Conference PaperPDF Available

Information Classification Scheme for Next Generation Access Control Models in Mobile Patient-Centered Care Systems

Authors:

Abstract and Figures

mHealth (i.e. mobile healthcare) refurbishes healthcare systems to facilitate information exchange among healthcare providers to seamlessly access remote patient-centred information of less-mobile co-morbid ageing population. Access to such information must be controlled to make the right information available to the right person at the right point of care to facilitate informed-decisions while preserving privacy. However, most Electronic Health Record (EHR) systems used for in-patient care concentrate on painting the full picture with time-consuming, lengthy free-text records on immobile devices, which is unaffordable when time is crucial. Moreover, these systems deploy off-the-shelf alert systems designed to meet traditional doctor-centred healthcare delivery approach. This paper introduces a classification scheme for access control models that balances the fine line between information availability in a speedy manner and its confidentiality in mobile solutions that fully support mHealth. This should lay sound foundation for next generation access control models for mHealth solutions suitable for various patients care contexts: inpatient care, intensive care unit, and outpatient care.
Content may be subject to copyright.
!
!
!
1!
Information*Classification*Scheme*for*Next*Generation*Access*
Control*Models*in*Mobile*Patient-Centered*Care*Systems*
*
Shada*A.*Alsalamah**
College*of*Computer*and*Information*Sciences,*King*Saud*University,*Riyadh,*Saudi*Arabia.*
Centre*of*Excellence*in*Information*Assurance,*Riyadh,*Saudi*Arabia.*
saalsalamah@ksu.edu.sa**
!
Abstract:* mHealth! (i.e.! mobile! healthcare)! refurbishes! healthcare! systems! to! facilitate! information! exchange! among!
healthcare!providers!to!seamlessly!access!remote!patient-centred!information!of!less-mobile!co-morbid!ageing!population.!
Access!to!such!information!must!be!controlled!to!make!the!right!information!available!to!the!right!person!at!the!right!point!
of!care!to! facilitate! informed-decisions!while! preserving! privacy.! However,! most! Electronic! Health! Record!(EHR)!systems!
used! for! in-patient! care!concentrate! on! painting! the! full! picture! with! time-consuming,! lengthy! free-text! records! on!
immobile!devices,!which!is! unaffordable! when! time! is!crucial.!Moreover,! these! systems! deploy!off-the-shelf!alert!systems!
designed!to!meet! traditional!doctor-centred! healthcare! delivery! approach.! This!paper! introduces! a! classification! scheme!
for! access! control! models! that! balances! the! fine! line! between! information! availability! in! a! speedy! manner! and! its!
confidentiality!in!mobile!solutions!that!fully!support!mHealth.!This!should!lay!sound!foundation!for!next!generation!access!
control!models! for! mHealth!solutions! suitable! for!various! patients!care! contexts:! inpatient! care,! intensive! care!unit,! and!
outpatient!care.!
*
Keywords:*Modern!Healthcare,*Mobile!Health,!Electronic!Health!Record,!Information!Security,!Access!Control!Model,!
Information!Classification!Scheme,!and!Authorization.!
1. Introduction!
Liz,!a!diabetic!patient,!is!hypersensitive!to!latex!protein!(widely!found!in!medical!products!such!as!gloves)!and!
has!just!given!birth!to!her!first!baby!girl.!She!is!under!the!effect!of!anaesthesia,!and!so!was!unconscious!in!the!
recovery! room! when! Dr.! Johns,! who! happens! to! be! on! call! that! busy! day,! wanted!to! see! her! for! a! routine!
check-up.!He! was! not!aware!of!Liz's!severe!allergy!to! latex!as!it! was! not!noted!on!her! bedside!medical!chart.!
Besides,!she!looked!just!fine!at! a! glance.! While! the! doctor! was! washing! his!hands! and!wearing! a!fresh!pair!of!
gloves,!he!briefly!skimmed!through!Liz's!paper-based!record!handed!in!by!the!nurse!without!spending!much!
time!on! finer! details.!Then! the! minute! he! started! with! the! physical! examination,! it! was!clear! to! everyone!in!
that!room!that!something!went!wrong!in!that!split!second.!
!!
Liz! is! not! a! typical! patient! following! a! single!treatment! journey! (also! known! as! an! integrated! care! pathway!
(MoM,! 2012),! but! a! co-morbid! patient! (i.e.! following! multiple! pathways! simultaneously! (Alsalamah!et! al,!
2016a)).! Moreover,! she!is! not! the! only!patient! Dr.! Johns!cares! for! on!a! typical! hectic! day!at! the! hospital;!he!
cares!for! tens! of! other! patients!moving! from! one!ward! to! another! and!from! one! patient's! room!to! another,!
providing!the!best!treatment!he!could!possibly!give.!Now,!what!if!any!of!those!patients!is!a!high!risk!with!HIV!
positive!results,! infected! with! a! contagious! virus,! or! experiencing! severe! allergic!reactions! to! certain!
medications!or!skin-contact!preservatives?!Also,! what!if!patients!are!diagnosed! with!more!than!one!condition!
or!disease!that!interacts!with!one!another!and!needs!special!attention!when!under!certain!circumstances!and!
which!the!doctor!must!be!aware!of!before!seeing!or!interacting!with!the!patient?!In!such!cases,!Dr.!Jones!will!
not!be!able!to!spot!those!critical! pieces!of!medical!information!within!lengthy!patients'!complete!records!in!a!
timely!manner!while!on!the!go!to!care!for!as!many!patients!as!possible!using!informed!decisions.!
!!
This!paper!aims!to!shed!some!light!on!information!access!needs!in!modern!mHealth!systems!in!general!and!in!
EHR!systems! used!for!inpatient's!care!in! particular.! Based! on!those!needs,!the!paper!identifies!key! challenges!
in!developing! access!control!models!that!are!capable!of!meeting!those!access!needs!by!balancing!the!fine!line!
between!the!provision!of!critical!information!to!the!right!person!in!a!speedy!manner!and!the!confidentiality!of!
this!information! to! preserve! patients'!privacy.! Those! challenges!define! requirements! for! the!development! of!
the! next! generation! access! control! models! for! inpatients ’! care! delivery! systems! that! fully! support! mHealth!
model.! This! is! believed! to! lay! sound! foundation! for! further! research! and! development! in! modern! mobile!
healthcare.!
!
2. Modern*Healthcare*Delivery*Models!
There! is! a! global! movement! towards! a! holistic,! integrated,! and! mobile! healthcare! model! (Alsalamah!et! al,!
2016;!Moumtzoglou,!2016)!that!places!high!pressure! on!governments!to!modernise!their! healthcare!services!
!
!
!
2!
to!cope! with! emerging! needs! of! our!ageing!population! (UNFPA,!2016).!Although!medical!advances,!increased!
child! survival,! and! improved! health! care! are! all! contributing! factors! to! today's! low! mortality! rate! (UNFPA,!
