genome.tugraz.atgenome.tugraz.at/medicalinformatics/wintersemester2013holzinger/11_lv... ·...
TRANSCRIPT
![Page 1: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/1.jpg)
1
![Page 2: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/2.jpg)
2
![Page 3: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/3.jpg)
3
![Page 4: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/4.jpg)
4
![Page 5: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/5.jpg)
5
![Page 6: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/6.jpg)
6
![Page 7: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/7.jpg)
7
![Page 8: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/8.jpg)
Slide11‐1:KeyChallenges• DataintheCloud,• mobilesolutions,thetrendtowardssoftware‐as‐a‐service,and• themassiveincreaseintheamountofdata……inthemedicalarearequirealotoffutureeffortinPrivacy,DataProtection,SecurityandSafety.Thechallengesofdataintegration,datafusionandtheincreaseduseofdataforsecondaryuseputtheseissuesfroma“nice‐to‐have”intothekeyinterest.Example:InJanuary2013,theUSDepartmentofHealthandHumanServicesreleasedtheOmnibusFinalRule,whichsignificantlymodifiedtheprivacyandsecuritystandardsundertheHealthInsurancePortabilityandAccountabilityAct(HIPAA).Thesenewregulationsweredrivenbyaneedtoensuretheconfidentiality,integrity,andsecurityofpatients’protectedhealthinformation(PHI)inelectronichealthrecords(EHRs)andaddressestheseconcernsbyexpandingthescopeofregulationsandincreasingpenaltiesforPHIviolations(Wang&Huang,2013).
8
![Page 9: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/9.jpg)
According toaclassicsurveybyAmalberti etal.(2005)wecandeterminebetweenveryriskyenterprises,typicallyHimalayamountaineeringandrelativelysaveenterpriseswithlowrisk,typicallycommerciallarge‐jetaviation.Themedicalareaisinbetween,withatendencytotheHimalayadependingonthehealtharea.
9
![Page 10: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/10.jpg)
These arethestudyresultspresentedbyAmalberti (2005),rangingfromveryunsave toultrasave.Inmanyclinicaldomains,suchastraumasurgery,therateofseriouscomplicationsisrelativelyhigh,butnotallcomplicationsarerelatedtomedicalerrors.Incontrast,somehealthcaresectors,e.g.gastroenterologic endoscopy,areverysafe.
Thesizeoftheboxrepresentstherangeofriskinwhichagivenbarrierisactive.Reductionofriskbeyondthemaximumrangeofabarrierpresupposescrossingthisbarrier.Shadedboxesrepresentthe5systembarriers.ASAAmericanSocietyofAnesthesiologists.
10
![Page 11: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/11.jpg)
Slide11‐4Definitions:Privacy,Security‐ SafetyPrivacy=includetheindividualrightsofpeopletoprotecttheirpersonallifeandmattersfromtheoutsideworld;Safety=anyprotectionfromharm,injury,ordamage;aweightingprocessreflectshowcomfortableanorganizationdealswithitsriskexposure.Accidentratesinhealthcarecurrentlyrangefrom10‐1to10‐7eventsperexposure(Amalberti,Auroy,Berwick&Barach,2005).Security=(intermsofcomputer,data,informationsecurity)meansprotectingfromunauthorizedaccess,use,modification,disruptionordestructionetc.;Agoodexamplefortheseissuesistheelectronichealthrecordin→Slide11‐26:Thepatientdatamustbeconfidential,secureandsafe,whilstatthesametimeitmustbeusable,useful,accurate,up‐to‐dateandaccessible.
11
![Page 12: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/12.jpg)
12
Aswehavealreadyheardinlecture7,theInstituteofMedicine(IOM)releasedareportin1999entitled‘‘ToErrisHuman:BuildingaSaferHealthSystem’’.TheIOMreportcalledfora50%reductioninmedicalerrorsover5years.Itsgoalwastobreakthecycleofinactionregardingmedicalerrorsbyadvocatingacomprehensiveapproachtoimprovepatientsafety.Thehealthcareindustryrespondedwithawiderangeofpatientsafetyeffortsandsafetywasatopicforresearchers(Figure11‐3).Hospitalinformationsystemsvendorsadoptedsaferpracticesandemphasizedthatsafetywasalsonowapriorityforthem(Stelfox etal.,2006).However,sofarnocomprehensivenationwidemonitoringsystemexistsforpatientsafety,andarecenteffortbytheAgencyforHealthcareResearchandQuality(AHRQ)togetanationalestimatebyusingexistingmeasuresshowedlittleimprovement(Leape &Berwick,2005).KohnL.T.,Corrigan,J.M.,Donaldson,M.S.(1999):ToErrisHuman:BuildingaSaferHealthSystem,NationalAcademyPress,Washington(DC)
![Page 13: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/13.jpg)
FiveyearsaftertheIOMreport
ChangesinpatientsafetypublicationsAlargeshiftinthenumberofpatientsafetypublicationsfollowedthereleaseoftheIOMreport(fig1).Anaverageof59patientsafetyarticleswerepublishedper100000MEDLINEpublicationsinthe5yearsbeforetheIOMreport;thisincreasedto164articlesper100000MEDLINEpublicationsinthe5yearsafterpublicationofthereport(p,0.001).Evenaftercontrollingforanexisting3%perquarterupwardtrend(p,0.001),therateofpatientsafetypublicationsincreasedimmediatelyafterthereleaseoftheIOMreportby64%(p,0.001).Significantlyincreasedratesofpublicationwereobservedforalltypesofpatientsafetyarticles(table1).RatesofpatientsafetypublicationsinthetopgeneralmedicaljournalsmirroredthoseinMEDLINEindexedjournals,averagingfourarticlesper100000MEDLINEpublicationsbeforetheIOMreportand13articlesper100000MEDLINEpublicationsaftertheIOMreport(p,0.001).
13
![Page 14: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/14.jpg)
Herewesethat thereportstimulatedresearchtoacertainextent.
14
![Page 15: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/15.jpg)
http://www.scientificamerican.com/blog/post.cfm?id=deaths‐from‐avoidable‐medical‐error‐2009‐08‐10
15
![Page 16: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/16.jpg)
Ötzi theIceman(Similaun Man)istheoldestpreservednaturalmummyofamanwholivedaround3300BC
16
![Page 17: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/17.jpg)
Asyoucanstillreadinthenewspaperswrong‐sitesurgeryisstillabigissue,oras{Manjunath,2010#4665}putitforwarditisaclearandconstantfear.
