In the last years, the adoption of Electronic Health Records (EHRs) have been widely promoted, with the final aim of improving care quality and patient safety. Yet, sharing patient data in a large distributed and heterogeneous context, such as the healthcare domain, has inherently introduced security and privacy risks, due to the great sensitivity and confidentiality of the patient data and the need of accessing such data by a large number of health care workers with various roles for the patient care. Even though various techniques have been developed to effectively implement fine-grained access control, which allows flexibility in specifying differential access rights of individual users, some unsolved problems can be pointed out with respect to the specification of complex policies over EHRs: (i) the difficulty of forcing narrative text to assume a semi-structured coded form into EHRs in order to build access control policies also working at a section-level; (ii) an overly high-level of theoretical ability required to practically use access control models and policy languages as a whole, due to a scarce integration among them; and (iii) the lack of tools for easily editing and upgrading access control policies over EHRs. In order to face all these open issues, this paper proposes a hybrid framework aimed at enabling and supporting the definition of fine-grained access control policies working on semi-structured EHRs. The key issues of the framework are: (i) a semantic-based method that hybridizes linguistic and statistical techniques in order to give a semi-structured form to a narrative text to be inserted into EHRs, by identifying its specific sections; (ii) a formal role-based authorization model, encoded as a couple of ontologies, to regulate the access to these semi-structured EHRs with respect to their sections; and (iii) a procedural policy language and a set of patterns to simply encode and update access control restrictions in the form of "if-then rules" built on the top of the ontological model formalized. A prototype implementation of this framework is realized in the form of a system offering simple and intuitive interfaces to the security administrators. Finally, an experimental evaluation over real documents contained into EHRs, i.e. discharge summaries, is described, showing the feasibility of the proposed framework and suggesting that its application could simply and proficiently secure the access to healthcare information contained into semi-structured EHRs and, thus, face security and privacy risks in real healthcare scenarios. © 2015 Elsevier B.V. All rights reserved.

An integrated framework for securing semi-structured health records

AMATO, FLORA;DE PIETRO, Giuseppe;Esposito, Massimo;MAZZOCCA, NICOLA
2015

Abstract

In the last years, the adoption of Electronic Health Records (EHRs) have been widely promoted, with the final aim of improving care quality and patient safety. Yet, sharing patient data in a large distributed and heterogeneous context, such as the healthcare domain, has inherently introduced security and privacy risks, due to the great sensitivity and confidentiality of the patient data and the need of accessing such data by a large number of health care workers with various roles for the patient care. Even though various techniques have been developed to effectively implement fine-grained access control, which allows flexibility in specifying differential access rights of individual users, some unsolved problems can be pointed out with respect to the specification of complex policies over EHRs: (i) the difficulty of forcing narrative text to assume a semi-structured coded form into EHRs in order to build access control policies also working at a section-level; (ii) an overly high-level of theoretical ability required to practically use access control models and policy languages as a whole, due to a scarce integration among them; and (iii) the lack of tools for easily editing and upgrading access control policies over EHRs. In order to face all these open issues, this paper proposes a hybrid framework aimed at enabling and supporting the definition of fine-grained access control policies working on semi-structured EHRs. The key issues of the framework are: (i) a semantic-based method that hybridizes linguistic and statistical techniques in order to give a semi-structured form to a narrative text to be inserted into EHRs, by identifying its specific sections; (ii) a formal role-based authorization model, encoded as a couple of ontologies, to regulate the access to these semi-structured EHRs with respect to their sections; and (iii) a procedural policy language and a set of patterns to simply encode and update access control restrictions in the form of "if-then rules" built on the top of the ontological model formalized. A prototype implementation of this framework is realized in the form of a system offering simple and intuitive interfaces to the security administrators. Finally, an experimental evaluation over real documents contained into EHRs, i.e. discharge summaries, is described, showing the feasibility of the proposed framework and suggesting that its application could simply and proficiently secure the access to healthcare information contained into semi-structured EHRs and, thus, face security and privacy risks in real healthcare scenarios. © 2015 Elsevier B.V. All rights reserved.
File in questo prodotto:
File Dimensione Formato  
1-s2.0-S0950705115000362-main.pdf

solo utenti autorizzati

Descrizione: Articolo Pubblicato
Tipologia: Documento in Post-print
Licenza: Accesso privato/ristretto
Dimensione 1.92 MB
Formato Adobe PDF
1.92 MB Adobe PDF   Visualizza/Apri   Richiedi una copia

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/11588/620465
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 30
  • ???jsp.display-item.citation.isi??? 24
social impact