Abstract
The notion of patient’s consent plays a major role in granting access to medical data. In typical healthcare systems, consent is captured by a form that the patient has to fill in and sign. In e-Health systems, the paper-form consent is being replaced by access control mechanisms that regulate access to medical data, while taking into account electronic content. This empowers the patient to grant and revoke consent more effectively. However, the process of granting and revoking consent varies greatly according to the situation the patient is in. Our main argument is that such a level of detail is very difficult and error-prone to capture as a set of authorisation policies. In this chapter, we present ACTORS (Automatic Creation and lifecycle managemenT Of authoRisation policieS), a goal-driven approach to managing consent. The main idea behind ACTORS is to leverage the goal-driven approach of Teleo-Reactive (TR) programming to manage consent in a way that takes into account changes in the domains and contexts in which the patient is providing her consent.
This chapter extends our work that appeared in the Proceedings of POLICY 2012 [3].
References
Aboelfotoh, M., Martin, P., Hassanein, H.: A mobile-based architecture for integrating personal health record data. In: IEEE 16th International Conference on e-Health Networking, Applications and Services (Healthcom), 2014, pp. 269–274 (2014)
Asghar, M., Russello, G.: Flexible and dynamic consent-capturing. In: Camenisch, J., Kesdogan, D. (eds.) Open Problems in Network Security. Lecture Notes in Computer Science, vol. 7039, pp. 119–131. Springer, Berlin (2012)
Asghar, M.R., Russello, G.: ACTORS: A goal-driven approach for capturing and managing consent in e-health systems. In: 2012 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pp. 61–69 (2012)
Chan, H., Kwok, T.: A policy-based management system with automatic policy selection and creation capabilities by using a singular value decomposition technique. In: Seventh IEEE International Workshop on Policies for Distributed Systems and Networks, 2006. Policy 2006, pp. 96–99 (2006)
Clarke, R.: econsent: A critical element of trust in ebusiness. In: BLED 2002 Proceedings, p. 12 (2002)
Coiera, E., Clarke, R.: e-consent: the design and implementation of consumer consent mechanisms in an electronic environment. J. Am. Med. Inform. Assoc. 11(2), 129–140 (2004)
European Communities: Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (1999). http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:1999L0093:20081211:EN:PDF
Curren, L., Kaye, J.: Revoking consent: a “blind spot” in data protection law? Comput. Law Secur. Rev. 26(3), 273–283 (2010)
Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lupu, E., Lobo, J. (eds.) Policies for Distributed Systems and Networks. Lecture Notes in Computer Science, vol. 1995, pp. 18–38. Springer, Berlin (2001)
Dolin, R.H., Alschuler, L., Boyer, S., Beebe, C., Behlen, F.M., Biron, P.V., Shvo, A.S.: HL7 clinical document architecture, release 2. J. Am. Med. Inform. Assoc. 13(1), 30–39 (2006)
Earp, J.B., He, Q., Stufflebeam, W., Bolchini, D., Jensen, C., et al.: Financial privacy policies and the need for standardization. IEEE Secur. Priv. 2(2), 36–45 (2004)
European Communities: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995). http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
Fu, Z.: Network management and intrusion detection for quality of network services. Ph.D. in Computer Science, North Carolina State University (2001)
Fu, Z.J., Wu, S.F.: Automatic generation of IPSec/VPN security policies in an intra-domain environment. In: 12th International Workshop on Distributed Systems: Operations & Management (2001)
Health Level Seven International: HL7 implementation guide for CDA release 2: Privacy consent directives, release 1. http://gforge.hl7.org/gf/download/frsrelease/977/10295/CDAR2_IG_CONSENTDIR_R1_N1_2013MAY.pdf (2013)
Illner, S., Krumm, H., Pohl, A., Lück, I., Manka, D., Sparenberg, T.: Policy controlled automated management of distributed and embedded service systems. In: Parallel and Distributed Computing and Networks, pp. 710–715 (2005)
Illner, S., Pohl, A., Krumm, H., Luck, I., Manka, D., Sparenberg, T.: Automated runtime management of embedded service systems based on design-time modeling and model transformation. In: 2005 3rd IEEE International Conference on Industrial Informatics, INDIN ’05, pp. 134–139 (2005)
Jin, J., Ahn, G.J., Hu, H., Covington, M.J., Zhang, X.: Patient-centric authorization framework for sharing electronic health records. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, SACMAT ’09, pp. 125–134. ACM, New York, NY (2009)
