Automating Consent Management Lifecycle for Electronic Healthcare Systems

Medical Data Privacy Handbook

Abstract

The notion of patient consent plays a major role in granting access to medical data. In typical healthcare systems, consent is captured by a form that the patient has to fill in and sign. In e-Health systems, the paper-form consent is being replaced by access control mechanisms that regulate access to medical data, while taking into account electronic content. This empowers the patient to grant and revoke consent more effectively. However, the process of granting and revoking consent varies greatly according to the situation the patient is in. Our main argument is that such a level of detail is very difficult and error-prone to capture as a set of authorisation policies. In this chapter, we present ACTORS (Automatic Creation and lifecycle managemenT Of authoRisation policieS), a goal-driven approach to managing consent. The main idea behind ACTORS is to leverage the goal-driven approach of Teleo-Reactive (TR) programming to manage consent in a way that takes into account changes in the domains and contexts in which the patient is providing her consent.

This chapter extends our work that appeared in the Proceedings of POLICY 2012 [3].

References

  1. Aboelfotoh, M., Martin, P., Hassanein, H.: A mobile-based architecture for integrating personal health record data. In: IEEE 16th International Conference on e-Health Networking, Applications and Services (Healthcom), 2014, pp. 269–274 (2014)

  2. Asghar, M., Russello, G.: Flexible and dynamic consent-capturing. In: Camenisch, J., Kesdogan, D. (eds.) Open Problems in Network Security. Lecture Notes in Computer Science, vol. 7039, pp. 119–131. Springer, Berlin (2012)

  3. Asghar, M.R., Russello, G.: ACTORS: A goal-driven approach for capturing and managing consent in e-health systems. In: 2012 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pp. 61–69 (2012)

  4. Chan, H., Kwok, T.: A policy-based management system with automatic policy selection and creation capabilities by using a singular value decomposition technique. In: Seventh IEEE International Workshop on Policies for Distributed Systems and Networks, 2006. Policy 2006, pp. 96–99 (2006)

  5. Clarke, R.: econsent: A critical element of trust in ebusiness. In: BLED 2002 Proceedings, p. 12 (2002)

  6. Coiera, E., Clarke, R.: e-consent: the design and implementation of consumer consent mechanisms in an electronic environment. J. Am. Med. Inform. Assoc. 11(2), 129–140 (2004)

  7. European Communities: Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (1999). http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:1999L0093:20081211:EN:PDF

  8. Curren, L., Kaye, J.: Revoking consent: a “blind spot” in data protection law? Comput. Law Secur. Rev. 26(3), 273–283 (2010)

  9. Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lupu, E., Lobo, J. (eds.) Policies for Distributed Systems and Networks. Lecture Notes in Computer Science, vol. 1995, pp. 18–38. Springer, Berlin (2001)

  10. Dolin, R.H., Alschuler, L., Boyer, S., Beebe, C., Behlen, F.M., Biron, P.V., Shvo, A.S.: HL7 clinical document architecture, release 2. J. Am. Med. Inform. Assoc. 13(1), 30–39 (2006)

  11. Earp, J.B., He, Q., Stufflebeam, W., Bolchini, D., Jensen, C., et al.: Financial privacy policies and the need for standardization. IEEE Secur. Priv. 2(2), 36–45 (2004)

  12. European Communities: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995). http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf

  13. Fu, Z.: Network management and intrusion detection for quality of network services. Ph.D. in Computer Science, North Carolina State University (2001)

  14. Fu, Z.J., Wu, S.F.: Automatic generation of IPSec/VPN security policies in an intra-domain environment. In: 12th International Workshop on Distributed Systems: Operations & Management (2001)

  15. Health Level Seven International: HL7 implementation guide for CDA release 2: Privacy consent directives, release 1. http://gforge.hl7.org/gf/download/frsrelease/977/10295/CDAR2_IG_CONSENTDIR_R1_N1_2013MAY.pdf (2013)

  16. Illner, S., Krumm, H., Pohl, A., Lück, I., Manka, D., Sparenberg, T.: Policy controlled automated management of distributed and embedded service systems. In: Parallel and Distributed Computing and Networks, pp. 710–715 (2005)

  17. Illner, S., Pohl, A., Krumm, H., Luck, I., Manka, D., Sparenberg, T.: Automated runtime management of embedded service systems based on design-time modeling and model transformation. In: 2005 3rd IEEE International Conference on Industrial Informatics, INDIN ’05, pp. 134–139 (2005)

  18. Jin, J., Ahn, G.J., Hu, H., Covington, M.J., Zhang, X.: Patient-centric authorization framework for sharing electronic health records. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, SACMAT ’09, pp. 125–134. ACM, New York, NY (2009)

  19. Johnson, M., Karat, J., Karat, C., Grueneberg, K.: Usable policy template authoring for iterative policy refinement. In: 2010 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pp. 18–21 (2010)

  20. Lawson, P., O’Donoghue, M.: Approaches to consent in Canadian data protection law. In: Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society, pp. 23–42 (2009) https://goo.gl/VqPUwF

