CONTEXT-AWARE SECURITY IN CLOUD

EMERGENCY MEDICAL SERVICES

Vassiliki Koufi, Flora Malamateniou and George Vassilacopoulos

Department of Digital Systems, University of Piraeus, 80 Karaoli & Dimitriou Str., 18534 Piraeus, Greece

Keywords: Emergency care, Personal Health Records, Cloud Computing, Web Services, Context-aware Security.

Abstract: Recently, there has been a remarkable upsurge in activity surrounding the adoption of Personal Health

Records (PHRs). Since PHRs contain global patient information and not certain pieces collected by

individual healthcare providers, they can be used as basic infrastructures for building and operating several

important systems for both healthcare and the tax payers. Emergency medical systems (EMS) are among the

most crucial ones as they involve a variety of activities which are performed from the time of a call to an

ambulance service till the time of patient’s discharge from the emergency department of a hospital and are

closely interrelated so that collaboration and coordination becomes a vital issue for patients and for

emergency healthcare service performance. This paper is concerned with the development of a PHR-based

EMS in a cloud computing environment and focuses on the security aspect of delivering this particular

service. Although cloud-based services can prove important in healthcare delivery, the inherent nature of

medical service delivery underscores the need for ensuring that data security is better maintained. Moreover,

high expectations for emergency care delivery can be achieved only if provider organizations select systems

with the appropriate features, security being among the most prominent ones. Thus, the proposed EMS

system comes with a suitable security mechanism in order to ensure secure access to medical information

when and where needed. To this end, context-aware authorization has been embedded into the emergency

care process, enabling authorization to be based not only on static rules and roles but also to be influenced

by the process execution context to ensure precise and tight access control.

1 INTRODUCTION

Recent years have seen a remarkable upsurge in

activity surrounding the adoption of Personal Health

Records (PHR) to enable access to integrated

medical information that may entail to increased

patient satisfaction and continuity of care (Tang,

Ash, et.al., 2006; Wiljer, Urowitz, et.al., 2008). A

PHR is a consumer-centric approach to making

available comprehensive healthcare information

about a patient at the point of care while fully

protecting patient privacy (Lauer, 2009; Win, Susilo,

et.al., 2006). Unlike traditional electronic healthcare

records (EHRs) that are based on the “fetch and

show” model, PHR architectures are based on the

fundamental assumptions that the complete records

are held on a central repository (e.g. a data center)

and that each patient retains authority over access to

any portion of his/her record (Lauer, 2009; Wiljer,

Urowitz, et.al., 2008).

Although patients are the primary beneficiaries and

users of PHRs, healthcare providers may benefit

from their use as well as they have both economic

and quality impact (U.S. Department of Health and

Human Services, 2006; Shimrat, 2009; Van der Burg

and Dolstra, 2009). In particular, since patients may

receive care by various healthcare providers and

under various circumstances, there is a need for

ubiquitous, context-aware access to relevant and

timely patient information (Tentori, Favela, et.al.,

2006). Moreover, several healthcare applications can

be built around the PHR concept based on the

integration of leading-edge networking technologies,

such as cloud-based services and mobile

communications, to meet healthcare needs by

enabling easy and immediate access to patient data

from anywhere and via almost any device. Thus,

healthcare providers and organizations are

increasingly considering migrating to cloud

computing in an attempt to increase flexibility and

agility of their healthcare systems and services and

121

Kouﬁ V., Malamateniou F. and Vassilacopoulos G..

CONTEXT-AWARE SECURITY IN CLOUD EMERGENCY MEDICAL SERVICES.

DOI: 10.5220/0003106001210130

In Proceedings of the International Conference on Health Informatics (HEALTHINF-2011), pages 121-130

ISBN: 978-989-8425-34-8

 2011 SCITEPRESS (Science and Technology Publications, Lda.)

enhance quality of patient care (Shimrat, 2009; Van

der Burg and Dolstra, 2009).

Cloud computing may be able to provide a

solution to the need for sharing geographically

dispersed healthcare information. Cloud computing

concepts may assist in accomplishing some of the

goals that have been articulated by government

healthcare IT policy committees. Example goals

include the development of software that improves

interoperability and connectivity among health

information systems; infrastructure and tools for

telemedicine; the promotion of interoperability of

clinical data repositories; the development of self-

service technologies that facilitate the use and

exchange of patient information and reduce waiting

times; technologies that facilitate home healthcare

and patient monitoring; technologies that facilitate

the continuity of care among healthcare settings; and

technologies for developing mission critical

applications for healthcare delivery in all levels of

care (Rosenthal, Mork, et.al, 2010; Van der Burg

and Dolstra, 2009). This paper is concerned with the

development of emergency medical service (EMS)

systems and focuses on the security of medical

information stored and exchanged in dealing with

emergency cases.