17
![Page 18: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/18.jpg)
TheECMmedicalversionconsistsof20codes,dividedintofourcategories(Fig.1),frequentlyusedinamedicalenvironmenttoclassifytheunderlyingcausesoftheadverseevents[11].
II.EXTENDEDEINDHOVENCLASSIFICATIONMODELAlargenumberofdifferentsystemshavebeenusedtoclassifyeventsregardingtopatientsafety[10].Manyofthemethodsusedtoanalyzepatientsafetywereadaptedfromrisk‐managementtechniquesinindustries,especiallyinhigh‐riskindustriessuchasthechemical,nuclearpowerandaviationindustry[5].TheEindhovenClassificationModel(ECM)wasoriginallydevelopedtomanagehumanerrorinthechemicalprocessindustryandwasthenappliedtovariousotherindustries,suchassteelindustry,energyproductionandinhealthcare.TheECMmedicalversionconsistsof20codes,dividedintofourcategories(Fig.1),frequentlyusedinamedicalenvironmenttoclassifytheunderlyingcausesoftheadverseevents[11].
18
![Page 19: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/19.jpg)
Slide11‐11AdverseeventreportingandlearningsystemHereweseetheAEMI(AdverseEventsinMedicalImaging)systemdevelopedby(Rodriguesetal.,2010),whichintendstoreducetheamountoftimeandmanuallaborrequiredforanalyis.TheAEMIarchitectureincludestreemodules:1)AdverseEventsReportingFormsinMedicalImaging(AERFMI),2)AdverseEventsManagerReportsinMedicalImaging(AERMMI)and3)KnowledgeManagerAdverseEventsinMedicalImaging(AEKMMI).AERFMIprovidestheWebinterfaceforadverseeventsregistration.Theeffortonthisinterfacewasfocusedinitsusability.AERMMIisalsoWebbasedandaimstoenabletheindividualanalysisofeachadverseeventrecordedbyAERFMIandprovidessomerelevantstatisticsrelatedtothevariouseventsregistered.AEKMMIisaJavaapplication.ThismoduleusesthedatafromthesystemdatabasetocreateaKnowledgeBase(KB)basedontheEECMusingthelogicprogramminglanguageProlog(Rodriguesetal.,2010).
19
![Page 20: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/20.jpg)
Slide11‐12Review:FrameworkforunderstandinghumanerrorInlecture7wediscussedaframeworkfordemonstratinghowhumanerror–resultinginadverseevents– arise.Remember,theframeworkconsistsofthreecomponents:1)Humanfallibilityaddressesthefundamentalsensory,cognitive,andmotorlimitationsofhumansthatpredisposethemtoerror;2)Contextreferstosituationalvariablesthatcanaffectthewayinwhichhumanfallibilitybecomesmanifest;and3)BarriersconcerningthevariouswaysInwhichhumanerrorscanbecontained;Wewillnowfocusononeparticularissueinthethirdcomponent:Thenextslideshowsthefamous“Swisscheese”modelofaccidentcausation.
20
![Page 21: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/21.jpg)
Slide11‐13Reason(1997)SwissCheeseModelThe“Swisscheese”modelofaccidentcausationemphasizesthatadverseeventsoccurwhenactivefailuresalignwithgapsorweaknessesinthesystemspermittinganerrortogountrapped anduncompensated(Sundt,Brown&Uhlig,2005).Themodelwasoriginallydevelopedby(Reason,1997),andagoodreadingis(Reason,2000).
21
![Page 22: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/22.jpg)
Slide11‐14Riskmanagement‐ FAASystemSafetyWewilltalkaboutriskmanagementalsointhelastlecture,butweneedthedefinitionsnowforacommonunderstanding,andlookattheimagetoprightintheslide:Totalrisk=identified+unidentifiedrisks.Identifiedrisk=determinedthroughvariousanalysistechniques.Thefirsttaskofsystemsafetyistoidentify,withinpracticallimitations,allpossiblerisks.Thisstepprecedesdeterminethesignificanceoftherisk(severity)andthelikelihoodofitsoccurrence(hazardprobability).Thetimeandcostsofanalysisefforts,thequalityofthesafetyprogram,andthestateoftechnologyimpactthenumberofrisksidentified.Unidentifiedriskistherisknotyetidentified.Someunidentifiedrisksaresubsequentlyidentifiedwhenamishapoccurs.Someriskisneverknown.Unacceptableriskisthatriskwhichcannotbetoleratedbythemanagingactivity.Itisasubsetofidentifiedriskthatmustbeeliminatedorcontrolled.Acceptableriskisthepartofidentifiedriskthatisallowedtopersistwithoutfurtherengineeringormanagementaction.Makingthisdecisionisadifficultyetnecessaryresponsibilityofthemanagingactivity.Thisdecisionismadewithfullknowledgethatitistheuserwhoisexposedtothisrisk.Residualriskistheriskleftoveraftersystemsafetyeffortshavebeenfullyemployed.Itisnotnecessarilythesameasacceptablerisk.Residualriskisthesumofacceptableriskandunidentifiedrisk.Thisisthetotalriskpassedontotheuser.
22
![Page 23: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/23.jpg)
Slide11‐15ImprovingSafetywithIT– ExampleMobilePatientsafetyinhealthcareistheequivalentofsystemssafetyinindustry,whichisusuallybuiltinfoursteps:(1)measuringriskandplanningtheidealdefensemodel,(2)assessingthemodelagainsttherealbehaviorofprofessionals,andmodifyingthemodelorinducingachangeinbehaviorwhentherearegaps,(3)adoptingabettermicro‐ andmacro‐organization,(4)graduallyre‐introducingwithintheratherrigid,prescriptivesystembuiltinsteps1–3somelevelofresilienceenablingittoadapttocrisesandexceptionalsituations.Inthisslideweseeanexampleofamobilesystemscreeningforlaboratoryabnormalities,forexample,hypokalemiaandadecreasinghaematocrit,wouldrequireurgentactionbutoccurrelativelyinfrequently,oftenwhenaclinicianisnotathand,andsuchresultscanbeburiedamidlesscriticaldata.Suchmobilesystemscanidentifyandrapidlycommunicatetheseproblemstocliniciansautomatically(Bates&Gawande,2003).