  21. Luger, E., Rodden, T.: An informed view on consent for ubicomp. In: Proceedings of the 2013 ACM International Joint Conference on Pervasive and Ubiquitous Computing, UbiComp ’13, pp. 529–538. ACM, New York, NY (2013)

  22. Luger, E., Rodden, T.: Terms of agreement: rethinking consent for pervasive computing. Interact. Comput. 25(3), 229–241 (2013) doi:10.1093/iwc/iws017

  23. Malone, P., McLaughlin, M., Leenes, R., Ferronato, P., Lockett, N., Guillen, P.B., Heistracher, T., Russello, G.: ENDORSE: a legal technical framework for privacy preserving data management. In: Proceedings of the 2010 Workshop on Governance of Technology, Information and Policies, pp. 27–34. ACM (2010)

  24. Marinovic, S., Twidle, K., Dulay, N., Sloman, M.: Teleo-reactive policies for managing human-centric pervasive services. In: Network and Service Management (CNSM), 2010 International Conference on, pp. 80–87 (2010)

  25. McDonald, A.M., Cranor, L.F.: The cost of reading privacy policies. ISJLP 4, 543 (2008)

  26. McNair, L., Costello, A.: Electronic informed consent: a new industry standard (2014) http://www.wcgclinical.com/wp-content/uploads/2014/03/eConsent-White-Paper_FINAL.pdf

  27. Mont, M.C., Pearson, S., Kounga, G., Shen, Y., Bramhall, P.: On the management of consent and revocation in enterprises: setting the context. HP Laboratories, Technical Report HPL-2009-49 (2009)

  28. Nilsson, N.J.: Teleo-reactive programs for agent control. J. Artif. Intell. Res. 1, 139–158 (1994)

  29. Nissenbaum, H.: Privacy in context: technology, policy, and the integrity of social life. Stanford University Press, Stanford (2009)

  30. OASIS Standard: eXtensible Access Control Markup Language (XACML) Version 3.0. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf (2013)

  31. O’Keefe, C.M., Greenfield, P., Goodchild, A.: A decentralised approach to electronic consent and health information access control. J. Res. Pract. Inf. Technol. 37(2), 161–178 (2005)

  32. Pruski, C.: e-CRL: A rule-based language for expressing patient electronic consent. In: Second International Conference on eHealth, Telemedicine, and Social Medicine, 2010. ETELEMED ’10, pp. 141–146 (2010)

  33. Report of the Secretary’s advisory committee on automated personal data systems. U.S. Department of Health, Education & Welfare, Records, Computers, and the Rights of Citizens (1973)

  34. Russello, G., Dong, C., Dulay, N.: Authorisation and conflict resolution for hierarchical domains. In: Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, 2007. POLICY ’07, pp. 201–210 (2007)

  35. Russello, G., Dong, C., Dulay, N.: Consent-based workflows for healthcare management. In: IEEE Workshop on Policies for Distributed Systems and Networks, 2008. POLICY 2008, pp. 153–161 (2008)

  36. Saltzer, J., Schroeder, M.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)

  37. Schwartz, P.M.: The eu-us privacy collision: a turn to institutions and procedures (2013)

  38. Schwartz, P.M., Solove, D.J.: The PII problem: privacy and a new concept of personally identifiable information. NYUL Rev. 86, 1814 (2011)

  39. Solove, D.J.: Introduction: Privacy self-management and the consent dilemma. Harv. Law Rev. 126, 1880 (2012)

  40. Turow, J., Feldman, L., Meltzer, K.: Open to exploitation: America’s shoppers online and offline (2005)

  41. Twidle, K., Dulay, N., Lupu, E., Sloman, M.: Ponder2: a policy system for autonomous pervasive environments. In: International Conference on Autonomic and Autonomous Systems, pp. 330–335 (2009)

  42. Whitley, E.A.: Informational privacy, consent and the “control” of personal data. Inf. Secur. Tech. Rep. 14(3), 154–159 (2009)

  43. Wuyts, K., Scandariato, R., Verhenneman, G., Joosen, W.: Integrating patient consent in e-Health access control. Int. J. Secure Softw. Eng. IGI Global 2(2), 1–24 (2011). Partner: KUL; project: NESSoS

  44. Zhou, X., Demetriou, S., He, D., Naveed, M., Pan, X., Wang, X., Gunter, C.A., Nahrstedt, K.: Identity, location, disease and more: inferring your secrets from android public resources. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 1017–1028. ACM, New York (2013)

Author information

Corresponding author

Correspondence to Muhammad Rizwan Asghar.

Copyright information

© 2015 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Asghar, M.R., Russello, G. (2015). Automating Consent Management Lifecycle for Electronic Healthcare Systems. In: Gkoulalas-Divanis, A., Loukides, G. (eds) Medical Data Privacy Handbook. Springer, Cham. https://doi.org/10.1007/978-3-319-23633-9_14

  • DOI: https://doi.org/10.1007/978-3-319-23633-9_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23632-2

  • Online ISBN: 978-3-319-23633-9

  • eBook Packages: Computer Science, Computer Science (R0)