Emergency medical services are concerned with

the provision of pre-hospital and in-hospital

emergency care and their operations typically

involve a wide range of interdependent and

distributed activities, performed by cooperating

individuals (administrative, paramedical, nursing

and medical) who differ on levels of background,

skill, knowledge and status. Conceptually, these

activities can be interconnected to form emergency

healthcare processes within and between the

participating organizations (i.e. ambulance services

and hospitals), thus comprising a virtual emergency

healthcare enterprise within the area covered by each

ambulance service. Thus, in developing an

information system that supports EMS processes, it

is essential to place particular emphasis on

supporting individual process activities as well as on

the collaboration and coordination needs among

them.

The development of an EMS system as a cloud

computing application which interfaces with a PHR

enables immediate access to critical medical

information concerning an emergency case either by

authorized ambulance center personnel on site of

incident and during patient transfer to a hospital or

by emergency department personnel allowing them

to check patient medical histories, patient

medication history, patient allergies and much more

to ensure that the treatment provided is the safest

and most effective choice for the patient (Buyya,

Yeoa, et.al., 2009).

Service-oriented architectures (SOA) can make

system-to-system interfaces consistent in the

enterprise architecture, thus saving resources on

future integration and hopefully improving the speed

at which integration can occur. The emphasis of

cloud computing is to leverage the network to

outsource IT functions across the entire stack. While

this can include software services as in an SOA, it

goes much further. Cloud computing allows the

marketplace to offer many IT functions as

commodities, thus lowering the cost to consumers

when compared to operating them internally. On

these grounds, cloud computing platform and

storage service offerings can provide a value-added

underpinning for SOA efforts. (Raines, 2009)

Hence, combining cloud computing with SOA

presents a new way for service-oriented integration

(SOI) of existing healthcare systems and for

developing distributed applications within and

between healthcare organizations. On these grounds,

ambulance services and hospital emergency

departments can integrate and automate their

operations by making information available where

and when needed and by providing an infrastructure

for the integration of pre-hospital and in-hospital

emergency medical care.

One important consideration in developing an

EMS system as a cloud application is security

(Bruening and Treacy, 2009; U.S. Department of

Health and Human Services, 2004). In addition to

the usual challenges of developing secure systems,

cloud computing presents an added level of risk

because essential services are externalized. Thus,

data security and confidentiality needs to be

examined and methods developed to minimize risks

and maintain privacy. For example, patients need

assurances that emergency care data will not be used

to harm them through disclosure to a prospective

employer. Thus, there is need for adhering to

appropriate privacy and security rules to provide the

necessary protections and, to this end, audit trails

and role-based access controls are strongly

recommended (Bruening and Treacy, 2009).

This paper focuses on a role-based, context-

aware authorization mechanism that is incorporated

into a prototype EMS application developed as a

cloud service which interacts with a cloud-based

PHR and is provided to authorized users on demand.

In particular, the EMS application has been

implemented in the framework of NefeliPortal, a

prototype medical portal which provides a web

HEALTHINF 2011 - International Conference on Health Informatics

122

interface to healthcare applications that are

implemented in a SOA architecture over a cloud

computing infrastructure. The proposed access

control mechanism incorporates the advantages of

role-based access control (RBAC) and yet provides

the flexibility for adjusting role permissions on web

service invocations and web service method

executions according to context (OASIS Standards,

n.d.). Thus, at run time contextual information is

collected to adapt user permissions to the minimum

required for completing a job.

2 CLOUD-BASED HEALTHCARE

SERVICES

Cloud computing is an on-demand service model for

IT provision, often based on virtualization and

distributed computing technologies (IBM

Corporation, 2009). It may be divided into software

as a service (SaaS), which allows software offered

by a third party provider to be available on demand,

usually via the Internet, platform as a service (PaaS),

which allows customers to develop new applications

using APIs deployed and configurable remotely, and

infrastructure as service (IaaS), which provides

virtual machines and other abstracted hardware and

operating systems which may be controlled through

a service API (Shimrat, 2009; van der Burg and

Dolstra, 2009). Clouds may also be divided into

public, which are available publicly (i.e. any

organization may subscribe), private, which are

services built according to cloud computing

principles, but accessible only within a private

network, and partner, which are cloud services

offered by a provider to a limited and well-defined

number of parties.

