes and models, and a contractual framework. An agent of the VHCR has the ability to interact in this complex environment, to communicate with other digital components, to enter contextual alliances and to participate in business processes.
Moreover, we envision our digital ecosystem as an open system where agents can enter, live or become extinct. Since direct control, internal modification or visualization of the agents in this open system is impossible, we must provide a superior abstraction, that of agent organization. The organization provides organizational structures and also organizational rules which express global requirements for the execution of multi-agent systems. The rules can control the actions performed in a MAS, defining which agents are permitted, obligated and prohibited to execute those actions. To interact with VHCR, an external agent must assume a role in the organization, mapped to the stakeholder it is representing (Patient, Doctor, Health Researcher etc.), and be subject to the regulations of this virtual world (Zambonelli et al., 2001).
VHCR functions as a longitudinal record: the record of a citizen keeps track of the progress of the patient over a lifelong period of time. Healthcare is seen as a life-long process composed of episodes of care, and our solution supports elaborated, personalized healthcare workflows, called care plans. A care plan is a healthcare service: a description of the planned care activities. The care plan is derived from a medical guideline, published in a national clearinghouse and available for download in a computer representation like Guideline Interchange Format. Based on this template and on the patient’s medical history, the care provider creates a customized care plan and uploads it to the patient’s medical record. Once the activities present in the care plan are performed, their completion is also added to the medical record, and the care plan execution is updated. If the execution of the planned activities varies from the medical guideline, this variance is also documented. When the care plan contains activities to be performed by different care providers in different institutions (which is the case for chronic diseases in complex workflows), it becomes a tool for cooperation and integration.
5.1 Authentication and Authorization
The scenario described earlier raises many complexities from the point of view of privacy, as it implies multi-role access to the patient’s record. A simple scenario may involve a laboratory assistant adding a set of investigation results to the health record, supposing the investigations were a planned activity in the care plan. In a complex scenario, the patient can be sent for further investigation to another care provider, a specialist, who can change the diagnosis and/or the care plan activities in the health record. Can we mandate him that authority? The patient must give his/her “e-consent” for access to his/her health
The following quickly summarizes the main types of access control as well as the current foundation documentation in HL7 regarding security. Furthermore, by analyzing several complex healthcare processes we design our agent architecture, introducing the following security-based agents in VHCR
Mediator Agent, for inter-organizational interoperability, workflow mediation and role discovery.
Clinical Workflow Engine Agent, for directing and supervising the execution of the care work-
Permission Negotiator Agent, for negotiating non-default role permissions.
5.2 Types of Access Control
The first issues we need to tackle in securing our system are authentication and authorization. We have chosen a federated authentication protocol, since authentication schemas and products are already deployed in the legacy EHR systems which we want to cooperate with. By applying Security Assertion Markup Language (SAML) assertions our system can reuse the local authentication services and exchange data between security domains. Authorization, commonly referred to as access control, determines whether an identified user has access to the functionalities he/she is requesting. Several access control techniques have been developed, ranging from discretionary, such as DAC (Discretionary Access Control), to non-discretionary, such as MAC (Mandatory Access Control) and RBAC (Role-Based Access Control). Other models rely on Access Control Lists, in which administrators associate a list of rules with each resource.
5.3 Organizational Interoperability and Role Mapping
The main challenge we are faced with is that different healthcare institutions are organized in heterogeneous ways, usually opaque to the outside world. In order to be able to automate access control based on a care plan workflow, we need roles acting as recipients of our permissions.
One aspect to which we must pay attention is that institutions can implement the same norms differently, as they use different ontologies to refer to the same concepts present in the norms. (Grossi et al.,
In effect we need to achieve organizational interoperability by harmonizing the security policies of the healthcare institutions. Each institution will have an expert software agent, aware of the institution’s organization ontology and able to respond to queries regarding the specific domain knowledge.
Our agent in VHCR Agency, called Mediator Agent, is tasked with querying the institution-specific agents and mapping their ontology to ours, in order to translate the institution’s internal organization, extract the care provider roles and map them to our defined
5.4 Workflow Execution and Permission
Once the care plan is uploaded to the medical record, its execution will be directed by the Clinical Workflow Engine Agent. To each active care plan a workflow agent is assigned, which monitors the realization of the care plan. The plan is divided into activities/tasks (Minsky, 1988) and the Workflow Agent advertises these tasks, then acts as a manager, supervising their realization. When deriving the care plan, the healthcare professional can mark which activity realizations are required to be acknowledged. The care plan is in fact modelled as a business process as described in (Leonardi et al., 2007).
In the following “continuity of care” scenario, a patient must be administered a certain drug by intravenous injection on a regular basis. Since hospitalizing the patient is both expensive and unnecessary for his condition, a nurse comes to his house every week to provide him the medication. Acknowledging the administration is critical, as the patient’s health will degrade if the treatment is not followed. From this information the care provider designs the care plan, which is uploaded to the medical record. The workflow agent analyzes the care plan and finds the predefined role “NURSE” with the permission to acknowledge drug administration. It must map this role to a real person, and to a certain episode of care and particular drug. The former must be done with input from the care provider or patient, who inputs the ID of the particular nurse.
In a more complex scenario the roles and permissions are not so clear-cut and need to be mapped or negotiated, as they involve an escalation of rights. Suppose the patient is sent to a specialist care provider for a routine check and this specialist operates in a large hospital with a complex organization. The workflow agent analyzes the care plan and then calls the mediator agent to map its predefined role “SPECIALIST” to the actual role and ID of the care provider in the organization of the institution. Next it assigns the default permissions for this role in the care plan: to view the general health information as well as the information for this episode of care, and to add an observation to the episode. However, during the consultation the specialist needs additional data and must be allowed to consult information for different episodes of care, information he/she does not yet have permission to read. This demand is transferred to the software agent of the healthcare provider, responsible for interoperating with VHCR. In order to obtain the needed information the Provider Agent begins a dialogue with the VHCR Permission Negotiator. Each dialogue begins with a negotiation phase in which the Provider Agent requests the information. If the negotiation phase fails, the dialogue shifts to persuasion, where the requestor brings arguments in favour of his claim, such as the potential negative impact on the diagnostic quality in case of a rejection, or advertises the trust record of the healthcare provider. In its turn, the VHCR Negotiator has the goal to communicate only needed information, which will not affect the privacy of its owner. In particular, it will reason whether the claims of the opposite party are acceptable for the disclosure of confidential medical and social facts in the health record.
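The role mapping, default permissions and negotiated escalation described above, as an added example that is not code from the paper or the VHCR project. The class, method and action names, the caregiver ID and the sample role mapping are hypothetical, and the negotiation outcome is passed in as a boolean instead of being modelled as an agent dialogue.

```python
from dataclasses import dataclass, field
from typing import Optional

# Default permissions per predefined care-plan role (constructed sample policy).
DEFAULT_PERMISSIONS = {
    "NURSE": {"acknowledge_drug_administration"},
    "SPECIALIST": {"read_general", "read_episode", "add_observation"},
}

@dataclass(frozen=True)
class Grant:
    caregiver_id: str
    action: str
    episode: Optional[str]  # None = general health information, not episode-scoped

@dataclass
class CarePlanAuthorizer:
    episode: str      # episode of care the plan belongs to
    role_map: dict    # institution role -> predefined role (Mediator Agent result)
    grants: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def provision(self, caregiver_id, institution_role):
        """Map the institution role, then assign default, episode-scoped grants."""
        role = self.role_map.get(institution_role)
        if role not in DEFAULT_PERMISSIONS:
            raise PermissionError(f"unmapped role: {institution_role!r}")
        for action in DEFAULT_PERMISSIONS[role]:
            scope = None if action == "read_general" else self.episode
            self.grants.add(Grant(caregiver_id, action, scope))
        return role

    def grant_negotiated(self, caregiver_id, action, episode, accepted):
        """Add a non-default grant only when the negotiation was accepted."""
        if accepted:
            self.grants.add(Grant(caregiver_id, action, episode))
        self.audit.append(("negotiation", caregiver_id, action, episode, accepted))
        return accepted

    def is_allowed(self, caregiver_id, action, episode=None):
        """Deny by default: only an exact (caregiver, action, episode) grant passes."""
        allowed = Grant(caregiver_id, action, episode) in self.grants
        self.audit.append(("check", caregiver_id, action, episode, allowed))
        return allowed

def specialist_scenario():
    """Constructed run: specialist asks for an episode outside the care plan."""
    authz = CarePlanAuthorizer("episode-2", {"Consultant Cardiologist": "SPECIALIST"})
    authz.provision("dr-17", "Consultant Cardiologist")
    before = authz.is_allowed("dr-17", "read_episode", "episode-1")
    authz.grant_negotiated("dr-17", "read_episode", "episode-1", accepted=True)
    after = authz.is_allowed("dr-17", "read_episode", "episode-1")
    return before, after, authz

if __name__ == "__main__":
    print(specialist_scenario()[:2])
```

Every check and negotiation outcome is appended to `audit`, so a rejected escalation leaves a record even though it adds no grant.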
VHCR started as a stand-alone, proof-of-concept prototype. To date we have worked on extracting scenarios and workflows from current medical practice, national documents and regulations, published clinical pathways and also HL7 storyboards and functional requirements. We have also concentrated on designing a message ontology to support our agent-based communication. More recently we have been tasked with integrating VHCR into a larger e-Health research project, namely LUMIR. LUMIR (LUcania - Medici In Rete), a project managed by the Institute for Biomedical Technologies, National Research Council in Italy, is a region-wide infrastructure of web services which interconnects, at application level, local healthcare applications (including EMRs) as well as regional healthcare information systems in use in the Basilicata Region. LUMIR has at its core an intelligent broker for routing messages. Our intention is to “plug in” VHCR to the existing Enterprise Service Bus, in order for it to reuse the existing services for security, authentication and notification. The agent messages will be wrapped in the existing messaging solution based on HTTP web services and the current public key infrastructure (PKI) based on Bouncy Castle Crypto API and Java Cryptographic Extensions (JCE). The other applications used by the healthcare providers connect to the ESB by installing a wrapper that handles the transformation and routing of messages and also authentication. This wrapper also holds a lightweight agent container in which the agents of the healthcare providers reside.
Using a multi-agent implementation for an open system involving the transport, storage and interpretation of sensitive medical data created the necessity to employ additional, superior abstractions to guarantee the privacy of the stakeholders. To construct these higher-level frameworks, we have used concepts from Organizational Theory.
Work on VHCR is still in progress, as we are analyzing different technology stacks and refining the message protocols based on healthcare ontologies. The seamless interoperability at process level is also being put under scrutiny, to evaluate the extent to which it can be incorporated in a nation-wide deployment. The possibility of using an ebXML registry and repository is also being evaluated.
Grossi, D., Aldewereld, H., Vázquez-Salceda, J., and Dignum, F. (2006). Ontological aspects of the implementation of norms in agent-based electronic institutions. Computational & Mathematical Organization Theory, 12(2):251–275.
Leonardi, G., Panzarasa, S., Quaglini, S., Stefanelli, M., and van der Aalst, W. (2007). Interacting agents through a web-based health serviceflow management system. Journal of Biomedical Informatics, 40(5):486–499.
Luzi, D., Ricci, F., and Serbanati, L. (2006). E-Clinical trials supported by a service-oriented architecture. in
Minsky, M. (1988). The society of mind. Simon and Schus-
Serbanati, L., Ricci, R., Luzi, D., Fazi, P., Collada Ali, L., and Vignetti, M. (2005). Modelling medical research processes in humans to set up a standard for clinical trial management system. Cunningham P. and Cunningham M. (Eds), Innovation and the Knowledge Economy: Issues, Applications, Case Studies.
Zambonelli, F., Jennings, N., and Wooldridge, M. (2001). Organisational abstractions for the analysis and design of multi-agent systems. In Agent-Oriented Software Engineering, pages 407–422. Springer.