A Knowledge-Constrained Role-Based Access Control model for protecting patient privacy in hospital information systems

Current access control mechanisms of the hospital information system can hardly identify the real access intention of system users. A relaxed access control increases the risk of compromise of patient privacy. To reduce unnecessary access of patient information by hospital staff, this paper proposes a Knowledge-Constrained Role-Based Access Control (KCRBAC)model in which a variety of medical domain knowledge is considered in access control. Based on the proposed Purpose Tree and knowledge-involved algorithms, the model can dynamically define the boundary of access to the patient information according to the context, which helps protect patient privacy by controlling access. Compared with the Role-Based Access Control model, KC-RBAC can effectively protectpatient information according to the results of the experiments

Technical guidelines for enhancing privacy and data protection in modern electronic medical environments

Raising awareness and providing guidance to on-line data protection is undoubtedly a crucial issue worldwide. Equally important is the issue of applying privacy-related legislation in a coherent and coordinated way. Both these topics gain extra attention when referring to medical environments and, thus, to the protection of patients' privacy and medical data. Electronic medical transactions require the transmission of personal and medical information over insecure communication channels like the Internet. It is, therefore, a rather straightforward task to capture the electronic medical behavior of a patient, thus constructing "patient profiles," or reveal sensitive information related to a patient's medical history. The consequence is clearly a potential violation of the patient's privacy. We performed a risk analysis study for a Greek shared care environment for the treatment of patients suffering from beta-thalassemia, an empirically embedded scenario that is representative of many other electronic medical environments; we capitalized on its results to provide an assessment of the associated risks, focusing on the description of countermeasures, in the form of technical guidelines that can be employed in such medical environments for protecting the privacy of personal and medical information. © 2005 IEEE

Proposal of curriculum directives for the development of a specialization training course in information technology management in healthcare

Orientador: Saide Jorge CalilDissertação (mestrado) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de ComputaçãoResumo: A constante evolução tecnológica dos dispositivos biomédicos e sistemas informatizados nos centros hospitalares, tem aprimorado de forma significativa, os processos de análises clínicas, os procedimentos terapêuticos e o acesso ao sistema de saúde. Entretanto, a adoção inadequada e demasiada desses recursos aumenta consideravelmente a probabilidade da ocorrência de incidentes, transformando os recursos tecnológicos em potenciais fontes de risco. O engenheiro clínico como gestor de tecnologias em saúde deve estabelecer as medidas de gerenciamento necessárias para garantir a segurança de pacientes e operadores. Este trabalho tem por objetivo apresentar o processo de elaboração de uma proposta de diretrizes curriculares de um curso de especialização à distância, para capacitação profissional de engenheiros clínicos quanto ao gerenciamento de riscos de tecnologias da informação em saúde (TIS). Foram avaliadas as ementas curriculares dos principais cursos de especialização em engenharia clínica no Brasil, identificando as áreas de conhecimento abordadas durante a formação profissional dos engenheiros clínicos. O processo de desenvolvimento da proposta de diretrizes curriculares foi realizado a partir da estruturação dos tipos de conhecimentos necessários ao gerenciamento de risco de TIS, obtidos através da exploração e estudo do ambiente em que tais tecnologias estão inseridas. O processo de exploração do ambiente identificou diversos incidentes envolvendo a utilização de TIS e normas específicas ao gerenciamento de risco de tecnologias da informação. Foram levantados os tipos de riscos associados à utilização das tecnologias, as características profissionais dos engenheiros clínicos e as características necessárias à aplicação das normas de gerenciamento de risco de TIS nos centros hospitalares. O processo de estruturação dos tipos de conhecimentos em disciplinas utilizou como base o currículo de referência da Sociedade Brasileira de Computação (SBC) e de cursos de graduação em computação e informática. A formatação da proposta contemplando os objetivos do curso, conteúdo programático e a metodologia de ensino foi baseada nos instrumentos de avaliação de cursos presenciais e a distância utilizados pelo Ministério da Educação, resultando em uma proposta adequada à Resolução nº 1, de 8 de junho de 2007. Os conteúdos propostos pelo trabalho visam não só a especialização dos profissionais da engenharia clínica, mas também a integração e o trabalho em equipe com profissionais da área de tecnologias da informaçãoAbstract: The constant development of technology regarding biomedical devices and computerized systems in healthcare institutions has significantly improved the clinical analysis process, therapeutic procedures and access to healthcare system. However the excessive and the inappropriate adoption of these technologies have greatly increased the occurrence of incidents, transforming these new resources into potential sources of risk. As manager of healthcare technologies, the clinical engineer should establish the necessary management measures to ensure the safety of patients and operators. This study presents the process to develop curriculum directives for a distance education course for professional specialization of clinical engineers, on risk management of health information technology (HIT). Were evaluated the summaries of the main curricular specialization courses in clinical engineering in Brazil, identifying the areas of knowledge presented during the professional training of the clinical engineers. The focus of the evaluation was defining the types of knowledge related to the information technology. The process of developing the proposed curriculum was performed by structuring the types of knowledge needed for risk management of HIT obtained through the exploration and study of the environment in which these technologies are embedded. The process of exploration of the environment identified several incidents involving the use of HIT and specific standards to managing IT risk. It was also investigated the types of risks associated with the use of HIT, the professional characteristics of clinical engineers and the necessary requirements to apply the standards of risk management on the healthcare centers. The process for relating the types of knowledge to disciplines used as basis the set of disciplines part of reference curriculum of the Brazilian Computer Society (SBIS) for undergraduate courses in computing and informatics. The structure of the proposal contemplating the course objectives, contents, teaching methodology and the technology used. The proposal was based on the instruments for evaluating attendance and distance courses, recommended by the Ministry of Education. The proposal complies with the Resolution No. 1, of 8 June 2007. The proposed content of this work intended not only to upgrade the expertise of the clinical engineering professionals, but also aims to improve the integration and the teamwork with professionals in the field of information technologyMestradoEngenharia BiomedicaMestra em Engenharia Elétric