Food & Beverages

A Security Model and its Application to a Distributed Decision Support System for Healthcare

Abstract A distributed decision support system involving multiple clinical centres is crucial to the diagnosis of rare diseases. Although sharing of valid diagnosed cases can facilitate later decision making, possibly from geographically different
of 8
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
  A Security Model and its Application to a Distributed Decision Support Systemfor Healthcare Liang Xiao 1 , Javier Vicente 3 , Carlos Sáez 3 , Andrew Peet 2 , Alex Gibb 2 , Paul Lewis 1 , SrinandanDasmahapatra 1 , Madalina Croitoru 1 , Horacio González-Vélez 4 , Magí Lluch i Ariet 5 , David Dupplaw 1   1 University of Southampton, UK  2 University of Birmingham, UK  3  ITACA, Spain 4 University of Edinburgh, UK  5  MicroArt, Spain Abstract  A distributed decision support system involving multipleclinical centres is crucial to the diagnosis of rarediseases. Although sharing of valid diagnosed cases can facilitate later decision making, possibly fromgeographically different centres, the released information could reveal patient privacy if it is not  properly protected. Clinical centres may have to imposetheir distinct regulations and rules that govern the useof their data externally. The collaboration of centres,therefore, must respect the collective policies and ideally, serve users the most appropriate and usefulresources possible in the system according to the past experience. In this way, the system’s value is entrusted and even elevated through continuous collaboration. We present in this paper a link-anonymised data schemeand in addition to that, a security model that together enforce privacy data security and secure resourceaccess for distributed clinical centres. Our illustrationof the approach involves a prototype medical decisionsupport system, HealthAgents, for brain tumour diagnosis. 1. Introduction Distributed decision making systems are becomingincreasingly useful and important for the efficientsharing of data and services amongst collaborativepartners. Use of these systems, based around distributedprocessing, requires the security design to promote trust.The internet infrastructure promotes open transferring of data which in itself is not a safe environment. Well-studied and publicly available data encryptionalgorithms can alleviate this problem when incorporatedinto the system messaging network. The data transmittedin these systems requires secure anonymisationprocesses. Further, the data access requires carefulmanagement to allow different levels of access rights of users distributed amongst multiple organisations. Theseorganisations need to use resources from others andprevent their own resources from unauthorised use. If asystem is over restrictive in resource access control thenthe system is not useful. If a system is not sufficientlyrestrictive then the organisations’ privacy data is indanger   of being exposed. This paper investigates dataanonymisation and the access control required for theprotection of critical resources in collaborative systems. 2. HealthAgents overview and link-anonymised data scheme for preservingprivacy Brain tumours are still an important cause of morbidity and mortality in Europe [1]. The current goldstandard classification of brain tumours by biopsy andhistopathological analysis involves invasive surgicalprocedure and incurs a risk of 2.4-3.5% morbidity and0.2-0.8% mortality, in addition to healthcare costs andstress to patients. There is a need to improve braintumour classification, and to provide non-invasivemethods for brain tumour diagnosis and prognosis, toaid patient management and treatment.The HealthAgents project [2], funded by the EU’sSixth Framework Programme, aims to build the world’slargest distributed data warehouse of brain tumour casesdata. The multi-disciplinary collaboration involves seveneducational and research institutions, two SMEs, as wellas some subcontractor hospitals and external expertisegroups. These groups are spanned over Belgium, Italy,Spain, and the United Kingdom. HealthAgents inheritsthe achievements of its predecessor INTERPRET [3]and is related to the ongoing eTUMOUR [4] project. Itplans to create a multi-agent distributed DecisionSupport System (d-DSS) based on novel medicalimaging and laboratory tests to help determine the  diagnosis and prognosis of brain tumours. Novelmedical imaging techniques, such as magnetic resonancespectroscopy (MRS), and laboratory techniques, such asgene expression arrays, promise to deliver theseadvances. These techniques suffer from a complexity of interpretation which has hindered their incorporationinto routine clinical practice. However, they provide anexcellent test bed for the development of a computeraided decision support system. Furthermore, the rarity of many brain tumour types requires that information mustbe sought from many hospitals. The use of a distributedsystem for data collection and management is, as aresult, a necessity.Prior to incorporation into clinical practice newmethods must be fully tested within a clinical trialssetting. Such trials are subject not only to data protectionlaws but also regulations governing clinical trialsincluding ethical approval and informed consent of theparticipants. For multinational projects, ethical approvalis devolved for regional bodies without any coordinatedor uniform decision making and so data gathered fromdifferent centres may be subject to different restrictions.Allowing for flexibility within the data security model