2016),! this! does! not! mean! that! older! persons! should! be! a! burden! (UNFPA,! 2016).! Older! people's! health!
conditions! require! a! more! holistic,! integrated,! and! mobile! care!as! comorbidity! is! more! common! in! older!
patients!than!in!younger! ones!(Alsalamah!et!al,!2016a).!Patients!with!comorbidity!suffer!from!more!than!one!
condition!at! a!time,!and!so! they!follow!multiple!treatment! pathways! (Alsalamah!et! al,!2016a).!Therefore,!it!is!
clear! that! healthcare! delivery! systems! need! to! cope! with! this! emerging! need! for!less-mobile! co-morbid!
patients,!and!be!ready!for!the!ageing!population,!with!modern!mobile!integrated!healthcare!services!that!can!
cope!holistically! with! a! patient!with! more!than!one! health! condition! in!an! easy!and! mobile! way! as!much! as!
possible.!!
!
Modern! integrated! mobile! healthcare! delivery! models! are! an! essential! part! of! eHealth! (i.e.! electronic!
healthcare)! (Powell,! 2009).! They! use! ICT! to! enhance! collaboration,! commu nication,! and! coordination! in! the!
health! sector! (Eysenbach,! 2001;! Powell,! 2009).! eHealth! is! an! umbrella! term! in! today's! modernisation!
movement!in!healthcare!delivery!that!incorporates!interdisciplinary!areas!involving!healthcare!and!technology!
to! improve! the! quality! of! healthcare! services! (Powell,! 2009;! Alsalamah!et! al,! 2011a;! Waegemann,! 2016).!
Incorporating! ICT! in! the! healthcare! domain! has!led! to!an! explosion! of! eHealth!interventions!within!this!field,!
ranging!from!simple! to!complex!forms.!Telemedicine!is! one!of!the!earliest! forms!of!eHealth!introduced!in! the!
1920s,! followed! by! wireless! technologies! after! the! birth! of! broadband! Internet,! and! now! wearable!
technologies,! such! as! smart! watches,! are! one! of! the! most! recently! emerging! and! widely! used! technologies!
today!in! eHealth! for! diagnostics! a nd! patient! monitoring! (Waegemann,! 2016).! These! technologies! share! one!
goal! of! facilitating! shared! informed-decisions! based! on! reliable! information! to! improve! the! quality! of! care,!
patient!safety,!and!outcomes!(Beratarbide!and!Kelsey,!2011;!Alsalamah!et!al,!2016a;!Waegemann,!2016).!!
!
2.1. mHealth*Delivery*Model!
!
mHealth!is! an! emerging!healthcare!delivery!model! in! modern!healthcare!that! has! been!maturing!since! 1995!
and!yet!has!no! standard! definition! (Waegemann,!2016;! Moumtzoglou,!2016).! Moreover,!it!is!considered!the!
one!form!of!eHealth!delivery!models!that!concentrates!on!coordinating!integrated!care!and!actively!managing!
it!remotely! in! our! world!today!(Moumtzoglou,! 2016).! However,!the! World!Health! Organization!(Koumpouros!
and!Georgoulas,!2016)!refers!to!mHealth!as:!!
!
The%spread%of%mobile%technologies%as% well% as% advancements% in% their% innovative% application%to%
address%health%priorities''%(Koumpouros!and!Georgoulas,!2016)%
!
Meanwhile,!the!National!Institutes!of!Health!(NIH,!2016)!defines!mHealth!as:!!
!
The% use% of% mobile% and% wireless% technologies% along% with% wearable% and% fixed% sensors% for% the%
improvement% of% health%outcomes,% healthcare% services,%and% health% research''%(Koumpouros!and!
Georgoulas,!2016)%%
!
Finally,!mHealth!is!expected!to!have!a!massive!impact!on!the!way!healthcare!is!delivered!in!our!modern!world,!
healthcare! policies! and! procedures,! structures! of! healthcare! organisations,! and! the! roles! of! patients! and!
healthcare!professionals!in!the!delivery!of!modern!healthcare!services!today.!
!
2.2. Holistic*Integrated*Patient-Centred*Care*Delivery*Model!
!
Traditionally,! healthcare! had! been! delivered! in! a! disease-centred! approach! that! reflects! the! needs! of! the!
disease! diagnosis,! where! care! for! the! patient! focuses! around! the! needs! of! the! professionals! treating! the!
patient! (Dawson!et! al,! 2009;! Skilton,! 2011).! However,!modern! healthcare! is! shifting!this! model! towards! an!
integrated! Patient-Centred! Care! (PCC)!that! has! a! more! holistic! view! considering!the!patient's! condition! as! a!
whole!in!contrast!to!different!healthcare!professionals!treating!each!diagnosed!disease!separately!(Al-Salamah!
et! al,! 2011b;! American!Cancer! Society,! 2008).! PCC! model! puts! the! patient! at! the! heart! of! these! health care!
services!and!tailors!care!around!the!patient's!needs!and!current!state!(DoH,!1997;!Allam,!2006;!Dawson,!2009;!
DoH,! 2010a).! Moreover,! it! encourages! healthcare! professionals! to! adapt! to! these! needs! (DoH,! 2010a)! by!
collaborating! as! a! PCC! team! (Al-Salamah! et! al,! 2011b)!and! using! shared! decision-making! processes! to!
determine! optimal! treatment! plans! for! patients! they! collaboratively! care! for!(Skilton,! 2011;! Sheard,! 2011;!
HIMSS,!2016).!!
!
Finally,! both! traditional! and! modern! treatment! delivery! approaches! have! different! attributes;! the! key!
emphasis!in!traditional!disease-centred!care!is!on!record!keeping!(Dawson!et!al,!2009),!while!the!PCC!approach!
Shada%Alsalamah%
!
!
!
3!
creates! a! “culture! of! open! information"! (DoH,! 2010a)! emphasising! accessibility! to! patient! information!
(Dawson,! 2009)!teamwork! and! collaboration!(Al-Salama!et! al,! 2011b),! and! shared! decision-making! (DoH,!
2010a;!Skilton,! 2011).! This! has! led! to! PCC! treatment! being!called!“shared!care”!of!a!patient!(Smith!and! Eloff,!
1999).!!
!
Therefore,!“shared!care”!is!the!heart!of!integrated!eHealth!services!(Allam,!2006),!and!has!been!defined!by!the!
International!Alliance!of!Patients!Organizations!as:!
!
A%collaborative%effort%consisting%of%patients,%patients'%families,%friends,%the%doctors% and% other%
health%professionals%[…]%where%patients%and%the%health%care%professionals%collaborate%as%a%team,%
share%knowledge%and%work%toward%the%common%goals%of%optimum%healing%and%recovery.”%(IAPO,!
2004)!
!
Meanwhile,!the!Institute!of!Medicine!(Baker,!2001)!defines!PCC!as:!!
%
Care%that%is%respectful% of% and% responsive%to%individual% patient% preferences,% needs,%and%values,%
and%ensuring%that%patient%values%guide%all%clinical%decisions.”%(Baker,!2001)%
!
3. Information*Access*Needs*And*Challenges*In*Patient-Centered*mHealth*!
Implementation!of!PCC!requires!shared!care!where!sharing!patient's! information!is! fundamental!and!must!be!
accessible!anywhere!and!everywhere!across!systems!and!healthcare!settings!(HIMSS,!2016).!In!an!information-
rich! shared! care! where! information! come s! from! multiple! records! and! systems,! it!may! be! overwhelming! to!
identify! key! relevant! information! needed! to! make! speedy! informed-decisions,! and! so! mHealth-supporting!
systems!need!to!be!smart!enough!to!identify!key!relevant!information!and!provide!it!in!a!user!friendly!manner!
for!speedy! access! by!the! right! PCC! team.! One! way!to! balance! between!having! speedy! access! to! information!
while!not!overwhelming!PCC!team!with!extensive!free!text! to!read!through!is! to!handpick!critical!information!
and!provide!them!as!alerts,!in!a!visible,!speedy!and!patient-centred!way.!