23
![Page 24: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/24.jpg)
24
Slide11‐16:EnhancingPatientSafetywithubiquitousdevicesThisisanotherexampleonhow,forexamplewrongsitesurgerycanbeavoided:PatientscheckinattheHospital– inadditiontoanordinarywristbandanRFIDtransponderissupplied.Patientdataisenteredviaourapplicationatthecheck‐in‐point,anypreviouspatientdatacanberetrievedfromtheHIS.Fromthisinformation,uncriticalbutimportantdata(suchasname,bloodtype,allergies,vitalmedicationetc.)istransferredtothewristband’sRFIDtransponder.TheElectronicPatientRecord(EPR)iscreatedandstoredatthecentralserver.Fromthistimethepatientiseasilyandunmistakablyidentifiable.Allinformationcanbereadfromthewristband’stransponderorcanbeeasilyretrievedfromtheEPRbyidentifyingthepatientwithareader.Incontrasttomanualidentification,automaticprocessesarelesserror‐prone.Unlikebarcodes,RFIDtransponderscanbereadwithoutlineofsight,throughthehumanbodyandmostothermaterials.Thisenablesphysiciansandnursestoretrieve,verifyandmodifyinformationintheHospitalaccuratelyandinstantly.Inaddition,thissystemprovidespatientidentificationandpatientdata– evenwhenthenetworkiscrashed(Holzinger,Schwaberger &Weitlaner,2005)
![Page 25: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/25.jpg)
Slide11‐17:SecurityProblemsofubiquitouscomputingSecurityrequiresconfidentiality(akasecrecy),integrityandavailability.Allotherrequirementssuchasnon‐repudiationcanbetracedbacktooneofthesethreerequirements.Non‐repudiation,forinstance,canbeseenasaspecialcaseofintegrity,i.e.theintegrityoflogdatarecording.Themostwell‐knownsecurityrequirementisconfidentiality.Itmeansthatusersmayobtainaccessonlytothoseobjectsforwhichtheyhavereceivedauthorization,andwillnotgetaccesstoinformationtheymustnotsee.Theintegrityofthedataandprogramsisjustasimportantasconfidentialitybutindailylifeitisfrequentlyneglected.Integritymeansthatonlyauthorizedpeoplearepermittedtomodifydata(orprograms).Secrecyofdataiscloselyconnectedtotheintegrityofprogramsofoperatingsystems.Iftheintegrityoftheoperatingsystemiscompromised,thentheintegrityofthedatacannolongerbeguaranteed.Thereasonisthatapartoftheoperatingsystem(i.e.thereferencemonitor)checksforeachaccesstoaresourcewhetherthesubjectisauthorizedtoperformtherequestedoperation.Sincetheoperatingsystemiscompromisedthereferencemonitorisnolongertrustworthy.Itisthenobviousthatsecrecyofinformationcannotbeguaranteedanylongerifthismechanismisnotworking.Forthisreasonitisimportanttoprotecttheintegrityofoperatingsystemsjustasproperlyasthesecrecyofinformation.ItisthroughtheInternetthatmanyusershavebecomeawarethatavailabilityisoneofthemajorsecurityrequirementsforcomputersystems.Availabilityisdefinedasthereadinessofasystemforcorrectservice.Withgrowingubiquitouscomputinginhealthcaresecurityproblemsareincreasing(Weippl,Holzinger&Tjoa,2006):1)Protectionprecautions:vulnerabilitytoeavesdropping,trafficanalysis,spoofinganddenialofservice.Securityobjectives,suchasconfidentiality,integrity,availability,authentication,authorization,nonrepudiationandanonymityarenotachievedunlessspecialsecuritymechanismsareintegratedintothesystem.2)Confidentiality:thecommunicationbetweenreaderandtagisunprotected,exceptofhigh‐endsystems(ISO14443).Consequently,eavesdropperscanlisteniniftheyareinimmediatevicinity.3)Integrity:Withtheexceptionofhigh‐endsystemswhichusemessageauthenticationcodes(MACs),theintegrityoftransmittedinformationcannotbeassured.Checksums(cyclicredundancychecks,CRCs)areused,butprotectonlyagainstrandomfailures.Thewritabletagmemorycanbemanipulatedifaccesscontrolisnotimplemented.
25
![Page 26: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/26.jpg)
Slide11‐18ClinicalExample:Context‐awarepatientsafety1/2(Bardram &Norskov,2008)developedacontextawarepatientsafetyandinformationsystem(CAPSIS)designedforuseduringsurgery,designedtomonitorwhatisgoingonintheoperatingroom(OR).Thisinformationisusedtodisplaymedicaldatatothecliniciansattheappropriatetime,andtoissuewarningsifanysafetyissuesaredetected.CAPSISwasimplementedusingtheJavaContext‐AwarenessFramework(JCAF)andmonitorssuchinformationasthestatusoftheoperation;thestatusandlocationofthepatient;thelocationofthecliniciansintheoperatingteam;andequipment,medication,andbloodbagsusedintheoperatingroom.ThisinformationisacquiredandhandledbytheJCAFcontextawarenessinfrastructure,andaspecialsafetyservice,implementedbymeansoftheJavaExpertSystemShell(Jess),isusedforoverallreasoningonwhatactionsshouldbetakenorwhatwarningsshouldbeissued.CAPSISdiffersfromotherpatientsafetysystemsinbeingdesignedtomonitoreverything(orasmanythingsaspossible)intheOR,andthereforetobecapableofreasoningacrosstheentiregamutoffactspertainingtothesituationintheOR.Itthussupplementshumanvigilanceonsafetybyprovidingamachinecounterpartthatiscapableofdrawinginferences(Bardram &Norskov,2008).
26
![Page 27: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/27.jpg)
Slide11‐19ClinicalExample:Contextawarepatientsafety2/2ThisslideshowstheuserinterfaceoftheCAPSISsystem,whichconsistsof4windows:(A)isthemainpatientsafetywindow,whichprovidesanoverviewofthepatient’ssafetystatusfortheoperationinquestion;(B)showsthepatient’smedicalrecord;(C)showsthepatient’smedicalimages;and(D)showstherelevantchecklistforthegivensurgicalprocedure.Thepatientsafetywindow(A)iscomposedofthreepanels:thepatientpanel,thestaffpanelandthepatientsafetypanel.Thepatientpanelaggregatesimportantinformationaboutthecurrentpatientandsurgery,includingthepatient’sname,socialsecuritynumber(SSN),allergies(CAVE),picture,scheduledsurgery,andcurrentstatusandlocation.Themainpurposeofthisframeistohelpthesurgicalstaffavoidthethreebigwrongs:wrongpatient,wrongprocedureandwrongsurgicalsite,aswellaspresentingvitalinformationonthesafetyofthepatientsuchastheCAVElistandpatientstatus(Bardram &Norskov,2008).