istherefore essential.Clinical trials commonly use data from whichpersonal information (e.g. name, address, date of birth)is removed but to which a unique patient identifier isadded, often termed link-anonymised data. Such ascheme has the advantage of having a high chance of preserving patient anonymity whilst allowing data fromthe same patient to be added at a later date. This schemealso allows a specific patient’s data to be located andremoved from the project at any time they request, acondition usually imposed by ethics committees. Fullpatient records are kept for clinical purposes within thetreating hospital and with the patient’s permission maybe used to generate and periodically update the clinicaltrials data.Clinical trials are usually supported by a centraliseddatabase where the link-anonymised data is stored. Thisallows the patients to be reassured that their data will beafforded a high level of security and allows regulatorybodies ease of access to inspect the processes in place.For a distributed system, similarly robust arrangementsmust be designed to reassure ethics committees andpatients that the data is secure. However, achieving thisis a significant challenge and here we discuss a potentialmodel for achieving this together with the necessarytechnical requirements and their proposed solutions.Each data collecting centre could have an associatedlink-anonymised database as approved by theirappropriate ethics committee. Patient identifiers couldthen be kept along with the clinical patient record in thetreating hospital. These databases need be the onlydatabases kept within the system giving a trulydistributed data-warehouse. The limited data requiredfor analysis could then be subject to stringentanonymisation processes and sent to a small number of specific sites for processing, for example the productionof classifiers. In this way, the distributed nature of thesystem could be preserved whilst allowing appropriateregulatory access to data repositories. Security systemswill need to be in place which can allow each centre topotentially limit the type of data transmitted and thelocations it is transmitted to. 3. The need for an enhanced security model While complete patient records may be accessed onlyby hospitals and local nodes, link anonymised recordsmay be exchanged between a limited numbers of centresproducing classifiers. Furthermore, only limited amountsof data which can be considered as totally anonymisedmay be accessed outside the closed project network. Amodel shown in Figure 1 illustrates such a dataprotection model in a multi-layered fashion. Figure 1. Prototype secure data protectionmodel for HealthAgents Apart from the link-anonymised data scheme, themechanism used by the system for decision making itself offers a further level of protection to privacy data. In thesystem, cases are processed and tumour classifiersproduced while the patient privacy is preserved. This isbecause cases are normally only known to the classifierproducer software (agents). In the tumour diagnosisprocesses, the produced classifier software (agents) asopposed to specific cases are used for decision making.If no such classifier is available a new one may beproduced using the available cases. In any case, noprivate patient data that is involved in the production of classifiers will be revealed to the clinical users.The classifiers, used for differentiating tumour type,grade, or character, are produced by using differentpattern recognition methods and data trained using theavailable cases. If new clinical centres, with their localcase databases, join the existing collaborating centres,they can employ the classification services based on thevalidated data available from around the network, aswell as providing new brain tumour cases for thedistributed data warehouse. New classifiers can then beproduced or existing ones improved using these newrelevant data available. Figure 2 shows the HealthAgentsnetwork.    Figure 2. The HealthAgents network The patient’s private data sent from the hospital isprotected by the link-anonymised data scheme and itsexposure to users minimised by the classificationmechanism. This, however, does not render the systemsafe. Maliciously or accidentally, users may create lowquality classifiers, or assign unmatched ranking values toclassifiers. This could happen if an inexperiencedclinician, with good motivation, trains classifiers orupdates their dynamic performance using low qualityspectra (signal-to-noise ratio lower than 10, etc.). Theuse of these classifiers distracts the process of supporting diagnosis and is untrustworthy. Therefore, inaddition to the private data protection scheme, amechanism must be in place for the access control of thecritical system resources. This is to avoid abuse ormisuse of them by those without authorisation orsufficient privileges. Yet it should be sufficientlyflexible for resource sharing among collaborativeparties.The age of patients and brain tumour locations, forexample, can be associated with tumour types. Thisinformation is useful for diagnosis. A contract signedbetween two clinical centres may allow some cases to betransferred to a single trusted third party but no further.The collaboration of multiple centres, which not onlyprovide their cases but also require classifiers for theirown use, requires the system to respect the accesscontrol policies individually employed by each centre. Inaddition, there might be global constraints applicable toshared resources. All these policies and constraintscould change continuously according to the