Automated Policy: HIE POLICY ENFORCEMENT
Lead Institution: Stanford
Project Leader: John C. Mitchell
- Focus of the research/Market need for this project
State laws for consent require the use of information only under certain conditions with patient approval. Current EHR/EMR solutions can only enforce policies within the boundaries of their systems and do not provide adequate access control when the record leaves the originating organization.
- Project Aims/Goals
The aim of this project is to develop a way to enforce privacy policies even if a document is transmitted outside of the originating institution. To do this, we must first model the applicable policies to determine the characteristics of valid users. Once the policy has been computed, we apply attribute-based encryption (ABE) to enforce the policy at decryption time.
- Key Conclusions/Significant Findings/Milestones reached/Deliverables
Our efforts with this project have led to the following observations:
- Some access policies can be enforced on medical records without the use of a traditional server-side access control checker
- Privacy law clauses can be encoded in first-order logic as compliance trees (Figure 1) that describe the components of the clauses.
- Changes to privacy law can be modeled and reflected in the corresponding compliance trees
- There exists a finite representative hospital database that illustrates how privacy laws may apply to different cases
- Our logic representation can be used to test and debug laws and support education
- Materials Available for Other Investigators/interested parties
- Source code: http://crypto.stanford.edu/privacy/HIPAA/IHI2012_HIE_Git.zip
- Virtual machine: http://tinyurl.com/lmcvhrq
- Market entry strategies
Current access controls used by companies such as Epic, Cerner and Intersystems cannot guarantee policy enforcement outside of the originating organization. We think that this work will benefit HIE, as it allows policy to follow the medical record as it is shared and re-shared in different contexts.
Peifung E. Lam, John C. Mitchell, Andre Scedrov, Sharada Sundaram, and Frank Wang
ACM SIGHIT International Health Informatics Symposium (IHI12), January 2012