27
![Page 28: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/28.jpg)
Slide11‐20PatientSafetyPatientsafetyinhealthcareistheequivalentofsystemssafetyinindustry,whichisusuallybuiltinfoursteps:(1)measuringriskandplanningtheidealdefensemodel,(2)assessingthemodelagainsttherealbehaviorofprofessionals,andmodifyingthemodelorinducingachangeinbehaviorwhentherearegaps,(3)adoptingabettermicro‐ andmacro‐organization,(4)graduallyre‐introducingwithintheratherrigid,prescriptivesystembuiltinsteps1–3somelevelofresilienceenablingittoadapttocrisesandexceptionalsituations.Thedevelopmentofpatientsafetyhasnowherenearreachedstep4exceptinspecificareassuchasbloodtransfusionorlaboratorytesting.Evenstep1hasnotbeencompleted(Amalberti etal.,2011).
28
![Page 29: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/29.jpg)
Slide11‐21TypesofadverseeventsinmedicineandcareAnerrormayormaynotcauseanadverseevent.Adverseeventsareinjuriesthatresultfromamedicalinterventionandareresponsibleforharmtothepatient(death,life‐threateningillness,disabilityatthetimeofdischarge,prolongationofthehospitalstay,etc.).Forexample,anearmiss(Number6inthisslide)isanadverseeventthateitherresolvesspontaneouslyorisneutralizedbyvoluntaryactionbeforetheconsequenceshavetimetodevelop.Adverseeventsmaybeduetomedicalerrors,inwhichcasetheyarepreventable,ortofactorsthatarenotpreventable;so,theoccurrenceisalwaysacombinationofhumanfactorsandsystemfactors(Garrouste‐Orgeas etal.,2012).
29
![Page 30: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/30.jpg)
Slide11‐22Safety,Security‐>TechnicalDependabilityDependabilityconsistsofthreeparts:thethreatsto,theattributesof,andthemeansbywhichdependabilityisattained,asshowninthisslide.Computingsystemsarecharacterizedbyfivefundamentalproperties:functionality,usability,performance,cost,anddependability.Dependabilityofacomputingsystemistheabilitytodeliverservicethatcanjustifiablybetrusted.Thetrust‐factorisperceivedbytheusers(rememberthePreviousExposuretoTechnology,PET‐Factor(Holzinger,Searle&Wernbacher,2011)),andauserisanothersystem(human)thatinteractswiththeformerattheserviceinterface.Thefunctionofasystemiswhatthesystemisintendedtodo,andisdescribedbythefunctionalspecification.Correctserviceisdeliveredwhentheserviceimplementsthesystemfunction.Asystemfailureisaneventthatoccurswhenthedeliveredservicedeviatesfromcorrectservice.Afailureisthusatransitionfromcorrectservicetoincorrectservice,i.e.,tonotimplementingthesystemfunction.Thedeliveryofincorrectserviceisasystemoutage.Atransitionfromincorrectservicetocorrectserviceisservicerestoration.Basedonthedefinitionoffailure,an3alternatedefinitionofdependability,whichcomplementstheinitialdefinitioninprovidingacriterionforadjudicatingwhetherthedeliveredservicecanbetrustedornot:theabilityofasystemtoavoidfailuresthataremorefrequentormoresevere,andoutagedurationsthatarelonger,thanisacceptabletotheuser(s).Intheoppositecase,thesystemisnolongerdependable:itsuffersfromadependabilityfailure,thatisameta‐failure(Avizienis,Laprie &Randell,2001).
30
![Page 31: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/31.jpg)
Slide11‐23Typesoffaults:Design– Physical– InteractionCombiningtheelementaryfaultclassesleadstothetreeinthisslide:Theleavesofthetreeleadintothreemajorfaultclassesforwhichdefensesneedtobedevised:designfaults,physicalfaults,interactionfaults.Theboxesinthisslidepointatgenericillustrativefaultclasses.Non‐maliciousdeliberatefaultscanariseduringeitherdevelopmentoroperation.Duringdevelopment,theyresultgenerallyfromtradeoffs,eithera)aimedatpreservingacceptableperformanceandfacilitatingsystemutilization,orb)inducedbyeconomicconsiderations;suchfaultscanbesourcesofsecuritybreaches,intheformofcovertchannels.Non‐maliciousdeliberateinteractionfaultsmayresultfromtheactionofanoperatoreitheraimedatovercominganunforeseensituation,ordeliberatelyviolatinganoperatingprocedurewithouthavingrealizedthepossiblydamagingconsequencesofhisorheraction.Non‐maliciousdeliberatefaultssharethepropertythatoftenitisrecognizedthattheywerefaultsonlyafteranunacceptablesystembehavior,thusafailure,hasensued;thespecifier(s),designer(s),implementer(s)oroperator(s)didnotrealizethattheconsequenceofsomedecisionoftheirswasafault(Avizienis,Laprie &Randell,2001).
31
![Page 32: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/32.jpg)
Slide11‐24ATwo‐TieredSystemofMedicineThistableby(Amalberti,Auroy,Berwick&Barach,2005)showadetailedcomparisonofthese2possibletiersofhealthcare.Physiciantrainingwouldhavetoaccommodatethis2‐tieredapproach,andpatientswouldhavetounderstandthataggressivetreatmentofhigh‐riskdiseasemayrequireacceptanceofgreaterriskandnumberofmedicalerrorsduringclinicaltreatment.
32
![Page 33: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/33.jpg)
Slide11‐25TowardastrategicviewonsafetyinhealthcareAnimprovedvisionbyleadershipofthesafetyanddangersofhealthcareisneededtooptimizetherisk–benefitratio.Stratificationcouldleadto2tiersor“speeds”ofmedicalcare,eachwithitsowntypeandlevelofsafetygoals.This2‐tiersystemcoulddistinguishbetweenmedicaldomainsthatarestableenoughtoreachcriteriaforultrasafety andthosethatwillalwaysdealwithunstableconditionsandarethereforeinevitablylesssafe.Formedicine,high‐reliabilityorganizationsmayofferasoundsafetymodelandHigh‐reliabilityorganizationsarethosethathaveconsistentlyreducedthenumberofexpectedor“normal”accidents(accordingtothenormalaccidenttheory)throughsuchmeansaschangetocultureandtechnologicadvances,despiteaninherentlyhigh‐stress,fast‐pacedenvironment(Amalberti,Auroy,Berwick&Barach,2005).