Cloud computing provides a new information

delivery and consumption model in which

applications and information are accessed from a

web browser while software and data are stored on

servers (IBM Corporation, 2009). Cloud components

communicate with one another over application

programming interfaces, which are usually web

services. Service computing focuses on the linkage

between business processes and IT services so that

business processes can be seamlessly automated

using IT services. Examples of services computing

technologies include SOA and web services. SOA

facilitates interoperable services between distributed

systems in order to communicate and exchange data

with one another while web services provide the

capability for self-contained business functions to

operate over the Internet (Communications of the

ACM, 2003).

In addition, cloud computing may be assumed a

disruptive technology that has the potential to affect

not only Internet services but also IT as a whole

since it enables organizations to increase hardware

utilization rates dramatically and scale up to massive

capacities in an instant — without having to invest

in new infrastructure, train new personnel or license

new software. It also creates opportunities to build a

better breed of network services in less time and for

less money (Buyya, Yeoa, et.al., 2009; IBM

Corporation, 2009). Cloud computing may be seen

as an extension of the paradigm wherein the

capabilities of business applications are exposed as

sophisticated services that can be accessed over a

network. Cloud service providers are incentivized by

the profits to be made by charging consumers for

accessing these services. Consumers, such as

healthcare enterprises, are attracted by the

opportunity for reducing or eliminating costs

associated with “in-house” provision of these

services. However, since cloud applications may be

crucial to the core business operations of the

consumers, it is essential that the consumers have

guarantees from providers on service delivery,

including the appropriate levels of security

(Bruening and Treacy, 2009; Muttig and Burton,

2009).

There is considerable excitement over the

potential benefits of operating in a cloud computing

environment. In fact, several reports highlight the

potential benefits of cloud computing for health –

and leading the way by using it to develop new

healthcare services – but they also identify at least

one major stumbling block. For example, the report

by the European Network and Information Security

Agency says that although health agencies can see

the benefits of cloud computing in terms of

increased flexibility and lower cost, they are

concerned about security (Bruening and Treacy,

2009; Muttig and Burton, 2009). It also uses the

analysis of an actual ehealth application that uses the

cloud to identify real issues about who is responsible

for infrastructure faults and information governance.

The agency suggests that there is a need to clarify

the obligations of cloud providers to report faults

and security breaches to customers and in setting

minimum data protection standards.

Healthcare delivery, consumption, cost and

quality as well as healthcare IT in general can

benefit from this new approach to computing.

Interoperability, open standards and open-source

software are critical to the growth of cloud

CONTEXT-AWARE SECURITY IN CLOUD EMERGENCY MEDICAL SERVICES

123

computing (Buyya, Yeoa, et.al., 2009). Sharing

patient data across the multiple institutions from

which patients receive healthcare services is a

problem for which no good solution currently exists.

Multisite institutions with business relationships

may invest in network connections and virtual

private networks to perform electronic data transfers.

However, such an approach is problematic and

costly and adversely affects the quality of care. In a

cloud computing environment, medical data could

be stored in a virtual generic archive and accessed

by healthcare providers as needed through the cloud.

This could facilitate the sharing of medical data and

significantly reduce local storage requirements. In

this context data security and confidentiality will

need to be examined and methods developed to

minimize risks and maintain privacy (Bruening and

Treacy, 2009).

Potential developments in the healthcare field

include health IT architectures supporting electronic

exchange or perhaps facilitate regional health

information organizations or even just multiple

healthcare systems wanting to share data (Lauer,

2009). The current implementations of regional

healthcare information organizations are not

practical for adoption as a standard approach, but

cloud computing may be able to provide a solution

to healthcare information sharing without

geographical boundaries (Lauer, 2009). A cloud

could be built to provide a way to input, store and

access medical information without the need to build

complex infrastructures to support outside medical

record numbers or patient identifiers, dictionaries

and user accounts, different databases and archive

protocols, and so on.

A scenario in which patients and healthcare

providers plug into front-end web services to input

all of patient’s information, including medications,

allergies, laboratory results, medical images and so

on, from wherever that patient has received medical

care might be envisioned for healthcare

environments of the future by evolving toward the

cloud (Shimrat, 2009; Van der Burg and Dolstra,

2009). Moreover, a cloud infrastructure provides the

ability of any authorized user to access web services

on demand in order to retrieve patient information at

the point of care as if all the information was stored

in one system. One realization of this scenario

constitutes the implementation of an EMS system

(Anantharaman and Han, 2001).

Emergency healthcare delivery involves a variety

of activities (administrative, paramedical and

medical) that are performed from the time of a call

for an ambulance to the time of patient’s disposal

from the emergency department of a hospital

(Reddy, Paul, et.al. 2009). As these activities are

performed in at least two organizations (i.e.

ambulance service and hospital) and they are

interrelated to form inter-organizational healthcare

processes, collaboration and coordination become a

vital issue for patients and for EMS performance.