systemneeds. For instance, a new junior clinician who has just joined one of the collaborative centres may have no rightto create a new classifier, or give a definitive diagnosisto a case that will later trigger a classifier reputationbeing updated. These operations could have globalimpact on all diagnoses across centres. But he/she maybe allowed to do such operations later on when they gainmore experience. The system may have to assign todifferent users or even the same user at different times orunder different contexts, various access rights to systemresources distributed amongst the centres. Moreover,after accumulative interactions, the system couldpossibly tell which classifiers are good and which arebad in terms of their performance, feedback beingobtained from clinicians after their use of them. Thesystem could then, ideally, always find the proper nodeswhere high quality classifiers are built and high qualitydata is supplied, and even adjust the overall interactionpattern to serve its users. Many such scenarios beingconsidered, a model adaptive to continuouscollaboration is needed, concerning not only security(access control in particular), but also trust andreputation which all have crucial global effects on theoverall system. A solution centred on a particular type of agents, the YellowPagesAgent, will be discussed next. 4. An enhanced resource controllability andperformance dependability model In the heart of the HealthAgents network shown inFigure 2 is the YellowPagesAgent. TheYellowPagesAgent plays a key role in agentcommunication of the HealthAgents system. Agents cansearch for other agents in the YellowPages based onagent properties and send the messages to the result of that search. Apart from the yellow page functionsrcinally designed in the system useable to all agentsfor looking up information, the YellowPagesAgent isenvisioned a key component and a control point for thesystem’s resource access and secure communication, aswell as the continuous improvement of the system’sperformance and hence the value of the system. 4.1 The secure communication mechanism Communication amongst clinical centres must besecured. This means that the messages being transportedin the HealthAgents network which might containpatient privacy information or diagnosis results shouldnot be intercepted or modified by eavesdroppers.Symmetric encryption involving secret keys is bestsuited for the encryption of the message contents whileasymmetric encryption involving public and private keypairs for the protection of the secret keys. In theinfrastructure, we make use of YellowPagesAgent forstoring and managing public keys and in establishingtrust relationships. Only agents who have been formallyrecognised and registered in the YellowPagesAgent willbe regarded trustworthy and so YellowPagesAgent playsthe role of Certificate Authority (CA) in the sense of   their assurance of the trustworthiness of communicatingparties. Being an integral part of the framework, theYellowPagesAgent simplifies the mechanism of thesecure communication. Figure 3. The secure communication scheme inHealthAgents More specifically, Figure 3 shows a generic scenariowith two agents communicate with each other. Thereceiver agent must at start-up stage, while it registersitself to the system via the YellowPagesAgent, generatesa pair of public and private keys. The public key isobtained by the YellowPagesAgent and the private keyobtained by itself. The sender agent can retrieve receiveragent’s public key, at runtime, from a key storemaintained by the YellowPagesAgent. Upon obtainingthis public key, the sender agent generates a secret keythat will be used to encrypt the plain-text message to besecured. The secret key must be shared between twoagents. This can be achieved via the sender agent’sencryption of the secret key using receiver agent’s publickey. This data with the secret key encrypted is furthersigned by the sender agent’s private key. The secret keyprotected message and the private key protected secretkey is encapsulated in the transmitted message. Uponreceiving the message, the receiver agent reads thesender agent’s signed data and verifies its identity byretrieving the public key of the sender agent from thecommon public key store. The data is then decrypted bythe receiver agent using its own private key and thus thesecret key is revealed. The encrypted message will befinally decrypted using the secret key. A commonapproach for implementing this scheme is the JavaCryptograph Architecture (JCA). 4.2 The resource access control scheme The other layer of security in the HealthAgentssystem is concerned about the resource access control inthe business level as opposed to the physical network level. This layer of security requires more delicateconsiderations where ordinary business needs shall notbe compromised and the users access what they havebeen granted. The YellowPagesAgent constrains thecollaboration pattern through the imposition of accesscontrol.Specifically, the YellowPagesAgent can be looked upby Clinical GUI Agents which send questions to besolved and then a list of classifiers appropriate in thatcontext will be returned. Moreover, the yellow pages canbe referred to for data sources when new classifiers needto be produced. In this business infrastructure, theYellowPagesAgent maintains a list of availableclassifiers, along with their associated profiles includingabilities (questions to be solved for clinicians),reputation, and a profile of the training data with whichthey were produced.Once trained by the Training Manager