Johnson, M., Karat, J., Karat, C., Grueneberg, K.: Usable policy template authoring for iterative policy refinement. In: 2010 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pp. 18–21 (2010)
Lawson, P., O’Donoghue, M.: Approaches to consent in Canadian data protection law. In: Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society, pp. 23–42 (2009) https://goo.gl/VqPUwF
Luger, E., Rodden, T.: An informed view on consent for ubicomp. In: Proceedings of the 2013 ACM International Joint Conference on Pervasive and Ubiquitous Computing, UbiComp ’13, pp. 529–538. ACM, New York, NY (2013)
Luger, E., Rodden, T.: Terms of agreement: rethinking consent for pervasive computing. Interact. Comput. 25(3), 229–241 (2013) doi:10.1093/iwc/iws017
Malone, P., McLaughlin, M., Leenes, R., Ferronato, P., Lockett, N., Guillen, P.B., Heistracher, T., Russello, G.: ENDORSE: a legal technical framework for privacy preserving data management. In: Proceedings of the 2010 Workshop on Governance of Technology, Information and Policies, pp. 27–34. ACM (2010)
Marinovic, S., Twidle, K., Dulay, N., Sloman, M.: Teleo-reactive policies for managing human-centric pervasive services. In: Network and Service Management (CNSM), 2010 International Conference on, pp. 80–87 (2010)
McDonald, A.M., Cranor, L.F.: The cost of reading privacy policies. ISJLP 4, 543 (2008)
McNair, L., Costello, A.: Electronic informed consent: a new industry standard (2014) http://www.wcgclinical.com/wp-content/uploads/2014/03/eConsent-White-Paper_FINAL.pdf
Mont, M.C., Pearson, S., Kounga, G., Shen, Y., Bramhall, P.: On the management of consent and revocation in enterprises: setting the context. HP Laboratories, Technical Report HPL-2009-49 (2009)
Nilsson, N.J.: Teleo-reactive programs for agent control. J. Artif. Intell. Res. 1, 139–158 (1994)
Nissenbaum, H.: Privacy in context: technology, policy, and the integrity of social life. Stanford University Press, Stanford (2009)
OASIS Standard: eXtensible Access Control Markup Language (XACML) Version 3.0. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf (2013)
O’Keefe, C.M., Greenfield, P., Goodchild, A.: A decentralised approach to electronic consent and health information access control. J. Res. Pract. Inf. Technol. 37(2), 161–178 (2005)
Pruski, C.: e-CRL: A rule-based language for expressing patient electronic consent. In: Second International Conference on eHealth, Telemedicine, and Social Medicine, 2010. ETELEMED ’10, pp. 141–146 (2010)
Report of the Secretary’s advisory committee on automated personal data systems. U.S. Department of Health, Education & Welfare, Records, Computers, and the Rights of Citizens (1973)
Russello, G., Dong, C., Dulay, N.: Authorisation and conflict resolution for hierarchical domains. In: Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, 2007. POLICY ’07, pp. 201–210 (2007)
Russello, G., Dong, C., Dulay, N.: Consent-based workflows for healthcare management. In: IEEE Workshop on Policies for Distributed Systems and Networks, 2008. POLICY 2008, pp. 153–161 (2008)
Saltzer, J., Schroeder, M.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)
Schwartz, P.M.: The EU-US privacy collision: a turn to institutions and procedures (2013)
Schwartz, P.M., Solove, D.J.: The PII problem: privacy and a new concept of personally identifiable information. NYUL Rev. 86, 1814 (2011)
Solove, D.J.: Introduction: Privacy self-management and the consent dilemma. Harv. Law Rev. 126, 1880 (2012)
Turow, J., Feldman, L., Meltzer, K.: Open to exploitation: America’s shoppers online and offline (2005)
Twidle, K., Dulay, N., Lupu, E., Sloman, M.: Ponder2: a policy system for autonomous pervasive environments. In: International Conference on Autonomic and Autonomous Systems, pp. 330–335 (2009)
Whitley, E.A.: Informational privacy, consent and the “control” of personal data. Inf. Secur. Tech. Rep. 14(3), 154–159 (2009)
Wuyts, K., Scandariato, R., Verhenneman, G., Joosen, W.: Integrating patient consent in e-Health access control. Int. J. Secure Softw. Eng. IGI Global 2(2), 1–24 (2011)
Zhou, X., Demetriou, S., He, D., Naveed, M., Pan, X., Wang, X., Gunter, C.A., Nahrstedt, K.: Identity, location, disease and more: inferring your secrets from android public resources. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 1017–1028. ACM, New York (2013)
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Asghar, M.R., Russello, G. (2015). Automating Consent Management Lifecycle for Electronic Healthcare Systems. In: Gkoulalas-Divanis, A., Loukides, G. (eds) Medical Data Privacy Handbook. Springer, Cham. https://doi.org/10.1007/978-3-319-23633-9_14
DOI: https://doi.org/10.1007/978-3-319-23633-9_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23632-2
Online ISBN: 978-3-319-23633-9
eBook Packages: Computer Science, Computer Science (R0)