Such activities may involve basic life support (BLS)

and advanced life support (ALS). For example, in

the case of a cardiac patient BLS emphasizes prompt

recognition of the case, treatment with oxygen and

rotating tourniquets for patients in pulmonary

edema. On the other hand, ALS adds skills in

electrocardiogram (ECG) arrhythmia pattern

recognition, antiarhythmic drug and/or defibrillation

treatments, intravenous therapy and airway

management with entrotracheal and/or esophageal

treatment. ALS activities impose increased support

requirements on an EMS: triage at the point of

dispatch (i.e. assessing patient’s condition), on-line

medical control, ECG transmission to a hospital base

for medical control and broadband wireless

communications.

Conceptually, EMS activities can be

interconnected to form EMS processes within and

between the participating organizations (i.e.

ambulance services and hospitals), thus comprising a

virtual healthcare enterprise. Hence, it is important

to define and automate EMS processes that span

organizational boundaries so that to create and

empower collaboration and coordination among the

participating organizations. Standard workflow

technology such as Business Process Execution

Language (BPEL) and SOA provide an appropriate

technological infrastructure for this purpose. They

enable easy integration of possibly heterogeneous

existing applications of the participating

organizations by orchestrating web services through

the use of BPEL (OASIS, 2007). Hence, cloud

applications that are based on a number of BPEL-

orchestrated web services present a new way for

service-oriented integration (SOI) of existing

systems and for developing distributed applications

within and between healthcare organizations. Thus,

through process automation and the use of web

services in the context of a cloud application,

ambulance service and hospital emergency

departments can automate their operations by

making information available where and when

needed and by providing an infrastructure for the

integration of pre-hospital and in-hospital

emergency healthcare. A prototype implementation

of this approach is considered in this paper.

HEALTHINF 2011 - International Conference on Health Informatics

124

The benefits accrued from the implementation of

an EMS system are manifold: For example, the

system puts eligibility, insurances and medical

information at the physician’s and other healthcare

professional’s fingertips when and where needed.

This enables healthcare professionals to exert best

practice approaches in emergency care delivery

provided by the insurance scheme (Reddy, Paul,

et.al. 2009). It also informs physicians of lower cost

alternatives. In addition, physicians can access a

timely and clinically sound view of a patient’s

medical history at the point of care, decreasing the

risk of preventable medical errors (Anantharaman

and Han, 1998; Reddy, Paul, et.al. 2009). Also, in

some circumstances medical instruction routing

from ambulance service physicians to ambulance

paramedics electronically during patient transfer

reduces the risk of medical errors associated with

uninformed ordering.

One aspect of the EMS service that needs

particular attention concerns home care, where

physicians may need to provide medical care during

home visits and cases where physicians may need to

provide pharmaceutical treatment during patient

transfer to a hospital by an ambulance (en-route

treatment). In such cases, there is a need to ensure

that medical information regarding the case (e.g.

health problems, allergies, medication history) is

automatically made available to the physician before

prescribing and/or administering the medications

needed. Thus, care inefficiencies are eliminated

resulting in enhanced quality of care and cost

containment (Bates, Leape, et.al. 1998).

3 MOTIVATING SCENARIO

The basic motivation for this research stems from

our involvement in a recent project concerned with

developing a prototype EMS system for the needs of

the Greek National Health Service with the objective

to improve quality of care while containing cost. To

illustrate the main principles of the security

architecture incorporated into the NefeliEMS,

consider an EMS process scenario that shows an

example of how an EMS may work. Figure 1 shows

a broad view of the EMS process.

In the EMS process of Figure 1, where the

ambulance service and a hospital emergency

department are involved, five user roles are

identified: ambulance communication operators,

ambulance service physician, ambulance

paramedics, emergency department physician and

emergency department nurse.

Ambulance communication operators -

Ambulance communication operators are located in

the ambulance center premises and use an EMS

application to write into a PHR system emergency

case data which is provided by either the patient or

another person and to pass this data to ambulance

personnel.

Ambulance service physician - Ambulance

service physicians are usually located in the

ambulance center premises and use an EMS

application to read from and write into a PHR

system relevant medical data of their current patients

(e.g. medical history, patient allergies and other

critical health factors) so that to give appropriate

medical instructions to ambulance paramedics,

regarding en route treatment, that are also recorded.

Ambulance paramedics - Ambulance paramedics

use an EMS application, via a smart handheld

device, to read authorized portions of medical data

from a PHR system and write data regarding the

paramedic activities performed on the patient at the

site of incident and en route.

Emergency department physician - Emergency

department physicians use an EMS application to

read from and write into a PHR system relevant

medical data of their current patients (e.g. medical

history, patient allergies and other critical health

factors).

