EMR Project
Vanderbilt (Sztipanovits, Karsai, Xue)
Stanford (Mitchell, Datta, Barth, Sundaram)
Berkeley (Bajcsy, Sastry)
Cornell (Wicker, Gehrke, Machanavajjhala)
TRUST Retreat, October 8-9, 2006
Preamble

• EMR is an integrative project for motivating, testing and evaluating core TRUST research areas in:
– Model-based design for security
– Formal modeling, verifying and enforcing policies
– Sensor networks
– Investigating “best practices” for interfacing public policy to technology
• We are fully aware that EMR is a huge area of research and EMR-TRUST is just one relatively small subproject in TRUST. We leverage our partnership with the Vanderbilt Medical Center to have a broader impact.
• One related effort in the US is Microsoft’s Software Factory for HL7 compliant EMR transfer among providers.
The Problem

• Rise in mature population
– Table: Population of age 65 and older with Medicare was 35 million for 2003 and 35.4 million for 2004 (table compiled by the U.S. Administration on Aging based on data from the U.S. Census Bureau).
– Chart: Percentage of population over 60 years old, 2050; global average = 21% (United Nations, “Population Aging 2002”).
• New types of technology
– Electronic Patient Records
– Telemedicine
– Remote Patient Monitoring
• Empower patients:
– Access to own medical records
– Control the information
– Monitor access to medical data
• Regulatory compliance
Challenges

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– HIPAA Privacy Rule (2003): gives US citizens
    – Right to access their medical records
    – Right to request amendments, accounting of disclosures, etc.
– HIPAA Security Rule (2005): requires healthcare organizations to
    – Protect person-identifiable health data that is in electronic format
• Complexity of privacy
– Variable levels of sensitivity; “sensitive” in the eye of multiple beholders
– No bright line between person-identifiable and “anonymous” data
• Complexity of access rights and policies
– Simple role-based access control is insufficient
– Governing principles: “need-to-know” and “minimum disclosure”
Research Platform: Patient Portal

• MyHealthAtVanderbilt is a web portal for an increasing number of services for patients.
• Current capabilities include
– appointment management,
– secure messaging,
– access to EMR and
– billing
• Future services will/may include medication management, patient data uploads, real-time data links and others.
Overall Research Objective

• Satisfying high-level requirements stated for
– privacy, confidentiality,
– integrity,
– non-repudiation and
– access control
properties of information flows in the PP (Patient Portal) system.
• Focus on system architecture and policy issues, leveraging existing security technology components.
TRUST Research Effort in EMR

• Architecture modeling and analysis
• Policy modeling and analysis
• Interfacing real-time patient data
Architecture Modeling and Analysis Sub-Project

• Architecture analysis is conducted based on the SOA architecture framework, a natural fit to the problem and to the existing implementation of MyHealthAtVanderbilt.
• In SOA,
– Workflow modeling
– Policy modeling
– Data modeling
– Service modeling
are used to restrict and automate information flow in a complex, dynamic environment.
Research Approach

Domain analysis
• System Analysis
• Risks and Threats Analysis
• Policy Analysis
Participants: VU Medical School; TRUST research groups (Vanderbilt, Stanford)

Modeling
• Domain Specific Modeling Languages
• Domain Specific Policy Languages
• Privacy preservation
Participants: VU Medical School; TRUST research groups (Vanderbilt, Stanford, Cornell)

Fast prototyping
• Mapping to target architecture -> recommendations
• BPEL4WS tools
Participants: TRUST research groups (Vanderbilt, Stanford, Berkeley)
Domain Analysis

• Regular meetings with Medical School
– Physicians
– Medical Informatics Researchers
– Software engineering staff
– Privacy Officer
– Information Security Officer
• Architecture and policy discussions
• Case studies
• Brainstorming sessions
“Target” Architecture for Experimentation

Diagram (Target Architecture): Partners; External Policy Enforcement Point with its Policy Decision Pt.; Internal Policy Enforcement Point with its Policy Decision Pt.; Policy Repos.; BPEL Process Manager; Configuration Engine; internal services S1, S2, ..., Sn.

Standards:
• BPEL
• XACML
• SAML
• WS-Sec
• ...

Limitations:
• Modeling languages?
• Policy languages?
• Openness of architecture?
• Tractability of analysis?
Modeling For Patient Portal

Diagram: PP Domain
• Workflow Models: Activities, Coordination
• Service Models: Component Interface, Data Models
• Policy Models: Access models, Privacy models
Modeling Tools and Analysis Tools operate on these models; Model Translators (Model Transformation) map them onto the technology infrastructure:
• BPEL4WS -> BPEL Process Manager (BPEL Infrastructure)
• WSDL
• XACML -> Policy Repos.

Research Tasks:
• Specification of modeling/policy languages
• Model analysis/verification methods
• Model translator specification
• Case studies
Modeling Challenges

• Development of “correct” abstractions
– How to establish a clear relationship among workflow, data and policy related abstractions?
Examples:
“A patient is allowed to make appointments only for regular hours.”
“Physicians can access and modify medical records for those patients where they are the designated primary care physician.”
“A nurse can read medical records only in her specialization except when the illness is marked confidential.”
Research approach:
Formal specification, experimental evaluation and evolution of modeling languages.
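The three example rules above are attribute-based: each one compares an attribute of the subject (who the designated physician is, the nurse's specialization, the requested time) with an attribute of the resource, so a role check alone cannot decide them. The following is an added example, not code from the TRUST/EMR project or from MyHealthAtVanderbilt: a Python sketch of the policy-decision-point semantics the rules require. The attribute names (primary_care_physician, specialization, confidential, slot), the clinic hours and the sample subjects and records are assumptions made for illustration; in the target architecture such rules would be written in XACML and kept in the policy repository.

```python
"""Attribute-based policy decisions for the three example rules.

Added illustration (not project code). Attribute names, clinic hours and
sample data are assumptions; the decision logic is the slide's three rules
plus the patient's right of access to their own record.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Assumed "regular hours" for appointment booking: 08:00 <= slot < 17:00.
REGULAR_HOURS = (time(8, 0), time(17, 0))


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str                          # "patient" | "physician" | "nurse"
    specialization: Optional[str] = None


@dataclass(frozen=True)
class Record:
    patient_id: str
    primary_care_physician: str        # user_id of the designated PCP
    specialization: str                # specialty the record belongs to
    confidential: bool = False         # "illness is marked confidential"


@dataclass(frozen=True)
class Request:
    subject: Subject
    action: str                        # "read" | "modify" | "make_appointment"
    record: Optional[Record] = None
    slot: Optional[time] = None        # requested appointment time


def decide(req: Request) -> str:
    """Return "Permit" or "Deny"; anything not explicitly permitted is denied.
    Every rule compares a subject attribute with a resource attribute, so the
    role by itself never grants access: this is what plain RBAC cannot express."""
    s = req.subject

    # "A patient is allowed to make appointments only for regular hours."
    if s.role == "patient" and req.action == "make_appointment":
        start, end = REGULAR_HOURS
        if req.slot is not None and start <= req.slot < end:
            return "Permit"
        return "Deny"

    r = req.record
    if r is None:
        return "Deny"

    # "Physicians can access and modify medical records for those patients
    #  where they are the designated primary care physician."
    if s.role == "physician" and req.action in ("read", "modify"):
        return "Permit" if r.primary_care_physician == s.user_id else "Deny"

    # "A nurse can read medical records only in her specialization except
    #  when the illness is marked confidential."
    if s.role == "nurse" and req.action == "read":
        if r.confidential:
            return "Deny"
        return "Permit" if r.specialization == s.specialization else "Deny"

    # Patient right of access to their own record (HIPAA Privacy Rule).
    if s.role == "patient" and req.action == "read":
        return "Permit" if r.patient_id == s.user_id else "Deny"

    return "Deny"


def demo() -> dict:
    """Evaluate a constructed set of requests; returns {label: decision}."""
    rec = Record("pat-101", primary_care_physician="dr-lee", specialization="cardiology")
    secret = Record("pat-102", "dr-lee", "cardiology", confidential=True)
    dr_lee = Subject("dr-lee", "physician")
    dr_kim = Subject("dr-kim", "physician")
    nurse_c = Subject("rn-01", "nurse", specialization="cardiology")
    nurse_o = Subject("rn-02", "nurse", specialization="oncology")
    patient = Subject("pat-101", "patient")
    return {
        "pcp modifies own patient": decide(Request(dr_lee, "modify", rec)),
        "other physician modifies": decide(Request(dr_kim, "modify", rec)),
        "nurse reads own specialty": decide(Request(nurse_c, "read", rec)),
        "nurse reads other specialty": decide(Request(nurse_o, "read", rec)),
        "nurse reads confidential": decide(Request(nurse_c, "read", secret)),
        "patient reads own record": decide(Request(patient, "read", rec)),
        "patient reads other record": decide(Request(patient, "read", secret)),
        "appointment 10:00": decide(Request(patient, "make_appointment", slot=time(10, 0))),
        "appointment 20:00": decide(Request(patient, "make_appointment", slot=time(20, 0))),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:28s} -> {outcome}")
```

The point of the sketch is the default-deny structure and the attribute comparisons: a role-only implementation would have to permit every physician to modify every record, which is exactly the over-disclosure the “need-to-know” and “minimum disclosure” principles rule out.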
Modeling Tool
Architecture Challenges

• Privacy/security in open, dynamic architectures
– Workflows are added to and modified in the system.
– The structure of information flows is dynamic, data dependent and complex.
How can we guarantee and maintain privacy/security properties?
Example:
– A new service is added to the PP to provide relevant information for patients. Are there privacy leaks?
Research approach:
Data mining of audit files to discover leaks and information flows that are not in the model.
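One concrete form of the audit-mining approach above, as an added example that is not code from the project: every audit record names the service that acted and the class of patient data it touched, and the workflow and data models define which (service, data class) pairs are allowed. Flows seen in the log but absent from the model are the candidate leaks; modeled flows never seen in the log are either dead model elements or a logging gap. The log format, the modeled flows and the log lines (including the unmodeled “health_tips” service standing in for the newly added patient-information service) are all constructed for this illustration.

```python
"""Mining an audit log for information flows that are not in the model.

Added illustration (not project code). Log format, modeled flows and the
audit lines below are made up for the example.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Flows the workflow/data models allow: which service may touch which class
# of patient data.
MODELED_FLOWS = {
    ("appointments", "schedule"),
    ("messaging", "message"),
    ("emr_view", "clinical_note"),
    ("emr_view", "lab_result"),
    ("billing", "invoice"),
}

# Constructed audit log. "health_tips" is the new "relevant information for
# patients" service; it was deployed without being added to the models.
AUDIT_LOG = """\
ts,service,actor,patient,data_class,action
2006-10-08T09:01:12,appointments,pat-101,pat-101,schedule,read
2006-10-08T09:02:40,emr_view,dr-7,pat-101,lab_result,read
2006-10-08T09:03:05,billing,pat-101,pat-101,invoice,read
2006-10-08T09:04:31,health_tips,svc-tips,pat-101,clinical_note,read
2006-10-08T09:04:32,health_tips,svc-tips,pat-101,medication,read
2006-10-08T09:05:00,emr_view,dr-7,pat-102,clinical_note,read
2006-10-08T09:06:15,health_tips,svc-tips,pat-102,clinical_note,read
"""


def parse_audit(text: str) -> list:
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def unmodeled_flows(entries, modeled=MODELED_FLOWS) -> Counter:
    """(service, data_class) pairs present in the log but absent from the
    model, with access counts. These are the candidate privacy leaks."""
    seen = Counter((e["service"], e["data_class"]) for e in entries)
    return Counter({flow: n for flow, n in seen.items() if flow not in modeled})


def unexercised_flows(entries, modeled=MODELED_FLOWS) -> set:
    """Modeled flows never observed in the log: dead model elements or a
    logging gap, either of which undermines the analysis."""
    seen = {(e["service"], e["data_class"]) for e in entries}
    return set(modeled) - seen


def patients_exposed(entries, modeled=MODELED_FLOWS) -> dict:
    """For each offending service, the set of patients whose data it touched
    outside the model: the starting point for investigating the leak."""
    exposed = defaultdict(set)
    for e in entries:
        if (e["service"], e["data_class"]) not in modeled:
            exposed[e["service"]].add(e["patient"])
    return dict(exposed)


if __name__ == "__main__":
    rows = parse_audit(AUDIT_LOG)
    for flow, n in unmodeled_flows(rows).items():
        print("UNMODELED", flow, n)
    print("UNEXERCISED", unexercised_flows(rows))
    print("EXPOSED", patients_exposed(rows))
```

Note that the audit log itself carries patient identifiers, so the analysis tooling and whoever runs it need the same access controls as the portal; this is the “privacy leaks through access to audit logs” issue listed under the deliverables.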
Deliverables

• Suite of modeling languages and tools
• In-depth modeling of part of the PP and detailed analysis of security and privacy properties
• Integration with Policy Languages component
• Exploring privacy issues related to the research project (e.g. privacy leaks through access to audit logs)
Policy Modeling Subproject
Privacy and Utility in Patient Portals
Adam Barth*, John C. Mitchell*, Anupam Datta*, Sharada Sundaram*+
* Stanford University
+ TCS
Interfacing Real-time Patient Data
(See Professor Bajcsy’s Talk)
Impact and technology transfer

• Direct connection to a major Patient Portal research and deployment project
• Results can be generalized to a wide range of SOA applications
• MyHealthAtVanderbilt; ....
How is TRUST making a difference here?

• Vanderbilt, Stanford, Berkeley, Cornell
• This project would be impossible without TRUST in every sense
Education and Outreach

• Immediate results of the unprecedented collaboration with the Medical School are:
- consideration of a CS pre-med
- joint projects
- co-advising students
- “TRUST Fellowship” for medical informatics Ph.D. candidates