Abstract
e-Health applications enable one to acquire, process, and share patient medical data to improve diagnosis, treatment, and patient monitoring. Despite the undeniable benefits brought by the digitization of health systems, the transmission of and access to medical information raise critical issues, mainly related to security and privacy. While several security mechanisms exist that can be applied in an e-Health system, they may not be adequate due to the complexity of the involved workflows and to the possible inherent correlation among health-related concepts, which may be exploited by unauthorized subjects. In this article, we propose a novel methodology for the validation of security and privacy policies in a complex e-Health system. The methodology leverages a formal description of clinical workflows and a semantically enriched definition of the data model used by the workflows to build a comprehensive model of the system that can be analyzed with automated model checking and ontology-based reasoning techniques. To validate the proposed methodology, we applied it to two case studies, subject to the directives of the EU GDPR for the protection of health data, and demonstrated its ability to correctly verify the fulfillment of desired policies in different scenarios.
A Security and Privacy Validation Methodology for e-Health Systems