In this chapter, the authors describe a new framework for pervasive healthcare applications in which the patient's consent plays a pivotal role. In their framework, patients are able to control the disclosure of their medical data. The patient's consent is captured implicitly from the context in which his or her medical data is being accessed, and context is expressed in terms of workflows. The execution of a task in a workflow carries information that the system uses to grant access rights in accordance with the patient's consent, and the patient remains in charge of withdrawing consent if necessary. Moreover, the use of workflows enables the enforcement of the need-to-know principle: a subject is authorised to access sensitive data only when the actual situation, i.e. the task currently being executed, requires it.
Healthcare applications are characterised by the integration of software systems into healthcare environments. They seamlessly assist patients and carers in performing their tasks and provide them with ubiquitous access to the information they require. As such, healthcare applications can be considered pervasive computing systems (Weiser, 1991). Real-world medical environments present several research challenges that need to be addressed in order to develop robust healthcare applications. As a showcase for our approach, in this chapter we focus on technology-assisted living, where the domains to be administered are units of personal living. Here, someone may be living alone, perhaps in sheltered housing, perhaps post-operative, perhaps with one or more disabilities, perhaps elderly and infirm. In this scenario, the healthcare application is composed of several services that monitor the patient's condition and assist the patient or the carer in performing the appropriate treatments.
Monitoring the physical condition of a patient is carried out by means of body sensors. Several types of sensors are commercially available to measure blood pressure, blood sugar, pulse rate, etc. Another form of monitoring can be achieved using infra-red cameras, which avoid the invasiveness of video surveillance. Combining infra-red cameras with motion detection, as in the Irisys technology (2007), makes it possible to detect the number of people, or animals such as guide dogs, that are present, and to make a note of any visitors in order to find out whether carers are visiting according to schedule. This information, together with the data gathered from the sensors, can be used to detect critical conditions for the patient and raise an alarm to summon help.
Healthcare applications provide carers and relatives visiting the patient's home with easy access to the patient's medical data. The virtualisation of patients' medical records allows electronic storage, transmission, display and analysis of healthcare information, which can improve and streamline healthcare delivery. However, it also poses new challenges to individual privacy. Healthcare information contains sensitive personal information: it may include the details of a person's history of diseases and treatments, history of drug use, genetic testing, sexual orientation and practices, etc. Improper disclosure of this data can influence decisions about an individual's access to credit, education and employment. It is therefore crucial that healthcare information systems offer adequate protections to address these concerns.
The European standards on confidentiality and privacy in healthcare (2007) state that patient information is confidential and should not be disclosed without adequate justification, and that the justification for disclosure should normally be consent. However, most security models for clinical information systems are merely variations of Role-Based Access Control (RBAC), which make access decisions based on the role of the user rather than on the patient's consent. There are some exceptions, for example the BMA policy model (Anderson, 1996a; 1996b) and Cassandra (Becker & Sewell, 2004a; 2004b). The BMA policy model is the first security model that requires the patient's consent for accessing healthcare information. Cassandra is a trust management system designed for securing electronic health records which captures consent as special roles in the system. Nevertheless, they share two problems. First, how to capture patient consent properly. Patient consent can be explicit, e.g. in written form, but more often it is implicit, e.g. the context in which the access is being executed may carry enough information to obtain consent implicitly. In general, when the use and disclosure of patient information is for the patient's own healthcare purposes, and provided the patient or his legal representative has been informed of what information sharing is necessary for those purposes, implicit consent is sufficient. In the BMA model and in Cassandra, however, consent must be explicit, and this requirement adds unnecessary workload for healthcare professionals. Second, how to ensure that consent is obtained on a well-informed basis. A valid consent requires that the patient has been informed of what information is intended to be used or disclosed, and for which purposes. The fact that consent has been obtained does not imply that this information has been given, yet none of the current models handles this.
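To make the contrast between the two approaches concrete, the following is an added illustration (example code written for this page, not the authors' framework nor the BMA or Cassandra implementations). It contrasts a plain RBAC decision with a decision driven by the active workflow task, in which consent is implied by the task being executed for the patient's own care, need-to-know is derived from the task rather than the role, withdrawal of consent revokes access, and a category the patient was never told about is refused even when consent exists. The workflow, tasks, roles, record categories and the `Consent` record are all constructed assumptions.

```python
"""Hypothetical workflow-driven, consent-aware access check (illustration only)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample: a home-care workflow (purpose: the patient's own care) whose
# tasks declare the record categories they genuinely need.  Need-to-know is thus
# a property of the task being executed, not of the subject's role.
WORKFLOWS: Dict[str, Dict[str, Set[str]]] = {
    "home_care_visit": {
        "check_vitals": {"vitals"},
        "administer_medication": {"vitals", "medication"},
        "log_visit": set(),            # writing the visit log needs no clinical data
    },
}
# Minimal RBAC layer kept alongside: which roles may perform which task.
TASK_ROLES: Dict[str, Set[str]] = {
    "check_vitals": {"nurse", "carer"},
    "administer_medication": {"nurse"},
    "log_visit": {"nurse", "carer"},
}
# Classic RBAC baseline: a role maps straight to record categories, whatever the context.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "nurse": {"vitals", "medication", "history"},
    "carer": {"vitals"},
}


@dataclass
class Consent:
    """What the patient agreed to, and what they were told when agreeing (assumed shape)."""
    patient: str
    purpose: str                 # the workflow / purpose the consent was given for
    informed_of: Set[str]        # categories the patient was told would be shared
    withdrawn: bool = False


@dataclass
class WorkflowInstance:
    """A running workflow for one patient; the active task is the access context."""
    patient: str
    workflow: str
    active_task: Optional[str] = None


def rbac_decision(role: str, category: str) -> bool:
    """Baseline: the role alone decides; neither consent nor context is consulted."""
    return category in ROLE_PERMISSIONS.get(role, set())


def consent_decision(role: str, instance: WorkflowInstance,
                     consent: Optional[Consent], category: str) -> Tuple[bool, str]:
    """Grant access only when the active task needs the category and the patient's
    consent for this purpose is recorded, informed about the category, and not withdrawn."""
    task = instance.active_task
    if task is None:
        return False, "no active task: no context from which to infer consent"
    if role not in TASK_ROLES.get(task, set()):
        return False, f"role '{role}' may not perform task '{task}'"
    if category not in WORKFLOWS[instance.workflow][task]:
        return False, f"task '{task}' does not need '{category}' (need-to-know)"
    if consent is None or consent.patient != instance.patient \
            or consent.purpose != instance.workflow:
        return False, "no consent recorded for this patient and purpose"
    if consent.withdrawn:
        return False, "consent withdrawn by the patient"
    if category not in consent.informed_of:
        return False, f"patient was not informed that '{category}' would be shared"
    return True, f"implicit consent: '{category}' needed by active task '{task}'"


def run_scenario() -> Dict[str, bool]:
    """Walk a constructed visit through both decision procedures; returns the outcomes."""
    # The patient was told only vitals would be shared during home-care visits.
    consent = Consent("alice", "home_care_visit", informed_of={"vitals"})
    visit = WorkflowInstance("alice", "home_care_visit")
    out: Dict[str, bool] = {}

    visit.active_task = "check_vitals"
    out["rbac_nurse_history"] = rbac_decision("nurse", "history")            # RBAC: yes
    out["ctx_nurse_history"] = consent_decision("nurse", visit, consent, "history")[0]
    out["ctx_nurse_vitals"] = consent_decision("nurse", visit, consent, "vitals")[0]
    out["ctx_carer_vitals"] = consent_decision("carer", visit, consent, "vitals")[0]

    visit.active_task = "administer_medication"
    out["ctx_carer_medication"] = consent_decision("carer", visit, consent, "medication")[0]
    # Nurse may run the task and it needs medication data, but the patient was never
    # informed that medication records would be shared: consent is not well-informed.
    out["ctx_nurse_medication"] = consent_decision("nurse", visit, consent, "medication")[0]

    consent.withdrawn = True                   # the patient withdraws consent
    visit.active_task = "check_vitals"
    out["ctx_after_withdrawal"] = consent_decision("nurse", visit, consent, "vitals")[0]
    return out


if __name__ == "__main__":
    for name, granted in run_scenario().items():
        print(f"{name:24s} {'GRANT' if granted else 'DENY'}")
```

In the scenario, RBAC lets a nurse read the patient's history at any time, whereas the context-driven check grants only what the active task needs, denies the medication record because the patient was never told it would be shared, and denies everything once consent is withdrawn, which is the behaviour the chapter argues for.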