Web Science & Technologies                                     University of Koblenz ▪ Landau, Germany                Take...
Do you remember? That Italian tax office published all tax data about citizens  on its Web page… That CIA published a li...
Middle Rhine HospitalWeST   Steffen Staab          3       staab@uni-koblenz.de
Middle Rhine Hospital                                           share for                                           resear...
Middle Rhine Hospital            1           2              3             4            5             6           7        ...
Integrating Policies with ProvenanceMotivation Provenance    very general mechanism to represent       • which past even...
Policies build on the Past and Affect the Future               Provenance                                      now        ...
WHAT MAY BE DONE?       PAPEL: A POLICY LANGUAGE       USING PROVENANCEWeST        Steffen Staab          8            sta...
Middle Rhine Hospital             1             2              3            4            5             6           7      ...
Middle Rhine Hospital             1             2              3            4            5             6           7      ...
Middle Rhine Hospital         1           2              3            4            5             6           7            ...
Middle Rhine Hospital           1           2              3            4            5             6           7          ...
Middle Rhine Hospital           1           admissionHealthRecord      createPolicies    createProve-nance       create  W...
Middle Rhine Hospital           1           admissionHealthRecord      createPolicies    createStickyLog         create   ...
Middle Rhine Hospital           1           admissionHealthRecord      createPolicies    createStickyLog         create (P...
Middle Rhine Hospital           1           admissionHealthRecord      createPolicies    createSticky               (P1): ...
Middle Rhine Hospital           1           admission                   PAPEL Syntax for Policies:Health             permi...
Middle Rhine Hospital           1           admissionHealthRecord      createPolicies    create                           ...
Middle Rhine Hospital           1             2                             exami-           admission                    ...
Middle Rhine Hospital           1             2                             exami-           admission                    ...
Middle Rhine Hospital           1           admissionHealthRecord      createPolicies    createStickyLog         create   ...
Middle Rhine Hospital           1           admissionHealthRecord      create                        PAPEL Syntax for Poli...
Middle Rhine Hospital           1           2              3            4                           exami-         asking ...
Middle Rhine Hospital           1             2              3            4                             exami-         ask...
Middle Rhine Hospital           1             2              3            4                             exami-         ask...
Middle Rhine Hospital           1           2              3            4            5                           exami-   ...
Middle Rhine Hospital           1              2              3            4            5                              exa...
Middle Rhine Hospital           1              2              3            4            5                              exa...
Middle Rhine Hospital           1              2              3            4            5                              exa...
Middle Rhine Hospital           1           2              3            4            5             6                      ...
Middle Rhine Hospital           1              2              3            4            5             6                   ...
Middle Rhine Hospital           1              2              3            4            5             6                   ...
Middle Rhine Hospital           1              2              3            4            5             6                   ...
Middle Rhine Hospital           1           2              3            4            5             6           7          ...
WHAT MUST BE DONE?       OBLIGATIONS WITH CAREWeST        Steffen Staab          36            staab@uni-koblenz.de
Policies – Obligation         (P1): Staff members are permitted to transfer the record to Jane Doe               after her...
Policies – Obligation         (P1): Staff members are permitted to transfer the record to Jane Doe               after her...
(P1): Staff members are permitted to transfer the record to Jane Doe             after her discharge.       (P2): Staff me...
(P1): Staff members are permitted to transfer the record to Jane Doe             after her discharge.       (P2): Staff me...
(P1): Staff members are permitted to transfer the record to Jane Doe               after her discharge.         (P2): Staf...
Future Execution Graph               History                                          now         Future Execution Graph  ...
Closing               History                                          now         Future Execution Graph                 ...
The Destiny                                                                             ..     s2           s3           s...
The Destiny                                                                             ..     s2           s3           s...
Which next steps                                                          have a destiny?                                 ...
Policies                                   ...  Input:                           step (record_jd, bob, null, discharge, 5,...
Which next steps                                                          have a destiny?       discharge         transfer...
Conclusion Policies with Obligations:  `Business rules‘ may decide about what may/may not and  must be done to your data...
Web Science & Technologies                                                    University of Koblenz ▪ Landau, Germany     ...
Upcoming SlideShare
Loading in …5
×

Take CARE: Provenance, Policies and Your Obligations in the Future

591 views
499 views

Published on

Invited Talk given at ESWC-2012 Workshop on "Semantic Web in Provenance"

Published in: Technology, Health & Medicine
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
591
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Take CARE: Provenance, Policies and Your Obligations in the Future

