Bernd Blobel

Authorisation and access control for electronic health record systems

Enabling the shared care paradigm, centralised or even decentralised electronic health record (EHR) systems increasingly become core applications in hospital information systems and health networks. For realising multipurpose use and reuse as well as inter-operability at knowledge level, EHR have to meet special architectural requirements. The component-oriented and model-based architecture should meet international standards. Especially in extended health networks realising inter-organisational communication and co-operation, authorisation cannot be organised at user level anymore. Therefore, models, methods and tools must be established to allow formal and structured policy definition, policy agreements, role definition, authorisation and access control. Based on the authors international engagement in EHR architecture and security standards referring to the revision of CEN ENV 13606, the GEHR/open EHR approach, HL7 and CORBA, models for health-specific and EHR-related roles, for authorisation management and access control have been developed. The basic concept is the separation of structural roles defining organisational entity-to-entity relationships and enabling specific acts on the one hand, and functional roles bound to specific activities and realising rights and duties on the other hand. Aggregation of organisational, functional, informational and technological components follows specific rules. Using UML and XML, the principles as well as some examples for analysis, design, implementation and maintenance of policy and authorisation management as well as access control have been practically implemented.

A development framework for semantically interoperable health information systems

BACKGROUND Semantic interoperability is a basic challenge to be met for new generations of distributed, communicating and co-operating health information systems (HIS) enabling shared care and e-Health. Analysis, design, implementation and maintenance of such systems and intrinsic architectures have to follow a unified development methodology. METHODS The Generic Component Model (GCM) is used as a framework for modeling any system to evaluate and harmonize state of the art architecture development approaches and standards for health information systems as well as to derive a coherent architecture development framework for sustainable, semantically interoperable HIS and their components. The proposed methodology is based on the Rational Unified Process (RUP), taking advantage of its flexibility to be configured for integrating other architectural approaches such as Service-Oriented Architecture (SOA), Model-Driven Architecture (MDA), ISO 10746, and HL7 Development Framework (HDF). RESULTS Existing architectural approaches have been analyzed, compared and finally harmonized towards an architecture development framework for advanced health information systems. CONCLUSION Starting with the requirements for semantic interoperability derived from paradigm changes for health information systems, and supported in formal software process engineering methods, an appropriate development framework for semantically interoperable HIS has been provided. The usability of the framework has been exemplified in a public health scenario.

Modelling privilege management and access control.

OBJECTIVES For establishing trustworthiness in advanced architectures for future-proof health information systems being open, flexible, scaleable, portable, and semantically interoperable, security and privacy services needed must be designed as an inherent part of the architecture. Such architecture has to meet the paradigms of distribution, component orientation, formal modelling, separation of logical and technological aspects, etc. METHODS In model-driven architectures components providing security and privacy services have to be specified using the same methodology of formal models with meta-languages as expression means, as deployed in computational, technical, or medical domains. The resulting approach must be based on the ISO Reference Model-Open Distributed Processing. RESULTS Currently, standards developing organisation are defining emerging tasks and standards for semantic interoperability and trustworthy collaboration for advanced health information systems. Communication security issues have been specified and implemented, while application security challenges such as privilege management and access control are still under development. Therefore, a series of formal models have been developed by the authors covering, e.g. domains, service delegation, claims control, policies, roles, authorisations, and access control. The required models are introduced and interpreted in a generic way. The crucial concept of security policy and its relationship to the other concepts has been considered in detail. CONCLUSION Based on formal models, security services can be integrated into advanced systems architectures enabling semantic interoperability in the context of trustworthiness of communication and co-operation.

Application of the component paradigm for analysis and design of advanced health system architectures

Based on the component paradigm for software engineering as well as on a consideration of common middleware approaches for health information systems, a generic component model has been developed supporting analysis, design, implementation and harmonisation of such complex systems. Using methods like abstract automatons and the Unified Modelling Language (UML), it could be shown that such components enable the modelling of real-world systems at different levels of abstractions and granularity, so reflecting different views on the same system in a generic and consistent way. Therefore, not only programs and technologies could be modelled, but also business processes, organisational frameworks or security issues as done successfully within the framework of several European projects.

Architectural Approach to eHealth for Enabling Paradigm Changes in Health

OBJECTIVES For improving safety and quality of care as well as efficiency of health delivery under the well-known burdens, health services become specialized, distributed, and therefore collaborative, thereby changing the health service paradigm from organization-centered over process-controlled to personal health (pHealth). METHODS Personalized eHealth services provided independent of time and location have to be based on advanced technical paradigms of mobile, pervasive and autonomous computing, enabling ubiquitous health services. Personalized eHealth systems require a multidisciplinary approach including medicine, informatics, biomedical engineering, bioinformatics and the omics disciplines but also legal and regulatory affairs, administration, security, privacy and ethics, etc. Interoperability between different components of the intended system must be provided through an architecture-centric, model-driven, formalized process. RESULTS In order to analyze, design, specify, implement and maintain such an interactive environment impacted by so many different domains, a formal and unified methodology for system analysis and design has been developed and deployed, based on an overall architectural framework. The paper introduces the underlying paradigms, requirements, architectural reference models, modeling and formalization principles as well as development processes for comprehensive service-oriented personalized eHealth interoperability chains, thereby exploiting all interoperability levels up to service interoperability. A special focus is put on ontologies and knowledge representation in the context of eHealth and pHealth solutions. Furthermore, EHR solutions, security requirements, existing and emerging standards, and educational challenges for realizing personalized pHealth are briefly discussed. CONCLUSION For personal health, bridging between disciplines including ontology coordination is the crucial demand. All aspects of the design and development process have to be considered from an architectural viewpoint.

