Engineering a Policy-Based System for Federated Healthcare Databases
September 2007 (vol. 19 no. 9)
pp. 1288-1304
Policy-based management for federated healthcare systems has recently gained increasing attention due to strict privacy and disclosure rules. While work on privacy languages and enforcement mechanisms, such as Hippocratic databases, has advanced our understanding of how to design privacy-preserving policies for healthcare databases, the need to integrate these policies into practical healthcare frameworks is becoming acute. Additionally, while most work in this area has been organization-oriented, dealing with the exchange of information between healthcare organizations (such as referrals), the requirements of the emerging area of personal healthcare information management have so far not been adequately addressed. These shortcomings arise from the lack of a sophisticated policy specification language and enforcement architecture that can capture the requirements for (i) integration of privacy and disclosure policies with well-known healthcare standards used in the industry, in order to specify the precise requirements of a practical healthcare system, and (ii) provision of ubiquitous healthcare services to patients using the same infrastructure that enables federated healthcare management for organizations. In this paper, we design a policy-based system to address these concerns. First, we design our disclosure and privacy policies using a requirements specification based on a set of use cases for the Clinical Document Architecture (CDA) standard proposed by the community. Second, we present a context-aware policy specification language that allows CDA-based requirements use cases to be encoded as privacy and disclosure policy rules. We show that our policy specification language is effective in handling a variety of expressive constraints on CDA-encoded document contents.
Our language enables specification of privacy-aware access control for federated healthcare information across organizational boundaries, while the use of contextual constraints allows the incorporation of user and environment context in the access control mechanism for personal healthcare information management. Moreover, the declarative syntax of the policy rules makes the policy adaptable to changes in privacy regulations or patient preferences. We also present an enforcement architecture for the federated healthcare framework proposed in this paper.

Index Terms:
Federated database security, healthcare engineering, policy-based management, role-based access control
Rafae Bhatti, Arjmand Samuel, Mohamed Eltabakh, Haseeb Amjad, Arif Ghafoor, "Engineering a Policy-Based System for Federated Healthcare Databases," IEEE Transactions on Knowledge and Data Engineering, vol. 19, no. 9, pp. 1288-1304, Sept. 2007, doi:10.1109/TKDE.2007.1050