!
Alerts!allow!systems!to!inform!the! right!person!with!critical!information!by!delivering!it!immediately!and!they!
can!act! on! this!accordingly!in! a! speedy! manner.!In!the!context! of! mHealth,!alerts!could!be! used! to!notify!the!
PCC! team! member,! and! so! he/! she! can! act! urgently! and! accordingly! when! every! minute! counts.! Therefore,!
alert!application! in! mHealth! can! be! classified!into! two! main!categories:! medical! alerts,!and!non-engagement!
alerts!(mHealthAlert,!2016).!The!former!type!of!alerts!is!normally!generated!by!the!caregiver,!while!the!latter!is!
not!registered!in!the!system!within!the!indicated!time!schedule!(mHealthAlert,!2016).!
4. Gap*In*The*Literature**
Although!many! solutions! were! developed! for!alerts!delivery!to! healthcare! professionals!as!part!of!the!whole!
patient's!EHR!system!at! the! hospital,!most!of!them!fail!to! fully! support!modern!healthcare!delivery! models.!
First,!traditional!EHR!incorporated!into!mHealth!supporting!systems!are!either!delivered!electronically!through!
a!big!flat!screen!on!a!moving!cart!(also!known!as!CoW:!Computer!on!Wheel),!on!a!portable!desk,!or!on!paper-
based!charts!placed!by!the!patient's!bedside.!These!delivery! methods! are! neither! mobile! nor! portable! to! suit!
mHealth.! Second,! although! some! of! today's! technologies!(see! (Alshehri!and! Raj,! 2013;! Doctor! Alert,! 2016;!
KFSHRC,!2016;!Care!Evolution,!2016;!MTBC,!2016)!are!PCC,!they!are!designed!to!meet!the!needs!of!the!client's!
side!(i.e.!patient)!of!PCC!and!not!the!provider's!side!(i.e.!PCC!Team).!For!example,!the!solution!in!(Doctor!Alert,!
2016)!aims!to!empower!the!role!of!patients!in!modern!care!delivery!by!enabling!them!through!this!technology!
to! keep! track! of! their! essential! and! critical! medical! information! for! their! own! personal! use,! provide! an!
emergency!contact,!enable!a!trusted!healthcare!professional!to!have!a!look!at! their!information! if!the! patient!
is!unconscious!(Doctor!Alert,!2016).! Moreover,!both! (KFSHRC,! 2016;!Care!Evolution,!2016),!and!(MTBC,!2016)!
add! to!the! above! list! with! the! ability! to! use! their! solution! to! submit! req uests! and! view! their! actual! records!
without!the!ability!to!control!it!or!change!its!content.!Therefore,!none!of!them!are!officially!used!in!hospitals-
official! EHR! systems!and! they! cannot!provide! a! patient-centred! alert! to! PCC! team.! In! addition,! their!
effectiveness! is! highly! dependent! on! the! patient's! decision! whether! to! download! those! applications! or! not.!
Furthermore,!there! is!no!IT!solution!in! the! market!today!that!would!allow! a! care!team!member!to!manage!a!
specific!alert,!or!even!guarantee!security,!availability,!and!speedy!access!to!patient's!alerts,!in!order!to! ensure!
maximum! effectiveness! for! doctors.! Finally,! the! literature! lacks! comprehensive! mobile! solutions! that! can!
provide!easy!and!speedy!access!to!patient-centred!alerts!to!the!care!team!on!the!go.!
5. Information*Security*In*mHealth**
Shada%Alsalamah%
!
!
!
4!
Information!security!is!a!fundamental!requirement!in!patient!medical!information!to!preserve!their!privacy!in!
mHealth.! Information! security! is! about! the! balance! between! information! availability,! confidentiality,! and!
integrity!(Calder!and!Watkins,!2008;!Whitman!and!Mattord,!2012).!On! the! one!hand,!information!sharing!is!a!
necessity!in!a!shared!environment!such!as!PCC,!and!so!it!needs!to!be!available!to!the!right!care!provider!at!the!
right!time!to!save!the!patient's!life.!On!the!other!hand,!this!information!is!highly!confidential!and!sensitive!and!
so!has!to!be!protected!at!all!times.!Nevertheless,!these!two!information!security!goals!may!be!in!direct!conflict!
(Beale,! 2004),! increasing! confidentiality! by! making! the!record! unavailable! to! the! right!person! which!renders!
the!system!insecure,!and! vice! versa.! Therefore,!achieving!information!security!in! mHealth! is!one!of!the!most!
important! yet! challenging! issues! in! modern! eHealth! (Waegemann,! 2016)!and! requires! complex! security!
mechanisms!to!balance!the!fine!line!between!those!two!information!security!goals.!*
5.1. Access*Control*Security*Mechanism*
!
Access!Control!(AC)!is!one!of!the!most!widely!used!security!mechanisms!today!to!control!users'!actions!in!any!
information!system!(Ferraiolo!et!al,!2003).!Mandatory!Access! Control! (MAC)!and!Discretionary!Access!Control!
(DAC)! are! two! mature,! widely! used,! and! fully! investigated! types! of! AC! in! the! literature! in! recent!decades!
(Whitman! and! Mattord,! 2014).! The! fundamental! difference! between! the! two! types! is! that! MAC! gives! the!
system!full!control!over!making!access! decisions!based!on!predefined!rules,!while!DAC!leaves!it!to!the!user!to!
make! that! decision! (Whitman! and! Mattord,! 2014).! In! the! context! of! mHealth,! MAC! is! mostly! suitable! to!
automate! access! requests! and! decisions,! maintain! the! right! balance! between! information! availability! and!
confidentiality! using! pre-defined! and! approved! access! rules,! and! prevent! internal! threats! by! authorised!
healthcare! professionals! making! irrational! or! malicious! access! decisions! for! personal! gain! (Whitman! and!
Mattord,!2014).!Therefore,!MAC!requires!a!classification!scheme!for!information!resources!and!people!to!rate!
them!in!order!to!define!access!rules,!on!which!the!decision!process!will!be!automated!(Whitman!and!Mattord,!
2014).!!
!
An! AC! rationalises! access! decisions! and! enforces! them! based! on! predefined! access! rules! (Alsalamah!et! al,!
2016).! It! achieves! this!using! three! basic! elements! that! are! responsible! for! the! storage,! decision,! and!
enforcement!of!these!rules!in!a!controlled!environment.! It! ensures! that! an! authenticated! user! only! accesses!
what!they!are!authorised! to! do,!and!determines!if!authorisation! should!be!granted!or! rejected! (Pipkin,! 2000;!
Ferreira!and!Correia,!2010).!Therefore,!AC!is!claimed!to!be!“the!most!fundamental!and!most!pervasive!security!
mechanism!in!use!today”!(Ferraiolo,!2003).!OASIS!eXtensible!Access!Control!Markup!Language!(XACML)!(Oasis!
