Mike A. Lockyer

A model of accountability, confidentiality and override for healthcare and other applications

A UML model of Authorisation is described, which was developed for an Electronic Medical Records application in collaboration with the UK NHS Information Authority. The model is an enhancement of the UK Healthcare Model (HcM), in that it provides extra classes for use with HcM classes. It provides powerful confidentiality specification capabilities, which can also be used in other applications. A Role (actually called AgentActivityType for consistency with the HcM) may be directly associated with an Accountability. An Accountability is an agreement where one Party commissions a second Party to undertake Activities under the authority of that Accountability. Four types of Confidentiality Permission are defined which allow access to data items (SubjectPhenomena), or to data items with specific types (SubjectPhenomenonType). Access can be granted to individual Agents, or to AuthorizedAgents acting in specified Roles. A model of override allows the Confidentiality Permissions to be overridden in a strictly controlled way. Override facilities are granted to Agents by establishing appropriate Accountabilities, and any use of override is logged. Access to data can be granted to groups of Agents, and to group of Roles. Establishing access rights for a group involves defining a set of Confidentiality Permissions for the group. The Authorisation Model is illustrated throughout the paper by examples from healthcare. In particular a demanding scenario (child abuse) is presented. In this scenario complex restrictions must be placed on the data, which might result in inappropriate actions if clinicians and other professionals are denied access to the data.

An automated student diagram assessment system

The teaching of systems analysis and design diagramming methods commonly utilises Computer Aided Software Engineering (CASE) tools to provide a way for students to actively practice the subject. However, many versions of these tools do not cater for the academic users who will require assistance in the underlying methods as well as the usage of the tool. The automated diagram comparison system developed at the University of Teesside can be used by students to compare a diagram that they consider to be a solution to a given problem against a model answer, and receive feedback commenting on their solution, which strengthens their understanding of the subject. This paper outlines a framework for such interactive learning, describes the use of the diagram comparison system, and highlights the benefits for the student.

The tees confidentiality model: an authorisation model for identities and roles

We present a model of authorisation that is more powerful than Role Based Access Control (RBAC), and is suitable for complex web applications in addition to computer systems administration. It achieves its functionality by combining Identity Based Access Control (IBAC) and RBAC in novel ways. A particular feature of the model is a rigorous definition of override, for granting access to data and resources in exceptional circumstances. Despite its power, the model can be implemented by a single algorithm, as an extension to RBAC. The basis of the model is a new concept of permission, which we call Confidentiality Permission. There are five types of confidentiality permission, for granting access rights for identities and roles; also negative confidentiality permissions, for denying access to data and resources, exist. A single concept of Collection is used for structuring roles, identities, resource and resource type, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions may be defined to inherit within collections, thereby providing a mechanism for confidentiality permission assignment; however confidentiality permissions may be assigned in other ways that do not depend on collections. We use a demanding scenario from Electronic Health Records to illustrate the power of the model. We have produced several demonstrators, one of which utilises the model to control data retrieval from commercial GP and Social Services systems.

Systems development methods guidance and CASE: integration between CASE and CAL

The paper presents the first stage of work in enhancing CASE tools in the general area of student guidance for methods and techniques. A comparison is made between the integration of CASE and CAL and the incorporation of learning features within CASE. This shows how the merging of CASE and CAL produces enhanced learning for students. Particular attention is given to the creation of automated walkthroughs, which are shown to be a useful technique for supporting CAL within CASE. Extensions to a CASE tool are described that simplify the creation and use of such walkthroughs, and these are evaluated with reference to learning strategies.

Empirical Methodologies for Web Engineering

We review a range of data generation methods and empirical research strategies of potential usefulness to web engineering research. The various strategies do not all share the same underlying philosophy about knowledge and how it can be acquired. We therefore explain two contrasting philosophical paradigms: positivism and interpretivism. We suggest that empirical web engineering should use a plurality of research strategies and data generation methods, and recognise the potential usefulness of both positivism and interpretivism. Finally we discuss the implications of such a plurality.

