On a Formal and User-friendly Linguistic Approach to Access Control of Electronic Health Data

Andrea Margheri, Massimiliano Masi, Rosario Pugliese, Francesco Tiezzi

2013

Abstract

The importance of the exchange of Electronic Health Records (EHRs) between hospitals has been recognized by governments and institutions. Due to the sensitivity of data exchanged, only mature standards and implementations can be chosen to operate. This exchange process is of course under the control of the patient, who decides who has the rights to access her personal healthcare data and who has not, by giving her personal privacy consent. Patients’ privacy consent is regulated by local legislations, which can vary frequently from region to region. The technology implementing such privacy aspects must be highly adaptable, often resulting in complex security scenarios that cannot be easily managed by patients and software designers. To overcome such security problems, we advocate the use of a linguistic approach that relies on languages for expressing policies with solid mathematical foundations. Our approach bases on FACPL, a policy language we have intentionally designed by taking inspiration from OASIS XACML, the de-facto standard used in all projects covering secure EHRs transmission protected by patients’ privacy consent. FACPL can express policies similar to those expressible by XACML but, differently from XACML, it has an intuitive syntax, a formal semantics and easy to use software tools supporting policy development and enforcement. In this paper, we present the potentialities of our approach and outline ongoing work.

References

  1. Bittins, S. and Masi, M. (2011). Cross community fetch. http://www.ihe.net.
  2. Directorate-General of Justice (2010). Article 29 working party: documents.
  3. EU Commission (2007). Mandate 403 en: Standardisation mandate addressed to cen, cenelec and etsi in the field of information and communication technologies. Technical report, European Commission Enterprise And Industry Directorate-General. http://www.ehealth-interop.eu.
  4. Health Level Seven organization (2009). Hl7 standards. http://www.hl7.org.
  5. Kennedy, E. and Kassebaum, N. (1996). Health insurance portability and accountability act. Technical report, US Congress. http://www.cms.gov/HIPAAGenInfo.
  6. Masi, M., Pugliese, R., and Tiezzi, F. (2012). Formalisation and implementation of the xacml access control mechanism. In Barthe, G., Livshits, B., and Scandariato, R., editors, ESSoS, volume 7159 of Lecture Notes in Computer Science, pages 60-74. Springer.
  7. OASIS Security Services TC (2005). Assertions and protocols for the OASIS security assertion markup language (SAML) v2.02. http://docs.oasisopen.org/security/saml/v2.0/saml-core-2.0-os.pdf.
  8. OASIS Web Services Security TC (2009). Cross enterprise security and privacy authorization profile for xacml for healthcare.
  9. OASIS XACML TC (2005). eXtensible Access Control Markup Language (XACML) version 2.0. http://docs.oasis-open.org/xacml/2.0/XACML-2.0- OS-NORMATIVE.zip.
  10. The epSOS project (2007). An european ehealth project. http://www.epsos.eu.
  11. The IHE Initiative (2009). Basic Patient Privacy Consent. http://www.ihe.net.
Download


Paper Citation


in Harvard Style

Margheri A., Masi M., Pugliese R. and Tiezzi F. (2013). On a Formal and User-friendly Linguistic Approach to Access Control of Electronic Health Data . In Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2013) ISBN 978-989-8565-37-2, pages 263-268. DOI: 10.5220/0004328202630268


in Bibtex Style

@conference{healthinf13,
author={Andrea Margheri and Massimiliano Masi and Rosario Pugliese and Francesco Tiezzi},
title={On a Formal and User-friendly Linguistic Approach to Access Control of Electronic Health Data},
booktitle={Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2013)},
year={2013},
pages={263-268},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004328202630268},
isbn={978-989-8565-37-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2013)
TI - On a Formal and User-friendly Linguistic Approach to Access Control of Electronic Health Data
SN - 978-989-8565-37-2
AU - Margheri A.
AU - Masi M.
AU - Pugliese R.
AU - Tiezzi F.
PY - 2013
SP - 263
EP - 268
DO - 10.5220/0004328202630268