trust retreat, october 8-9, 2006 emr project vanderbilt (sztipanovits, karsai, xue) stanford...
Post on 19-Dec-2015
220 views
TRANSCRIPT
TRUST Retreat, October 8-9, 2006
EMR Project
Vanderbilt (Sztipanovits, Karsai, Xue)
Stanford (Mitchell, Datta, Barth, Sundaram)
Berkeley (Bajcsy, Sastry)
Cornell (Wicker, Gerkhe, Machanavajjhala)
2
Preamble
EMR is an integrative project for motivating, testing, evaluating core TRUST research areas in:
– Model-based design for security– Formal modeling, verifying and enforcing policies– Sensor networks – Investigate “best practices” for interfacing public policy to
technology We are fully aware of the fact that EMR is a huge area
of research and EMR-TRUST is just one relatively small subproject in TRUST. We leverage our partnership with the Vanderbilt Medical Center to have a broader impact.
One related effort in the US is Microsoft’s Software Factory for HL7 compliant EMR transfer among providers.
3
The Problem
Rise in mature population– Population of age 65 and older with – Medicare was 35 million for 2003 and – 35.4 million for 2004
New types of technology– Electronic Patient Records– Telemedicine– Remote Patient Monitoring
Empower patients: – Access to own medical records– Control the information – Monitor access to medical data
Regulatory compliance
Table compiled by the U.S. Administration on
Aging based on data from the U.S. Census Bureau.
United Nations ▪ “Population Aging ▪ 2002”
2050
Percentage of Population over 60 years oldGlobal Average = 21%
4
Challenges
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– HIPAA Privacy Rule (2003): gives US citizens Right to access their medical records Right to request amendments, accounting of disclosures, etc.
– HIPAA Security Rule (2005): requires healthcare organizations to
Protect for person-identifiable health data that is in electronic format
Complexity of privacy– Variable levels of sensitivity; “sensitive” in the eye of multiple
beholders– No bright line between person-identifiable and “anonymous”
data Complexity of access rights and policies
– Simple role-based access control is insufficient– Governing principles: “need-to-know” and “minimum
disclosure”
5
Research Platform: Patient Portal
MyHealthAtVanderbilt is a web portal for an increasing number of services for patients.
Current capabilities include – appointment management, – secure messaging, – access to EMR and– billing
Future services will/may include medication management,patient data uploads, real-time datalinks and others..
6
Overall Research Objective
Satisfying high-level requirements stated for– privacy, confidentiality,– integrity,– non-repudiation and– access control
properties of information flows in the PP system.
Focus on system architecture and policy issues - leveraging existing security technology components.
7
TRUST Research Effort in EMR
Architecture modeling and analysis Policy modeling and analysis Interfacing real-time patient data
8
Architecture Modeling and Analysis Sub-Project
Architecture analysis is conducted based on the SOA architecture framework – natural fit to the problem and to the existing implementation of MyHealthAtVanderbilt
In SOA– Workflow modeling– Policy modeling– Data modeling– Service modeling
is used to restrict and automate information flow in complex, dynamic environment.
9
Research Approach
• System Analysis• Risks and Threats Analysis • Policy Analysis
Domain analysis• VU Medical School• TRUST research groups (Vanderbilt, Stanford)
• Domain Specific Modeling Languages• Domain Specific Policy Languages• Privacy preservation
Modeling• VU Medical School• TRUST research groups (Vanderbilt, Stanford, Cornell)
• Mapping to target architecture -> recommendations
Fast prototyping• BPEL4WS tools• TRUST research groups (Vanderbilt, Stanford, Berkeley)
10
Domain Analysis
Regular meetings with Medical School– Physicians– Medical Informatics Researchers– Software engineering staff– Privacy Officer– Information Security Officer
Architecture and policy discussions Case studies Brain storming sessions
11
“Target” Architecture for Experimentation
Internal Policy Enforcement Point
S1 S2 Sn
BPEL Process Manager
External Policy Enforcement Point
PolicyRepos.
PolicyDecision Pt.
PolicyDecision Pt.
ConfigurationEngine
Partners Standards:
• BPEL• XACML• SAML• WS-Sec• …
Target ArchitectureLimitations:
• Modeling lngs?• Policy lngs?• Openness of architecture?• Tractability of analysis?
12
Modeling For Patient Portal
Workflow Models• Activities• Coordination
Service Models• Component Interface • Data Models
Policy Models• Access models• Privacy models
ModelTransformation
ModelTransformation
ModelTransformation
BPEL Process Manager PolicyRepos.
BPEL Infrastructure
PP Domain
Research Tasks: • Specification of modeling/policy languages
• Model analysis/verification methods
• Model translator specification
• Case studies
Modeling Tools
Analysis Tools
Model Translators
Technology infrastructure:
WSDLBPEL4WS XACML
13
Modeling Challenges
Development of ”correct” abstractions– How to establish clear relationship among
workflow, data and policy related abstractions?
Examples:“ A patient is allowed to make appointment only for regular hours.”
“ Physicians can access and modify medical records for those patients where they are the designated primary care physician.”
“ A nurse can read medical records only in her specialization except when the illness is marked confidential.”
Research approach:
Formal specification, experimental evaluation and evolution of modeling languages.
14
Modeling Tool
15
Architecture Challenges
Privacy/security in open, dynamic architectures– Workflows are added and modified in the system. – Structure of information flows are dynamic, data
dependent and complex. How can we guarantee and maintain privacy/security
properties? Example:A new service added to the PP to provide relevant information
for patients. Are there privacy leaks?
Research approach:Data mining of audit files and discovering leaks, not-
modeled information flows.
16
Deliverables
Suite of modeling languages and tools In-depth modeling of part of the PP and
detailed analysis of security and privacy properties
Integration with Policy Languages component Exploring privacy issues related to the
research project (e.g. privacy leaks through access to audit logs.)
17
Policy Modeling Subproject
Privacy and Utility in Patient Portals
Adam Barth*John C. Mitchell*
Anupam Datta*Sharada Sundaram*+
*+
Stanford UniversityTCS
18
Interfacing Real-time Patient Data
(See Professor Bajcsy’s Talk)
19
Impact and technology transfer
Direct connection to a major Patient Portalresearch and deployment project
Results can be generalized to a wide range of SOA applications
MyHealthAtVanderbilt; ….
20
How is TRUST making a difference here?
Vanderbilt, Stanford, Berkeley, Cornell This project would be impossible without
TRUST in every sense
21
Education and Outreach
Immediate result of the unprecedented collaboration with the Medical School are:- consideration of a CS pre-med - joint projects- co-advising students- “TRUST Fellowship” for medical informatics Ph.D.
candidates