PRIMA (Privacy Management Architecture) - Overview
In Healthcare today, there isn't necessarily a correlation between the adoption of privacy policies and adequate patient privacy protection. The protection mechanisms in place at Healthcare entities are under-utilized, and often bypassed, in order to deliver care. Exception-based access, typically in Break-The-Glass scenarios, is the general rule in Healthcare rather than an infrequent occurrence.
This current state of affairs appears to put the patient at risk, to engender a false sense of privacy while purporting compliance with regulation, to undermine the notion of empowering the patient, and to make consent to a policy meaningless, since consent is no longer valid when the policy itself is not valid. In this context, the existence of a policy is insignificant because it is not a genuine reflection of the company's privacy practices.
In this work we propose PRIMA, a PRIvacy Management Architecture for healthcare systems, which addresses this problem of the circumvention of policy. PRIMA utilizes the actual practices of the organizations (embodied in the audit logs) to perform policy refinement. The system's advantages are that: 1) it fits the clinical workflow rather than requiring the workflow to fit it, i.e. it does not impede the clinical workflow, 2) it enables precise (or rather more realistic) definitions of purposes, criteria for exception-based accesses and categories of authorized users, and 3) it enables improved privacy protection for the patient.
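As an added illustration of the policy-refinement idea described above (this is not PRIMA's own code; the log format, the thresholds and the promotion rule are assumptions), the script below takes a written role/purpose policy and a constructed audit log, measures how many accesses fall outside the written policy, and promotes exception paths that several users exercise routinely into the policy while leaving rare exceptions for review:

```python
from collections import Counter

# Constructed sample audit log (not taken from the page or from PRIMA):
# who accessed a patient record, under which role, for which declared
# purpose, and whether the access went through Break-The-Glass (btg).
AUDIT_LOG = [
    {"user": "nurse01", "role": "nurse", "purpose": "treatment", "btg": False},
    {"user": "nurse02", "role": "nurse", "purpose": "billing", "btg": True},
    {"user": "nurse01", "role": "nurse", "purpose": "billing", "btg": True},
    {"user": "nurse03", "role": "nurse", "purpose": "billing", "btg": True},
    {"user": "doc01", "role": "physician", "purpose": "treatment", "btg": False},
    {"user": "doc02", "role": "physician", "purpose": "research", "btg": True},
    {"user": "clerk01", "role": "clerk", "purpose": "billing", "btg": False},
]

# Assumed written policy: role -> purposes for which access is authorized.
POLICY = {
    "nurse": {"treatment"},
    "physician": {"treatment"},
    "clerk": {"billing"},
}

def exception_rate(policy, log):
    """Fraction of logged accesses the written policy does not cover,
    i.e. accesses that had to go through an exception path."""
    uncovered = sum(1 for e in log
                    if e["purpose"] not in policy.get(e["role"], set()))
    return uncovered / len(log)

def refine_policy(policy, log, min_count=3, min_users=2):
    """Promote (role, purpose) pairs that are routinely exercised via
    Break-The-Glass by several distinct users into the policy. Returns
    the refined policy (the input is left untouched) and the residual
    exceptional accesses that still warrant manual review."""
    counts, users = Counter(), {}
    for e in log:
        if e["btg"]:
            key = (e["role"], e["purpose"])
            counts[key] += 1
            users.setdefault(key, set()).add(e["user"])
    refined = {r: set(p) for r, p in policy.items()}
    for (role, purpose), n in counts.items():
        if n >= min_count and len(users[(role, purpose)]) >= min_users:
            refined.setdefault(role, set()).add(purpose)
    residual = [e for e in log if e["btg"]
                and e["purpose"] not in refined.get(e["role"], set())]
    return refined, residual
```

With the constructed log, nurses' billing accesses are promoted into the policy because three different nurses used the exception path, while the single physician research access stays flagged for review.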
PRIMA (Privacy Management Architecture) - Publications
- Tyrone Grandison, Sean Thorpe. "Using A Policy Spaces Auditor to Check for Temporal Inconsistencies in Healthcare Audit Log Files". Symposium of Health Informatics in Latin America And The Caribbean (SHILAC) 2013. Cancun, Mexico. August 14, 2013.
- Rafae Bhatti, Dadong Wan. "Avoiding Healthcare Privacy Breaches through Integrated Audit and Access Control". Journal HIM, Vol 26, No 4, pp 32-36, 2012.
- Rafae Bhatti, Tyrone Grandison. "Improving Security Policy Coverage in Healthcare". In "Certification and Security in Health-Related web applications: Concepts and Solutions". Editors: Anargyros Chryssanthou, Iraklis Varlamis, Ioannis Apostolakis. IGI Global. 2010.
- Tyrone Grandison, Rafae Bhatti. "Regulatory Compliance and the Correlation to Privacy Protection in Healthcare". International Journal of Computational Models and Algorithms in Medicine. Special Issue on Privacy and Security Issues for Medical Data. March 2010.
- Claudio A. Ardagna, Sabrina De Capitani di Vimercati, Sara Foresti, Tyrone W. Grandison, Sushil Jajodia, Pierangela Samarati. "Access control for smarter healthcare using policy spaces". Computers & Security, Vol 29, No 8, pp 848-858, 2010.
- Claudio A. Ardagna, Sabrina De Capitani di Vimercati, Tyrone Grandison, Sushil Jajodia, Pierangela Samarati. "Regulating Exceptions in Healthcare using Policy Spaces". To appear in the Proceedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSEC) 2008. London, United Kingdom. July 2008.
- Rafae Bhatti, Tyrone Grandison. "Towards Improved Privacy Policy Coverage in Healthcare Using Policy Refinement". The Proceedings of the 4th VLDB Workshop on Secure Data Management 2007. Vienna, Austria, Sept 2007.
- Tyrone Grandison, John Davis. "The Impact of Industry Constraints on Model-Driven Data Disclosure Controls". The Proceedings of the 1st International Workshop on Model-Based Trustworthy Health Information Systems (MOTHIS) 2007, Nashville, Tennessee. Sept 2007.