EHR and EPR confidentiality based on accountability and consent: tools for the Caldicott Guardian

The primary care-based electronic health record (EHR) and the electronic patient record (EPR) are key features of the UK National Health Service (NHS) Information Strategy. We propose a model for EHR/EPR confidentiality - that is, for restricting access to their contents to authorized users, assuming secure transmission of data. We summarize a UML model for EHR/EPR confidentiality which is consistent with the NHS Healthcare Model. A prototype implementation of the model based on OODB and Internet techniques is described. The work is intended as a contribution to the development of confidentiality systems for the EHR and EPR, and also of computerized tools for Caldicott Guardians to specify and implement privacy policies and procedures.

Automated Computational Cognitive-Modeling: Goal-Specific Analysis for Large Websites

The information architecture of websites is the most important remaining source of usability problems. Therefore, this research explores automated cognitive computational analysis of the information architecture of large websites as a basis for improvement. To support goal-specific analysis, an enhanced model of web navigation was implemented with a novel database-oriented approach. Web navigation was simulated on the information architecture of two large sites. With the improved labeling system of the information architecture, simulation results showed a significant reduction in navigation problems. The results of two experiments demonstrate that sites with improved information architecture result in better outcomes of user information retrieval. Our database-oriented approach is extensible, allowing non-goal-specific analysis, modeling of nontext media content, and analysis of the organization- and navigation systems of information architectures.

The Tees Confidentiality Model: Mechanisms for implementing the sealed envelope

This paper offers mechanisms capable of implementing the authorization functionality to be supported by the NHS Care Records Service. The patient-confidentiality model for the Care Records Service includes restricting access to data by placing the data in a Sealed Envelope; providing access to data based on Legitimate Relationship, and other concepts; and the overriding of access restrictions in extraordinary or emergency situations. We informally show through examples how the Tees Confidentiality Model, a sophisticated model of authorization, can be used to implement Care Records Service authorization functionality to the level currently proposed, and also to much greater levels if they ever were to be required. The mechanisms discussed include using a range of permission types, called Confidentiality Permission Types; processing Confidentiality Permissions in a defined order according to complexity of type; using negative permissions to deny access; and providing override mechanisms for negative permissions.

Authorisation Models for Complex Computing Applications

This paper presents the Tees Confidentiality Model, an authorisation model which is suitable for complex web applications in addition to computer systems administration. It achieves its functionality by combining Identity-Based Access Control (IBAC) and Role-Based Access Control (RBAC) in novel ways. The model is based on a range of permission types, called Confidentiality Permission Types, which are processed in a defined order. Confidentiality Permissions may have negative values (ie they may deny access), and may be overridden by authorised users in carefully specified ways. A single concept of Collection is used for structuring roles, identities, resource and resource type, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions may be defined to inherit within collections, thereby providing a mechanism for confidentiality permission assignment. We use a demanding scenario from Electronic Health Records to illustrate the power of the model.

Functionality and implementation issues for complex authorisation models

The concepts and benefits of Role-Based Access Control (RBAC) are first reviewed. As an example of enhanced authorisation functionality, the Tees Confidentiality Model (TCM), which is an authorisation model suitable for complex web applications in addition to computer systems administration is then presented. The TCM is based on a range of permission types, called Confidentiality Permission Types, which are processed in a defined order. Confidentiality permissions may have negative values (i.e. they may deny access), and may be overridden by authorised users in carefully specified ways. An arbitrary number of Authorisation Classifiers for users and protected objects may be specified. Confidentiality Permission Types are defined in terms of classifiers. A single concept of Collection is used for structuring classifier values, including roles, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions specify inheritance within collections, thereby providing a mechanism for confidentiality permission assignment. A demanding scenario from electronic health records is used to illustrate the power of the model.