Take CARE: Provenance, Policies and Your Obligations in the Future

Steffen [email protected]

1WeST

http://wegov-project.eu/index.php

Web Science & Technologies

University of Koblenz ▪ Landau, Germany

Take CARE Provenance, Policies and Your

Obligations in the Future

Christoph Ringelstein & Steffen Staab


2WeST

Do you remember?

That Italian tax office published all tax data about citizens on its Web page…

That CIA published a list of his agents on the internet….

Even in a friendly environment allowing/disallowing data handling is a big issue


3WeST

Middle Rhine Hospital


4WeST


share for research

Health Record


5WeST

examination


admission asking permit

examination

share for research

prepareshare

research

1 2 3 4 5 6 7

YouHealth Record

Jane Doe 1. I want to describe

what may be done

with my record

2. I want to define what

must be done with my

record (obligation)


6WeST

Integrating Policies with Provenance

Motivation Provenance

very general mechanism to represent• which past events may influence policy decisions

Provenance natural mechanism to consider the past and extend this consideration into the future


7WeST

....s13

Policies build on the Past and Affect the Future

s2examination

s3asking permit

s6transfer

s4examination

s10prepareshare

s11share

s12analysis

s5discharge

s7.a

s8.a

s8.b s8.c

..

.... .. .... ..

No permission

allowed

Provenance now Future Provenance


8WeST

WHAT MAY BE DONE?PAPEL: A POLICY LANGUAGE USING PROVENANCE


9WeST

examination



examination

share for research

prepareshare

research

1 2 3 4 5 6 7

Health Record

ProvenanceInformation

History, ..

Propertiesof the Data

Owner, Type, ..

Contextual Information

Actor, Time, ..

You


10WeST

examination



examination

share for research

prepareshare

research

1 2 3 4 5 6 7

Health Record

ProvenanceInformation

History, ..

Propertiesof the Data

Owner, Type, ..

Contextual Information

Actor, Time, ..

You


11WeST


Health Record

Jane Doe

3. Conditions based on Provenance

4. Hiding Information

5. Attributes

6. Interpreting Conditions

1. - 2. Provenance & Policies

admission share for research

prepareshare

research

1 5 6 7 examination

examination

2 asking permit

43


12WeST


Health Record

Policies

Prove-nance

admission share for research

prepareshare

research

1 5 6 7 examination

examination

2 asking permit

43

You


13WeST

create


Health Record

Policies

Prove-nance

admission

create

create

1


14WeST

create


Health Record

Policies

admission

create

1

Sticky Log:step (record, {mrh}, {}, create, patient_treatment, 1, {0})

Sticky Log

Syntax of Provenance in Sticky Logs:step (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs)

OPM [1]create


15WeST

create


Health Record

Policies

admission

create

1

Sticky Log create(P1): ukob is allowed to process health records for research purposes.

However, ukob is not allowed to transfer the health records of patients to other organizations.

(P2): The mrh demands that the record is only accessed by ukob afterthe sharing of the health records is approved by the patient and the approval must have been confirmed by a doctor.


16WeST

create


Health Record

Policies

admission

create

1

Sticky Log create

(P1): ukob is allowed to process health records for research purposes. However, ukob is not allowed to transfer the health records of patients to other organizations.


17WeST

create


Health Record

Policies

admission

create

1

Sticky Log

PAPEL Syntax for Policies:permit (ID) IF Condition .deny (ID) IF Condition .

XACML [2]

create(P1): ukob is allowed to process health records for research purposes.

permit (ID) IF step (record, {ukob}, _, _, research, ID, _).


deny (ID) IF step (record, {ukob}, _, transfer, _, ID, _).


18WeST

create


Health Record

Policies

admission

create

1

Sticky Log create

(P1): ukob is allowed to process health records for research purposes.

permit (ID) IF step (record, {ukob}, _, _, research, ID, _).


deny (ID) IF step (record, {ukob}, _, transfer, _, ID, _).

Matches step(..) an element of the history?


20WeST

create

admission

create

create

1


Health Record

Policies

Sticky Log:step (record, {mrh}, {}, create, patient_treatment, 1, {0})step (record, {mrh}, {}, update, examination, 2, {1})

Sticky Log

examination

update

2

update


21WeST

create

admission

create

create

1


Health Record

Policies

Sticky Log:step (record, {mrh}, {}, create, patient_treatment, 1, {0})step (record, {mrh}, {}, update, examination, 2, {1})

Sticky Log

examination

update

2

update

Mapping the temporal structureto a graph structure!


22WeST

create


Health Record

Policies

admission

create

1

Sticky Log


create


23WeST

create


Health Record

Policies

admission

create

create

1

Sticky Log


permit (ID) IF (step (record, {ukob}, _, access, _, ID, _) AFTER (step (record, {doctor}, _, _, confirmation, _, _) AND step (record, {patient}, _, _, access_approval, _, _))).