Open,2013)!is! the! de-facto! AC! standard! referenced! by! ISO! standards! (ISO,! 1996).! Burnap! et! al! (2012)!
summarise!the!OASIS!XACML!architecture!as!consisting! of! three! main! elements! (see! Figure! 1):! Policy! Storage!
Point!(PSP),!Policy!Decision!Point!(PDP),!and!Policy!Enforcement!Point!(PEP).! The!PSP!stores!and!manages!the!
information!security!policies.! The!PDP!evaluates!access!requests!against!the!stored!policies!to!make!an!access!
decision!as!to!whether!the!user!is!or!is!not!allowed!to!perform!the!requested!action!on!the!target!information!
resource.!The!PEP!submits!access!requests!to!the!PDP!and!enforces!the!decision!made!by!the!PDP.!
Figure!1!Interaction!between!Access!Control!(AC)!elements!(Burnap!et!al,!2012)!
!
5.2. Access*Control*Models*
!
AC!has! been! extensively!investigated!in! the! literature,!and!a!large! number! of! different!AC!models!have! been!
delivered!(Park!and! Sandhu,! 2002;! Ferraiolo!et! al,! 2003;! Karp!et! al,! 2009).! These! AC! models! (also!known ! as!
Shada%Alsalamah%
!
!
!
5!
policy-enforcement! models)! are! efforts!to! tackle! different! aspects! of! the! information! security! problem! in!
information! systems! in! a! wid e! range! of! application! domains! (Park!and! Sandhu,! 2002;! Karp!et! al,! 2009).! AC!
models!include,!but!are!not!limited!to,!Role-based!AC!(Ferraiolo!et!al,!2003),!Team-based!AC!(Thomas,!1997),!
Identification-based!AC!(Karp!et!al,!2009),!Lattice-based!AC!(LaPadula,!1996),!Position-based!AC,!Icon-based!AC!
(Alsalamah,!2010),!Temporal!Role-based!AC!(Bertino!et!al,!2001),!and!many!more.!The!key!difference!between!
these! models! of! AC! is! the! targeted! goal(s)! of! the! balance! of! the! information! security! that! is! causing! the!
problem!(Karp!et!al,!2009).!This!is!because!each!of!them!has!been!developed!to!address!an!application-specific!
information! security! problem! with! a! particular! balance! of! information! security! goals.! For! example,! the!
Identification-based! AC! model! was! developed! in! the! early! days! of! the! mainframe,! to! preserve!integrity! in! a!
multi-user!computer!system!and!prevents!one!user!from!interfering!with!the!work!of!others!(Karp!et!al,!2009).!
Meanwhile,!the!Lattice-based!AC!model!was!developed!in!the!1970's!to!deal!with!the!confidentiality!of!military!
information!and!the!Theory!of!Lattice!is!used!to!define!the!levels!of!security!that!an!object!may!have!(based!on!
a!classification!scheme),!and!that!a!subject!may!have!access!to!(based!on!their!clearance!level)!(Sandhu,!1993;!
LaPadula,! 1996).! However,! no! matter! what! the! application! domain! targeted! by! AC! models,! they! have! a!
common! approach,! namely! that! their! access! decisions! are! made! through! a! PDP! which! uses! information!
security! rules! from! an! information! security! policy! stored! in! the! PSP! and! a! PEP! to! enforce! them! (Karp!et! al,!
2009;!Burnap!et!al,!2012).!
5.3. Access*Control*Models*In*mHealth*Systems*
!
Generally!speaking,! healthcare! systems! over! recent!decades! has! deployed!traditional!Role-Based!AC! Models!
(Ferraiolo!et!al,! 2003;! Zhang!et! al,! 2013)! on! a! “Need-to-Know”!principle! (Whitman!and! Mattord,! 2014)!as! a!
security! mechanism! in! compliance! with! the! Data! Protection! Act! 1998!!(HMSO,! 1998;! Anderson,!1996;! DoH,!
2010b;!Whitman!and!Mattord,!2014;!Alsalamah!et!al,!2016a).!According! to!Whitman!and!Mattord!(2014),! the!
“Need-to-Know”!principle! grants! access! only! to! the! specific! information! resources! required! to! perform! the!
currently!assigned!task.!Thus,!this!principle!aims!to!preserve!the!confidentiality!of!patient!medical!information!
and!identifiable! information! to! maintain!the! patient's! privacy! (HMSO,!1998)! not! only!for! outsiders! but! even!
unauthorised! practitioners.! Therefore,! “Need-to-Know''! is! considered! the! norm! as! the! most! widely!used!
security! principle! on! which! AC! models! in! healthcare! systems! worldwide! are! designed! today! (DoH,! 2010b;!
Whitman!and!Mattord,!2014).!!
!
However,!in!the!context!of!mHealth,!“Need-to-Know”!principle!should!grant!PCC!team!access!only!to!relevant!
patient's!critical!information!on! the! mobile! device!to!perform!the!currently! assigned!task,!which!is!caring! for!
the!patient,!and!not!a! general! work!function.!For!instance,! only! those!members! of!the!PCC! team! assigned! to!
the!patient! should! be!given!access!to! their!information.!However,!defining!what!the!PCC! team!actually!needs!
to!know!in!order! to!treat!a!patient!is!dynamic!and!hard!to!be!pre-defined!to!meet!the!changing!access!needs.!
This!due!to!the!fact! that!there!are! two!types!of! information!access!needs!in!modern!healthcare.!First,!routine!
treatment!points!follow! a!predefined!treatment!plan.!Second,!emergency!situations!where!life!and!death!is! a!
factor! demands! an! immediate! relaxation! of! the!deployed! access! control! model! at! regular! predefined!
treatment! points! in! a! timely! manner! to! save! the! patient's! life! (Waegemann,! 2016).! Therefore,! in! order! to!
provide! the! right! set! of! alerts! to! the! right! care! team! member! at! the! right! time! of! treatment,! a! flexible!
classification!scheme! that! classifies!both!information!(alerts)!and!people!(PCC! team! members)! is! required! for!
PCC!AC!model!that!implements!the!“Need-to-Know”!in!mHealth.!
!
6. Four-Tier*Classification*Scheme*For*PCC*AC*Models*In*mHealth**
This! paper! introduces! a! classification! scheme! that! sets! access! rules! based! on! the! following! four! key!
interrelated! elements! (as!illustrated! in! Figure! 2):!the!patient,!PCC%team!assigned! to! this! patient,! their! role!in!
the!patient's!treatment!process,!and!PC!pool!of!treatment-relevant%alerts!along!the!treatment!points.!
!
!
!
Figure!2!Patient-Centred!Alerts!Access!Control!Classification!Scheme!
Shada%Alsalamah%
!
!
!
6!
6.1. Preliminary*Requirements**
All! information! accessed! is!patient-centred!that! integrates! all! critical! information! transparently!
regarding!their!location!or!disease.!
Each! patient! is! looked! after! by! a! PCC! team! that! includes! all! specialised!healthcare! professionals!
caring!for! that! particular! patient!to!treat!his/her!disease!or! condition.!This!means!that! if! a! patient! is!
co-morbid,!then!they!may!have!more!than!one!PCC!team.!This!uses!team-based%access.!
Each!specialised!PCC!team!member!(e.g.!Oncologist)!plays!a!role!in!the!patient's!treatment!journey.!
This!uses!role-based%access.!
