Risk and Credentials based Access Control

Date post: 09-Feb-2017
Upload: aastha-madaan
Page 1: RISK-AWARE INTEGRITY MANAGEMENT FRAMEWORK FOR DISTRIBUTED HEALTHCARE SYSTEMS

Aastha Madaan, Research Fellow, WSL, IIIT-B

※ Research work done as a part of Work Package 3 of the TRUMP Project [2]

Collaborative Healthcare Setup

[Figure: the EHR at the centre, linked to Appointments/Patient information, Pathology Results, Treatment/Procedures/Problem Lists and Nursing Notes]

Page 2: TRUMP: REQUIREMENTS

o Collaborating & heterogeneous care providers and receivers
o Self-intervention for chronic illnesses
o Multi-agency care
o Disjoint/distributed agencies
o Limited resources

CHALLENGES

o Unit of exchange of health information: EHRs (the TRUMP Unit)
o Subjective utility
o Bounded validity
o Interrelated utility
o Divergent aggregation

Page 3: TRUMP UNIT / DISTRIBUTED KNOWLEDGE REPRESENTATION FRAMEWORK

[Figure: the TRUMP Unit. Attributes: RecordId, PName, Age, Sex, Version_id. Data. Imported worlds and participation: Organization, Treatment, Person, Person, ...; Primary care, Provider, Therapy, Physician, Specialist, ...]

• Many Worlds on a Frame (MWF) Knowledge Representation framework proposed in [3], [5]

[Figure: EHR UoD schema]

Pages 4-9: AN EXAMPLE (1) to (6)

[Figure: screenshots of the worked example, one per slide]

* Screenshots Source: MTech Students - TRUMP Project

Page 10: RISK-AWARE INTEGRITY MANAGEMENT

Integrating “Trust” and “Risk” measures with the earlier proposed Credentials based Access Control (CBAC) [4]

o Flexible, bottom-up approach
o Associate policies based on user credentials
o Define Risk and Trust measures

Page 11: INTEGRATING TRAAC AND CBAC (1)

Access control agnostic to actual end-users: Zoned Policy Model [TRAAC]

[Figure: Zoned Privilege Packages, with zones labelled share, deny, readu, reads and undefined]

o Type of Requests: Read & Share
o Data Object: Policy Zones assigned
o Risk: Request; Trust: Requestor
o Types of Trust: Obligation & Sharing

[Figure: example participation across Hospital X, the Department of Health and the Health-care Providers Association, with roles Heart Specialist, Secretary and President]

Page 12: INTEGRATING TRAAC AND CBAC (2)

TRAAC approach misses CONTEXT during trust update, e.g. in which context was the particular violation made.
TRAAC + CBAC: MWF captures the context of a given interaction.

Visibility of policies is critical to avoid unintentional violation.
TRAAC + CBAC: a policy is viewed as a data element.

Credentials of a user → participation set
Credentials → Privilege Package → view applicable policies
Update of sharing- and obligation-based trust
Assignment of sensitivity category information

Page 13: ASSOCIATING TRUST

Trust: probability with which a Privilege Package is entrusted to a world
Privilege package: Assertion_1, Assertion_2, Assertion_3, ..., Assertion_n
Assertion: set of role(Type, Location)
Trust value: aggregation of the trust values associated with each role in the user’s participation set

Trust across system elements:
o User trust in system: privacy of information
o System trust in users: authenticated information
o Trust between users: history of events

Evaluating trust: Risk Mitigation Strategy, i.e. obligations to be performed in a given domain
Sharing Trust & Obligation Trust

Page 14: ASSOCIATING RISK

Risk: probability with which a data-access is granted to a World with a Stakeholder with a Privilege Package, P

o Assign sensitivity category to Worlds
o Calculate loss sustained due to access
o Undesirable events: fake credentials of a user; illegitimate access made by user

Risk Score = Loss * Probability of Undesirable Events

Risk domain: Type and Location of a World
Risk Mitigation Strategy: ?

[Figure: access decision based on risk: Allow / Deny]
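The trust aggregation of slide 13 and the Risk Score of slide 14, worked through as an added example (not code from the TRUMP project or the slides). Assumed here: roles are modelled as role(Type, Location) assertions, the aggregate trust of a participation set is the minimum over its roles, the probability of an undesirable event is 1 minus the requestor's trust, the loss values per sensitivity category and the allow threshold are constructed numbers, and trust updates record the context the slides say TRAAC loses.

```python
from dataclasses import dataclass

# Constructed loss (0..1) per sensitivity category of a World; the
# categories and numbers are assumptions made for this example.
LOSS_BY_SENSITIVITY = {"public": 0.05, "internal": 0.3,
                       "confidential": 0.6, "restricted": 0.95}

@dataclass(frozen=True)
class Role:
    """One assertion of a privilege package: role(Type, Location)."""
    type: str       # e.g. "Heart Specialist"
    location: str   # World in which the role is held, e.g. "Hospital X"

def trust_value(participation, role_trust):
    """Aggregate trust over the roles in the user's participation set.
    Assumed aggregation: the minimum (a package is only as trusted as its
    least-trusted assertion); an unknown role contributes 0 trust."""
    if not participation:
        return 0.0
    return min(role_trust.get(r, 0.0) for r in participation)

def risk_score(sensitivity, trust):
    """Risk Score = Loss * Probability of Undesirable Events, where the
    probability of an undesirable event (fake credentials, illegitimate
    access) is assumed to be 1 - trust in the requestor."""
    return LOSS_BY_SENSITIVITY[sensitivity] * (1.0 - trust)

def decide(sensitivity, participation, role_trust, threshold=0.2):
    """Allow while the risk score stays within the (assumed) threshold."""
    risk = risk_score(sensitivity, trust_value(participation, role_trust))
    return ("Allow" if risk <= threshold else "Deny", round(risk, 4))

def update_trust(role_trust, role, obligation_met, context, history, step=0.2):
    """Obligation-based trust update that also records the context of the
    event, which the slide notes TRAAC loses. Violations cost twice as much
    as a fulfilled obligation earns (assumed asymmetry)."""
    new = role_trust.get(role, 0.0) + (step if obligation_met else -2 * step)
    role_trust[role] = min(1.0, max(0.0, new))
    history.append((role, context, obligation_met, role_trust[role]))
    return role_trust[role]

# Constructed sample: a heart specialist at Hospital X who also holds a
# secretary role at the Department of Health requests Pathology Results.
ROLE_TRUST = {Role("Heart Specialist", "Hospital X"): 0.9,
              Role("Secretary", "Department of Health"): 0.7}
PARTICIPATION = list(ROLE_TRUST)

if __name__ == "__main__":
    print(decide("confidential", PARTICIPATION, dict(ROLE_TRUST)))  # ('Allow', 0.18)
```

A single unmet obligation on the weakest role drops the aggregate trust enough to flip the same request to Deny, which is the coupling between obligation trust and risk the two slides describe.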

Page 15: Risk and Credentials based Access Control

CONCERNS Emergency Access Bypassing Access Rules

Patient Owner of data or subject of data

Modelling stakeholder as a data element answer this?

Complex Information Flows Involve Delegation

Responsibility

Update Trust

15

Quantification of Risk and Trust

Revocation of Privilege Packages Boundary conditions Risk

& Trust

Risk Mitigation Strategies and Obligation Trust Delegation

Visualization of Risk Access granted to a stakeholder

Page 16: REFERENCES

1. Burnett, C., Chen, L., Norman, T. J. and Edwards, P. (2014). TRAAC: Trust and Risk Aware Access Control. Proceedings of the 12th Annual Conference on Privacy, Security and Trust (PST 2014), Toronto, Canada.

2. Burnett, C., Edwards, P., Norman, T. J., Chen, L., Rahulamathavan, Y., Jaffray, M. and Pignotti, E. (2013). TRUMP: A Trusted Mobile Platform for Self-management of Chronic Illness in Rural Areas. In Trust and Trustworthy Computing (pp. 142-150). Springer Berlin Heidelberg.

3. Jog, C., Agrawal, S. and Srinivasa, S. (2015). Distributing a Trust Framework for Utilitarian Data Exchanges in Inter-Organizational Collaborations. Proceedings of the Second ACM iKDD Conference on Data Sciences (CoDS 2015), Bangalore, India, March 2015.

4. Agrawal, S., Jog, C. and Srinivasa, S. (2014). Integrity Management in a Trusted Utilitarian Data Exchange Platform. Proceedings of the 13th International Conference on Ontologies, Databases and Applications of Semantics (ODBASE 2014), Amantea, Italy, October 2014.

5. Srinivasa, S., Agrawal, S., Jog, C. and Deshmukh, J. (2014). Characterizing Open Utilitarian Knowledge. Proceedings of the First IKDD Conference on Data Sciences (CoDS 2014), New Delhi, India, March 2014.

