Team for Research in
Ubiquitous Secure Technology

Integration of Clinical Workflows with Privacy Policies on a Common Semantic Domain
Jan Werner, Bradley Malin, Yonghwan Lee, Akos Ledeczi, Janos Sztipanovits

Citation
Jan Werner, Bradley Malin, Yonghwan Lee, Akos Ledeczi, Janos Sztipanovits. "Integration of Clinical Workflows with Privacy Policies on a Common Semantic Domain". Talk or presentation, 11, November, 2008.

Abstract
As healthcare organizations (HCOs) migrate to electronic systems, they must ensure compliance with complex data protection legislation, such as the Health Insurance Portability and Accountability Act (HIPAA). Legislation specifies rules that must be enforced, but regulatory language is often imprecise, forcing HCOs to define local policies and procedures, as well as specific enforcement technologies. It is difficult for HCOs to ensure requirements are correctly translated across the enterprise, a problem compounded by the constant growth and evolution of deployed information technology (IT), such as clinical information systems (CISs). The consequence is that HCOs frequently rely on ad hoc IT configurations, which are unverified and potentially conflict with an HCO's policy. We introduce a solution to these challenges by integrating HIPAA policy rules with a domain-specific model-integrated computing suite, tailored to the clinical enterprise. We present a detailed description of the policy-modeling process and the enforcement mechanism, and illustrate how to implement several policies, including mandatory access control and emergency access. All policies are formally specified in Prolog, but their enforcement depends on when their compliance can be evaluated. Static policies are enforced at design time by mapping them to the structural constraints of system models. In contrast, dynamic policy rules, enforced at run time, are loaded into a Prolog-based Policy Decision Point and Policy Enforcement Point, our extension to the standard SOA execution platform, which controls access to all services reliant upon protected health information.
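To make the two enforcement modes in the abstract concrete, the following is an added example, not the authors' code or tool: a design-time structural check over a constructed system model (static policy), and a run-time Policy Decision Point that evaluates constructed rules for mandatory access control and emergency access in front of a Policy Enforcement Point wrapping a PHI-reliant service (dynamic policy). The authors specify their policies in Prolog; this example restates the same idea in plain Python with a first-applicable rule order. Every label, role, rule name, service name and the system model itself are assumptions of the example.

```python
"""Toy PDP/PEP split for clinical services (added example, not the paper's code).

Static policy: a structural constraint checked against a system model before
deployment. Dynamic policy: rules evaluated per request by a Policy Decision
Point (PDP) that a Policy Enforcement Point (PEP) consults before it lets a
call reach a service handling protected health information (PHI).
All labels, roles and rules below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sensitivity lattice for mandatory access control (MAC).
LEVELS = {"public": 0, "internal": 1, "phi": 2, "phi_restricted": 3}


@dataclass
class Subject:
    name: str
    role: str        # e.g. "clinician", "admin" (constructed roles)
    clearance: str   # a key of LEVELS


@dataclass
class Record:
    patient: str
    label: str       # a key of LEVELS


@dataclass
class Context:
    emergency: bool = False   # break-glass flag declared by the caller
    treating: bool = False    # subject has a treatment relationship with the patient


@dataclass
class Decision:
    permit: bool
    rule: str                 # which rule produced the decision (for audit)
    audit: bool = False       # emergency access must be recorded for review


# --- Dynamic policy rules: each returns a Decision or None (not applicable) ---

def rule_emergency(s, r, ctx):
    """Break-glass: clinicians get access in a declared emergency, but audited."""
    if s.role == "clinician" and ctx.emergency:
        return Decision(True, "emergency_access", audit=True)
    return None


def rule_mac_deny(s, r, ctx):
    """Mandatory access control: no read-up across the sensitivity lattice."""
    if LEVELS[s.clearance] < LEVELS[r.label]:
        return Decision(False, "mac_no_read_up")
    return None


def rule_treatment(s, r, ctx):
    """Clinicians may read records of patients they are treating."""
    if s.role == "clinician" and ctx.treating:
        return Decision(True, "treatment_relationship")
    return None


def rule_default_deny(s, r, ctx):
    return Decision(False, "default_deny")


# First-applicable combining order: emergency override, then MAC, then role rules.
DYNAMIC_POLICY = [rule_emergency, rule_mac_deny, rule_treatment, rule_default_deny]


class PolicyDecisionPoint:
    def __init__(self, rules):
        self.rules = rules
        self.audit_log = []   # (subject, patient, rule) for audited decisions

    def decide(self, s, r, ctx):
        for rule in self.rules:
            d = rule(s, r, ctx)
            if d is not None:
                if d.audit:
                    self.audit_log.append((s.name, r.patient, d.rule))
                return d
        return Decision(False, "no_rule")


class PolicyEnforcementPoint:
    """Wraps a PHI-reliant service; every call is mediated by the PDP."""
    def __init__(self, pdp, service):
        self.pdp, self.service = pdp, service

    def call(self, subject, record, ctx=None):
        ctx = Context() if ctx is None else ctx
        d = self.pdp.decide(subject, record, ctx)
        if not d.permit:
            raise PermissionError(f"{subject.name} -> {record.patient}: {d.rule}")
        return self.service(record)


# --- Static policy: a structural constraint checked at design time ---

# Constructed system model: which services consume PHI and whether a PEP fronts them.
SYSTEM_MODEL = {"services": [
    {"name": "LabResults", "uses_phi": True, "behind_pep": True},
    {"name": "Scheduler", "uses_phi": False, "behind_pep": False},
    {"name": "Billing", "uses_phi": True, "behind_pep": False},   # violates the constraint
]}


def check_model(model):
    """Every service that uses PHI must sit behind a PEP; returns violators."""
    return [svc["name"] for svc in model["services"]
            if svc["uses_phi"] and not svc["behind_pep"]]


if __name__ == "__main__":
    print("design-time violations:", check_model(SYSTEM_MODEL))
    pdp = PolicyDecisionPoint(DYNAMIC_POLICY)
    pep = PolicyEnforcementPoint(pdp, lambda r: f"chart of {r.patient}")
    dr = Subject("dr_lee", "clinician", "phi")
    print(pep.call(dr, Record("pat_42", "phi"), Context(treating=True)))
    print(pep.call(dr, Record("pat_42", "phi_restricted"), Context(emergency=True)))
    print("audit log:", pdp.audit_log)
```

The ordering of `DYNAMIC_POLICY` is the design choice worth noting: placing the break-glass rule before the MAC denial is what lets emergency access override the lattice, and tagging that decision with `audit=True` is what keeps the override reviewable afterwards. The static `check_model` pass catches the case the abstract calls an unverified ad hoc configuration, a PHI-consuming service wired up without a PEP, before any run-time rule is ever consulted.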

Citation formats  
  • HTML
    Jan Werner, Bradley Malin, Yonghwan Lee, Akos Ledeczi, Janos
    Sztipanovits. <a
    href="http://www.truststc.org/pubs/475.html"
    ><i>Integration of Clinical Workflows with Privacy
    Policies on a Common Semantic Domain</i></a>,
    Talk or presentation, 11, November, 2008.
  • Plain text
    Jan Werner, Bradley Malin, Yonghwan Lee, Akos Ledeczi, Janos
    Sztipanovits. "Integration of Clinical Workflows with
    Privacy Policies on a Common Semantic Domain". Talk or
    presentation, 11, November, 2008.
  • BibTeX
    @presentation{WernerMalinLeeLedecziSztipanovits08_IntegrationOfClinicalWorkflowsWithPrivacyPoliciesOnCommon,
        author = {Jan Werner and Bradley Malin and Yonghwan Lee and
                  Akos Ledeczi and Janos Sztipanovits},
        title = {Integration of Clinical Workflows with Privacy
                  Policies on a Common Semantic Domain},
        day = {11},
        month = {November},
        year = {2008},
        abstract = {As healthcare organizations (HCOs) migrate to
                  electronic systems, they must ensure compliance
                  with complex data protection legislation, such as
                  the Health Insurance Portability and
                  Accountability Act (HIPAA). Legislation specifies
                  rules that must be enforced, but regulatory
                  language is often imprecise, forcing HCOs to
                  define local policies and procedures, as well as
                  specific enforcement technologies. It is difficult
                  for HCOs to ensure requirements are correctly
                  translated across the enterprise, a problem
                  compounded by the constant growth and evolution of
                  deployed information technology (IT), such as
                  clinical information systems (CISs). The
                  consequence is that HCOs frequently rely on ad hoc
                  IT configurations, which are unverified and
                  potentially conflict with an HCO's policy. We
                  introduce a solution to these challenges by
                  integrating HIPAA policy rules with a
                  domain-specific model-integrated computing suite,
                  tailored to the clinical enterprise. We present a
                  detailed description of the policy-modeling
                  process, the enforcement mechanism, and illustrate
                  how to implement several policies, including
                  mandatory access control and emergency access. All
                  policies are formally specified through Prolog,
                  but their enforcement is dependent on when their
                  compliance can be evaluated. Static policies are
                  enforced at design-time by mapping them to the
                  structural constraints of system models. In
                  contrast, dynamic policy rules, enforced at
                  run-time, are loaded into a Prolog-based Policy
                  Decision Point and Policy Enforcement Point, our
                  extension to the standard SOA execution platform,
                  which controls access to all services reliant upon
                  protected health information.},
        URL = {http://www.truststc.org/pubs/475.html}
    }

Posted by Jessica Gamble on 23 Jan 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.