33
![Page 34: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/34.jpg)
34
Slide11‐26RequirementsofanelectronicpatientrecordRemembertherequirementstoapatientrecordfromtheviewpointofensuringprivacy:Thepatientdatamustbeconfidential,secureandsafe,whileatthesametimemustbeusable,useful,accurate,up‐to‐dateandaccessible.
![Page 35: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/35.jpg)
Slide11‐27Pseudonymization ofInformationforPrivacy1/8Anexcellentpaperby(Neubauer &Heurix,2011)shallprovideagoodteachingexample,inthefollowingconsistingof8slides.Protectionofthepatients’dataprivacycanbeachievedwithtwodifferenttechniques,anonymization andencryption,whichunfortunatelybothsufferfrommajordrawbacks:Whileanonymization – theremovaloftheidentifierfromthemedicaldata– cannotbereversedandthereforepreventsprimaryuseoftherecordsbyhealthcareproviderswhoobviouslyneedtoknowthecorrespondingpatient(asaminorpoint,patientscannotbenefitfromtheresultsgainedinclinicalstudiesbecausetheycannotbeinformedaboutnewfindingsetc.),encryptionofthemedicalrecordspreventsthemfrombeingusedforclinicalresearch(secondaryuseofclinicaldata).Atleastwithouttheexplicitpermissionofthepatient,whohastodecryptthedataand,indoingso,revealsheridentity.Consideringthatsomemedicalrecordscanbeverylarge,encryptioncanalsobeseenasatime‐consumingoperation.Amethodthatresolvestheseissuesispseudonymization,whereidentificationdataistransformedandthenreplacedbyaspecifier thatcannotbeassociatedwiththeidentificationdatawithoutknowingacertainsecret.Pseudonymization allowsthedatatobeassociatedwithapatientonlyunderspecifiedandcontrolledcircumstances(Neubauer &Heurix,2011).Aimedtoprovideapseudonymization service,PIPE(Pseudonymization ofInformationforPrivacyine‐Health)canbeappliedtodifferentscenarios:Inthelocalscenario,thePIPEserverpseudonymizes onlyrecordsstoredinthelocal(health)datarepositoryandmakesthemavailabletoalocal(healthcareprovider’s)workstationwherebothpatientandhealthcareproviderinteractwiththepseudonymization serveraspartofahealthcareproviderenvironment(e.g.,withahospitalinformationsystem).Inanalternativecentralscenario,thePIPEpseudonymization serverisresponsibleforprovidinglinkinginformationtodifferenthealthrecordsstoredatdistributedlocations.Intheslidetwoseparatehealthcareproviderenvironmentsexistwheretheindividualworkstationshavedirectaccesstotheirlocaldatarepositories.Viathepseudonymization service,thehealthcareprovidersareabletoaccessrecordsofotherdomainsiftheyareexplicitlyauthorizedtodoso.Inthisscenario,thepatientalsohastheopportunitytoretrievetherecordsathome(Neubauer &Heurix,2011).
35
![Page 36: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/36.jpg)
Slide11‐28Pseudonymization ofInformationforPrivacy2/8ThePIPEprotocolusesacombinationofsymmetricandasymmetriccryptographickeystorealizealogicalmulti‐tierhullmodelwiththreedifferentlayers,whereeachlayerisresponsibleforonestepinthedataaccessprocess.Theuserhastopassalllayersinordertoretrievetheactualhealthdatarecords.Theouterpublicandouterprivatekeysformtheouterlayer,theauthenticationlayer,whichisresponsibleforunambiguouslyidentifyingthecorrespondinguser.Togetherwiththeuser’sidentifier,theouterprivatekeyrepresentstheauthenticationcredentials,whicharestoredalongwiththeserver’spublickeyontheuser’ssmartcard.IncombinationwiththecorrectPIN,thesmartcardprovidestwo‐factorauthentication,wheretheauthenticationprocedureinvolvesboththeuser’sandthePIPEserver’souterkeypair,theuser’sidentifier,andtworandomlyselectedchallenges.Themiddlelayer,theauthorizationlayer,consistsoftheuser’sinnerasymmetrickeypair andtheinnersymmetrickey.Whiletheuser’souterprivatekeyiscreatedonthesmartcardwhenthecardisissuedtotheuserandneveractuallyleavesthecard,theotherkeysarestoredinthepseudonymizationdatabasewherethesecretkeysarestoredencrypted:theinnersymmetrickeyisencryptedwiththeinnerpublickey,whiletheinnerprivatekeyisencryptedwiththeouterpublickey(Neubauer &Heurix,2011).
36
![Page 37: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/37.jpg)
Slide11‐29Pseudonymization ofInformationforPrivacy3/8accessrights.Incontrasttoauthorizedusers,anaffiliateduser,e.g.,acloserelative,isentrustedwiththedataowner’sinnerprivatekeyandisthereforeabletodecryptthedataowner’sinnersymmetrickey,grantingtheaffiliateduserfullaccesstoall1Pseudonymsarestoredincleartext whenmappedtoaparticularrecordwhilethelinkbetweenthemishiddenbystoringthepseudonymsencryptedinasinglerelation.2Byaffiliationsviakey‐sharing,theaffiliateduserisgrantedaccesstotherootpseudonymsaswell.datacorrespondingtothedataowner.Therefore,theaffiliateduserisabletodecryptthelinksbetweenallrootandsharedpseudonymsrelatedtothedataowner.Theconceptualdatamodelisdepictedininthisslide:Theidentificationandhealthpseudonymsalwaysforma1:1relationshipandarereferencedwiththeircorrespondingdocumenttypewherethisreferenceisstoredincleartext (record/pseudonymmapping).Thelinkbetweentheidentificationandhealthpseudonymsisstoredencryptedwiththeuser’sinnersymmetrickey(pseudonym/pseudonymmapping):whiletherootpseudonymsareencryptedwiththedataowner’s(patient’s)innersymmetrickeyonly,thesharedpseudonymsareencryptedwithboththedataowner’sandtheauthorizeduser’s(healthprofessional’s)innersymmetrickeysothatbothusersareabletodecryptthemusingtheircorrespondingciphertexts.Thelinkbetweentheidentificationandhealthrecordishiddenandrepresentedbythelinkbetweenidentificationandhealthpseudonyms.Eachhealthrecordisassignedexactlyoneroothealthpseudonymwhileeachidentificationrecordhasmultiplerootpseudonyms,dependingonthenumberofhealthrecords,duetothe1:1relationship.Thehealthrecordisassignedanumberofsharedhealthpseudonymsaccordingtothenumberofindividualauthorizationsforthatparticularhealthrecord(Neubauer &Heurix,2011).