Emergency department nurse - Emergency

department nurses use an EMS application to read

authorized portions of patient data from a PHR

system, to write a nursing assessment of patient’s

condition (triage) and to write data of the nursing

activities performed on the patient.

From a role-based authorization perspective in a

process-oriented environment, the business process

of Figure 1 surfaces several requirements with

regard to task execution and associated data

accesses. These requirements include the following:

 Task Execution - Task execution specified by

a role-to-task permission assignment may be

further restricted dynamically during EMS

process execution and be a subset of the

authorized role holders. For example, medical

instructions to ambulance personnel may only

be provided by physicians who are currently at

the ambulance service premises and are

assigned to deal with the particular case (having

access to the “Provide & Write Medical

Instruction” task).

 Data Access - Some role holders are allowed to

exercise a set of permissions on certain data

objects only and/or for a limited duration. For

CONTEXT-AWARE SECURITY IN CLOUD EMERGENCY MEDICAL SERVICES

125



Figure 1: A high level model of an emergency care process.

example, during the execution of the “Provide

& Write Medical Instruction” task, a physician

may be allowed to read patient records only

for his/her patients and the permission to read

patient records may be revoked upon

successful task execution.

Table 1 shows an extract of authorization

requirements regarding task execution and related

data access privileges assigned to the roles of

“ambulance communication operators”, “ambulance

service physicians” and “ambulance service

paramedics”, “emergency department physicians”

and “emergency department nurses”, respectively.

These requirements suggest that certain task

execution and associated data access permissions of

the EMS process participants depend on the EMS

process execution context. In particular, contextual

information available during process execution, like

user/patient relationship, location or time, can

influence the authorization decision that allows a

user to perform a task and access associated data

objects. This enables a more flexible and precise

authorization policy specification that incorporates

the advantages of having broad, role-based

permissions across process tasks and object classes,

like RBAC, yet enhanced with the ability to

simultaneously support the above requirements.

Given a cloud PHR architecture, where relevant

medical data are accessed via web services, the

above authorization requirements of the EMS

process can be translated into authorization

requirements with regard to web service invocations

and associated method executions as follows:

 Web Service Invocation: Web service

invocations for EMS and PHR access may be

Table 1: Extract of authorization requirements for the

emergency process.

Ambulance communication operators may write current

patient data into relevant portions of PHRs from within

ambulance center premises only.

Ambulance service physicians may read and write

relevant portions of PHRs of their current patients and

from within ambulance center premises only.

Ambulance service paramedics may read and write

relevant portions of PHRs of their current patients and

from within ambulances only.

Emergency department physicians may read and write

relevant portions of PHRs of their current patients and

from within hospital premises only.

Emergency department nurses may read and write

relevant portions of PHRs of their current patients and

from within hospital premises only.

specified by a role-to-web service permission

assignment.

 Method Execution: Given an authorization for

invoking a web service, role holders can

execute a dynamically determined set of web

service methods subject to contextual

constraints (e.g. user/patient proximity, time

and location of method execution).

Thus, permission is defined as the authority to

invoke a specific web service and/or to execute a

web service method on a class of objects. A role is

then defined as a collection of such permissions. A

user may be granted membership of a role, but the

role membership is only valid within a certain

context that limits the applicability of the role's

permissions to a subset of the process instances. The

advantage of this approach is that the role context

can be specified by the system administrator at the

time of role creation and remains valid unless the

role definition itself changes.

HEALTHINF 2011 - International Conference on Health Informatics

126

4 SYSTEM ARCHITECTURE

The EMS system comprises a number of

BPEL-orchestrated web services that are called

either by the ambulance service personnel or by the

physicians and nurses of a hospital emergency

department. The whole process starts when the

telephone operator of the ambulance service receives

an emergency call and records the case’s

demographic and medical data. If a physician of

either the ambulance service or the emergency

department of a hospital requests past medical data

of the current patient, the appropriate web service is

invoked. This takes as input the doctor’s role and the

patient’s code or name and searches the patient’s

PHR to retrieve authorized portions of medical data.

Case data collected by the ambulance service

personnel and by the personnel of the emergency

department of a hospital form two separate XML

documents that are recorded into the cloud storage.

These XML documents are formed automatically

upon recording ambulance arrival at the emergency

department of a hospital and when the patient is

discharged from the emergency department,

respectively.

Figure 2: System Architecture.

Figure 2 shows a high-level architectural view of

the prototype NefeliPortal cloud computing

environment. In essence, this architecture refers to

both the PHR system and the EMS application

delivered as services over the Internet and the

hardware and systems software in the data centres

that provide those services. Thus, central to the

cloud architecture is the PHR component which is

accompanied by a number of peripheral applications

such as the EMS system component. These

applications are licensed for use as services and are

provided to authorized users on demand. The

application software of both the PHR and the EMS

component consists of a number of web services

which are deployed and orchestrated using BPEL.