PAPEL Syntax for Policies:condition AND condition condition OR condition condition XOR conditionNOT conditionstep (A) AFTER step (B)


24WeST

create

examination

admission

create

create

update

update

update

asking permit

1 2 3

You


Health Record

Policies

examination

update

update

4

Sticky Log Hiding

SensitiveInformation


25WeST

create

examination

admission

create

create

update

update

update

asking permit

1 2 3

Jane Doe


Health Record

Policies

examination

update

update

4

Sticky Log

Syntax of Reduced Facts in Sticky Logs:reduced (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs)replace with hidden as required.

Syntax for Sticky Logs:step (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs)


26WeST

create

examination

admission

create

create

update

update

update

asking permit

1 2 3

Jane Doe


Health Record

Policies

examination

update

update

4

Sticky Log

Sticky Log:step (record, {mrh}, {}, create, patient_treatment, 1, {0})step (record, {mrh}, {}, update, examination, 2, {1})reduced (record, hidden, hidden, update, hidden, 4, {2})

Syntax of Reduced Facts in Sticky Logs:reduced (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs)replace with hidden as required.


27WeST

create

examination


Health Record

Policies

admission

create

create

update

update

update

asking permit

examination

update

update

1 2 3 4

You

Sticky Log

prepareshare

de-id.

update

encrypt

fulfill

5

UsingAttributes


28WeST

create

examination


Health Record

Policies

admission

create

create

update

update

update

asking permit

examination

update

update

1 2 3 4

Sticky Log:step (record, {mrh}, {}, create, patient_treatment, 1, {0})step (record, {mrh}, {}, update, examination, 2, {1})reduced (record, hidden, hidden, update, hidden, 4, {2})step (record, {mrh}, {}, de-identified, privacy, 5, {4})attribute (record, de-identified, true, 5)

You

Sticky Log

prepareshare

de-id.

update

fulfill

5

encryptSyntax of Attributes in Sticky Logs:attribute (Data, Name, Value, ID)


29WeST

create

examination


Health Record

Policies

admission

create

create

update

update

update

asking permit

examination

update

update

1 2 3 4

You

Sticky Log

prepareshare

de-id.

fulfill

5

encrypt

(P3): You demand that your record is shared only after de-identification.

permit (ID) IF (step (record, _, _, transfer, _, ID, _) AFTER step (record, _, _, update, de-identify, _, _)).

permit(ID) IF (step (record, _, _, transfer, _, ID, _) AND attribute (record, de-identified, true, ID)).

update


30WeST

create

examination


Health Record

Policies

admission

create

create

update

update

update

asking permit

examination

update

update

1 2 3 4

You

Sticky Log

prepareshare

de-id.

fulfill

5

encrypt

(P3): You demand that your record is shared only after de-identification.

permit(ID) IF (step (record, _, _, transfer, _, ID, _) AND attribute (record, de-identified, true, ID)).

assignment(ID) IF step (record, _, _, _, de-identified, ID, _) DO set_attribute (record, de-identified, true, ID).assignment(ID) IF step (record, _, _, _, re-identified, ID, _) DO set_attribute (record, de-identified, false, ID).

update


31WeST

create

examination


Health Record

Policies

admission

create

create

update

update

update

asking permit

examination

update

update

prepareshare

de-id.

update

encrypt

fulfill

1 2 3 4 5

Sticky Log

You

share for research

update

transfer

transfer

check

transfer

6


32WeST

create

examination


Health Record

Policies

admission

create

create

update

update

update

asking permit

examination

update

update

prepareshare

de-id.

update

encrypt

fulfill

1 2 3 4 5

Sticky Log:

step (record, {mrh}, {}, create, patient_treatment, 1, {0})step (record, {mrh}, {}, update, examination, 2, {1})reduced (record, hidden, hidden, update, hidden, 4, {2})step (record, {mrh}, {}, de-identified, privacy, 5, {4})attribute (record, de-identified, true, 5)step (record, {mrh}, {ukob}, transfer, research, 6, {5})

Sticky Log

You

share for research

update

transfer

transfer

check

transfer

6


33WeST

create

examination


Health Record

Policies

admission

create

create

update

update

update

asking permit

examination

update

update

prepareshare

de-id.

update

encrypt

fulfill

1 2 3 4 5

Sticky Log:


Sticky Log

You

share for research

update

transfer

transfer

check

transfer

6

permit (6)?

(P3):permit (ID) IF (step (record, _, _, transfer, _, ID, _) AND attribute (record, de-identified, true, ID)).


34WeST

create

examination


Health Record

Policies

admission

create

create

update

update

update

asking permit

examination

update

update

prepareshare

de-id.

update

encrypt

fulfill

1 2 3 4 5

Sticky Log:


Sticky Log

You

share for research

update

transfer

transfer

check

transfer

6

permit (6)?

