13 research outputs found

    A model-driven privacy compliance decision support for medical data sharing in Europe

    Objectives: Clinical practitioners and medical researchers often have to share health data with other colleagues across Europe. Privacy compliance in this context is very important but challenging. Automated privacy guidelines are a practical way of increasing users' awareness of privacy obligations and help eliminate unintentional breaches of privacy. In this paper we present an ontology-plus-rules based approach to privacy decision support for the sharing of patient data across European platforms. Methods: We use ontologies to model the required domain and context information about data sharing and privacy requirements. In addition, we use a set of Semantic Web Rule Language rules to reason about legal privacy requirements that are applicable to a specific context of data disclosure. We make the complete set invocable through a semantic web application acting as an interactive privacy guideline system, which can then invoke the full model in order to provide decision support. Results: When asked, the system will generate privacy reports applicable to a specific case of data disclosure described by the user. Reports showing guidelines per Member State may also be obtained. Conclusion: The advantage of this approach lies in the expressiveness and extensibility of the modelling and inference languages adopted and the ability they confer to reason with complex requirements interpreted from high level regulations. However, the system cannot at this stage fully simulate the role of an ethics committee or review board. © Schattauer 2011

    The Healthgrid White Paper


    An ontology-based compliance audit framework for medical data sharing across Europe

    Complying with privacy in multi-jurisdictional health domains is important as well as challenging. The compliance management process will not be efficient unless it manages to show evidence of explicit verification of legal requirements. In order to achieve this goal, privacy compliance should be addressed through a “privacy by design” approach. This paper presents an approach to privacy protection verification by means of a novel audit framework. It aims to allow privacy auditors to look at past events of data processing effectuated by healthcare organisations and verify compliance with legal privacy requirements. The adopted approach uses semantic modelling and a semantic reasoning layer that could be placed on top of hospital databases. These models allow the integration of fine-grained context information about the sharing of patient data and provide an explicit capturing of applicable privacy obligations. This is particularly helpful for ensuring seamless data access logging and effective compliance checking during audits.

    Dynamic trust negotiation for decentralised e-health collaborations

    In the Internet age, the geographical boundaries that have previously impinged upon inter-organisational collaborations have become decreasingly important. Of more importance for such collaborations is the notion and subsequent nature of security and trust. This is especially so in open collaborative environments like the Grid, where resources can be made available, subsequently accessed, and used by remote users from a multitude of institutions with a variety of different privileges spanning the collaboration. In this context, the ability to dynamically negotiate and subsequently enforce security policies driven by various levels of inter-organisational trust is essential. Numerous access control solutions exist today to address aspects of inter-organisational security. These include the use of centralised access control lists where all collaborating partners negotiate and agree on privileges required to access shared resources. Other solutions involve delegating aspects of access right management to trusted remote individuals in assigning privileges to their (remote) users. These solutions typically entail negotiations and delegations which are constrained by organisations, people and the static rules they impose. Such constraints often result in a lack of flexibility in what has been agreed, difficulties in reaching agreement, or, once established, difficulties in subsequently maintaining these agreements. Furthermore, these solutions often reduce the autonomous capacity of collaborating organisations because of the need to satisfy collaborating partners' demands. This can result in increased security risks or reduced granularity of security policies. Underpinning this is the issue of trust: specifically, trust realisation between organisations, between individuals, and/or between entities or systems that are present in multi-domain authorities. Trust negotiation is one approach that allows and supports trust realisation.
    The thesis introduces a novel model called dynamic trust negotiation (DTN) that supports n-tier negotiation hops for trust realisation in multi-domain collaborative environments with specific focus on e-Health environments. DTN describes how trust pathways can be discovered and subsequently how remote security credentials can be mapped to local security credentials through trust contracts, thereby bridging the gap that makes decentralised security policies difficult to define and enforce. Furthermore, DTN shows how n-tier negotiation hops can limit the disclosure of access control policies and how semantic issues that exist with security attributes in decentralised environments can be reduced. The thesis presents the results from the application of DTN to various clinical trials and the implementation of DTN in the Virtual Organisation for Trials of Epidemiological Studies (VOTES). The thesis concludes that DTN can address the issue of realising and establishing trust between systems or agents within the e-Health domain, such as the clinical trials domain.

