Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting the Exchange of Medical Images in Healthcare Process Integration with Web Services Patrick C. K. HUNG Faculty of Business and Information Technology,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Protecting the Exchange of Medical Images in Healthcare Process Integration with Web Services Patrick C. K. HUNG Faculty of Business and Information Technology,"— Presentation transcript:

1 Protecting the Exchange of Medical Images in Healthcare Process Integration with Web Services Patrick C. K. HUNG Faculty of Business and Information Technology, University of Ontario Institute of Technology Patrick.Hung@uoit.ca Eleanna Kafeza Department of Marketing and Communications, Athens University of Economics and Business kafeza@aueb.gr Dickson K. W. CHIU Senior Member, IEEE Dickson Computer Systems Hong Kong kwchiu@acm.org, dicksonchiu@ieee.org Vivying S.Y. Cheng Dept. of Computer Science Hong Kong University of Science & Technology vivying@cs.ust.hk

2 MIEPHICSS40 - 2 Introduction Medical images exist in electronic format for easy storage and maintenance promote high quality healthcare services for patients a picture is worth a thousand words Problem: uncontrolled exchange of medical images Human initiated: emails, fax, ad hoc file transfer, … Software initiated or software-to-software Cross-institutional healthcare processes integration Health Insurance Portability and Accountability Act of 1996 (HIPAA) (1) Privacy, (2) Security, (3) Identifiers (4) Transactions and Code Sets rules cover PHI “in any form or medium”

3 MIEPHICSS40 - 3 Proposed Approach Medical Image Exchange Platform (MIEP) Layered approach Contemporary information technologies Web services for the information transport Role based access control (RBAC) Watermarking for the integrity and privacy protection Single-point border check

4 MIEPHICSS40 - 4 Protocol and Architecture Summary

5 MIEPHICSS40 - 5 Layered Architecture Audit Application Watermarked Images Ontology Web Services Secured transport Privacy + Access Control Rules Enterprise Process ProtectionPolicy and Rules Monitoring Medical Partner Internet SSL and PKI WSDL EPAL / P3P & APPEL Medical Partner OWL / DAML Watermarking Protocol BPEL Laws / Regulation / Standards Audit Application Watermarked Images Ontology Web Services Secured transport Privacy + Access Control Rules Enterprise Process ProtectionPolicy and Rules

6 MIEPHICSS40 - 6 Development Methodology - Overview Policies Rules Technical Auditing

7 MIEPHICSS40 - 7 Development Methodology - Policies Protection policies should comply with requirements in laws, regulations, and code of practices. Healthcare process integration should comply with the protection policies - privacy and access control requirements should be specified explicitly. Existing protection policy guarding internal operations may serve as basic hints for external partners.

8 MIEPHICSS40 - 8 Development Methodology - Rules RBAC for employees of internal and external parties Need-to-know principle - consider: the access need of each task of each process for each role sensitivity of the image content contingencies and necessary override mechanisms => avoid ad hoc decisions. Make sure that medical partners understand not only the protection policies but also the ontology based on which these rules are defined

9 MIEPHICSS40 - 9 Development Methodology - Technical Express these rules in a high level language such as EPAL, P3P, and APPEL. Ensure document images are exchanged via only the pre-defined MIEP Web service calls and from authenticated partners. Firewall and email filters may be implemented to scan for and stop uncontrolled image traffic. Watermark (containing protection information) is inserted into each image sent or received via the MIEP Web services. Validation of document access against the access information embedded in the image watermark.

10 MIEPHICSS40 - 10 Development Methodology - Auditing Auditing application may use existing in-house software as a blue-print, but now stricter. Monitor actively all document image access to ensure security and privacy constraints are met the integrity of image data otherwise, alerts should be sent to the management.

11 MIEPHICSS40 - 11 MIEP Concept Model

12 MIEPHICSS40 - 12 Some Technical Details Outgoing Images Incoming Images Image Pickup Service Privacy Policies and Rules

13 MIEPHICSS40 - 13 Outgoing Images Routed through the outgoing proxy Web service SendDocumentImage (S) - parameters: destination Web service to receive the images, purpose, sender, and target information (such as task, application, personnel, and/or role), image format descriptions, … S calls the enterprise image exchange auditing Web service AuditSend Existing watermark (if any) analyzed for validity and protection policies sender & receiver are indeed legible the exchange does not violate any protection policies Watermark insertion: vital information such as the purpose, sender and target information (such as task, application, personnel, and/or role). Such transactions are logged.

14 MIEPHICSS40 - 14 Incoming Images Routed through the incoming proxy Web service ReceiveDocumentImage (R) - parameters: destination to receive the images (Web service URL, port and operation), the user id, purpose, sender and target information (such as task, application, personnel, and/or role), image format descriptions, … R call the enterprise image exchange auditing Web service AuditReceive for validation. Compliant watermark from partner’s MIEP (if any) can be extracted for addition validation. Similar watermark insertion for tracking. Such transactions are logged.