Alerts!that!each!PCC!team!member!needs!to!gain!access!to!in!order!to!play!their!role!in!the!current!
treatment!point!along!the!treatment!path!should!be!shown.!This!uses!a!treatment-oriented%alert%feed.!
!
7. Implementation*Of*The*Proposed*AC*Scheme*
Patient! care! in! a! hospital!mainly! falls! into!three! various! contexts:! intensive% care% unit,! inpatient%care,! and!
outpatient%care.!All!contexts!have!the! same!access!needs!on!a!“Need-to-Know”!basis,!but!they! differ! in!terms!
of!how!frequently!this!access!is!needed,!which!highly!depends!on!three!factors:!the! speed!of!this!information!
getting!changed,!how! frequently! this! information! needs! to! be! accessed,! and! the! level! of! urgency.! The!
proposed!scheme! has!been!developed!and! deployed!in!a! prototype! system!implementation!(Alsalamah!et! al,!
2016b),!and!is!planned!to!be!tested!through!three!pilot!studies!each!falling!into!one!of!the!above!contexts.!
Inpatient!care! has! the! balance!between! slow! outpatient!care!and! hectic! care! within!an!intensive!care!unit!in!
which!there! is!a! high! urgency! element! where! vital! sign! readings! are! recorded!every! hour.! Based! on! this,!the!
scheme!is!being! developed! (Alsalamah!et!al,!2016b)!to!provide!patient!alerts!to!his/!her!care! team! members!
on!the! go! using!a! wearable! mobile!device! that! is! attached! to!those! doctors! at! all!times!for! accessibility! and!
ease!of!use!while! freeing! their! hands! for!treatment!provision! (Alsalamah! et! al,! 2016b).! It! encompasses! four!
interrelated! elements:! Smart! wearable! wristwatch! with! an! embedded! application,! Bluetooth! wireless!
connection,!using!Beacons!technology,!along!with!the!patient-centred!alerts!access!control!scheme!(Alsalamah!
et! al,! 2016b).! The! solution! is! designed! for! use! on! a! smart! wristwatch! for! mobility! and! it! utilizes! wireless!
communication!via! embedded! Bluetooth!signals!in!a!Beacon!technology!to!show! those!alerts!wirelessly!while!
restricting! access! to! patient! information! to! the! absolute! minimum! on! a! “Need-to-Know”!basis! to! preserve!
patient!privacy!(see!Figure!3)!(Alsalamah!et!al,!2016b).!!
!
Figure!3!``Watch''%my%Health!proposed!solution!and!its!elements!(Alsalamah!et!al,!2016b)!
!
This!solution!is!practical!for!busy!doctors!to!achieve!this!goal.!This!is!mainly!due!to!the!fact!that!alerts!could!be!
shown!to!doctors!on! the!go!on!a!wearable! mobile!device!that!is!attached! to!them!at!all!times!for!accessibility!
and! ease! of!use,! while! freeing! doctors’! hands! for! treatment! provision.! This! also! maintains! the! privacy! of!
patients!information!as!each! smart!wristwatch!is!meant!for!doctors’!personal!use!and!has!a!better!chance!of!
protecting!the!confidentiality!of!such! sensitive! information! than! having! it! displayed!on!a! desktop! with! a! 15-
inch! wide! flat! screen! in! a! room ! full! of! other! healthcare! providers,! supporting ! personnel,! and! even! patients.!
Shada%Alsalamah%
!
!
!
7!
Finally,!Watch”%my%Health!would!help!provide!the!best!treatment!possible!based!on!informed!decisions!at!the!
right! time! to! the! patient! while! avoiding! complications! and! life-threatening! situations! because! of! lack! of!
information! availability! (Alsalam ah! et! al,! 2016b).! Although! “Watch”% my% Health!shows! the! potential! for! the!
proposed!AC!scheme,!testing!scenarios!of!the!application!were!predefined!as!part!of!the!software!engineering!
methodology!adopted.!Therefore,!it!is!not!yet! comprehensive!enough! as! it! has! not! been!tested!in! a! real-life!
medical! scenario! where! patients! are! co-morbid.! Consequently,! the! scheme! would! need! further! testing! for!
validation!for!inpatient!care!contexts!along!with!the!two!other!contexts.!
!
8. Conclusion*
There!is!a!global!shift!towards!holistic,!integrated!Patient-Centred!(PC),!and! mobile!healthcare!services,!and!a!
number! of! healthcare! delivery! models! are! emerging! to! support! this! modernisation! movement.! This! paper!
highlights! a! number! of! key! issues! in! current! solutions! in! modern! healthcare.! First! and! foremost,! patients’!
records!are!hard!to!read!because!of!lengthy!free!text!in!both!paper!and!electronic!formats,!which!necessitates!
a!time-consuming!reading!task,!time!which!healthcare!professionals!cannot!afford!to!lose!in!order!to!save!the!
patient's! life.! Furthermore,! typical! alert! systems! do! not! fully! support! PC!mHealth! as! they! fall! short! of!
empowering!the!PC!Care!(PCC)!team!and!preserving!the!privacy!of!patients;!viewing!alerts!must!reach!the!right!
healthcare! professional!caring! for! the! patient.! The! paper! also! highlights! emerging! information! access! needs!
that!hinder!full!adoption!of!mHealth!using!traditional,!inflexible!Access!Control!(AC)!models.!!
!
AC!models!are!one!of!the!fundamental!information!security!mechanisms!used!in!healthcare!today! to!balance!
the! fine! line! between! information! availability! (i.e.! to! meet! access! needs)! while! preserving! patient's!
confidentiality.! Therefore,! AC! models! need! to! comply! with! Data! Protection! Act! 1998! by! granting! access!to!
information! strictly! on! a! “Need-to-Know''! basis! in! healthcare! systems.! Implementation! of! this! model! has! to!
meet!the!access!needs!of!the!system! deploying!this!model.!Therefore,! this!paper!introduces!a! novel!four-tier!
classification!scheme!for!AC!models!suitable!for!holistic,!integrated!PC,!mHealth!that!would!meet!the!identified!
needs!in!this!challenging!health!delivery!model.!This! classification! scheme!grants!PCC!team!member!access!to!
a!patient's!information!based!on!the!following!four!rules:!firstly,!the!information!is!patient-centred!and!neither!
disease!nor!profession-centred.!Secondly,!it!is!provided!only!to!the!PCC!team!assigned!to!this!particular!patient!
only!if! the!member!has!a!role! to!play!in!the! treatment!point,!and!finally,! only!critical!information! relevant!to!
the!treatment!pathway!is!provided.!!
!
However,!the! classification!scheme!alone!is! insufficient!without!solutions!implementing! it,! bearing!in! mind!a!
number! of! requirements! that! would! complement! this! scheme! in! meeting! access! needs! in! mHealth.! These!
solutions!should!be,!first,!portable,!mobile,!and!wearable!to!be!used!on!the!go.!Second,!they!should!be!capable!
of!retrieving! critical! information!(as! critical! alerts)!in! a! speedy! manner.! Third,!they! should! display! alerts! in! a!
visible! and! user-friendly! manner,! and! finally,! they! must! deploy! a! highly! secure! access! control! model! on! a!