Authorized users interact with NefeliPortal through

either a desktop workstation or a mobile device such

as a Personal Digital Assistant (PDA) that run an

HTTP(S)-based client.

In our implementation, process models were

used for the definition of web services and web

services were used for process activity

implementations. Specifically, there exists a web

service of the mechanism for retrieving past medical

data of a patient by authorized users. This web

service is used by the ambulance service and the

emergency department of a hospital on demand as a

BPEL activity implementation. The system

architecture is illustrated on Figure 3.

In broad terms, the architecture of the prototype

NefeliPortal cloud computing environment consists

of the following main components:

 PHR Application: PHR architectures are based

on the fundamental assumptions that the

complete patient records are centrally stored

and that each patient retains authority over

access to any portion of his/her record. Hence,

the PHR platform consists of a data repository

which stores patient data and a user interface

which allows patients to access their own

information and authorized healthcare

professionals to access appropriate parts of

patient information.

 EMS Application: The EMS application

consists of a data repository which stores

emergency medical data and the application

software comprised by a number of BPEL-

orchestrated web services that are accessed by

authorized personnel of the ambulance service

and the emergency department. Users which are

authorized to use the EMS system for some

patients are also authorized to access certain

portions of the PHR of these patients.

 Portal: The portal component provides a web-

based front end to PHR and EMS processes.

Authorized users enter the portal to interact

with either the PHR or the EMS system. The

portal is flexibly sized so that to fit in PDA or

mobile phone screen, which is particularly

useful in cases where there is a need for remote

SAAS

NefeliEMS

Security Services

Business Processes

Web Services

Platform as a Service

PAAS

BPEL Engine

PHR Platform

Web/Application Server

Web Portal Container

Infrastructure as a Service

IAAS

Servers

Networking

Data Server Fabric

Storage

Software as a Service

CONTEXT-AWARE SECURITY IN CLOUD EMERGENCY MEDICAL SERVICES

127

Figure 3: Security Architecture of NefeliEMS Service.

access to these applications (e.g. in emergency

cases where the patient’s PHR is accessed

through a wireless network either from the

place of incident or from the ambulance en

route).

5 AUTHORIZATION

ARCHITECTURE

A significant issue in cloud computing is the lack of

delegated authorization. While some cloud services

provide for delegated strong authentication that

enables access control based on user identity, few, if

any, provide delegated authorization to enable

access control based on contextual information and

user roles. This capability is turning out to be

increasingly important as fine-grained entitlements

for authorization management and control will be

most essential. Hence, more granular authorization

is needed. Authorization can be coarse-grained

within an enterprise or even a private cloud, but in

order to handle sensitive (such as medical) data and

compliance requirements, public clouds will need

granular authorization capabilities (such as role-

based access controls and IRM) that can be

persistent throughout the cloud infrastructure and the

data’s lifecycle (Bruening and Traecy, 2009; IBM

Corporation 2009).

As the number of partners and shared resources

increase, one will face extra labour to manage

permissions. There is also extra risk of inappropriate

data release, due to having more users who may

misunderstand policy or be careless or malicious.

Hence, a security system must be implemented that

reduces the possibility of breaching patient privacy

under any circumstances. To this end, one important

issue is to define and enforce authorization

constraints that are both effective and efficient.

Figure 3 shows a high-level view of the

authorization architecture implemented into

NefeliPortal. The access control mechanism uses

collected contextual information to mediate between

subjects (healthcare professionals) and objects (web

services and associated tasks) to decide whether

execution of an object by a given subject should be

permitted or denied. The access control mechanism

is certificate-based as it relies on Community

Authorization Service (CAS) certificates issued to

healthcare professionals by a CAS server. These

certificates specify user-to-role assignments in the

form of security assertions, expressed in Security

Assertion Markup Language (SAML) (Pearlman,

Welch, et.al., 2002). The role-to-permission (role-to-

web service invocation and role-to-task execution)

mapping is performed by means of access control

policies expressed by using the RBAC profile of

eXtensible Access Control Markup Language

(XACML) (OASIS Standards, n.d).

In the NefeliPortal prototype, the contextual

information is determined by a pre-defined set of

attributes related to the user (e.g. user certificate,

user/patient relationship), to the environment (e.g.

location and time of attempted access) and to the

client or healthcare organization (e.g. local security

policy). Contextual information is collected by a

Context Manager which consists of two kinds of

HEALTHINF 2011 - International Conference on Health Informatics

128

agents developed in JADE (Java Agent

Development Framework, n.d.):

 Cloud Agent: Hosted on a cloud server and

manages user permissions on web services.

