Expression of Security Policy in Medical Systems for Electronic Healthcare Records
This paper introduces a tool that is being developed for the expression of information security policy controls that govern electronic healthcare records. By reference to published findings, the paper introduces the theory behind the use of knowledge management for automatic and consistent security policy assertion using the formalism called the Secutype; the development of the tool and functionality is discussed; some examples of Secutypes generated by the tool are provided; proposed integration with existing medical record systems is described. The paper is concluded with a section on further work and critique of the work achieved to date.
[1] ISO 13606 Health informatics - Electronic Health Record
Communication Parts 1, 2 and 3, International Organization for
Standardization,
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?
csnumber=40784 (last accessed 30th January 2009)
[2] openEHR Clinical Models, The openEHR Foundation,
http://www.openehr.org/clinicalmodels/project.html (last accessed 30th
January 2009).
[3] Health Level 7 Record Information Model, www.hl7.org (last accessed
30th January 2009)
[4] Consultation on the Data Sharing Review, The Foundation for
Information Privacy Research
http://www.fipr.org/080215datasharing.pdf (last accessed 30th January
2008)
[5] R. Thomas and M. Walport, "The Data Sharing Review, " in
http://www.justice.gov.uk/docs/data-sharing-review-report.pdf (last
accessed 30th January 2009)
[6] M.Y.Becker, "Information Governance in NHS-s NPfIT: A Case for
Policy Specification," in International Journal of Medical Informatics
vol. 76 (5-6), 2006, pp. 432-437.
[7] The United Kingdom National Health Service Confidentiality Code of
Practice,http://www.dh.gov.uk/en/Managingyourorganisation/Informatio
npolicy/PatientConfidentialityAndCaldicottGuardians/DH_4100550
(last accessed 30th January 2009)
[8] University College London Research Governance
http://www.ucl.ac.uk/joint-rd-unit/ResGov (last accessed 30th January
2009)
[9] A. Slowther, P. Boynton and S. Shaw, "Research Governance: Ethical
Issues," in Journal of the Royal Society of Medicine, vol. 99 (2), 2006,
pp. 65-72
[10] E. Angell, A. J. Sutton, K. Windridge, M. Dixon-Woods, "Consistency
in Decision Making by Research Ethics Committees: a Controlled
Comparison" in Journal of Medical Ethics, BMJ Publishing Group Ltd,
vol. 32 (11), 2006, pp. 662-664
[11] N. Lea, S. Hailes, T. Austin, D. Kalra, "Knowledge Management for the
Protection of Information in Electronic Medical Records," in eHealth
Beyond the Horizon - Get IT There, Proceedings of MIE2008. IOS
Press, 2008, pp. 685-90
[12] T. Beale, "Archetypes: Constraint-Based Domain Models for
Future-Proof Information Systems," in Eleventh OOPSLA Workshop on
Behavioral Semantics: Serving the Customer (Seattle, Washington,
USA, November 4, 2002). Edited by Kenneth Baclawski and Haim
Kilov. Northeastern University, Boston, 2002, pp. 16-32
[13] M. Sloman and E. Lupu, "Security and Management Policy
Specification," IEEE Network vol. 16, 2002, pp. 10-19
[14] The JBoss Community and Application Server, http://jboss.org/ (last
accessed 30th January 2008)
[15] JBoss Seam Framework, http://seamframework.org/ (last accessed 30th
January 2009)
[16] Hibernate, http://www.hibernate.org/ (last accessed 30th January 2009)
[17] T. Austin, D. Kalra, A. Tapuria, N. Lea, D. Ingram, "Implementation of
a Query Interface for a Generic Record Server," International Journal of
Medical Informatics, Elsevier, vol. 77 (11), 2008, pp. 754-764
[1] ISO 13606 Health informatics - Electronic Health Record
Communication Parts 1, 2 and 3, International Organization for
Standardization,
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?
csnumber=40784 (last accessed 30th January 2009)
[2] openEHR Clinical Models, The openEHR Foundation,
http://www.openehr.org/clinicalmodels/project.html (last accessed 30th
January 2009).
