Team for Research in
Ubiquitous Secure Technology

Integration of Clinical Workflows with Privacy Policies on a Common Semantic Domain
Jan Werner, Bradley Malin, Yonghwan Lee, Akos Ledeczi, Janos Sztipanovits

Citation
Jan Werner, Bradley Malin, Yonghwan Lee, Akos Ledeczi, Janos Sztipanovits. "Integration of Clinical Workflows with Privacy Policies on a Common Semantic Domain". Talk or presentation, 11, November, 2008.

Abstract
As healthcare organizations (HCOs) migrate to electronic systems, they must ensure compliance with complex data protection legislation, such as the Health Insurance Portability and Accountability Act (HIPAA). Legislation specifies rules that must be enforced, but regulatory Language is often imprecise, forcing HCOs to define local policies and procedures, as well as specific enforcement technologies. It is difficult for HCOs to ensure requirements are correctly translated across the enterprise, a problem compounded by the constant growth and evolution of deployed information technology (IT), such as clinical information systems (CISs). The consequence is that HCOs frequently rely on ad hoc IT configurations, which are unverified and potentially conflict with an HCO's policy. We introduce a solution to these challenges by integrating HIPAA policy rules with a domain specific model-integrated computing suite, tailored to the clinical enterprise. We present a detailed description of the policy-modeling process, the enforcement mechanism, and illustrate how to implement several policies, including mandatory access control and emergency access. All policies are formally specified through Prolog, but their enforcement is dependent on when their compliance can be evaluated. Static policies are enforced at design-time by mapping them to the structural constraints of system models. In contrast, dynamic policy rules, enforced at run-time, are loaded into a Prolog-based Policy Decision Point and Policy Enforcement Point, our extension to the standard SOA execution platform, which controls access to all services reliant upon protected health information.

Electronic downloads

Citation formats  
  • HTML 
    Jan Werner, Bradley Malin, Yonghwan Lee, Akos Ledeczi, Janos
Sztipanovits. <a
href="http://www.truststc.org/pubs/475.html"
><i>Integration of Clinical Workflows with Privacy
Policies on a Common Semantic Domain</i></a>,
Talk or presentation,  11, November, 2008.
  • Plain text 
    Jan Werner, Bradley Malin, Yonghwan Lee, Akos Ledeczi, Janos
Sztipanovits. "Integration of Clinical Workflows with
Privacy Policies on a Common Semantic Domain". Talk or
presentation,  11, November, 2008.
  • BibTeX 
    @presentation{WernerMalinLeeLedecziSztipanovits08_IntegrationOfClinicalWorkflowsWithPrivacyPoliciesOnCommon,
    author = {Jan Werner and Bradley Malin and Yonghwan Lee and
              Akos Ledeczi and Janos Sztipanovits},
    title = {Integration of Clinical Workflows with Privacy
              Policies on a Common Semantic Domain},
    day = {11},
    month = {November},
    year = {2008},
    abstract = {As healthcare organizations (HCOs) migrate to
              electronic systems, they must ensure compliance
              with complex data protection legislation, such as
              the Health Insurance Portability and
              Accountability Act (HIPAA). Legislation specifies
              rules that must be enforced, but regulatory
              Language is often imprecise, forcing HCOs to
              define local policies and procedures, as well as
              specific enforcement technologies. It is difficult
              for HCOs to ensure requirements are correctly
              translated across the enterprise, a problem
              compounded by the constant growth and evolution of
              deployed information technology (IT), such as
              clinical information systems (CISs). The
              consequence is that HCOs frequently rely on ad hoc
              IT configurations, which are unverified and
              potentially conflict with an HCO's policy. We
              introduce a solution to these challenges by
              integrating HIPAA policy rules with a domain
              specific model-integrated computing suite,
              tailored to the clinical enterprise. We present a
              detailed description of the policy-modeling
              process, the enforcement mechanism, and illustrate
              how to implement several policies, including
              mandatory access control and emergency access. All
              policies are formally specified through Prolog,
              but their enforcement is dependent on when their
              compliance can be evaluated. Static policies are
              enforced at design-time by mapping them to the
              structural constraints of system models. In
              contrast, dynamic policy rules, enforced at
              run-time, are loaded into a Prolog-based Policy
              Decision Point and Policy Enforcement Point, our
              extension to the standard SOA execution platform,
              which controls access to all services reliant upon
              protected health information. },
    URL = {http://www.truststc.org/pubs/475.html}
}

Posted by Jessica Gamble on 23 Jan 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.