Take CARE: Provenance, Policies and Your Obligations in the Future
Christoph Ringelstein & Steffen Staab
Steffen Staab, [email protected]
WeST, Web Science & Technologies, University of Koblenz ▪ Landau, Germany
http://wegov-project.eu/index.php
Jan 26, 2015
Do you remember?
That the Italian tax office published all tax data about citizens on its Web page…
That the CIA published a list of its agents on the Internet…
Even in a friendly environment, allowing or disallowing data handling is a big issue.
[Figure: Jane Doe's health record at Middle Rhine Hospital passes through seven steps: 1 admission, 2 examination, 3 asking permit, 4 examination, 5 prepare share, 6 share for research, 7 research]
Jane Doe (you, the patient):
1. I want to describe what may be done with my record.
2. I want to define what must be done with my record (obligation).
Integrating Policies with Provenance
Motivation:
Provenance is a very general mechanism to represent which past events may influence policy decisions.
Provenance is a natural mechanism to consider the past and to extend this consideration into the future.
Policies build on the Past and Affect the Future
[Figure: provenance graph with steps s2 examination, s3 asking permit, s4 examination, s5 discharge, s6 transfer, s7.a, s8.a, s8.b, s8.c, s10 prepare share, s11 share, s12 analysis, s13 ...; the part before "now" is the provenance, the part after it the future provenance; branches are marked "allowed" or "no permission"]
[Figure: the seven-step workflow at Middle Rhine Hospital, with the health record annotated as follows]
Provenance Information: History, ..
Properties of the Data: Owner, Type, ..
Contextual Information: Actor, Time, ..
Outline, mapped onto the workflow of Jane Doe's health record at Middle Rhine Hospital:
1. - 2. Provenance & Policies
3. Conditions based on Provenance
4. Hiding Information
5. Attributes
6. Interpreting Conditions
[Figure: workflow steps 1 admission, 2 examination, 3 asking permit, 4 examination, 5 prepare share, 6 share for research, 7 research]
[Figure: the same workflow; policies and provenance are attached to the health record]
Step 1 (admission): create
[Figure: the health record with its policies and provenance is created at Middle Rhine Hospital]
Sticky Log:
step (record, {mrh}, {}, create, patient_treatment, 1, {0})
Syntax of Provenance in Sticky Logs (cf. OPM [1]):
step (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs)
Policies attached to the record, in natural language:
(P1): ukob is allowed to process health records for research purposes. However, ukob is not allowed to transfer the health records of patients to other organizations.
(P2): The mrh demands that the record is only accessed by ukob after the sharing of the health records is approved by the patient and the approval must have been confirmed by a doctor.
PAPEL Syntax for Policies (cf. XACML [2]):
permit (ID) IF Condition .
deny (ID) IF Condition .
(P1) in PAPEL:
ukob is allowed to process health records for research purposes.
permit (ID) IF step (record, {ukob}, _, _, research, ID, _).
However, ukob is not allowed to transfer the health records of patients to other organizations.
deny (ID) IF step (record, {ukob}, _, transfer, _, ID, _).
Evaluating a condition: does step (..) match an element of the history?
Step 2 (examination): update
Sticky Log:
step (record, {mrh}, {}, create, patient_treatment, 1, {0})
step (record, {mrh}, {}, update, examination, 2, {1})
Mapping the temporal structure to a graph structure!
(P2): The mrh demands that the record is only accessed by ukob after the sharing of the health records is approved by the patient and the approval must have been confirmed by a doctor.
(P2) in PAPEL:
permit (ID) IF (step (record, {ukob}, _, access, _, ID, _) AFTER (step (record, {doctor}, _, _, confirmation, _, _) AND step (record, {patient}, _, _, access_approval, _, _))).
PAPEL Syntax for Policies, conditions:
condition AND condition
condition OR condition
condition XOR condition
NOT condition
step (A) AFTER step (B)
Hiding Sensitive Information
[Figure: steps 3 (asking permit, update) and 4 (examination, update); Jane Doe's health record with policies and sticky log]
Syntax for Sticky Logs:
step (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs)
Syntax of Reduced Facts in Sticky Logs:
reduced (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs)
Fields are replaced with hidden as required.
Sticky Log:
step (record, {mrh}, {}, create, patient_treatment, 1, {0})
step (record, {mrh}, {}, update, examination, 2, {1})
reduced (record, hidden, hidden, update, hidden, 4, {2})
Using Attributes
[Figure: step 5 (prepare share): de-identify (update), encrypt, fulfill]
Sticky Log:
step (record, {mrh}, {}, create, patient_treatment, 1, {0})
step (record, {mrh}, {}, update, examination, 2, {1})
reduced (record, hidden, hidden, update, hidden, 4, {2})
step (record, {mrh}, {}, de-identified, privacy, 5, {4})
attribute (record, de-identified, true, 5)
Syntax of Attributes in Sticky Logs:
attribute (Data, Name, Value, ID)
(P3): You demand that your record is shared only after de-identification.
(P3) expressed with AFTER:
permit (ID) IF (step (record, _, _, transfer, _, ID, _) AFTER step (record, _, _, update, de-identify, _, _)).
(P3) expressed with an attribute:
permit(ID) IF (step (record, _, _, transfer, _, ID, _) AND attribute (record, de-identified, true, ID)).
Assignment rules maintaining the attribute:
assignment(ID) IF step (record, _, _, _, de-identified, ID, _) DO set_attribute (record, de-identified, true, ID).
assignment(ID) IF step (record, _, _, _, re-identified, ID, _) DO set_attribute (record, de-identified, false, ID).
Step 6 (share for research): update, transfer, check, transfer
[Figure: the record is shared from Middle Rhine Hospital for research]
Sticky Log:
step (record, {mrh}, {}, create, patient_treatment, 1, {0})
step (record, {mrh}, {}, update, examination, 2, {1})
reduced (record, hidden, hidden, update, hidden, 4, {2})
step (record, {mrh}, {}, de-identified, privacy, 5, {4})
attribute (record, de-identified, true, 5)
step (record, {mrh}, {ukob}, transfer, research, 6, {5})
permit (6)?
(P3): permit (ID) IF (step (record, _, _, transfer, _, ID, _) AND attribute (record, de-identified, true, ID)).
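As an added example (not the authors' PAPEL implementation, whose formal semantics the deck only references), the following Python evaluates the rules (P1) to (P3) against the sticky log above and answers permit (6)?. It encodes the facts as tuples, matches step patterns with `_` wildcards and variable binding, evaluates AFTER by walking the PIDs graph, and reads attributes along that ancestry. The following are assumptions not stated on the slides: PIDs are the IDs of predecessor steps, a hidden field only matches a wildcard, the actors listed in a pattern must all be present in the fact, an attribute set at an earlier step stays in force for its descendants, and deny overrides permit. The example uses the attribute fact already present in the log rather than the assignment rules, so it does not depend on which field of step 5 those rules are meant to match. The two continuations of the log (ukob forwarding the record to another organization; ukob accessing it after patient approval and doctor confirmation) are constructed, as are the names other_org and validation.

```python
# Added example, not the authors' PAPEL implementation: a small evaluator for
# sticky-log facts and PAPEL-style permit/deny rules over the deck's running
# example. Choices the deck leaves open are marked "assumption".

# step/reduced: (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs)
# attribute:    (Data, Name, Value, ID)
# Constructed sticky log, copied from the slides.
STICKY_LOG = [
    ("step", ("record", {"mrh"}, set(), "create", "patient_treatment", 1, {0})),
    ("step", ("record", {"mrh"}, set(), "update", "examination", 2, {1})),
    ("reduced", ("record", "hidden", "hidden", "update", "hidden", 4, {2})),
    ("step", ("record", {"mrh"}, set(), "de-identified", "privacy", 5, {4})),
    ("attribute", ("record", "de-identified", True, 5)),
    ("step", ("record", {"mrh"}, {"ukob"}, "transfer", "research", 6, {5})),
]

def _field_matches(pat, val, binds):
    """Match one field; "_" is a wildcard, upper-case names (ID, S) are variables."""
    if pat == "_":
        return True
    if val == "hidden":                 # assumption: a hidden field satisfies only a wildcard
        return False
    if isinstance(pat, set):            # assumption: every listed actor must be present
        return pat <= val
    if isinstance(pat, str) and pat.isupper():
        return binds.setdefault(pat, val) == val
    return pat == val

def match_steps(log, pattern, binds):
    """Yield (fact, bindings) for every step or reduced fact matching `pattern`."""
    for kind, fact in log:
        b = dict(binds)
        if kind != "attribute" and all(_field_matches(p, v, b) for p, v in zip(pattern, fact)):
            yield fact, b

def ancestors(log, step_id):
    """Step IDs reachable backwards through PIDs (assumption: PIDs are predecessor IDs)."""
    steps = {f[5]: f for k, f in log if k != "attribute"}
    seen, todo = set(), list(steps[step_id][6])
    while todo:
        p = todo.pop()
        if p in steps and p not in seen:
            seen.add(p)
            todo.extend(steps[p][6])
    return seen

def attribute_at(log, data, name, step_id):
    """Attribute value at `step_id`: the latest attribute fact on its ancestry (assumption)."""
    scope = ancestors(log, step_id) | {step_id}
    facts = [f for k, f in log if k == "attribute" and f[:2] == (data, name) and f[3] in scope]
    return max(facts, key=lambda f: f[3])[2] if facts else None

def holds(log, cond, binds):
    """All ways `cond` is satisfied, as (bindings, matched step IDs) pairs."""
    op = cond[0]
    if op == "step":
        return [(b, {f[5]}) for f, b in match_steps(log, cond[1], binds)]
    if op == "attribute":               # ("attribute", Data, Name, Value) at the bound ID
        ok = "ID" in binds and attribute_at(log, cond[1], cond[2], binds["ID"]) == cond[3]
        return [(binds, set())] if ok else []
    if op == "and":
        return [(b2, i1 | i2) for b1, i1 in holds(log, cond[1], binds)
                for b2, i2 in holds(log, cond[2], b1)]
    if op == "or":
        return holds(log, cond[1], binds) + holds(log, cond[2], binds)
    if op == "not":
        return [] if holds(log, cond[1], binds) else [(binds, set())]
    if op == "after":                   # step(A) AFTER B: B's steps are ancestors of A's step
        out = []
        for b_a, ids_a in holds(log, cond[1], binds):
            before = ancestors(log, next(iter(ids_a)))
            out += [(b_b, ids_a | ids_b) for b_b, ids_b in holds(log, cond[2], b_a) if ids_b <= before]
        return out
    raise ValueError(f"unknown operator {op}")

def step(*pattern):
    return ("step", pattern)

RULES = [  # the deck's (P1) to (P3) as nested condition tuples
    ("permit", step("record", {"ukob"}, "_", "_", "research", "ID", "_")),          # P1
    ("deny", step("record", {"ukob"}, "_", "transfer", "_", "ID", "_")),            # P1
    ("permit", ("after", step("record", {"ukob"}, "_", "access", "_", "ID", "_"),    # P2
                ("and", step("record", {"doctor"}, "_", "_", "confirmation", "_", "_"),
                        step("record", {"patient"}, "_", "_", "access_approval", "_", "_")))),
    ("permit", ("and", step("record", "_", "_", "transfer", "_", "ID", "_"),         # P3
                       ("attribute", "record", "de-identified", True))),
]

def decide(log, step_id, rules=RULES):
    """permit(step_id)? Some permit rule holds and no deny rule does (assumption: deny wins)."""
    effects = {effect for effect, cond in rules if holds(log, cond, {"ID": step_id})}
    return "permit" in effects and "deny" not in effects

def demo():
    """permit(6)? from the slides, plus two constructed continuations of the log."""
    ukob_transfer = [("step", ("record", {"ukob"}, {"other_org"}, "transfer", "research", 7, {6}))]
    approved_access = [("step", ("record", {"patient"}, set(), "update", "access_approval", 7, {6})),
                       ("step", ("record", {"doctor"}, set(), "update", "confirmation", 8, {7})),
                       ("step", ("record", {"ukob"}, set(), "access", "validation", 9, {8}))]
    return {"permit(6)": decide(STICKY_LOG, 6),                    # P3 holds, P1's deny does not match
            "permit(7)": decide(STICKY_LOG + ukob_transfer, 7),    # P1 denies the onward transfer
            "permit(9)": decide(STICKY_LOG + approved_access, 9)}  # P2's AFTER condition is met
```

Running `demo()` shows the three outcomes a policy engine on the sticky log has to distinguish: step 6 is permitted because the de-identification attribute set at step 5 is still in force, the constructed onward transfer by ukob matches P1's deny even though P3 would permit it, and the constructed access by ukob is permitted only because both approval steps are found among the ancestors of the access step. The reduced fact 4 stays in the ancestry chain, so hiding its actors does not break the AFTER evaluation, but a rule that required a specific actor at step 4 could no longer be satisfied.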
Step 7 (research): check, update, read
[Figure: the complete seven-step workflow with the sticky log attached to the health record]
A formal definition of the semantics is available.
Policies – Obligation
[Figure: Bob (physician) discharges Jane Doe; Alice (nurse) holds the record; Alice's transfer to Jane Doe is Obligation 1, her transfer to the archive is Obligation 2]
(P1): Staff members are permitted to transfer the record to Jane Doe after her discharge.
(P2): Staff members and the archive are permitted to transfer the record to staff members.
(O1): Jane Doe demands to receive her record after her discharge.
(O2): A nurse has to transfer the record to the archive if she received it after the patient's discharge.
(D1): Jane Doe is not permitted to transfer her record.
On the following slides (D1) reads instead:
(D1): The archive is not allowed to transfer records to non-staff.
Future Execution Graph
[Figure: history before "now" (s2 examination, s3 asking permit, s4 examination, s5 discharge) and the future execution graph after it (s6 transfer, s7.a, s8.a, s8.b, s8.c, s10 prepare share, s11 share, s12 analysis, s13 ...); branches are marked "allowed" or "invalid"]
Closing
[Figure: the same graph; branches are additionally marked "closed"]
The Destiny
[Figure: the same graph; one path is marked "Destiny"]
Which next steps have a destiny?
[Figure: Bob discharges Jane Doe; Alice (nurse) can transfer the record to Jane Doe or to the archive]
Input: History + Next Step + Policy Rules
History: ... step (record_jd, bob, null, discharge, 5, {4}) step (record_jd, bob, alice, transfer, 6, {5,13})
Policy rule: permit (ID) IF step (record_jd, S, jane_doe, transfer, ID, _) AFTER step (record_jd, _, _, discharge, _, _) AND instance_of (S, staff_member).
Next step: step (record_jd, alice, jane, transfer, 7, {6})
Translation: Axioms specifying possible steps + translation to colored Petri nets
Decision: Reachability of a future state where all obligations are met.
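The question "which next steps have a destiny?" as an added example, not the authors' Petri-net translation and not an answer the deck itself prints: a bounded breadth-first search over the future execution graph that checks, for each permitted next step of the current holder, whether some permitted continuation reaches a state in which (O1) and (O2) are both met. Rules (P1), (P2), (O1), (O2) and the first variant of (D1) follow the deck. The following are assumptions: a transfer hands the record over (the sender no longer holds it), staff may transfer the record to the archive (the figure shows this transfer but no permit rule is printed for it), deny overrides permit, the search looks at most four steps ahead, and the history, party names and roles are constructed.

```python
# Added example, not the authors' Petri-net translation: a bounded search over
# the future execution graph that decides which next steps have a "destiny",
# i.e. a reachable future in which every obligation is met. Rules (P1), (P2),
# (O1), (O2) and the first variant of (D1) follow the deck; the hand-over
# semantics of transfer, the permit for transfers to the archive, the deny-wins
# conflict resolution and the search bound are assumptions.
from collections import deque

STAFF = {"alice", "bob"}
ROLE = {"alice": "nurse", "bob": "physician", "jane_doe": "patient", "archive": "archive"}
PARTIES = ("alice", "bob", "jane_doe", "archive")

# Constructed history: Bob discharges Jane Doe, then hands the record to Alice.
# Events are ("discharge", actor) or ("transfer", sender, receiver).
HISTORY = (("discharge", "bob"), ("transfer", "bob", "alice"))

def holder(hist):
    """Whoever received the last transfer holds the record (assumption: transfer hands it over)."""
    transfers = [e for e in hist if e[0] == "transfer"]
    return transfers[-1][2] if transfers else "bob"

def permitted(hist, sender, receiver):
    """(P1), (P2) and an assumed permit for staff-to-archive; (D1) denies; deny wins (assumption)."""
    discharged = any(e[0] == "discharge" for e in hist)
    p1 = sender in STAFF and receiver == "jane_doe" and discharged
    p2 = (sender in STAFF or sender == "archive") and receiver in STAFF
    p_archive = sender in STAFF and receiver == "archive"      # assumption, see lead-in
    d1 = sender == "jane_doe"
    return (p1 or p2 or p_archive) and not d1

def obligations_met(hist):
    """(O1) Jane Doe received the record after discharge; (O2) every nurse who
    received it after discharge later transferred it to the archive."""
    idx = next((i for i, e in enumerate(hist) if e[0] == "discharge"), None)
    if idx is None:
        return False
    after = [(i, e) for i, e in enumerate(hist) if i > idx and e[0] == "transfer"]
    o1 = any(e[2] == "jane_doe" for _, e in after)
    o2 = all(any(f[1] == e[2] and f[2] == "archive" for j, f in after if j > i)
             for i, e in after if ROLE[e[2]] == "nurse")
    return o1 and o2

def next_steps(hist):
    """Permitted transfers the current holder may perform next."""
    h = holder(hist)
    return [("transfer", h, r) for r in PARTIES if r != h and permitted(hist, h, r)]

def has_destiny(hist, step, max_depth=4):
    """Breadth-first search of permitted continuations for a state meeting all obligations."""
    queue = deque([(hist + (step,), 0)])
    while queue:
        h, depth = queue.popleft()
        if obligations_met(h):
            return True
        if depth < max_depth:
            queue.extend((h + (s,), depth + 1) for s in next_steps(h))
    return False

def destinies(hist=HISTORY):
    """Map each candidate next step to whether it has a destiny."""
    return {s: has_destiny(hist, s) for s in next_steps(hist)}
```

Under these assumptions `destinies()` reports that Alice transferring the record to Jane Doe first has no destiny: (D1) leaves Jane Doe unable to pass the record on, so (O2) can never be met afterwards, whereas transferring to the archive (or to Bob) keeps a future open in which the archive returns the record to staff and Jane Doe receives it. Changing an assumption, for example treating transfers as copies, changes the answer, which is exactly why the decision is made by reachability over the future graph rather than by checking the next step in isolation.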
Conclusion
Policies with Obligations: 'business rules' may decide what may, may not, and must be done to your data.
The provenance graph is the core structure for storing what has been and what will be done to data.
The formal underpinning of our approach makes it semantically sound and complete.
Thank You!
Key Publications
Ringelstein, Christoph; Staab, Steffen (2010): PAPEL: A Language and Model for Provenance-Aware Policy Definition and Execution. In: BPM 2010 - International Conference on Business Process Management.
Ringelstein, Christoph (2011): Data Provenance and Destiny in Distributed Environments. PhD Thesis, Univ. Koblenz, 2011. http://kola.opus.hbz-nrw.de/volltexte/2012/733/pdf/Ringelstein_PhDThesis_2011.pdf
They also link to a few more….