“Need-to-Know” principle!that!can!balance! the!fine!line!between! the!availability!of! patient!information!while!
preserving!his/her! privacy! using! the! proposed! classification!scheme.!Ultimately,!it!is! believed! that!this! paper!
lays! a! sound! foundation! in! identifying! key! challenges! and! needs! in! terms! of! solutions! attempting! to! fully!
support!the!delivery!of!eHealth!services!in!general!and!mHealth!in!particular!for!inpatients.!This!is!to!facilitate!
the!provision!of!the!best!treatment!possible!based!on!informed!decisions!at!the!right!time!to!the!patient,!while!
avoiding!complications!and!life-threatening!situations!because!of!lack!of!information!availability.!
!
Acknowledgments*
*
The!author!would!like!to!express!her!gratitude!for!the!valuable!input!of!Ms.!Karl!Dedene!Bayal!-GP!Nurse-,!and!
Ms.!Alfutaimany,!Ms.!Aldayel,!Ms.!Alashaikh,!Ms.!Alqahtanni,!and!Ms.!Alsabti.!
!
References**
!
Map! of! Medicine! (MoM)! (2012),! Map% of% Medicine,! [Online].! Available:!
http://www.mapofmedicine.com/solution/whatisthemap/!!
S.!Alsalamah,! H.!Alsalamah,!A.! W.! Gray,!and!J.! Hilton!(2016a),!Information%Security%Threats%in%Patient-Centred%
Healthcare,!A.!Moumtzoglou,!Ed.!IGI!Global,!January.!!
A.!S.! Moumtzoglou! (2016),!Tailored%M-Health%Communication%in%Patient-Centered%Care,! A.! Moumtzoglou,!Ed.!
IGI!Global,!January.!!
United!Nations!Population!Fund!(UNFPA)!(2016),!Population% Ageing:%A%Celebration%and%a%Challenge,! [Online].!
Available:!http://www.unfpa.org/pds/ageing.html!!!
J.! Powell!(2009),! Integrating% healthcare% with% ICT,!in! Integrating% Healthcare% with% Information% and%
Communications%Technology,! 1st!ed.,! W.! Currie! and! D.! Finnegan,! Eds.! Oxford:! Radcliffe! Publishing!Ltd,! ch.! 4,!
pp.!8594.!!!
Shada%Alsalamah%
!
!
!
8!
G.!Eysenbach!(2001),!What%is%e-health?!J%Med%Internet%Research,!vol.!3,!no.!2.!!!
S.!Alsalamah,!W.A.!Gray,!and!J.!Hilton!(2011a),!Sharing%Patient%Medical%Information%among%Healthcare%Team%
Members% while% Sustaining% Information% Security,”% in! Proceedings! of! the! 15th! International! Symposium! on!
Health!Information!Management!Research!(ISHIMR),!P.! A.! Bath,!T.!Mettler,!D.!Raptis,!and! B.!A.!Sen,! Eds.,! no.!
September.!Zurich:!University!of!Zurich,!University!of!St.!Gallen!and!University!of!Sheffield,!pp.!553554.!
C.! P.! Waegemann!(2016),! mHealth:% History,%A nalysis,% and% Implementation,! A.! Moumtzoglou,! Ed.! IGI! Global,!
January.!!
E.!Beratarbide!and! T.!Kelsey!(2011),!“eHealth!Governance,! A!Key!Factor!for! Better!Health!Care,”!Ethical%Issues%
and%Security%Monitoring%Trends%in%Global%Healthcare,!no.!c,!pp.!7292.!!
Y.! Koumpouros! and! A.! Georgoulas! (2016),! “mHealth! R&D! Activities! in! Europe,”! M-Health% Innovations% for%
Patient-%Centered%Care,!pp.!2051.!!
National! Institutes! of! Health! (NIH)! (2016),! “Who% We% Are% —% National% Institutes% of% Health% (NIH)’.”! [Online].!
Available:!http://www.nih.gov/about-nih/who-we-are!!
A.!Skilton!(2011),! “Using!Team!Structure!to!Understand!and!Support!the!Needs! of! Distributed! Healthcare!
Teams,”!PhD!Thesis,!Cardiff!University.!
J.!Dawson,!B.!Tulu,!and!T.!A.!Horan!(2009),!“Towards%Patient-Centered%Care:% The% Role% of%E-Health%in% Enabling%
Patient%Access%to%Health%Information,”%in!Patient-Centered%E-Health,!E.!V.!Wilson,!Ed.!London:!IGI!Global.!!
H.!Al-Salamah,!W.!A.!Gray,!and!D.!Morrey!(2011b),!“Velindre!Healthcare! Integrated! Care!Pathway,”!in!Taming%
the%Unpredictable%Real%World%Adaptive%Case%Management:%Case%Studies%and%Practical%Guidance,!L.!Fischer,!Ed.!
Lighthouse!Point:!Future!Strategies!Inc.,!p.!227.!!
American! Cancer! Society! (2008),! “Holistic! Medicine.”! [Online]! Available! at:!
http://www.cancer.org/Treatment/TreatmentsandSideEffects/ComplementaryandAlternativeMedicine/MindB
odyandSpirit/holistic-medicine.!
Department!of!Health!(DoH)!(1997),!The%new%NHS:%modern,%dependable.!London:!HMSO.!
O.!Allam!(2006),“A!Holistic!Analysis!Approach!to!Facilitating!Communication! between! General! Practitioners!
and!Cancer!Care!Teams,”!PhD!Thesis,!PhD!Thesis,!Cardiff!University,!Cardiff,!UK,!Cardiff.!!
Department!of!Health!(DoH)!(2010a),!Equity%and%excellence:%Liberating%the%NHS.!London:!HMSO,!2010.!
Katherine!Sheard,!General%Practitioner.!Personal!Communication,!April!2011.!
Healthcare!Information!and!Management!Systems!Society!(HIMSS),!(2016),!“Patient!Engagement!—!Health!IT!
Topics! —! HIMSS.”! [Online].! Available:!
http://www.himss.org/ResourceLibrary/ContentReg.aspx?ItemNumber=33952!
E.! Smith! and! J.! H.! Eloff!(1999),! “Security! in! health-care! information! systemscurrent! trends.”! International%
journal%of%medical%informatics,!vol.!54,!no.!1,!pp.!3954,!Apr.!!
International!Alliance!of!Patient’!Organizations!(IAPO)!(2004),!“What!is!Patient-Centred!Healthcare?!A!Review!
of!Definitions!and!Principles,”!International!Alliance!of!Patient’!Organizations,!London,!Technical!Report!11.!!
A.!Baker!(2001),!“Crossing! the! quality! chasm:! A! new! health! system! for! the! 21st! century,”! BMJ,! vol.!323,! no.!
7322,!p.!1192.!!
mHealthAlert! (2016),! “Mobile! App! and! Desktop.”! [Online].! Available:!
http://www.mhealthalert.com/app_devices.html!!
S.!Alshehri!and!R.K.!Raj!(2013),“Secure!access!control!for!health!information!sharing! systems,”!in! Healthcare%
Informatics%(ICHI).%IEEE%Inter-%national%Conference%on.!IEEE,!2013,!pp.!277286.!!
Doctor! Alert! (2016),! “Doctor! Alert-! The! App.”! [Online].! Available:! http://www.doctoralert-
app.com/en/medical-app!