 Task Agent: Hosted on a cloud server and

manages user permissions on web service

methods.

Each agent uses context collection services to

monitor context and interacts with a state machine

that maintains the permission subset of each role.

The state machine consists of variables that encode

state (permissions assigned to each role) and events

that transform its state. Upon an attempted access

(either to a web service or to an associated task), the

relevant agent generates an event to trigger a

transition of the state machine. Changes in user and

environmental context are sensed by both agents,

whereas changes in client context are sensed and

dealt with by the cloud agent of each client node.

6 IMPLEMENTATION ISSUES

The prototype implementation of the EMS system

and its authorization architecture has been developed

on a laboratory cloud computing infrastructure. The

system has been developed as a web application

using the Apache/Tomcat as Web/Application

Server. The platform used for the generation of

sample patient PHRs is Care2X Integrated

Healthcare Environment (Care2X Integrated

Healthcare Environment, n.d.). Although Care2X is

not a PHR platform but an open source Web based

hospital information system, it has been considered

sufficient for the purpose of our research. In order to

enable access to data stored in Care2X repository a

number of web services have been implemented

which make use of the Care2X Application

Programming Interface (API). The BPEL engine

used for the execution of BPEL healthcare processes

is ActiveBPEL, an open source BPEL Engine

(Active Endpoints, n.d.). NefeliPortal that provides

access to this engine is based upon IBM WebSphere

portal framework (IBM, n.d.), a JSR-168 compliant

portal (JSR-168 Portlet Specification, n.d.).

Development of cloud computing applications

that provide readily access to integrated healthcare

information at the point of care introduces security

risks especially with regard to authorization and

access control. To this end, a suitable security

mechanism is embedded into the proposed cloud

portal application, which ensures authorized data

access through the invocation of relevant web

services. Authorization decisions are made subject to

the constraints imposed by the execution context.

With regard to web service invocation, the

security mechanism acts as follows: Upon

submitting a request for invoking a web service, the

roles contained in the CAS certificate accompanying

the request are extracted and their permissions

regarding web service invocations are specified

using a file where XACML policies have been

stored. Then, during web service execution, a

request for executing one of the associated tasks is

issued which is accompanied by the same CAS

certificate. The roles extracted from this certificate

are used in order to specify the permissions

regarding BPEL task executions using XACML

policies which are stored at each client node (i.e.

healthcare organization). Permissions on both web

services and associated BPEL tasks are dynamically

adapted by the constraints imposed by the current

context.

7 CONCLUDING REMARKS

Healthcare organizations are faced with the

challenge to improve quality by preventing medical

errors, to reduce costs by improving administrative

efficiencies, to reduce paperwork and to increase

access to affordable healthcare. One important

healthcare delivery application is EMS system

which has been modeled as an inter-organizational

process involving ambulance services and hospital

emergency departments based on the need for

integrating pre-hospital and in-hospital emergency

care activities into a virtual healthcare enterprise.

Cloud computing and SOA convergence can be

used to meet the increased collaboration and

coordination requirements between emergency

healthcare process participants by facilitating

relevant information access by authorized people

where and when needed. Cloud computing was used

to produce a flexible and scalable system, supporting

interoperability and execution of platform

independent applications while providing secure

access to sensitive data. This paper presents a cloud

EMS system, within the context of a prototype

healthcare portal, namely NefeliPortal. One

important characteristic of the proposed system

specifically calls for the integration of EMS systems

with PHRs and, possibly, other external systems

since systems integration is a prerequisite for

accurate safety alerts, patient monitoring, and other

recommended capabilities.

CONTEXT-AWARE SECURITY IN CLOUD EMERGENCY MEDICAL SERVICES

129

Development of cloud computing applications

that provide readily access to healthcare information

introduces security risks especially with regard to

authorization and access control. Hence, this paper

presented a context-aware security framework which

can be embedded into the EMS cloud application to

ensure authorized invocation of web services and

execution of associated web service tasks subject to

contextual constraints. The security framework

proposed should aid EMS developers in comparing

alternative systems and in prioritizing their

development efforts. However, there is an obvious

need for its real world validation before it is widely

adopted. This requires setting up a cloud computing

infrastructure for eHealth services, an endeavour that

needs much more than proven technological

feasibility.

REFERENCES

Communications of the ACM, 2003. Service-Oriented

Computing, 46 (10).

Active Endpoints, ActiveBPEL Open Source Engine

Project, http://www.activebpel.org/

Anantharaman, V., Han, L., 2001. Hospital and emergency

ambulance link: IT to enhance emergency pre-hospital

care, International Journal of Medical Informatics, 61:

147–161.

