A System and Methodology for Improving the Coverage of Policy in Healthcare

IP.com Disclosure Number: IPCOM000176160D
Original Publication Date: 2008-Nov-06
Included in the Prior Art Database: 2008-Nov-06

Publishing Venue

IBM

Abstract

The article provides 1) a model for determining and evaluating the coverage of policy, 2) a methodology for extracting common practice from audit logs and using it to refine the policy in place, and 3) a system organization that would enable the leveraging of all this knowledge to reduce the number of exceptions required. The advantages are that the invention (i) fits the clinical workflow and does not require the workflow to fit it, i.e. it does not impede the clinical workflow, (ii) enables precise (or rather more realistic) definitions of purposes, criteria for exception-based accesses and categories of authorized users, and (iii) enables improved privacy protection for the patient.

This is the abbreviated version, containing approximately 8% of the total text.


Background:

In healthcare, the delivery of care is the golden rule that cannot be broken. This implies that Healthcare Information Technology must be built to enable, and not impede, this tenet. In this sort of environment, access control systems built to proactively thwart unauthorized individuals from retrieving secured and/or private data may occasionally impede this golden rule. The effect is that the disclosure policy, which is normally a statement of a company's intent with regard to the security and privacy of one's data, becomes useless, because practitioners often subvert this technology to get the information they need to administer care. Fortunately, access and use activity is recorded in audit logs. However, these logs lack either the contextual background or the infrastructure to make them usable for both auditors and clients/patients. The proposed solution seeks to leverage the audit log to extract useful organizational practice and incorporate it into the security and privacy policy in order to 1) provide patients with a truer vision of the security and privacy guarantees that they will receive, and 2) reduce the number of exceptions/subversions of the IT system's protection mechanisms.

There are solutions in industry that address access control systems and auditing systems for healthcare data. However, to the best of the inventors' knowledge, there are no other systems that leverage audit logs to enable policy refinement.

From discussions with our industry and academic partners, there is recognition, and supporting literature, that this over-reliance on exceptions or break-the-glass technology is currently severe and will only get worse. Thus, as companies start deploying protection systems for healthcare and realize that the golden rule must be followed, they will start seeing that the technique we propose is critical in providing value to their client.

Summary:

The invention provides 1) a model for determining and evaluating the coverage of policy, 2) a methodology for extracting common practice from audit logs and using them to refine the policy in place, and 3) a system organization that would enable the leveraging of all this knowledge to reduce the number of exceptions required. The invention's advantages are that (i) it fits to the clinical workflow and does not require the workflow to fit to it, i.e. it does not impede the clinical workflow, (ii) it enables precise (or rather more realistic) definitions of purposes, criteria for exception-based accesses and categories of authorized users, and (iii) it enables improved privacy protection for the patient.
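The following sketch is an added illustration of the three ideas named in the summary, not code or definitions from the disclosure. It assumes that coverage is the share of logged accesses already permitted by a policy rule, that a rule is a (role, data category, purpose) triple, and that an exception pattern becomes a refinement candidate once it recurs across several users; the log records, field names and thresholds are all constructed for the example.

```python
from collections import Counter

# Constructed policy: (role, data category, purpose) triples allowed without an exception.
POLICY = {
    ("nurse", "medication", "treatment"),
    ("physician", "lab_result", "treatment"),
    ("clerk", "demographics", "billing"),
}

# Constructed audit log: (user, role, data category, purpose, status).
# Status "exception" marks a break-the-glass access.
AUDIT_LOG = [
    ("u1", "nurse", "medication", "treatment", "regular"),
    ("u2", "physician", "lab_result", "treatment", "regular"),
    ("u1", "nurse", "lab_result", "treatment", "exception"),
    ("u3", "nurse", "lab_result", "treatment", "exception"),
    ("u4", "nurse", "lab_result", "treatment", "exception"),
    ("u5", "clerk", "demographics", "billing", "regular"),
    ("u5", "clerk", "lab_result", "billing", "exception"),
    ("u2", "physician", "lab_result", "treatment", "regular"),
]

def coverage(log, policy):
    """Fraction of logged accesses whose (role, data, purpose) the policy already allows."""
    if not log:
        return 1.0
    covered = sum(1 for _, role, data, purpose, _ in log if (role, data, purpose) in policy)
    return covered / len(log)

def candidate_rules(log, policy, min_count=3, min_users=2):
    """Exception patterns seen often, by several distinct users, and absent from the policy."""
    counts, users = Counter(), {}
    for user, role, data, purpose, status in log:
        pattern = (role, data, purpose)
        if status == "exception" and pattern not in policy:
            counts[pattern] += 1
            users.setdefault(pattern, set()).add(user)
    return sorted(p for p, n in counts.items() if n >= min_count and len(users[p]) >= min_users)

def refine(log, policy, **thresholds):
    """Return a new policy; a real deployment would have each candidate reviewed first."""
    return set(policy) | set(candidate_rules(log, policy, **thresholds))

if __name__ == "__main__":
    print("coverage before:", coverage(AUDIT_LOG, POLICY))
    print("candidates:", candidate_rules(AUDIT_LOG, POLICY))
    print("coverage after:", coverage(AUDIT_LOG, refine(AUDIT_LOG, POLICY)))
```

The single clerk access to lab results stays an exception because it does not meet the recurrence thresholds, so it remains visible to an auditor instead of being folded into the policy.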


Towards Improved Privacy Policy Coverage in Healthcare Using Policy Refinement

Rafae Bhatti and Tyrone Grandison

      IBM Almaden Research C...