King! Faisal! Specialist! Hospital! &! Research! Centre!(KFSHRC)! (2016),! “Sehaty.”! [Online].! Available:!
http://www.kfshrc.edu.sa/ar/home?Language=English!!
Care! Evolution! (2016),!“Collaborative! Family! Health! Record! (cFHR)”! [Online].! Available:!
http://www.careevolution.com.!
MTBC! Personal! Health! Record! (PHR)! (2016)! “MTBC! PHR! APK!for! Andriod.”! [Online].! Available:!
http://www.androidapps.biz/app/com.phr!!
A.!Calder!and!S.!Watkins!(2008),!IT%governance:%a%manager’s%guide%to%data%security%and%ISO%27001/%ISO%27002,!
4th!ed.!London:!Kogan!Page!Limited,!April.!!
M.!E.!Whitman!and!H.!J.!Mattord!(2012),!Principles%of%information%security.!Boston:!Course!Technology.!!
T.! Beale!(2004),! “The! Health! Record! -! Why! is! it! so! hard?”! in! IMIA% Yearbook% of% Medical% Informatics% 2005:%
Ubiquitous%Health%Care%Systems,!R.!Haux!and!C.!Kulikowski,!Eds.,!Stuttgart,!pp.!301304.!!
D.! F.! Ferraiolo,! D.! R.! Kuhn,! and! R.! Chandramouli!(2003),! Role-Based% Access% Control.! Boston:! Artech! House!
computer!security!series.!
M.! E.! Whitman!and! H.! J.! Mattord!(2014),! Management%of% Information% Security,% 4% ed.! Stamford,! CT,! United!
States:!Cengage!Learning.!
D.!L.!Pipkin!(2000),!Information%Security%Protecting%the%Global%Enterprise.!New!Jerseyn:!Prentice!Hall.!
Shada%Alsalamah%
!
!
!
9!
A.!Ferreira!and!R.!Correia!(2010),!“Access!Control!in!Healthcare:!the!methodology!from!legislation!to!practice,”!
in!13th%World%Congress%on%Medical%and%Health%Informatics,%(Medinfo),!Cape!Town,!pp.!666–!670.!!
OASIS! Open!(2013),! “OASIS! eXtensible! Access! Control! Markup! Language! (XACML)-! Version! 3.0.”![Online].!
Available:!http://docs.oasis-!open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf!!!
International!Organization!for!Standardization!(ISO)!(1996),!“ISO/IEC!10181-!3:1996!–!Information!technology!–!
Open! Systems! Interconnection! –! Security! frameworks! for! open! systems:! Access! control! framework,”! ISO,!
Geneva,!Switzerland,!Technical!Report.!!
P.!R.!Burnap,!I.!Spasic,!W.!A.!Gray,!J.!C.!Hilton,!O.!F.!Rana,!and!G.!El-!wyn!(2012),!“Protecting!patient!privacy!in!
distributed!collaborative!healthcare!environments!by!retaining!access!control!of! shared! information,”!in! 14th%
International%Conference%on%Collaboration%Technologies%and%Systems%(CTS),%2012,!Denver,!2012,!pp.!490497.!!!
J.! Park! and! R.! Sandhu!(2002),! “Towards! usage! control! models:! beyond! traditional! access! control,”! in!
Proceedings%of%the%seventh%ACM%symposium%on%Access%control%models%and%technologies,!ser.!SACMAT!!’02.!New!
York,!NY,!USA:!ACM.!pp.!5764.!!
A.!H.! Karp,!H.!Haury,! and!M.!H.!Davis!(2009),!“From! ABAC! to! ZBAC:! The! Evolution!of!Access!Control!Models,”!
HP!Laboratories,!Technical!Report.!!!
R.!K.!Thomas!(1997),!“Team-based!access!control!(tmac):!A!primitive!for!applying!role-based!access!controls!in!
collaborative!environments,”!in! Proceedings% of%the%Second%ACM%Workshop%on%Role-based% Access%Control,!ser.!
RBAC!’97.!New!York,!NY,!USA:!ACM.!pp.!1319.!!
Len! LaPadula! (1996),! “Secure! Computer! Systems:! Mathematical! Foundations,”! Technical! Report.! [Online].!
Available:!http://www.albany.edu/acc/courses/ia/classics/belllapadula1.pdf!!!
S.!Alsalamah!(2010),!Towards%Information%Sharing%in%Virtual%Organisations:%The%Development%of%an%Icon-based%
Information%Control%Model.%Saarbru&̈cken:&LAP!Lambert!Academic!Publishing.!!!
E.!Bertino,!P.!A.!Bonatti,!and!E.!Ferrari!(2001),!“TRBAC:! A!Temporal! Role-based!Access!Control!Model,”!ACM%
Trans.%Inf.%Syst.%Secur.,!vol.!4,!no.!3,!pp.!191233,!Aug.!2001.!!
R.!Sandhu!(1993),!“Lattice-based!access!control!models,”!Computer,!vol.!26,!no.!11,!pp.!919,!November.!
R.!Zhang,!L.!Liu,!and!R.!Xue!(2013),!“Role-based!and!time-bound!access!and!management!of!ehr!data,”!Security%
and%Communication%Networks.!!!!
Her! Majesty!Stationery! Office!(HMSO)! (1998),! Data% Protection% Act% 1998,! [Online].!
http://www.legislation.gov.uk/ukpga/1998/29/section/7!
R.!J.!Anderson!(1996),!“Security!in!Clinical!Information!Systems,”!London,!p.!32.!!
Department! of! Health!(DoH)! (2010b),! “Caldicott! Guardian! Manual! 2010,”! Department! of! Health,! Technical!
Report.!!!
S.!Alsalamah,!A.!Alfutaimany,!L.!Alashaikh,!G.!Aldayel,!M.!Alqahtanni,!and!S.!Alsabti!(2016b),!“A! smart!mobile!
patient-centred! alert! system! using! a! smart! watch! and! beacon! technology,”! in! Presented% in% the% 3rd% ACM-W%
Europe%Celebration%of%Women%in%Computing%(womENcourage%2016),%September%12-13,!Linz,!Austria.!!
Shada%Alsalamah%
... Shift from disease-centered care to one that is patient-centered [20] The digital transformation of healthcare using emerging technologies, such as ICT, cloud computing, Internet of Things (IoT), and mobile and wearable devices, has the potential to enhance health outcomes by improving medical diagnosis, data-based treatment decisions, digital therapeutics, clinical trials, self-management of care, and person-centered care, as well as create more evidence-based knowledge, skills, and competence for professionals to support health care. Electronic Healthcare (eHealth) plays an increasingly significant role in shaping modern healthcare in such areas as mobile health (mHealth), ubiquitous healthcare (uHealthcare), telemedicine, and virtual healthcare. ...
... All of the frameworks care to store transactions in relation to a patient's medical information that needs to be accessed to make an informed decision about the best treatment options. This blockchain is distributed among EMR systems at various healthcare settings based on permissioned blockchain solutions which allow access to only invited, and hence verified users, which complies with information security and data protection laws and regulations for medical record [27]. ...