[3] Health Level 7 Record Information Model, www.hl7.org (last accessed
30th January 2009)
[4] Consultation on the Data Sharing Review, The Foundation for
Information Privacy Research
http://www.fipr.org/080215datasharing.pdf (last accessed 30th January
2008)
[5] R. Thomas and M. Walport, "The Data Sharing Review, " in
http://www.justice.gov.uk/docs/data-sharing-review-report.pdf (last
accessed 30th January 2009)
[6] M.Y.Becker, "Information Governance in NHS-s NPfIT: A Case for
Policy Specification," in International Journal of Medical Informatics
vol. 76 (5-6), 2006, pp. 432-437.
[7] The United Kingdom National Health Service Confidentiality Code of
Practice,http://www.dh.gov.uk/en/Managingyourorganisation/Informatio
npolicy/PatientConfidentialityAndCaldicottGuardians/DH_4100550
(last accessed 30th January 2009)
[8] University College London Research Governance
http://www.ucl.ac.uk/joint-rd-unit/ResGov (last accessed 30th January
2009)
[9] A. Slowther, P. Boynton and S. Shaw, "Research Governance: Ethical
Issues," in Journal of the Royal Society of Medicine, vol. 99 (2), 2006,
pp. 65-72
[10] E. Angell, A. J. Sutton, K. Windridge, M. Dixon-Woods, "Consistency
in Decision Making by Research Ethics Committees: a Controlled
Comparison" in Journal of Medical Ethics, BMJ Publishing Group Ltd,
vol. 32 (11), 2006, pp. 662-664
[11] N. Lea, S. Hailes, T. Austin, D. Kalra, "Knowledge Management for the
Protection of Information in Electronic Medical Records," in eHealth
Beyond the Horizon - Get IT There, Proceedings of MIE2008. IOS
Press, 2008, pp. 685-90
[12] T. Beale, "Archetypes: Constraint-Based Domain Models for
Future-Proof Information Systems," in Eleventh OOPSLA Workshop on
Behavioral Semantics: Serving the Customer (Seattle, Washington,
USA, November 4, 2002). Edited by Kenneth Baclawski and Haim
Kilov. Northeastern University, Boston, 2002, pp. 16-32
[13] M. Sloman and E. Lupu, "Security and Management Policy
Specification," IEEE Network vol. 16, 2002, pp. 10-19
[14] The JBoss Community and Application Server, http://jboss.org/ (last
accessed 30th January 2008)
[15] JBoss Seam Framework, http://seamframework.org/ (last accessed 30th
January 2009)
[16] Hibernate, http://www.hibernate.org/ (last accessed 30th January 2009)
[17] T. Austin, D. Kalra, A. Tapuria, N. Lea, D. Ingram, "Implementation of
a Query Interface for a Generic Record Server," International Journal of
Medical Informatics, Elsevier, vol. 77 (11), 2008, pp. 754-764
@article{"International Journal of Business, Human and Social Sciences:56068", author = "Nathan C. Lea and Tony Austin and Stephen Hailes and Dipak Kalra", title = "Expression of Security Policy in Medical Systems for Electronic Healthcare Records", abstract = "This paper introduces a tool that is being developed for the expression of information security policy controls that govern electronic healthcare records. By reference to published findings, the paper introduces the theory behind the use of knowledge management for automatic and consistent security policy assertion using the formalism called the Secutype; the development of the tool and functionality is discussed; some examples of Secutypes generated by the tool are provided; proposed integration with existing medical record systems is described. The paper is concluded with a section on further work and critique of the work achieved to date.
", keywords = "Information Security Policy, Electronic Healthcare
Records, Knowledge Management, Archetypes, Secutypes.", volume = "3", number = "5", pages = "426-5", }