37
![Page 38: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/38.jpg)
Slide11‐30Pseudonymization ofInformationforPrivacy4/8ThisslideshowstheUserauthentication,whichinvolvesthemutualauthenticationoftheuserusingthesmartcardandtheserver,involvingtheirouterkeypair andtwononces (randomlyselectednumbersusedonce)asuser/serverchallenges.Oncebothidentitiesareconfirmed,theuser’sinnerprivatekeyisretrievedfromthepseudonymization databaseandtransferredtotheuser’ssmartcardtobedecryptedwiththeuser’souterprivate3TransportLayerSecurity.key.Withthedecryptedinnerprivatekey,theuser’sinnersymmetrickeycanbedecryptedwithintheHSMatthepseudonymization serverandbecachedforfurtheroperationsalongwiththeuser’sinnerprivatekey.Inaddition,asessionkeyisgeneratedattheHSMandsecurely(viaencryption)transportedtotheuser’ssmartcardsothatthekeyappearsincleartext onlyonthesmartcardandHSM(Neubauer &Heurix,2011).
38
![Page 39: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/39.jpg)
Slide11‐31Pseudonymization ofInformationforPrivacy5/8Toretrieveaparticularhealthrecord,theuserfirstneedstoqueryfortheparticularencryptedpseudonymsbycreatingakeywordusingthekeywordtemplates,retrievingthecorrespondingkeywordidentifier,andqueryingfortheencryptedidentifiertofindmatchingencryptedpseudonyms,i.e.,theencryptedpseudonymmappingsassociatedwiththeencryptedkeywordidentifier.Thepseudonympairsarethendecryptedwiththeuser’sinnersymmetrickeyandtheplaintextpseudonymsthenusedtoretrievethecorrespondingidentificationandhealthrecords,whicharetransferredtotheusertobedisplayed(possiblymerged).Optionally,thepseudonymsandkeywordidentifierarealsotransferredtotheuser(rootpseudonymsforauthorizations).Therecordretrievalprocedureisthesameforthepatientasdataowner,healthcareproviderasauthorizeduser,andrelativeasaffiliateduser,withthedifferencethatthepatientandrelativebothqueryforthepatient’srootpseudonyms,whilethehealthcareproviderreliesonthesharedpseudonyms(Neubauer &Heurix,2011).
39
![Page 40: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/40.jpg)
Slide11‐32Pseudonymization ofInformationforPrivacy6/8Toprovideatrustedhealthcareproviderwiththeknowledgeofthelinkbetweenthepatient’sidentificationrecordandaparticularhealthrecord,anewsharedpseudonympairiscreatedasauthorizationrelation.Thepatientfirsthastoretrievetherootpseudonympairandkeywordidentifiercorrespondingtothehealthrecordheorsheintendstosharewiththehealthcareprovider.Furthermore,boththepatientasdataownerandthehealthcareproviderasauthorizeduserhavetobeauthenticatedatthesameworkstationsothatbothuseridentifiersareavailableattheclientside,whilebothinnersymmetrickeysarecachedattheHSMofthepseudonymization server.Therootpseudonympairisthentransferredtothepseudonymization serveralongwithbothuseridentifiersandthekeywordidentifier,andthecorrespondingrecordidentifiersretrievedusingthecleartext record/pseudonymmappings.Theserverthenrandomlyselectsanewshared pseudonympair,whichisfirstencryptedwithbothusers’innersymmetrickeys(alongwithbothidentifiersandthekeywordidentifier)andthenstorestheminthedatabaseasauthorizationrelation.Finally,thecleartextpseudonymsarethenreferencedwiththeretrievedrecordidentifierstocreatetwonewrecord/pseudonymmappings(Neubauer &Heurix,2011).
40
![Page 41: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/41.jpg)
Slide11‐33Pseudonymization ofInformationforPrivacy7/8Aswithauthorizations,auseraffiliationrequiresthatboththepatientasdataownerandthetrustedrelativeasaffiliateduserareauthenticatedatthesameworkstation.Thenbothuseridentifiersaretransferredtothepseudonymizationserverwheretheyareencryptedwithbothusers’innersymmetrickeys.Inaddition,thepatient’sinnerprivatekeyisalsoencryptedwiththerelative’sinnersymmetrickey,andallelementsarestoredinthepseudonymization metadatastorageasaffiliationrelation(Neubauer &Heurix,2011).
41
![Page 42: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/42.jpg)
Slide11‐34Pseudonymization ofInformationforPrivacy8/8Finally,fromtheviewpointofthepatientasdataowner,healthdatastoragefirstrequiresthatan‘old’rootidentificationpseudonymisretrievedasreferencetotheidentificationrecord.Furthermore,thepatientcreatesanewkeywordandentersthenewhealthrecordintotheworkstation.Thenthepseudonym,newkeyword,newhealthrecord,anduseridentifieraretransferredtothepseudonymizationserver,wherethekeywordisstored(anditsidentifierdeterminedbythedatabaseengine)andtheidentificationrecordidentifierretrieved.Thenewrecordisstoredinthehealthrecordsdatabaseanditsrecordidentifierreturnedtotheserver.Then,theservercreatesanewrootpseudonympairandstoresitencryptedwiththekeywordidentifieranduseridentifierasrootaccess,aswellasthecleartextrecord/pseudonymmappings(Neubauer &Heurix,2011).
42
![Page 43: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/43.jpg)
Slide11‐35Example:privatepersonalhealthrecordAstheawarenessofpatientsfortheirmedicaldataincreases,thereisatrendofprivatepersonalhealthrecords,sometimescalledhealthvaults.Anexamplecanbeseeninhttp://healthbutler.comInthefollowingfourslideswelookatthetechnologicalconceptofsuchapersonalhealthrecordsystem.Inthisconceptwewillgettoknowaveryinterestingconcept:Mashups.
