Team for Research in
Ubiquitous Secure Technology

Model-Based Design Environment for Clinical Information Systems
Akos Ledeczi

Citation
Akos Ledeczi. "Model-Based Design Environment for Clinical Information Systems". Talk or presentation, 10, October, 2007.

Abstract
Many health-care organizations have migrated from paper-based to Electronic Medical Records (EMR), which have been shown to increase both staff productivity and patient safety. Expanding on the success of EMRs, Clinical Information Systems (CIS) incorporate a wide range of the informational and organizational components of the health-care environment.

Local and federal regulations concerning the management of patient information present challenges for CIS design and implementation. The Health Insurance Portability and Accountability Act (HIPAA) specifically grants patients the right to access their medical records and requires healthcare organizations to provide security protection for protected health information. Patient portals are one way to give patients simple access to their medical records, disclosures, and audits. Designing such a system optimally to protect patient confidentiality and respect health-care providers’ rights is an open problem.

We begin to address this challenge by casting patient portals, a key portion of CIS, onto a Service-Oriented Architecture (SOA). We developed a domain-specific modeling environment called Model-based Design Environment for Clinical Information Systems (MODECIS) with which we create formal models of healthcare services and features for detailed analysis. Our initial research with MODECIS successfully demonstrates that patient portals can be modeled as SOA. The development of critical modeling abstractions adds the feature of scalability to our tool. Although MODECIS is a work-in-progress, it has been used to create high-fidelity models of the MyHealth@Vanderbilt patient portal.

SOA has been previously proposed for the design of formally-composed CIS environments; however, current implementations are limited by the fact that they do not model patient-provider interactions. In this paper, we show how SOA can be applied to a specific patient-associated environment. We propose to use the web service standards defined by OASIS, which include the Business Process Execution Language (BPEL) for web service orchestration and the Extensible Access Control Markup Language (XACML) for policy representation.

Workflows provide a representation of the manner by which data is accessed, handled, and shared. Without formal representations of daily business processes and their interrelationships within the healthcare environment, it is not clearly evident why a patient's medical record is accessed or how the interactions between patient and provider are managed. Both underspecified and ad hoc workflow design can lead to malformed policies with unanticipated consequences, and even seemingly routine business processes can lead to serious privacy compromises when taken in combination. Taking this into account, formal workflow models are a starting point for the development and analysis of policy-driven operations supporting privacy and security.

This inspired the creation of our tool suite, MODECIS, where the formal basis of our approach allows for the extension, reuse, and evolution of clinical information systems. MODECIS has three main components: a) a graphical design environment for capturing the business logic of CIS through workflows, b) an analysis tool, which allows for the analysis of information flows and the exploration of security and privacy properties of a CIS system modeled with the graphical design environment, and finally c) a model translator that maps the CIS-specific workflows to BPEL, WSDL and XACML. By translating the domain models onto these SOA standards, the underlying alternative implementations of SOA platforms for the standards become applicable. This radically simplifies the fast prototyping, integration and testing tasks.

By capturing the appropriate level of abstraction, it is possible to satisfy utility, security, and policy requirements for CIS. In MODECIS, workflows provide us with this abstraction layer, which is suitable for patient-centered clinical information representation and management. It will allow us to perform vulnerability, security and privacy analyses through model verification and simulation-based testing tools. Additionally, model-based design provides the tools for automated system generation directly from the models.

At the heart of our approach, the domain-specific modeling language captures the system from multiple aspects. The workflow models can be thought of as a graphical equivalent of a simplified BPEL representation. They capture the orchestration logic with graphs that describe control, which specify the sequence of service invocations and data flows that represent the movement of information within a CIS system. One aspect allows for the orchestration of control flows that are defined as a composition of service invocations – which can either be asynchronous or synchronous – and the typical control structures – such as switch, join, while, and catch – which allows for the definition of arbitrary workflow logic. Another aspect of workflow modeling describes the flow of data elements: how these elements are exchanged, processed and stored between and within various processes. This way each workflow model can be thought of as an available service with well-defined interfaces. Since the workflow models only describe how data elements are used, we have created the view for building datatype models, making the language strongly typed.

