Browse Prior Art Database

A XML-based Approach to Sticky Policy Enforcement in Smarter Healthcare Environments Disclosure Number: IPCOM000201862D
Publication Date: 2010-Nov-29
Document File: 5 page(s) / 35K

Publishing Venue

The Prior Art Database


Disclosed is a system and method for identifying the applicable privacy policy constraints for a document(s) to be shared and sticking them together, forming a single entity of transfer: a sticky policy package. In taking the approach of packaging policy with data, the method maintains centralized decision-making in a distributed enforcement. As only policy constraints that apply to the disclosed data are transferred, the communication impact is relatively small and the system does not require prior agreement among all medical organizations, states and patients.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 21% of the total text.

Page 01 of 5

A XML-based Approach to Sticky Policy Enforcement in Smarter Healthcare Environments

The move to electronic healthcare systems promises many benefits such as better delivery of care, reduction in medical errors, and improved quality of life. Existing business alliances must still preserved, however. This has heralded the formation of Regional Health Information Organizations (RHIOs) and Health Information Exchanges (HIEs). Unfortunately, the privacy and security concerns involved in inter- and intra- collaboration between HIEs (and RHIOs) will become a hindrance to operations and progress in the future.

Each HIE (or RHIO) has independent policies regarding the privacy of health records stored within its environment. Ensuring the privacy of health information when used inside the HIE or RHIO is addressed by contemporary data disclosure technology. However, when two HIEs (or RHIOs) need to share (clinical) documents, enabling the protection of patient privacy is still an open issue, because 1) there can be no assumption of a central authority, 2) policy enforcement may involve multiple privacy policies based on source, destination and the documents involved in a transfer, and 3) data can be forwarded to an entity with additional rights, such as remote update rights.

The purpose of this disclosure is to enable HIE-to-HIE (or RHIO-to-RHIO) collaboration while adhering to data disclosure constraints (i.e., privacy and security concerns). The core of the leveraged technology is called Sticky Policy Enforcement , and it provides a way to ensure that policy constraints are enforced wherever patient data travels. This goal represents a first step towards the broader mission of enabling Privacy Compliance

After Information Disclosure

In terms of related work, there are three prominent examples:
1. The Sticky Policy Paradigm. The underlying notion is that the policy applicable to a piece of data travels with it and is enforceable at each point it is used. Though identified as a critical problem, application-independent solutions that were technically feasible and scalable were not realized.

2. Rivest and Lampson's [1] work on Simple Distributed Security Infrastructure (SDSI) focused on the establishment of trust for a single disclosure object with a single policy. A data recipient is either granted access to the entire document, or must request authorization from the source.

3. Trusted Computing Group (TCG) [2] consortium's work on Trusted Computing Platform is an approach to establishing the trust in single object, single policy environments.

In healthcare, granting access to the entire document and/or requesting authorization from the source is not sufficient. Sticky policy functionality should handle data disclosure to a party with well-defined constraints that allow data release to less privileged parties without requiring the originator's involvement. This avoids the potential pitfall of having to contact a (potentially) large number of...