A Privacy-aware Graph-based Access Control System for the Healthcare Domain

  • Tian, Yuan (KyungHee University, Dept. Computer Engineering, Internet Computing & Network Security Lab.) ;
  • Song, Biao (KyungHee University, Dept. Computer Engineering, Internet Computing & Network Security Lab.) ;
  • Hassan, M.Mehedi. (King Saud University, Riyadh, College of Computer and Information Sciences) ;
  • Huh, Eui-Nam (KyungHee University, Dept. Computer Engineering, Internet Computing & Network Security Lab.)
  • Received : 2012.05.14
  • Accepted : 2012.09.13
  • Published : 2012.10.31

Abstract

The growing concern for the protection of personal information has made it critical to implement effective technologies for privacy and data management. By observing the limitations of existing approaches, we found that there is an urgent need for a flexible, privacy-aware system that is able to meet the privacy preservation needs at both the role level and the personal level. We proposed a conceptual system that considers these two requirements: a graph-based access control model to safeguard patient privacy. We present a case study of the healthcare field in this paper. While our model was tested in the field of healthcare, it is generic and can be adapted for use in other fields. Proof-of-concept demos were also provided with the aim of evaluating the efficacy of our system. In the end, based on the hospital scenarios, we present the experimental results to demonstrate the performance of our system, and we also compare those results to existing privacy-aware systems. As a result, we ensured a high quality of medical care service by preserving patient privacy.