Agent, newclassifiers can register themselves with theYellowPagesAgent together with their profiles.Clinicians can then search for those relevant to theparticular cases under consideration using the GUIAgent. Once classification results are produced, they areevaluated via comparing with the validated diagnosisresults supplied by the clinicians and the reputation of classifiers is updated accordingly in theYellowPagesAgent. The next time when they arerunning, more accurate information about theseclassifiers is known to the clinicians. This processcontinues iteratively and the YellowPagesAgent keepsupdating classifier profiles for the most accurate andefficient performance of the overall system possible. Figure 4. The sequence diagram of data andclassifier access control in HealthAgents Figure 4 shows the message passing sequence amongseveral HealthAgents agents. The processes of runningand building of classifiers are included as part of theoverall diagram. The diagram illustrates theYellowPagesAgent’s function in informing clinicians of classifiers and informing classifier producers of datasources for the production, as well as maintaining thereputation of classifiers. Two major alternative  interactions involving distinct YellowPagesAgentfunctions are differentiated and shown in the upper andlower partition of the “alt” region with their respectiveguards. Various security policy sets are applied incorresponding circumstances, e.g. when availableclassifiers are queried and, once the validated diagnosisof the case is given by the clinician, reputation values of the executed ones are updated and so YellowPagesAgentis maintained. The security constraints are usuallyexplicitly expressed and such knowledge is subject tocontinuous maintenance, being in a direct humanintervene process as shown in Figure 5. Figure 5. A scheme relating the impactingfactors to data and classifier access control The design diagram of Figure 4 indicates the globalresource access control the YellowPagesAgent couldimpose as well as the affect it could make to the overallclassification results through its own performance. Weare aiming at achieving flexible management of securityaccess and continuous performance enhancement,respectively, through the careful design of theYellowPagesAgent.In the secure access perspective, clinicians withcertain access rights should only access the properresources and do the proper operations. TheYellowPagesAgent may reject access to privateclassifiers (e. g. a classifier trained exclusively with datafrom one and only hospital, as opposite to a public one,trained with data from all the hospitals in the network)from external centres. Also, the YellowPagesAgent mayreject classification production requests or classifierreputation updating requests from certain clinicians. Butsuch response should by no means be fixed. Instead, itshould use the up-to-date policies to reflect the currentsecurity needs. A security policy model elaborated inSection 5 will discuss in more details a solution to theoutlined security infrastructure. 4.3 The performance and system usabilityenhancement In the performance and system usability enhancementperspective, the appropriate classifiers for use dependson many factors, including not only the performance, butalso the similarity of the new case under classificationwith the ones used for training the classifier. Again, aflexible model must be available to theYellowPagesAgent to serve classification requests,transparently to end users. Briefly, the suitability of classifiers being used for classification depends on   thefollowings and these are illustrated in Figure 6. •   Similarity of the new case with the training set fromwhich the classifier is derived. •   Static performance of the classifier. The classifierthe evaluation is based on the accuracy, thebalanced error rate, or the geometric mean of success as calculated after the training. This isgenerally obtained with an independent test set or, if not available, using techniques such as crossvalidation. •   Dynamic performance of the classifier. This is theperformance of the classifier with the ‘unseen’ casesthe clinicians launch for orientation purposes. Theanswer given by the classifier is compared with thediagnosis the clinicians give once they are sure of it. •   Use level of the classifier. •   Evolution of all the previous factors during theclassifier’s life. Figure 6. A scheme relating the impactingfactors to classifier reputation/ranking The knowledge accumulated in the running processesof the HealthAgents system is therefore of significantvalue to the automatic improvement of systemperformance. Comparatively, such knowledge isimplicitly incremented as opposed to explicitly specifiedas Figure 5 shows.To enhance the management of both reputation andsecurity perspectives of the system, data, classifiers,security policies, and even people distributed amongmultiple clinical centres must collaborate in a mannerthat respects disparate impacting factors and take intoaccount their dynamics. Note that both the “SecurityConstraints” in Figure 5 and the “Classifier Profiles” inFigure 6 are managed by the YellowPagesAgent. Thesecan be seen as two sets of metadata or knowledgebasethat the agent uses in working between users andresources. The “Security Constraints” are used in thefirst place to justify if users can access resources and if so, then the “Classifier Profiles” are used to choose thesuitable resources for authorised users. The principle is
Similar documents
View more...
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks