Article Preview
TopIntroduction
In cross-organizational process integration, more and more stakeholders are involved and connected through ubiquitous wired and wireless networks (Chiu et al., 2010). Despite the automation of data exchange and processing, a vast amount of business document images have been created in electronic formats, not just for easy storage and maintenance, but also due to the requirements of laws and regulations. Furthermore, there is still an increasing need for the exchange of document images due to the fact that “a picture is worth a thousand words”. However, current exchanges are still mainly performed through uncontrolled emails, fax, or traditional ad hoc manual file transfer practices. Even with the emergence of software-initiated or software-to-software document exchanges, the governance of document exchange to ensure regulation compliance is more like a challenge than a solution because of the disparity of process and integration functions. Among various issues of regulation compliance, security and privacy protection are the most important ones, especially for healthcare, financial businesses, and legal services (Chiu et al., 2011).
To facilitate the governance of cross-organizational document exchange for the compliance with protection policies, we propose the replacement of traditional ad hoc or manual methods of exchange with a Document / Image Exchange Platform (DIEP), through which all document images are exchanged. The DIEP provides a single border check based on the Service-Oriented Architecture (SOA), and Role Based Access Control (RBAC) enables all the protection policies and auditing procedures to be effectively executed, monitored, and managed. In particular, the SOA provides a standard, open interface for the implementation and deployment of document watermarking services for auditing their exchanges. For RBAC, permissions are associated with roles, and users classified into appropriate roles thereby acquiring the roles’ permissions. In addition, roles can be granted new permissions, and permissions can be revoked from roles as needed. The significant benefit of deploying RBAC is its flexibility to meet the changing needs of organizations and document owners. Further, the conceptual model of our DIEP employs a layered approach to facilitate the design and implementation of the whole governance process from management to technical levels.
Enhanced from our previous work on limiting the exchange of structural data (Hung et al., 2007), we add the employment of watermark technologies to embed control information into documents. This enables integrity, privacy, and access control as well as for future tracking and auditing purposes. One key advantage of watermarking is that robust watermarks will normally remain in other media (e.g., printouts and copies), which is still detectable out of the DIEP system. Our framework is complementary to the traditional access control policy enforcement, but not replacing it. Although we cannot provide active violation prevention out of the DIEP, such authorized usage and leakage points can be traced, and therefore this helps deter the unauthorized usages of documents.
Additionally, in case of protection policy violation attempts, our DIEP will make use of an Alert Management System (AMS) (Kafeza et al., 2004) to notify the management and affected parties so that flexible actions could be taken for follow up and remedy. This not only possibly stops further violation of protection policies such as the unauthorized spread of documents or the spreading of maliciously tampered documents, but also facilitates high-level governance through the alert to the appropriate levels of management.
To demonstrate the advantage of our approach, we illustrate the applicability of our DIEP in healthcare process integration. In particular, the introduction of Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the U.S. provides detailed formal requirements for security and privacy protection policies.