Ash, J. S., Berg, M., Coiera, E., 2004. Some Unintended

Consequences of Information Technology in Health

Care: The Nature of Patient Care Information System

Related Errors. Journal of American Medical

Informatics Association, 11(2): 104-112.

Bates, D. W., Leape, L. L., Cullen, D. J., Laird, N.,

Petersen, L. A., Teich, J. M., et.al., 1998. Effect of

Computerized Physician Order Entry and a Team

Intervention on Prevention of Serious Medication

Errors. Journal of the American Medical Association,

280(15): 1311–1316.

Bruening, P., Treacy, B, 2009. Cloud Computing: Privacy,

Security Challenges. In The Bureau of National

Affairs.

Buyya, R., Yeoa, C. S., Venugopala, S., Broberga, J., and

Ivona Brandicc, I., 2009. Cloud computing and

emerging IT platforms: Vision, hype, and reality for

delivering computing as the 5th utility. Future

Generation Computer Systems, 25: 599-616.

Care2X Integrated Healthcare Environment,

http://www.care2x.org/

IBM, IBM Websphere, www.ibm.com/websphere

IBM, 2009. IBM Point of View: Security and Cloud

Computing, Cloud Computing White paper, ftp://

public.dhe.ibm.com/common/ssi/sa/wh/n/tiw14045use

n/TIW14045USEN_HR.PDF

Java Agent Development Framework, http://jade.

tilab.com/.

JSR-168 Portlet Specification, http://www.jcp.org/

aboutJava/communityprocess/final/ jsr168/

Lauer, G., 2009. Health Record Banks Gaining Traction in

Regional Projects, http://www.ihealthbeat.org/

features/2009/health-record-banks-gaining-traction-in-

regional-projects.aspx

Muttig I., Burton C., 2009. Cloud Security Technologies.

Information Security Technical Report, 14: 1-6.

OASIS Standards, http://www.oasis-open.org/

OASIS, 2007. OASIS Web Services Business Process

Execution Language (WSBPEL) v.2, http://docs.oasis-

open.org/wsbpel/2.0/wsbpel-v2.0.pdf

Pearlman, L., Welch, V., Foster, I., Kesselman, C.,

Tuecke, S., 2002. A Community Authorization

Service for Group Collaboration. In the 3rd IEEE

International Workshop on Policies for Distributed

Systems and Networks.

Raines, G., 2009. Cloud Computing and SOA. Service-

Oriented Architecture (SOA) Series, Systems

Engineering at MITRE.

Reddy, M. C., Paul, S. A., Abraham, J., McNeese,M.,

DeFlitch, C., Yen, J., 2009. Challenges to effective

crisis management: Using information and

communication technologies to coordinate emergency

medical services and emergency department teams.

International Journal of Medical Informatics, 78 (4):

259-269.

Rosenthal A., Mork, P., Lia, M. H., Stanforda, J.,

Koestera, D., Reynolds, P., 2010. Cloud computing: A

new business paradigm for biomedical information

sharing. Journal of Biomedical Informatics, 43: 342-

253.

Shimrat, O., 2009. Cloud Computing and Healthcare, San

Diego Physician.org.

Tang, P. C., Ash, J. S., Bates, D. W., Overhage, J. M.,

Sands, D. Z., 2006. Personal health records:

definitions, benefits, and strategies for overcoming

barriers to adoption. Journal of American Medical

Informatics Association, 13 (2): 121-126.

Tentori, M., Favela, J., Rodriguez, M. D., 2006. Privacy-

Aware Autonomous Agents for Pervasive Healthcare,

IEEE Intelligent Systems Magazine, 21 (6): 55-62.

U.S. Department of Health and Human Services: Personal

Health Records and Personal Health Record Systems,

A Report and Recommendations from the National

Committee on Vital and Health Statistics, 2006.

Van der Burg, S., Dolstra, E., 2009. Software

Development in a Dynamic Cloud: From Device to

Service Orientation in a Hospital. Environment, In

2009 ICSE Workshop on Software Engineering

Challenges of Cloud Computing.

Wiljer, D., Urowitz, S., Apatu, E., DeLenardo, C.,

Eysenbach, G., Harth, T., Pai, H., Leonard, K. J.,

2008. Patient accessible electronic health records:

exploring recommendations for successful

implementation strategies. Journal of Medical Internet

Research,. 10 (4).

Win, K. T., Susilo, W., Mu, Y., 2006. Personal Health

Record Systems and Their Security Protection.

Journal of Medical Systems, 30: 309-315.

HEALTHINF 2011 - International Conference on Health Informatics

130