(P3):permit (ID) IF (step (record, _, _, transfer, _, ID, _) AND attribute (record, de-identified, true, ID)).


35WeST

create

examination


Health Record

Policies

admission

create

create

update

update

update

asking permit

examination

update

update

share for research

prepareshare

de-id.

update

encrypt

update

transfer

transfer

check

transfer

fulfill

1 2 3 4 5 6

Sticky Log

You

check

update

read

research

7

Formal definition of semantics available.


36WeST

WHAT MUST BE DONE?OBLIGATIONS WITH CARE


37WeST

Policies – Obligation

Alice (nurse)

transfer transfer discharge

Bob (physician)

(P1): Staff members are permitted to transfer the record to Jane Doe after her discharge.(P2): Staff members and the archive are permitted to transfer the record to staff members.

(O1): Jane Doe demands to receive her record after her discharge.(O2): A nurse has to transfer the record to the archive if she received it after the patient’s discharge.

(D1): Jane Doe is denied to transfer her record.

Jane Doe


38WeST



(D1): Jane Doe is denied to transfer her record.

Policies – Obligation

Alice (nurse)

transfer transfer discharge

Bob (physician)

Jane Doe

Obligation 1

archive

Obligation 2 transfer


39WeST

Alice (nurse)

Obligation 1

transfer transfer

Jane Doearchive

Obligation 2

transfer



(D1): The archive is not allowed transfering records to non-staff.


40WeST

Alice (nurse)

Obligation 1

transfer transfer

Jane Doearchive

Obligation 2

transfer





41WeST

Alice (nurse)

Obligation 1

transfer

Jane Doearchive

Obligation 2

transfer

Bob (physician)

transfer





42WeST

....s13

Future Execution Graph

s2examination

s3asking permit

s6transfer

s4examination

s10prepareshare

s11share

s12analysis

s5discharge

s7.a

s8.a

s8.b s8.c

..

.... .. .... ..

invalid

allowed

History now Future Execution Graph


43WeST

s13

Closing

s2examination

s3asking permit

s6transfer

s4examination

s10prepareshare

s11share

s12analysis

s5discharge

s7.a

s8.a

s8.b s8.c

..

.... .. .... ..

....

closed

invalid

allowed

History now Future Execution Graph


44WeST

s7.a

s13

The Destiny

s2examination

s3asking permit

s6transfer

s4examination

s10prepareshare

s11share

s12analysis

s5discharge

s8.a

s8.b s8.c

closed

Destiny

..

.... .. .... ..

....invalid

allowed


45WeST

s7.a

s13

The Destiny

s2examination

s3asking permit

s6transfer

s4examination

s10prepareshare

s11share

s12analysis

s5discharge

s8.a

s8.b s8.c

..

.... .. .... ..

....

?Destiny

closed

invalid

allowed


46WeST

Alice (nurse)

transfer transfer

Jane Doe

discharge

archive

transfer

?Which next steps have a destiny?


47WeST

Policies

...step (record_jd, bob, null, discharge, 5, {4})step (record_jd, bob, alice, transfer, 6, {5,13})

permit (ID) IF step (record_jd, S, jane_doe, transfer, ID, _) AFTER step (record_jd, _, _, discharge, _, _) AND instance_of (S, staff_member).

step (record_jd, alice, jane, transfer, 7, {6})

+

Input:

History + Next Step +Policy Rules

Translation:

Axioms + Translation

Decision:

Reachability of a future state where all obligations are met.

Axioms specifying possible steps.

+Translation to colored Petri nets.

+


48WeST

Alice (nurse)

transfer transfer

Jane Doe

discharge

archive

transfer

Which next steps have a destiny?


49WeST

Conclusion

Policies with Obligations:`Business rules‘ may decide about what may/may not and must be done to your data

Provenance Graph is core to store what has and will be done to data

Formal underpinning of our approach makes it semantically sound and complete


50WeST

http://wegov-project.eu/index.php

Web Science & Technologies

University of Koblenz ▪ Landau, Germany

Thank You!

Key Publications

Ringelstein, Christoph; Staab, Steffen (2010): PAPEL: A Language and Model for Provenance-Aware Policy Definition and Execution. In: BPM 2010 - International Conference on Business Process Management.

Ringelstein, Christoph (2011): Data Provenance and Destiny in Distributed Environments. PhD-Thesis. Univ Koblenz, 2011.http://kola.opus.hbz-nrw.de/volltexte/2012/733/pdf/Ringelstein_PhDThesis_2011.pdf

They also link to a few more….

Take CARE: Provenance, Policies and Your Obligations in the Future

Technology

middle rhine hospital

middle rhine hospital1

health permit id

step record

health records of patients

west steffen staab15

west steffen staab14

step data