Infrastructures for Secure Interoperability of EHR Systems
This topic addresses the definition and realization of technological infrastructures designed to make heterogeneous Electronic Health Record (EHR) systems interoperable each other, in order to enable citizens and health professionals to get access to clinical documents, wherever they are located and according to stringent security, privacy, and dependability requirements.
The development of an interoperability platform aiming at enabling different EHR solutions to share clinical information requires the design of i) an infrastructure architectural model and ii) mechanisms for the collection and retrieval of health documents and data to all the authorized users.
In order to preserve the autonomy of the existing healthcare domains, the architecture has to lie on a federation of regional registries, each of one has to able to localize healthcare documents and data within a specific regional domain.
Levels of registry federation
Within the InFSE, OpenInFSE, and OpenInFSE 2.0 projects, a novel interoperable infrastructure for EHR have been proposed, which is based on a SOA architecture defined and realized for the interoperability of regional EHR systems.
The proposed InFSE architecture is based on the Web Service technology, and documents are exchanged with WS-Security messages in accordance to the HL7 CDA standard. The architecture has been thought for a seamless access to EHR systems among the federation of the regional registries, but can also be adopted to realize a regional EHR system.
Software components of InFSE
The Connectivity layer is represented by the Public Connectivity System (SPC, as Italian acronym), a technology infrastructure defined by DigitPA (National Centre for IT in Public Administrations) for the application cooperation between the Italian Public Administrations.
The Component layer includes the infrastructural components of InFSE: Access Interface, Federated Index Registry, Document Manager, Hierarchical Event Manager, and Access Policy Manager.
Finally, the Business layer defines the application services, such as ePrescription, Consultation of clinical reports, Patient Summaries, and so on.
Detail of software components
- Access Interface: acts as an interface to the infrastructure. It receives the requests made by authorized users and forwards them to other components.
- Federated Index Registry: consists of a federation of a set of index registers able to search and locate health and social documents archived at the hospital repositories, by consulting a set of metadata.
- Document Manager: allows users to i) memorize in a persistent, reliable, and secure way health documents in hospital repositories, and ii) retrieve documents of interest.
- Hierarchical Event Manager: performs the routing and notification of health events to all the interested users through a network of event brokers, adopting a model based on the publish/subscribe paradigm.
- Access Policy Manager: is responsible for general aspects of security. First, it allows the identification and authentication of a user. In addition, it manages the authorization of user requests by evaluating role-based access policies according to the RBAC model.
The need to respect security and privacy requirements implies that EHR systems have to be able to manage the access to their resources, fulfilling both i) stringent constrains arising from international, national, and regional directives and norms, and ii) obligations regarding the autonomy of regional domains and organizations. For this reason, the definition of advanced access control models for the EHR systems is a very important research issue.
- Temporal component: allows the management of access rights depending on the time condition.
- Permission component: enables the specification of the access rights, that is, defines which operations are permitted on various objects.
- List component: allows patients to define a list of both role and id users.
- Able and NAble relations: enables to indicate the association between system users and permissions on objects. Therefore, this component permits easily to specify the users who have the rights to operate on the objects and those who do not have these rights.
- Purposes component: associates the Intended Purposes (that is, the purpose for which a particular document has been collected) to objects, with the goal of limiting document access to the listed purposes only.
- View component: is placed in the middle between the Able and NAble relations and the Permission component, constituted by object (clinical document) and operation. It allows defining a "list of parts" that is a view on a clinical document (document section). The patient can associate a users' list with a defined list of parts, through the Able relation.
- M.T. Chiaravalloti, M. Ciampi, E. Pasceri, M. Sicuranza, G. De Pietro, R. Guarasci, "A model for realizing interoperable EHR systems in Italy", in 15th International HL7 Interoperability Conference, Prague, Czech Republic, February 9-11, 2015.
- M. Sicuranza, A. Esposito, M. Ciampi, "An access control model to minimize the data exchange in the information retrieval", Journal of Ambient Intelligence and Humanized Computing, Springer Berlin Heidelberg, 2015
- M. Sicuranza, A. Esposito, and M. Ciampi, "A Patient Privacy Centric Access Control Model for EHR Systems", International Journal for Internet Technology and Secured Transactions, vol.5, pp. 163-189, 2014
- M. Sicuranza and M. Ciampi, "A semantic access control for easy management of the privacy for EHR systems", in the proc. of the 9th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC 2015), pp. 400-405, IEEE, 2014
- M. Sicuranza, A. Esposito, and M. Ciampi "A View-Based Access Control Model for EHR Systems", in IDC 2014: 8th International Symposium on Intelligent Distributed Computing, Madrid, Spain, Studies in Computational Intelligence, Volume 570, 2015, pp 443-452
- M. Ciampi, G. De Pietro, C. Esposito, M. Sicuranza, and P. Donzelli, "A Federated Interoperability Architecture for Health Information Systems", International Journal of Internet Protocol Technology, Inderscience Publishers, vol. 7, no. 4, pp. 189-202, 2013
- M. Sicuranza, M. Ciampi, G. De Pietro, and C. Esposito, “Secure Healthcare Data Sharing among Federated Health Information Systems”, to be printed in the International Journal of Critical Computer-Based Systems, Inderscience Publishers, 2013
- A. Esposito, M. Sicuranza, M. Ciampi, "A Patient Centric Approach for Modeling Access Control in EHR Systems", in ICA3PP 2013: Proceedings of the 13th International Conference on Algorithms and Architectures for Parallel Processing, Lecture Notes in Computer Science, Volume 8286, 2013, pp 225-232, DOI: 10.1007/978-3-319-03889-6_26
- M. Sicuranza e M. Ciampi, “An architecture solution for security and interoperability of EHR systems”, in the 4th Infrastructure workshop on Infrastructures for Healthcare: Action Research, Interventions, and Participatory Design, 2013, available at http://site.uit.no/infrahealth/files/2013/06/Mario_Sicur_12.pdf
- M. Ciampi, G. De Pietro, C. Esposito, M. Sicuranza, P. Mori, A. Gebrehiwot, and P. Donzelli, "On Securing Communications among Federated Health Information Systems", in SAFECOMP 2012 Workshops: Proceedings of the 31st International Conference on Computer Safety, Reliability and Security, Lecture Notes in Computer Science, vol. 7613, pp. 235-246, 2012, Springer-Verlag Berlin Heidelberg
- M. Ciampi, G. De Pietro, C. Esposito, M. Sicuranza, and P. Donzelli, “On Federating Health Information Systems”, in GUT 2012: Proceedings of the International Conference in Green and Ubiquitous Technology, pp. 139-143, 2012, IEEE Press