    Defining, Measuring, and Enabling Transparency for Electronic Medical Systems

    Transparency is a novel concept in the context of Information and Communication Technology (ICT). It has arisen from regulations as a data protection principle, and it is now being studied to encompass the peculiarities of digital information. Transparency, however, is not the first security concept to be borrowed from regulations; privacy once emerged from discussions on individuals' rights. Privacy began to be vigorously debated in 1890, when Warren and Brandeis analysed legal cases for which penalties were applied on the basis of defamation, infringement of copyrights, and violation of confidence. The authors argued that those cases were, in fact, built upon a broader principle called privacy. But privacy was only given a structured definition almost one century later, in 1960, when Prosser examined cases produced after Warren and Brandeis' work, classifying violation of privacy into four different torts; it took twenty years more before the concept was thoroughly studied for its functions in ICT. Guidelines by the OECD outlined principles to support the discussion of privacy as a technical requirement. These were followed by international standards for a privacy framework (ISO/IEC 29100), which translated the former legal concepts into information security terms, such as data minimisation, accuracy, and accountability. Transparency has a younger, but comparable history; the current General Data Protection Regulation (GDPR) defines it as a principle which requires “that any information and communication relating to the processing of those personal data be easily accessible and easy to understand [..]”. However, other related and more abstract concepts preceded it. In the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Privacy Rule demands that privacy policies and procedures be documented and that individuals be notified of uses of their health information.
    Former European Directives, i.e., 95/46/EC and 2011/24/EU, establish “the right for individuals to have access to their personal data concerning their health [..] also in the context of cross-border healthcare”. So did the Freedom of Information Act (FOIA) of 1966, instituting that any person has a right to obtain from agencies information regarding their records. These and other similar requests refer to the transversal quality called transparency. Similarly to what happened with privacy, transparency was also the subject of guidelines that clarify its interpretation in ICT. However, no framework or standard has yet been defined that translates transparency into a technical property. This translation is the goal of our work. This thesis is dedicated to debating existing interpretations of transparency, establishing requirements and measurement procedures for it, and studying solutions that can help systems adhere to the transparency principle from a technical perspective. Our work constitutes an initial step towards the definition of a framework that helps accomplish meaningful transparency in the context of Electronic Medical Systems.

    Data, metadata, and workflow in healthcare informatics

    This dissertation considers a number of interlinked concepts, propositions and relations, and puts forward a set of design theses, to support the role of informatics in the overall goal of knowledge-based, information-driven, integrated, patient-centred, collaborative healthcare and research. This rather ambitious scope may be delimited by exclusion: the work is not concerned explicitly with genomics or bioinformatics, but it does encompass certain aspects of translational medicine and personalized healthcare, which I take to be subsumed in some sense under “knowledge-based” and “information-driven”. Although I do not exclude public health informatics, my exposure extends only to surveillance of infectious diseases, patient engagement, and the effectiveness of screening programmes. I do take ethical, legal, social and economic issues (ELSE) to be included, at least to the extent that I aim at an infrastructure that encompasses these issues and aims to incorporate them in technical designs in an effort to meet ethicists', lawyers', policy makers', and economists' concerns halfway. To a first approximation, the aim has been to integrate two strands of work over the last decade or more: the informatics of medical records on one hand and the distributed computational infrastructures for healthcare and biomedical research on the other. The papers assembled in this dissertation span a period of rapid growth in biomedical informatics (BMI). Their unifying theme was not declared programmatically at the beginning of this period, but rather developed, along with individual pieces of work, as my engagement – and that of my students – with BMI became more focused and penetrated deeper into the issues. Nevertheless, I believe I have learned something from each project I have been involved in and have brought this cumulative experience to bear on the central theme of my present work.
    My thematic vision is of a scientifically literate and engaged community whose members – citizens, patients, caregivers, advocates – are sufficiently interested in medical progress and in their own health to take ownership of their medical records, to subscribe to a research service that informs them about progress and about current studies that may interest them, and so take responsibility for their own health and that of those close to them. This entails many things: agreements on what constitutes legitimate data sharing and when such sharing may be permitted or required by the patient as owner of the data. It calls for a means of recognizing the intellectual contribution, and in some healthcare economies, the economic interest of a physician who generates that record. Ethically, it requires a consenting policy that allows patients to control who may approach them for participation in a study, whether as a subject, as a co-investigator, as a patient advocate, or as a lay advisor. Educationally, it requires willingness on the part of physician-researchers and scientists to disseminate what they have discovered and what they have learned in terms that are comprehensible to the interested lay participant—but do not speak down to her.