Conference Paper
Full-text available
Blockchain technology is a ledger system that is popularly known as the backbone of the Bitcoin cryptocur-rency. Since its conception, the potential beneficial applications of blockchain in other digital sectors have been lauded in the literature, and related challenges have been disputed. In this study, the literature is reviewed for frameworks and use cases that fully realize the applicability of blockchain beyond financial applications and cryptocurrencies. A network analysis of the literature was performed to identify the most popularly documented digital sectors in this context, which include the Internet of Things (IoT), healthcare, supply chain management, and government sectors. For each sector, this review documents use cases in which an attempt is made to implement blockchain solutions. The main purpose of this paper is to probe each sector for the growing maturity of blockchain technology and to document the unique benefits and challenges arising from the use of this technology. The findings show that despite the growing reputation of blockchain technology, its implementation within these four sectors remains in infancy because the use cases lack concrete evaluations of its effectiveness and plausibility. Nevertheless, the categorization of current blockchain use cases demonstrates current applications and sector-specific concerns that suggest future directions for further research.
Conference Paper
Full-text available
Mass Disasters are on the increase leaving behind unidentified victims from around the globe, which makes victim identification challenging to Disaster Victim Identification (DVI) teams. Such identification is done by matching Ante-Mortem (AM) and Post-Mortem (PM) records of a primary identifier. Although DNA, Fingerprints and Teeth are the primary identifiers used by DVI teams following INTERPOL standards, teeth are considered the most robust and could survive inhumation well. Nevertheless, inconsistent dental codes across countries, poor quality of AM dental records, and sometimes the absence of digital formats are major challenges hindering victims’ identification in a timely manner. Using qualitative and quantitative methods this paper identifies the requirements for universal dental data record and unification ecosystems and proposes a blockchain-based design where inconsistent primary dental records can be automatically converted into a DVI INTERPOL standards, stored in a distributed ledger among international DVI teams to help them bring justice to today’s global victims.
Chapter
Full-text available
Healthcare is taking an evolutionary approach towards the adoption of Patient-Centred (PC) delivery approach, which requires the flow of information between different healthcare providers to support a patient's treatment plan, so the Care Team (CT) can seamlessly and securely access relevant information held in the different discrete Legacy Information Systems (LIS). Each of these LIS deploys an organisational-driven information security policy that meets its local information sharing context needs. Nevertheless, incorporating these LIS in collaborative PC care brings multiple inconsistent policies together, which raises a number of information security threats that can block the CT access to critical information across a patient's treatment journey. Using an empirical study, this chapter identifies information security threats that can cause the issue, and defines a common collaboration-driven information security design. Finally, it identifies requirements in LIS to address the inconsistent policies in modern PC collaborative environments that would help improve the quality of care.
Conference Paper
Full-text available
Access control and privacy policies change during the course of collaboration. Information is often shared with collaborators outside of the traditional “perimeterized” organizational computer network. At this point the information owner (in the legal data protection sense) loses persistent control over their information. They cannot modify the policy that controls who accesses it, and have that enforced on the information wherever it resides. However, if patient consent is withdrawn or if the collaboration comes to an end naturally, or prematurely, the owner may be required to withdraw further access to their information. This paper presents a system that enhances the way access control technology is currently deployed so that information owners retain control of their access control and privacy policies, even after information has been shared.
Article
Role-based access control (RBAC) models are receiving increasing attention as a generalized approach to access control. Roles may be available to users at certain time periods, and unavailable at others. Moreover, there can be temporal dependencies among roles. To tackle such dynamic aspects, we introduce Temporal-RBAC (TRBAC), an extension of the RBAC model. TRBAC supports periodic role enabling and disabling---possibly with individual exceptions for particular users---and temporal dependencies among such actions, expressed by means of role triggers. Role trigger actions may be either immediately executed, or deferred by an explicitly specified amount of time. Enabling and disabling actions may be given a priority, which is used to solve conflicting actions. A formal semantics for the specification language is provided, and a polynomial safeness check is introduced to reject ambiguous or inconsistent specifications. Finally, a system implementing TRBAC on top of a conventional DBMS is presented.
Article
Security and privacy are widely recognized as important requirements for access and management of electronic health record (EHR) data. In this paper, we argue that EHR data need to be managed with customizable access control in both spatial and temporal dimensions. We present a role-based and time-bound access control (RBTBAC) model that provides more flexibility in both roles (spatial capability) and time (temporal capability) dimensions to control the access of sensitive data. Through algorithmic combination of role-based access control and time-bound key management, our RBTBAC model has two salient features. First, we have developed a privacy-aware and dynamic key structure for role-based privacy aware access and management of EHR data, focusing on the consistency of access authorization (including data and time interval) with the activated role of user. In addition to role-based access, a path-invisible EHR structure is built for preserving privacy of patients. Second, we have employed a time tree method for generating time granule values, offering fine granularity of time-bound access authorization and control. Our initial experimental results show that tree-like time structure can improve the performance of the key management scheme significantly, and RBTBAC model is more suitable than existing solutions for EHR data management because it offers high-efficiency and better security and privacy. Copyright © 2013 John Wiley & Sons, Ltd.
Article
This chapter provides a conceptual foundation by exploring the existing literature on traditional healthcare, patient-centered healthcare, and the progression of e-health in enabling the movement towards patient-centered care. This chapter also discusses enhancing the relationship between the patient and the healthcare provider through e-health. We conclude with a discussion of the future of patient-centered e-health and future research opportunities in this area.
Conference Paper
In this paper we develop the concept of Usage Control (UCON) that encompasses traditional access control, trust management, and digital rights management and goes beyond them in its definition and scope. While usage control concepts have been mentioned off and on in the security literature for some time, there has been no systematic treatment so far. By unifying these three areas UCON offers a promising approach for the next generation of access control. Traditional access control has focused on a closed system where all users are known and primarily utilizes a server-side reference monitor within the system. Trust management has been introduced to cover authorization for strangers in an open environment such as the Internet. Digital rights management has dealt with client-side control of digital information usage. Each of these areas is motivated by its own target problems. Innovations in information technology and business models are creating new security and privacy issues which require elements of all three areas. To deal with these in a systematic unified manner we propose the new UCON model. UCON enables finer-grained control over usage of digital objects than that of traditional access control policies and models. For example, print once as opposed to unlimited prints. Unlike traditional access control or trust management, it covers both centrally controllable environment and an environment where central control authority is not available. UCON also deals with privacy issues in both commercial and non-commercial environments. In this paper we first discuss access control, trust management, and digital rights management and describe general concepts of UCON in the information security discipline. Then we define components of the UCON model and discuss how authorizations and access controls can be applied in the UCON model. Next we demonstrate some applications of the UCON model and develop further details. We use several examples during these discussions to show the relevance and validity of our approach. Finally we identify some open research issues.
Conference Paper
In this paper, we introduce the notion of TeaM-based Access Control (TMAC) as an approach to applying rolebased access control in collaborative environments. Our focus is on collaborative activity that is best accomplished through organized teams. Thus, central to the TMAC approach is the notion of a “team” as an abstraction that encapsulates a collection of users in specific roles with the objective of accomplishing a specific task or goal. We were led to the idea of TMAC when our investigations revealed two interesting requirements for certain collaborative environments. The first was the need for a hybrid access control model that incorporated the advantages of broad, role-based permissions across object types, yet required fine-grained, identity-based control on individual users in certain roles and to individual object instances. The second was a need to distinguish the passive concept of permission assignment from the active concept of context-based permission activation. It remains to be seen whether these requirements should lead to yet another variation of one or more models of RBAC, or whether such requirements and