15 MIEPHICSS40 - 15 Image Pickup Service Not every business partner could immediately switch to a MIEP platform. Initially allow a “pick up” service to cater for manual retrieval of the image in case the partner is not fully automated. Used in a call back mode to further enhance the security for program-to-program interaction. Pre-registration required for auditing and protection.

16 MIEPHICSS40 - 16 Privacy Policies and Rules P3P - user agents allow users to automatically be informed of site practices and to facilitate decision-making based on the Web sites’ privacy practices. APPEL for expressing users’ preferences of making automated or semi-automated decisions regarding the acceptability of machine- readable privacy policies from P3P enabled Web sites. Matching mechanism A’s preferences (in APPEL) of vs. B’s P3P policies in Step 1.

17 MIEPHICSS40 - 17 Validation with HIPAA rules The right to view and make a copy of a patients own medical records, and the right to request PHI to be shared with the patient in a particular way. Patients can readily request their own medical images through the MIEP image pick up services The right to find out where PHI has been shared for purposes other than care, payment, or healthcare operations MIEP tracks and logs all cross-institutional exchange of medical image. The right to request special restrictions on the use or disclosure of PHI. MIEP maintains the patients’ profiles regarding their privacy preferences The right to file complaints. MIEP can provide exchange records and evidence.

18 MIEPHICSS40 - 18 Summary Replace ad hoc and manual image exchange procedures with a unified Medical Image Exchange Platform (MIEP) Layered MIEP architecture Design and implementation methodology Image exchange protocol Application of Web services and watermarking technologies Embedded watermark ensure integrity, privacy, and access control Advantages of Web service / SOA Legacy systems and existing practices corrected with MIEP Reusability of MIEP => streamlines the development, deployment, and maintenance of software components for image exchange Single border check for all the protection policies and auditing procedures => adequate control and auditing Expandability For future tracking and auditing purposes

19 MIEPHICSS40 - 19 Future Work  Exploration of any potential usability and performance issues.  Mechanisms and tools for managing the interactions taking place between different layers in the proposed framework.  Further requirements engineering for privacy and security.  Application of ontologies  role classifications  terms used to present a domain of knowledge  Representation of the privacy access control policy in EPAL and the compliance of EPAL to the Web services.  Adoption issues  Application in other professional business domains: financial, legal …

20 MIEPHICSS40 - 20 Question and Answer Thank you! Contact: dicksonchiu@ieee.org

21 MIEPHICSS40 - 21 An Illustrative APPEL Privacy Preference … … …...

22 MIEPHICSS40 - 22 An Illustrative P3P Privacy Policy............

Download ppt "Protecting the Exchange of Medical Images in Healthcare Process Integration with Web Services Patrick C. K. HUNG Faculty of Business and Information Technology,"

Similar presentations

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
Medicaid Management Information System (MMIS) Replacement

Medicaid Management Information System (MMIS) Replacement
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Presented by the Office of the General Counsel An Overview of HIPAA.

Presented by the Office of the General Counsel An Overview of HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
E-Government Integration with Web Services and Alerts: A Case Study on an Emergency Route Advisory System in Hong Kong Dickson K. W. CHIU Senior Member,

E-Government Integration with Web Services and Alerts: A Case Study on an Emergency Route Advisory System in Hong Kong Dickson K. W. CHIU Senior Member,
Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research

Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research
Enhancing Workflow Automation in Insurance Underwriting Processes with Web Services and Alerts Dickson K. W. CHIU Senior Member, IEEE Dickson Computer.

Enhancing Workflow Automation in Insurance Underwriting Processes with Web Services and Alerts Dickson K. W. CHIU Senior Member, IEEE Dickson Computer.
Travel and Expense Management Scenario Overview

Travel and Expense Management Scenario Overview
Security Controls – What Works

Security Controls – What Works
1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.

1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.
Web-service Based Human Resource Recruitment by Using Matchmaking Decision Support Dickson K. W. CHIU Senior Member, IEEE Dickson Computer Systems Hong.

Web-service Based Human Resource Recruitment by Using Matchmaking Decision Support Dickson K. W. CHIU Senior Member, IEEE Dickson Computer Systems Hong.
Towards Ubiquitous Government Services through Adaptations with Context and Views in a Three-Tier Architecture Dan Hong, SC Cheung, SMIEEE Department of.

Towards Ubiquitous Government Services through Adaptations with Context and Views in a Three-Tier Architecture Dan Hong, SC Cheung, SMIEEE Department of.

Similar presentations

Ads by Google