Governance of Cross-Organizational Healthcare Document Exchange through Watermarking Services and Alerts

Dickson K.W. Chiu (Dickson Computer Systems, Hong Kong), Yuexuan Wang (Tsinghua University, China), Patrick Hung (University of Ontario Institute of Technology, Canada), Vivying S.Y. Cheng (Hong Kong University of Science and Technology, Hong Kong), Kai-Kin Chan (Hong Kong Baptist University, Hong Kong), Eleanna Kafeza (Athens University of Economics and Business, Greece) and Tung (Fu-Jen Catholic University, Taiwan)
DOI: 10.4018/jssoe.2011100105
Abstract

There is an increasing demand for sharing documents for process integration among organizations. Web services technology has recently been widely proposed and gradually adopted as a platform for supporting such integration. There are no holistic solutions thus far that tackle the various protection issues, specifically the security and privacy protection requirements of cross-organizational process integration. This paper proposes the exchange of documents through a Document / Image Exchange Platform (DIEP), replacing traditional ad-hoc and manual exchange practices. The authors show how the contemporary technologies of Web services under a Service-Oriented Architecture (SOA), together with watermarking, can help protect document exchanges through a layered implementation architecture. Furthermore, to facilitate governance and regulatory compliance in the face of attempts to violate protection policies, the management and the affected parties are notified with alerts for warning and possible handling. The authors discuss the applicability of the proposed platform with a physician, with respect to the security and privacy protection requirements of the Health Insurance Portability and Accountability Act (HIPAA) in the United States, which imposes national regulations to protect individuals’ healthcare information. The proposed approach aims at facilitating the whole governance process from the technical to the management level with a single unified platform.
Introduction

In cross-organizational process integration, more and more stakeholders are involved and connected through ubiquitous wired and wireless networks (Chiu et al., 2010). Despite the automation of data exchange and processing, a vast amount of business document images has been created in electronic formats, not just for easy storage and maintenance but also because laws and regulations require it. Furthermore, the need to exchange document images keeps growing, since “a picture is worth a thousand words”. However, current exchanges are still mainly performed through uncontrolled emails, fax, or traditional ad hoc manual file transfer practices. Even with the emergence of software-initiated or software-to-software document exchanges, governing document exchange to ensure regulatory compliance remains a challenge because processes and integration functions differ across organizations. Among the various issues of regulatory compliance, security and privacy protection are the most important ones, especially for healthcare, financial businesses, and legal services (Chiu et al., 2011).

To facilitate the governance of cross-organizational document exchange for compliance with protection policies, we propose replacing traditional ad hoc or manual methods of exchange with a Document / Image Exchange Platform (DIEP), through which all document images are exchanged. The DIEP provides a single border check. It is built on the Service-Oriented Architecture (SOA), and its Role Based Access Control (RBAC) enables all protection policies and auditing procedures to be effectively executed, monitored, and managed. In particular, the SOA provides a standard, open interface for implementing and deploying document watermarking services that audit document exchanges. Under RBAC, permissions are associated with roles, and users are assigned to appropriate roles, thereby acquiring those roles’ permissions. Roles can be granted new permissions, and permissions can be revoked from roles as needed. The significant benefit of deploying RBAC is its flexibility in meeting the changing needs of organizations and document owners. Further, the conceptual model of our DIEP employs a layered approach to facilitate the design and implementation of the whole governance process from the management to the technical level.

Extending our previous work on controlling the exchange of structured data (Hung et al., 2007), we employ watermarking technologies to embed control information into documents. This supports integrity, privacy, and access control, as well as future tracking and auditing. One key advantage of watermarking is that robust watermarks normally survive transfer to other media (e.g., printouts and copies) and remain detectable outside the DIEP system. Our framework complements traditional access control policy enforcement rather than replacing it. Although we cannot actively prevent violations outside the DIEP, such leakage points and the unauthorized usage behind them can be traced, which helps deter the unauthorized use of documents.
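The two mechanisms just described, the RBAC decision at the border and the watermark that ties a released copy to its recipient, can be illustrated together. The following is an added example written for this page; it is not code from the paper or from the DIEP implementation. It assumes a toy RBAC policy (the users, roles and permissions are constructed), an 8-bit grayscale image held as raw bytes, and a least-significant-bit (LSB) watermark carrying the control record: document id, recipient, and an HMAC over the control record plus the image with its LSB plane cleared. An LSB watermark is fragile, so it is used here only to show the embed/verify/trace flow; the robust watermarks the paper relies on (which survive printing and copying) need a different embedding scheme.

```python
"""Toy DIEP border check: RBAC decision, then an LSB watermark carrying control information."""
import hashlib
import hmac
import struct

# Constructed RBAC policy (assumption: user names, roles and permissions are illustrative).
ROLE_PERMISSIONS = {
    "physician": {"view_record", "export_record"},
    "billing_clerk": {"view_invoice"},
}
USER_ROLES = {"dr_lee": {"physician"}, "amy": {"billing_clerk"}}


def grant(role, permission):
    ROLE_PERMISSIONS.setdefault(role, set()).add(permission)


def revoke(role, permission):
    ROLE_PERMISSIONS.get(role, set()).discard(permission)


def permitted(user, permission):
    """A user holds a permission iff one of the user's roles holds it."""
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in USER_ROLES.get(user, ()))


# Control record layout: doc_id (4 bytes) | recipient (16 bytes, NUL padded) | tag (8 bytes)
RECIPIENT_LEN = 16
TAG_LEN = 8
PAYLOAD_LEN = 4 + RECIPIENT_LEN + TAG_LEN


def _tag(key, doc_id, recipient, carrier):
    """HMAC over the control info and the image with its LSB plane cleared,
    so the tag binds the recipient to this document's visible content."""
    cleared = bytes(b & 0xFE for b in carrier)
    msg = struct.pack(">I", doc_id) + recipient + cleared
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def embed(key, image, doc_id, recipient):
    """Write the control record into the LSBs of the first PAYLOAD_LEN*8 pixels."""
    if len(image) < PAYLOAD_LEN * 8:
        raise ValueError("image too small to carry the control record")
    rec = recipient.encode().ljust(RECIPIENT_LEN, b"\0")
    if len(rec) != RECIPIENT_LEN:
        raise ValueError("recipient name too long")
    payload = struct.pack(">I", doc_id) + rec + _tag(key, doc_id, rec, image)
    out = bytearray(image)
    for i, byte in enumerate(payload):
        for j in range(8):
            idx = i * 8 + j
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - j)) & 1)
    return bytes(out)


def extract(key, image):
    """Return (doc_id, recipient) if the control record verifies, else None."""
    if len(image) < PAYLOAD_LEN * 8:
        return None
    payload = bytearray()
    for i in range(PAYLOAD_LEN):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (image[i * 8 + j] & 1)
        payload.append(byte)
    doc_id = struct.unpack(">I", payload[:4])[0]
    rec = bytes(payload[4:4 + RECIPIENT_LEN])
    tag = bytes(payload[4 + RECIPIENT_LEN:])
    if not hmac.compare_digest(tag, _tag(key, doc_id, rec, image)):
        return None  # tampered visible content, wrong key, or no watermark
    return doc_id, rec.rstrip(b"\0").decode()


def release(key, user, doc_id, image):
    """The border check: deny unless the requester's role permits export,
    otherwise hand out a copy that carries the requester's identity."""
    if not permitted(user, "export_record"):
        return None
    return embed(key, image, doc_id, user)


def trace(key, leaked_copy):
    """Run on a copy found outside the DIEP: who received it, or None."""
    return extract(key, leaked_copy)


# Constructed 16x16 8-bit grayscale carrier and demo key (both assumptions).
KEY = b"diep-demo-key"
IMAGE = bytes((x * 7 + y * 13) & 0xFF for y in range(16) for x in range(16))

if __name__ == "__main__":
    print("billing clerk export:", release(KEY, "amy", 42, IMAGE))
    copy = release(KEY, "dr_lee", 42, IMAGE)
    print("traced leaked copy to:", trace(KEY, copy))
    tampered = bytearray(copy)
    tampered[200] ^= 0x80
    print("tampered copy traces to:", trace(KEY, bytes(tampered)))
```

Because the tag covers the image with its LSB plane cleared, the watermarked copy differs from the original only in that plane, yet any change to the visible content (or to the recipient field) invalidates the record, which is the condition under which the alert in the next paragraph would be raised. Revoking `export_record` from the physician role takes effect at the next `release` call with no per-user changes, which is the RBAC flexibility the text refers to.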

Additionally, in case of protection policy violation attempts, our DIEP makes use of an Alert Management System (AMS) (Kafeza et al., 2004) to notify the management and affected parties so that flexible follow-up and remedial actions can be taken. This can not only stop further violations of protection policies, such as the unauthorized spread of documents or the spread of maliciously tampered documents, but also facilitates high-level governance by alerting the appropriate levels of management.

To demonstrate the advantage of our approach, we illustrate the applicability of our DIEP in healthcare process integration. In particular, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the U.S. provides detailed formal requirements for security and privacy protection policies.
