An Interoperable Cross-Context Architecture to Manage Distributed Personal E-Health Information

Mina Deng (Katholieke Universiteit Leuven, Belgium), Danny De Cock (Katholieke Universiteit Leuven, Belgium) and Bart Preneel (Katholieke Universiteit Leuven, Belgium)
DOI: 10.4018/978-1-61520-670-4.ch027


Ensuring interoperability across different healthcare providers becomes an important issue, with a potentially large return on investment (ROI), when multiple healthcare providers collaborate in an e-Health system. In cross-context communications, the same information can be expressed by means of different types or values. This chapter proposes a new architecture for cross-context identity management in the e-Health application domain, aiming to improve interoperability between healthcare providers when context-specific information, such as patients’ identifiers, is transferred from one context to another. Furthermore, an algorithm for issuing and converting context-specific identifiers, based on cryptographic techniques, is presented. How the proposed cross-context interoperability service can be integrated in a real-world e-Health system is explained with a use case scenario.
Chapter Preview


In recent years, both industry and research communities have witnessed a growing interest in the technological evolution of electronic health (e-Health) systems, such as Google Health (GoogleHealth, 2009) and Microsoft software and solutions for the health industry (MicrosoftHealth, 2009a, 2009b). The goals of these systems are threefold: first, to provide ubiquitous access to the lifelong clinical records of a patient to all relevant stakeholders, including the patient, anytime, anywhere, on any device; second, to integrate and enrich clinical, medical and operational knowledge to support lifelong health guidance of citizens within a community, region and country; third, to streamline the workflow into shared clinical and operational pathways in order to enable disease management and optimally support the clinical process. Combining these three goals facilitates inter-professional collaboration while guaranteeing the privacy of the patient.

The major technical challenges facing e-Health services are facilitating efficiency, information retrieval and availability, and cross-context interoperability, without compromising the patient’s privacy. The rapid aging of populations, combined with pressure on budgets for healthcare delivery, and technological advances are the driving forces behind these challenges. Hence, in the realm of e-Health, security and privacy issues have a deep impact. Privacy refers to the protection of entities’ private information. Security techniques, such as access control mechanisms, are adopted in e-Health systems to ensure that only involved and properly authorized parties have access to sensitive data.

From Provider-Centric Towards User-Centric System in a Single Healthcare Provider

Traditional e-Health solutions were mainly concerned with a limited view of patient information, taking a provider-centric approach, and mostly limited to a single provider. A paradigm shift is taking place in the e-Health domain, with an evolution from provider-centric towards user-centric healthcare. In the user-centric system, the transparency of the health care decision making and information flow is significantly increased from the patient’s perspective.

The adoption of user-centric federated identity management (FIM) systems can help keep the number of parties dealing with a person’s healthcare information as small as possible. For example, the circle of trusted parties should not be extended or broken by moving from a paper-based to an electronic health administration. A patient expects a trust relation with medics; however, as in the past with a doctor’s secretary, the trust placed in a system administrator may not be the same as that placed in medics.

In provider-centric identity and information management systems, data is hosted and managed by a service provider using a central repository. This has various advantages from the service provider’s point of view, such as being cost effective and easily scalable. The disadvantage is that by applying such an approach, the user loses control over his or her personal information. The user can regain this control with a user-centric identity management (IDM) system.

In user-centric IDM, the user is put in the centre of interest and is given control over personal information, and access to logs on information that was exchanged across and inside the healthcare contexts. In particular, this means that the user can influence or even specify the policies that must be enforced when service providers wish to process his information, and that he can verify whether information has been exchanged without his personal consent. This has the obvious advantage of better protecting the privacy of each individual user. However, responsibility for storing and updating correct data then lies with the user.

Key Terms in this Chapter

Privacy: Privacy is the right of an entity - in this context usually a natural person - to decide when and on what terms its attributes should be revealed. In an IDM context, privacy is mostly used as a synonym of informational privacy, i.e., the interest of a natural person to control, or at least significantly influence the handling of data about themselves, also taking into account the nature of the applicable attributes and the entity in charge of data management.

Context: A context is a sphere of activity, a geographic region, a communication platform, an application, or a logical or physical domain. Practically, a context is only relevant in an interaction. Cross-context refers to activities spanning two or more contexts.

Identifier: An identifier is an attribute or a set of attributes of an entity which uniquely identifies the entity within a certain context. An entity may have multiple distinct identifiers referring to it. Identifiers uniquely identify an entity, while characteristics do not need to. However, it should be noted that identifiers can consist of a combination of attributes, whereas characteristics are always one single attribute.

Access Control: Access control is the protection of resources with technical, regulatory and organisational measures against access or use by unauthorised entities.

Identity Management (IDM): Identity management is the managing of partial identities of entities, i.e., the definition, designation and administration of identity attributes, as well as the choice of the partial identity to be (re-)used in a specific context.

Authentication: Authentication is the corroboration of a claimed set of attributes or facts with a specified, or understood, level of confidence.

Pseudonym: A pseudonym is an arbitrary identifier of an identifiable entity, by which a certain action can be linked to this specific entity. The entity that may be identified by the pseudonym is the pseudonym holder. A pseudonym is typically a fictitious name that can refer to an entity without using any of its identifiers. Like identifiers, pseudonyms are context-bound, and one pseudonym is not necessarily valid across multiple identity management systems. An entity is pseudonymous if it relies on a pseudonym as identifier. The procedure by which all person-related data within a data record is replaced by one pseudonym is pseudonymisation.

Trusted Third Party (TTP): A trusted third party is an entity trusted by multiple other entities within a specific context and which is alien to their internal relationship.
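The context-bound nature of pseudonyms and the role of a TTP in converting them between contexts, as defined above, can be illustrated with a small keyed-hash construction. This is an added example, not the chapter's algorithm (which this page does not detail); the class name `PseudonymTTP`, the per-context secret keys and the TTP-held reverse-lookup table are assumptions of the example.

```python
import hmac
import hashlib


class PseudonymTTP:
    """Hypothetical trusted third party that issues context-bound pseudonyms.

    Each context (e.g. a hospital, a pharmacy) gets its own secret key that only
    the TTP holds. A pseudonym is an HMAC of the root identifier under that
    context's key, so a provider seeing only its own context's pseudonyms cannot
    link them to another context's pseudonyms for the same person without the TTP.
    """

    def __init__(self):
        self._keys = {}      # context name -> secret key (TTP-only)
        self._reverse = {}   # (context, pseudonym) -> root identifier (TTP-only)

    def register_context(self, context, key):
        # Key must be a byte string; in practice it would be generated and
        # stored securely by the TTP, here it is supplied by the caller.
        self._keys[context] = key

    def issue(self, root_id, context):
        """Derive (deterministically) the pseudonym of root_id within a context."""
        key = self._keys[context]
        msg = f"{context}:{root_id}".encode()
        pseudonym = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        self._reverse[(context, pseudonym)] = root_id
        return pseudonym

    def convert(self, pseudonym, from_ctx, to_ctx):
        """Map a pseudonym valid in from_ctx to the same entity's pseudonym in to_ctx.

        Only the TTP can do this, because only it can resolve a context-bound
        pseudonym back to the root identifier. Unknown pseudonyms are rejected.
        """
        root_id = self._reverse.get((from_ctx, pseudonym))
        if root_id is None:
            raise KeyError(f"pseudonym {pseudonym!r} is not known in context {from_ctx!r}")
        return self.issue(root_id, to_ctx)


def demo():
    # Constructed sample data: two contexts with (deliberately fixed) keys.
    ttp = PseudonymTTP()
    ttp.register_context("hospital", b"hospital-context-key-constructed")
    ttp.register_context("pharmacy", b"pharmacy-context-key-constructed")
    p_hosp = ttp.issue("patient-42", "hospital")
    p_pharm = ttp.issue("patient-42", "pharmacy")
    return p_hosp, p_pharm, ttp.convert(p_hosp, "hospital", "pharmacy")
```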

Identification: Identification is the process of using claimed or observed attributes of an entity to deduce who the entity is. The term identification is also referred to as entity authentication. The identification of an entity within a certain context enables another entity to distinguish between the entities it interacts with.

Authorisation: Authorisation refers to the permission of an authenticated entity to perform a defined action or to use a defined service/resource; the process of determining, by evaluation of applicable permissions, whether an authenticated entity is allowed to have access to a particular resource. Usually, authorisation is in the context of authentication. Permission is granted or denied based on the result of data or entity authentication, and the permitted activities, as defined within the system. Once an entity is authenticated, it may be authorised to perform different types of access, each of which is referred to as a role.