A model driven approach for the German health telematics architectural framework and security infrastructure

Shared care concepts such as managed care and continuity of care are based on extended communication and cooperation between different health professionals or between them and the patient respectively. Health information systems and their components, which are very different in their structure, behavior, data and their semantics as well as regarding implementation details used in different environments for different purposes, have to provide intelligent interoperability. Therefore, flexibility, portability, and future orientation must be guaranteed using the newest development of model driven architecture. The ongoing work for the German health telematics platform based on an architectural framework and a security infrastructure is described in some detail. This concept of future proof health information networks with virtual electronic health records as core application starts with multifunctional electronic health cards. It fits into developments currently performed by many other developed countries.

Electronic signatures for long-lasting storage purposes in electronic archives

Communication and co-operation in healthcare and welfare require a certain set of trusted third party (TTP) services describing both status and relation of communicating principals as well as their corresponding keys and attributes. Additional TTP services are needed to provide trustworthy information about dynamic issues of communication and co-operation such as time and location of processes, workflow relations, and system behaviour. Legal and ethical requirements demand securely stored patient information and well-defined access rights. Among others, electronic signatures based on asymmetric cryptography are important means for securing the integrity of a message or file as well as for accountability purposes including non-repudiation of both origin and receipt. Electronic signatures along with certified time stamps or time signatures are especially important for electronic archives in general, electronic health records (EHR) in particular, and especially for typical purposes of long-lasting storage. Apart from technical storage problems (e.g. lifetime of the storage devices, interoperability of retrieval and presentation software), this paper identifies mechanisms of e.g. re-signing and re-stamping of data items, files, messages, sets of archived items or documents, archive structures, and even whole archives.

Ontology driven health information systems architectures enable pHealth for empowered patients.

The paradigm shift from organization-centered to managed care and on to personal health settings increases specialization and distribution of actors and services related to the health of patients or even citizens before becoming patients. As a consequence, extended communication and cooperation is required between all principals involved in health services such as persons, organizations, devices, systems, applications, and components. Personal health (pHealth) environments range over many disciplines, where domain experts present their knowledge by using domain-specific terminologies and ontologies. Therefore, the mapping of domain ontologies is inevitable for ensuring interoperability. The paper introduces the care paradigms and the related requirements as well as an architectural approach for meeting the business objectives. Furthermore, it discusses some theoretical challenges and practical examples of ontologies, concept and knowledge representations, starting general and then focusing on security and privacy related services. The requirements and solutions for empowering the patient or the citizen before becoming a patient are especially emphasized.

Enhanced Semantic Interoperability by Profiling Health Informatics Standards

OBJECTIVES Several standards applied to the healthcare domain support semantic interoperability. These standards are far from being completely adopted in health information system development, however. The objective of this paper is to provide a method and suggest the necessary tooling for reusing standard health information models, by that way supporting the development of semantically interoperable systems and components. METHODS The approach is based on the definition of UML Profiles. UML profiling is a formal modeling mechanism to specialize reference meta-models in such a way that it is possible to adapt those meta-models to specific platforms or domains. A health information model can be considered as such a meta-model. RESULTS The first step of the introduced method identifies the standard health information models and tasks in the software development process in which healthcare information models can be reused. Then, the selected information model is formalized as a UML Profile. That Profile is finally applied to system models, annotating them with the semantics of the information model. The approach is supported on Eclipse-based UML modeling tools. The method is integrated into a comprehensive framework for health information systems development, and the feasibility of the approach is demonstrated in the analysis, design, and implementation of a public health surveillance system, reusing HL7 RIM and DIMs specifications. CONCLUSIONS The paper describes a method and the necessary tooling for reusing standard healthcare information models. UML offers several advantages such as tooling support, graphical notation, exchangeability, extensibility, semi-automatic code generation, etc. The approach presented is also applicable for harmonizing different standard specifications.

Using trusted third parties for secure telemedical applications over the WWW: the EUROMED-ETS approach.

This paper reports on the results obtained by the pilot operation of Trusted Third Parties (TTP) for secure telemedical applications over the WWW. The work reported on herein was carried out within the context of EUROMED-ETS, a R&D project funded by the INFOSEC office of Directorate General XIII of the European Union. The paper discusses the platform used, the security needs of the specific application, the TTP solution provided, the steps taken in order to implement the solution at a pilot scale and the results of the pilot operation; it is compiled using material included in the project deliverables.