43
![Page 44: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/44.jpg)
Slide11‐36Example:ConceptofaPersonalHealthRecordSystem1/4PHRsthatusecentralizeddatastoresdonotofferstakeholdersachoiceinservices,datastorage,oruserrequirements.However,variousstakeholdershavevaryingskills,requirements,andresponsibilities,whichasingleapplicationcannotsatisfy.Consequently,personalizationisrequiredwheresuchaheterogeneousmixofstakeholdersexists.TheconceptofMashups (Auinger etal.,2009)letuserscreateapplicationstosuittheirindividualrequirements.Enduserscanusemashupmakerstointegratevariousresources.Mashupmakersletuserscreatepersonalizedapplicationswithlowercoststhantraditionalintegrationprojects,inwhichasingleapplicationmustincorporatemanyusers’needs.AstheexplosionofWebmashups availableontheProgrammableWeb(www.programmableweb.com)show,manyusersarefindingnewanddiversewaystosatisfyindividualrequirements.ThisslideshowstheconceptualarchitectureofasystemcalledSqwelch (Fox,Cooley&Hauswirth,2011):Withinthearchitecture,therearethreecomponents:1)Compositionservicesprovidemechanismsformodelingwidgetsandengagingwiththestakeholdercommunityindevelopingmashups.2)Hostingservicesprovidemechanismsformanagingtheenvironment,customizingmashupcontainers,anddeployingmashups.3)Infrastructureservicesformthebasisofthemashupmaker,includingdiscoveryservices,socialnetworkingcapabilities,securityandtrust,widgetinteraction,andmanagement.
44
![Page 45: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/45.jpg)
Slide11‐37Exampleforcomponentrelationships2/4HereweseetheSqwelch componentrelationships:Thecomponentsworkincooperationandfulfillspecificrolestoenableheterogeneouswidgetsanduserstocollaborateinatrustedway:Whenregisteringwidgets,developerscreatemodelreferencesthatarestoredforfutureuseinthediscoveryandmediationcomponents.Duringamashup’s execution,thesocialnetworkingcomponentdeterminesthedestinationsfordataifusersarecollaborating,whichinturnusestrustandimportanceasameansofcontrollingdataaccess.Modelreferencesareusedtotransformdata,andcomponentinteractionisprovidedaspublish–subscribetolooselycoupletheremoteresources(Webwidgets)(Fox,Cooley&Hauswirth,2011).
45
![Page 46: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/46.jpg)
Slide11‐38Widgetcollaborationsequence3/4HereweseetheWidgetcollaborationsequence.WidgetscommunicatewiththeSqwelch serverusingHTML5standards.Sqwelch alertsusersifwidgetsaren’ttrusted.Thediagramshowsthecallstobemadebywidgets,theexecutionhost(Sqwelchdefault.html),andtheserver(Sqwelch.com)inenablingtrustedpublish–subscribebetweenheterogeneouswidgets.Inourexample,thepublishingwidgetcouldbethesensorviewerwidgetandthesubscribingwidgetcouldbethesensorfilterwidget.Wemustconsidersomeimportantpoints(Fox,Cooley&Hauswirth,2011):1)TheHTML5postMessage syntaxisusedtopublishdatapayloadsfromwidgetsandfromtheSqwelch mainpage.HTML5eventlistenerfunctionsarerequiredinsubscribingwidgetstolistenforincomingpayloads.2)Thepayloadssempublishpost returnsarethoseexpectedbythesubscribingwidgets(payload),basedontheoriginalpublishedpayload.3)Payloadasreceivedbythesubscribingwidgetwillbeacombinationofdefaultvaluestheuserspecifiesandrealvalues,dependingontheimportanceassociatedwiththerealdataandthetrustspecifiedforthesubscribingwidget.4)Ifthewidgetisn’ttrusted,Sqwelch alertstheuserandprovidesaviewofthedataelementsthesubscribingwidgethasrequested.Thiswillhappenonlyonceforeachwidgetinthecurrentsession.
46
![Page 47: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/47.jpg)
Slide11‐39Usercollaborationsequence4/4Finally,heretheUsercollaborationsequenceisdepicted:Pollingisusedbysubscribingmashups deployedbycaregiverstoretrievedatapublishedbythepatient.Sqwelch alertsthecaregiverifthepatientdoesn’ttrusthimorher.Thesequencesinclude(Fox,Cooley&Hauswirth,2011):1)Thepollingcodeisrunonthehostingmashupwebpage,retrievingdataforallsocialwidgetsinthecurrentpageusinggetsocialsubscriptions.2)ThehostingmashupwebpagereturnswiththelatestheartratereadingsforMary.3)IfMarydoesn’ttrusteitherthewidgetorJohn,thepayloadwillcontainstatic,user‐definedinformation,andMarywillbealerted.
47
![Page 48: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/48.jpg)
Slide11‐40SecurityandPrivacyofsomePHR’sThisworkby(Carrión,Fernández‐Alemán &Toval,2011)isinterestingfortworeasons:1)itprovidesagoodoverviewofsomepersonalhealthrecordsand2)itshowstowhatextenttheyaddressedsecurityandprivacyissues.Thefigureshowsscoresastwooverlappinghistograms:Ingeneral,quiteagoodlevelcanbeobservedinthecharacteristicsanalyzed.Nevertheless,someimprovementscouldbemadetocurrentPHRprivacypoliciestoenhancespecificcapabilitiessuchas:themanagementofotherusers’data,thenotificationofchangesintheprivacypolicytousersandtheauditofaccessestousers'PHRs.Thecharacteristicsonhowtheyreachedthesescorescanbeinferredfromthefollowingslides.
48
![Page 49: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/49.jpg)
Slide11‐419SecurityCharacteristicstoanalyzePHR’s1/2Carrión,Fernández‐Alemán &Toval (2011)definedninecharacteristicstoanalyzethePersonalHealthRecords:Privacypolicy,location,Datasource,Datamanaged,Accessmanagement,Accessaudit,Dataaccessedwithouttheuser'spermission,Securitymeasures,ChangesinprivacypolicyandStandards:PrivacyPolicyLocation.ThischaracteristicisrelatedtothequestionWhereisthePrivacyPolicyonthePHRwebsite?PHRsshouldprovideaPrivacyPolicywhichdescribeshowusers'dataareusedinorderforuserstobeinformed.ThePrivacyPolicyshouldbeeasilyaccessiblebyusers.ThedifficultyofPrivacyPolicyaccessisassessedbycountingthenumberoflinksclicked.Thevaluesthatthischaracteristicmaytakeare:0.ThePrivacyPolicyisnotvisibleornotaccessible.1.ThePrivacyPolicyisaccessedbyclickingonelink.2.ThePrivacyPolicyisaccessedbyclickingtwoormorelinks.DataSource.ThischaracteristicisrelatedtothequestionWheredousers’PHRdataproceedfrom?Generally,theuserishis/herdatasource,buttherearePHRswhichdonotonlyusethissource.Somecontacttheusers'healthcareproviders,othersallowotherusersanddifferentprogramstoenterusers'dataandothersuseself‐monitoringdevicestoobtainusers'data.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.User.2.Userhealthcareprovider.3.Userandhis/herhealthcareproviders.4.User,otherauthorizedusersandotherservices/programs.5.Self‐monitoringdevicesconnectedwiththeuser.DataManaged.ThischaracteristicisrelatedtothequestionWhodothedatamanagedbytheusersbelongto?Theuserscanmanagetheirowndata,buttheycansometimesmanageotherusers'data,suchasthatoftheirfamily.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Datauser.2.Datauserandhis/herfamilydata.Accessmanagement.ThischaracteristicisrelatedtothequestionWhocanobtainaccessgrantedbytheusers?TheusersdecidewhocanaccesstheirPHRdata.ThePHRsystemsanalyzedallowaccesstobegiventodifferentroles.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Otherusersandservices/programs.2.Healthcareprofessionals.3.Otherusers.4.Otherusers,healthcareprofessionalsandservices/programs.Tobecontinuedonthenextslide.