Workflows in general allow system architects to follow the information traveling between entities and can represent diverse entities interacting with the system, such as physical databases or people. For this reason MODECIS incorporates two more types of models for the integration of workflows with the underlying architectures and physical entities. This means that a complex, explicitly represented social and technical architecture can be constructed that the services build on.

The creation of organizational models allows for the human coordination within CIS. These models are used to specify the architecture of the enterprise itself, such as the roles of different people. Organizational models reflect inter- and intradepartmental interactions, as well as people’s roles within departments, specifying tasks and the groups to whom these tasks are assigned. This enables the specification of policies to facilitate role-based access control, for example.

While organizational models relate human-based workflow (i.e., workflows that describe expected behavior of and tasks performed by the human players in CIS), deployment models specify the organization of computer servers, their conjunctive networks and interface with workflows in a similar manner to organizational models. They are often referred to as the network architecture (e.g., they depict hospital servers and workstations along with the services they provide).

The final abstraction captures policy statements that crosscut workflow, organizational and deployment models. They place restrictions on accessing certain services and information.

MODECIS includes a model translator capable of mapping domain-specific models to executable BPEL code. Despite its wide acceptance, BPEL provides no support for the detection of a) possible deadlocks or b) process paths that are not viable. MODECIS plans to capitalize on existing technologies, such as Petri Nets, the SPIN model checker, Process Algebras, and Abstract State Machines, for (BPEL) model verification to identify such erroneous workflows.

As a final system-integration step to guarantee correct flow of logic captured by the domain models, the tool suite interfaces with an execution engine, which manages the multiple instances of workflows after deployment. Specifically, the engine organizes and executes the services required by the CIS entities (e.g., a patient, primary care provider, and patient portal) and enforces policies.

The MODECIS tool suite provides a domain-specific, graphical design environment for precisely describing organizational, deployment, service, and data models in relation to patient portals. Through our collaboration with the Vanderbilt University Medical Center (VUMC), we were able to create a modeling language capable of representing a functional patient portal. The VUMC group was also able to confirm the expressiveness and correctness of our patient portal workflow models, which we have begun to deploy on the Oracle BPEL execution engine.

Although MODECIS is a work-in-progress, models created with the tool suite serve as formal system specifications that can be mapped onto various SOA execution platforms for simulation. Consistency and well-formedness checking is already supported by MODECIS; support for policy verification and vulnerability and security analysis of the models is our next step, which will be supported through the use of existing analysis tools.

MODECIS provides a scalable tool to evaluate design decisions and system changes before deploying costly healthcare infrastructure. The creation of patient portal models and simulations is one step toward designing robust CIS that are able to take into account the diverse privacy and security concerns of stakeholders.

Electronic downloads


Internal. This publication has been marked by the author for TRUST-only distribution, so electronic downloads are not available without logging in.
Citation formats  
  • HTML
    Akos Ledeczi. <a
    href="http://www.truststc.org/pubs/295.html"
    ><i>Model-Based Design Environment for Clinical
    Information Systems</i></a>, Talk or
    presentation,  10, October, 2007.
  • Plain text
    Akos Ledeczi. "Model-Based Design Environment for
    Clinical Information Systems". Talk or presentation, 
    10, October, 2007.
  • BibTeX
    @presentation{Ledeczi07_ModelBasedDesignEnvironmentForClinicalInformationSystems,
        author = {Akos Ledeczi},
        title = {Model-Based Design Environment for Clinical
                  Information Systems},
        day = {10},
        month = {October},
        year = {2007},
        URL = {http://www.truststc.org/pubs/295.html}
    }
    

Posted by Larry Rohrbough on 16 Oct 2007.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.