An integrated framework for securing semi-structured health records

作者:

Highlights:

摘要

In the last years, the adoption of Electronic Health Records (EHRs) have been widely promoted, with the final aim of improving care quality and patient safety. Yet, sharing patient data in a large distributed and heterogeneous context, such as the healthcare domain, has inherently introduced security and privacy risks, due to the great sensitivity and confidentiality of the patient data and the need of accessing such data by a large number of health care workers with various roles for the patient care. Even though various techniques have been developed to effectively implement fine-grained access control, which allows flexibility in specifying differential access rights of individual users, some unsolved problems can be pointed out with respect to the specification of complex policies over EHRs: (i) the difficulty of forcing narrative text to assume a semi-structured coded form into EHRs in order to build access control policies also working at a section-level; (ii) an overly high-level of theoretical ability required to practically use access control models and policy languages as a whole, due to a scarce integration among them; and (iii) the lack of tools for easily editing and upgrading access control policies over EHRs. In order to face all these open issues, this paper proposes a hybrid framework aimed at enabling and supporting the definition of fine-grained access control policies working on semi-structured EHRs. The key issues of the framework are: (i) a semantic-based method that hybridizes linguistic and statistical techniques in order to give a semi-structured form to a narrative text to be inserted into EHRs, by identifying its specific sections; (ii) a formal role-based authorization model, encoded as a couple of ontologies, to regulate the access to these semi-structured EHRs with respect to their sections; and (iii) a procedural policy language and a set of patterns to simply encode and update access control restrictions in the form of “if–then rules” built on the top of the ontological model formalized. A prototype implementation of this framework is realized in the form of a system offering simple and intuitive interfaces to the security administrators. Finally, an experimental evaluation over real documents contained into EHRs, i.e. discharge summaries, is described, showing the feasibility of the proposed framework and suggesting that its application could simply and proficiently secure the access to healthcare information contained into semi-structured EHRs and, thus, face security and privacy risks in real healthcare scenarios.

论文关键词:Electronic health record,Role-based access control,Policy language,Information structuring,Ontology

论文评审过程:Received 4 August 2014, Revised 30 January 2015, Accepted 2 February 2015, Available online 10 February 2015.

论文官网地址:https://doi.org/10.1016/j.knosys.2015.02.004