49
![Page 50: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/50.jpg)
Slide11‐429SecurityCharacteristicstoanalyzePHR’s2/2Accessaudit.ThischaracteristicisrelatedtothequestionCanusersseeanauditofaccessestotheirPHRs?Thevaluesthatthischaracteristicmaytakeare:0.No.1.Yes.Dataaccessedwithouttheuser'spermission.ThischaracteristicisrelatedtothequestionWhatdataareaccessedwithouttheuser'sexplicitconsent?ThePHRsystemstypicallyaccesscertaindatarelatedtotheusersinordertoverifythateverythingiscorrect.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Informationrelatedtotheaccesses.2.De‐identifieduserinformation.3.Informationrelatedtotheaccessesandde‐identifieduserinformation.4.Informationrelatedtotheaccessesandidentifieduserinformation.Securitymeasures.ThischaracteristicisrelatedtothequestionWhatsecuritymeasuresareusedinPHRsystems?Therearetwotypesofsecuritymeasures:physicalmeasuresandelectronicmeasures.Thephysicalsecuritymeasuresarerelatedtotheprotectionoftheserversinwhichthedataarestored.Theelectronicsecuritymeasuresarerelatedtohowstoredandtransmitteddataareprotected,forexample,byusingaSecureSocketsLayer(SSL)scheme.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Physicalsecuritymeasures.2.Electronicsecuritymeasures.3.Physicalsecuritymeasuresandelectronicsecuritymeasures.ChangesinPrivacyPolicy.ThischaracteristicisrelatedtothequestionArechangesinprivacypolicynotifiedtousers?ChangesinPrivacyPolicyshouldbenotifiedtousersinordertomakethemawareofhowtheirdataaremanagedbythePHRsystem.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Changesarenotifiedtousers.2.Changesareannouncedonhomepage.3.Changesarenotifiedtousersandchangesareannouncedonhomepage.4.Changesmaynotbenotified.Standards.ThischaracteristicisrelatedtothequestionArePHRsystemsbasedonprivacyandsecuritystandards?ThePHRsystemsanalyzeduseorarebasedontwostandards:theHealthInsurancePortabilityandAccountabilityAct(HIPAA)andtheHealthOntheNetCodeofConduct(HONcode).Thevaluesthatthischaracteristicmaytakeare:UsablePrivacyandSecurityinPersonalHealthRecords410.Notindicated.1.HIPAAismentioned.2.SystemiscoveredbyHONcode.3.HIPAAismentionedandsystemiscoveredbyHONcode (Carrión,Fernández‐Alemán&Toval,2011).
50
![Page 51: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/51.jpg)
Slide11‐43OverviewPersonalHealthRecords(PHR)Thelastslideshowsthesummaryoftheresearchedpersonalhealthrecords(Carrión,Fernández‐Alemán &Toval,2011).Note:By2013theGoogleHealthrecordisnotlongerinoperation:GoogleHealthhasbeenpermanentlydiscontinued.AlldataremaininginGoogleHealthuseraccountsasofJanuary2,2013hasbeensystematicallydestroyed,andGoogleisnolongerabletorecoveranyGoogleHealthdataforanyuser,see:http://www.google.com/intl/en_us/health/aboutSeealsothisblog:http://googleblog.blogspot.co.at/2011/06/update‐on‐google‐health‐and‐google.html
51
![Page 52: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/52.jpg)
Slide11‐44EthicalIssues‐ duringQualityImprovementHereasummaryofethicalissuesbyaworkof(Tapp etal.,2009):TheyidentifiedtheexperiencesofprofessionalsinvolvedinplanningandperformingQIprogrammes inEuropeanfamilymedicineontheethicalimplicationsinvolvedinthoseprocesses.Forthispurposetheusedfourfocusgroupswith29generalpractitioners(GPs)andadministratorsofgeneralpracticequalityworkinEurope.TwofocusgroupscomprisedEQuiP membersandtwofocusgroupscomprisedattendeestoaninvitationalconferenceonQIinfamilymedicineheldbyEQuiP inBarcelona.Fouroverarchingthemeswereidentified,includingimplicationsofusingpatientdata,prioritizingQIprojects,issuessurroundingtheethicalapprovaldilemmaandtheimpactofQI.Eachthemewasaccompaniedbyanidentifiedsolution.Practicalimplications– Prioritising isnecessaryandindoingthatGPsshouldensurethatavarietyofworkisconductedsothatsomepatientgroupsarenotneglected.TransparencyandflexibilityonvariouslevelsisnecessarytoavoidharmfulconsequencesofQIintermsofbureaucratisation,increasedworkloadandburnoutonpartoftheGPandharmfuleffectsonthedoctor‐patientrelationship.ThereisaneedtoaddressthesystemofapprovalfornationalQIprogrammes andQIprojectsutilising moresophisticatedmethodologies(Tapp etal.,2009).
52
![Page 53: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/53.jpg)
53
![Page 54: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/54.jpg)
54
My DEDICATION is to make data valuable … Thank you!
![Page 55: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/55.jpg)
55
![Page 56: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/56.jpg)
56
![Page 57: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/57.jpg)
57
![Page 58: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/58.jpg)
58
![Page 59: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/59.jpg)
59
![Page 60: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/60.jpg)
60
![Page 61: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/61.jpg)
61
![Page 62: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/62.jpg)
62
![Page 63: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/63.jpg)
test
63
![Page 64: genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... · Example: In January 2013, the US Department of Health and Human Services ... various other](https://reader033.vdocuments.us/reader033/viewer/2022041921/5e6c0328d390ba7137124a90/html5/thumbnails/64.jpg)
64
MyDEDICATIONistomakedatavaluable …Thankyou!