  1. 1. Web Science & Technologies University of Koblenz ▪ Landau, Germany Take CARE Provenance, Policies and Your Obligations in the Future http://wegov-project.eu/index.php Christoph Ringelstein & Steffen StaabWeST Steffen Staab 1 staab@uni-koblenz.de
  2. 2. Do you remember? That Italian tax office published all tax data about citizens on its Web page… That CIA published a list of his agents on the internet…. Even in a friendly environment allowing/disallowing data handling is a big issueWeST Steffen Staab 2 staab@uni-koblenz.de
  3. 3. Middle Rhine HospitalWeST Steffen Staab 3 staab@uni-koblenz.de
  4. 4. Middle Rhine Hospital share for researchHealthRecord WeST Steffen Staab 4 staab@uni-koblenz.de
  5. 5. Middle Rhine Hospital 1 2 3 4 5 6 7 exami- asking exami- prepare share for admission research nation permit nation share research YouHealthRecord 1. I want to describe Jane Doe what may be done with my record 2. I want to define what must be done with my record (obligation) WeST Steffen Staab 5 staab@uni-koblenz.de
  6. 6. Integrating Policies with ProvenanceMotivation Provenance  very general mechanism to represent • which past events may influence policy decisions Provenance  natural mechanism to consider the past and  extend this consideration into the futureWeST Steffen Staab 6 staab@uni-koblenz.de
  7. 7. Policies build on the Past and Affect the Future Provenance now Future Provenance .. s2 s3 s4 s5 s6 examination asking examination discharge transfer .... .. s8.a .. .. .. permit s7.a s8.b s8.c s10 prepare share No permission s11 .... share allowed s12 s13 analysisWeST Steffen Staab 7 staab@uni-koblenz.de
  8. 8. WHAT MAY BE DONE? PAPEL: A POLICY LANGUAGE USING PROVENANCEWeST Steffen Staab 8 staab@uni-koblenz.de
  9. 9. Middle Rhine Hospital 1 2 3 4 5 6 7 exami- asking exami- prepare share for admission research nation permit nation share research YouHealthRecord Contextual Properties Provenance Information of the Data Information Actor, Time, .. Owner, Type, .. History, .. WeST Steffen Staab 9 staab@uni-koblenz.de
  10. 10. Middle Rhine Hospital 1 2 3 4 5 6 7 exami- asking exami- prepare share for admission research nation permit nation share research YouHealthRecord Contextual Properties Provenance Information of the Data Information Actor, Time, .. Owner, Type, .. History, .. WeST Steffen Staab 10 staab@uni-koblenz.de
  11. 11. Middle Rhine Hospital 1 2 3 4 5 6 7 exami- asking exami- prepare share for admission research nation permit nation share research Jane DoeHealthRecord 1. - 2. Provenance & Policies 3. Conditions based on Provenance 4. Hiding Information 5. Attributes 6. Interpreting Conditions WeST Steffen Staab 11 staab@uni-koblenz.de
  12. 12. Middle Rhine Hospital 1 2 3 4 5 6 7 exami- asking exami- prepare share for admission research nation permit nation share research YouHealthRecordPoliciesProve-nance WeST Steffen Staab 12 staab@uni-koblenz.de
  13. 13. Middle Rhine Hospital 1 admissionHealthRecord createPolicies createProve-nance create WeST Steffen Staab 13 staab@uni-koblenz.de
  14. 14. Middle Rhine Hospital 1 admissionHealthRecord createPolicies createStickyLog create OPM [1] Syntax of Provenance in Sticky Logs: step (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs) Sticky Log: step (record, {mrh}, {}, create, patient_treatment, 1, {0}) WeST Steffen Staab 14 staab@uni-koblenz.de
  15. 15. Middle Rhine Hospital 1 admissionHealthRecord createPolicies createStickyLog create (P1): ukob is allowed to process health records for research purposes. However, ukob is not allowed to transfer the health records of patients to other organizations. (P2): The mrh demands that the record is only accessed by ukob after the sharing of the health records is approved by the patient and the approval must have been confirmed by a doctor. WeST Steffen Staab 15 staab@uni-koblenz.de
  16. 16. Middle Rhine Hospital 1 admissionHealthRecord createPolicies createSticky (P1): ukob is allowed to process health records for research purposes. createLog However, ukob is not allowed to transfer the health records of patients to other organizations. WeST Steffen Staab 16 staab@uni-koblenz.de
  17. 17. Middle Rhine Hospital 1 admission PAPEL Syntax for Policies:Health permit (ID) IF Condition .Record create deny (ID) IF Condition .Policies create XACML [2]Sticky (P1): ukob is allowed to process health records for research purposes.Log create permit (ID) IF step (record, {ukob}, _, _, research, ID, _). However, ukob is not allowed to transfer the health records of patients to other organizations. deny (ID) IF step (record, {ukob}, _, transfer, _, ID, _). WeST Steffen Staab 17 staab@uni-koblenz.de
  18. 18. Middle Rhine Hospital 1 admissionHealthRecord createPolicies create Matches step(..) an element of the history?Sticky (P1): ukob is allowed to process health records for research purposes.Log create permit (ID) IF step (record, {ukob}, _, _, research, ID, _). However, ukob is not allowed to transfer the health records of patients to other organizations. deny (ID) IF step (record, {ukob}, _, transfer, _, ID, _). WeST Steffen Staab 18 staab@uni-koblenz.de
  19. 19. Middle Rhine Hospital 1 2 exami- admission nationHealthRecord create updatePolicies createStickyLog create update Sticky Log: step (record, {mrh}, {}, create, patient_treatment, 1, {0}) step (record, {mrh}, {}, update, examination, 2, {1}) WeST Steffen Staab 20 staab@uni-koblenz.de
  20. 20. Middle Rhine Hospital 1 2 exami- admission nationHealthRecord create updatePolicies create Mapping theStickyLog create update temporal structure to a graph structure! Sticky Log: step (record, {mrh}, {}, create, patient_treatment, 1, {0}) step (record, {mrh}, {}, update, examination, 2, {1}) WeST Steffen Staab 21 staab@uni-koblenz.de
  21. 21. Middle Rhine Hospital 1 admissionHealthRecord createPolicies createStickyLog create (P2): The mrh demands that the record is only accessed by ukob after the sharing of the health records is approved by the patient and the approval must have been confirmed by a doctor. WeST Steffen Staab 22 staab@uni-koblenz.de
  22. 22. Middle Rhine Hospital 1 admissionHealthRecord create PAPEL Syntax for Policies: condition AND conditionPolicies create condition OR condition condition XOR condition NOT condition step (A) AFTER step (B)StickyLog create (P2): The mrh demands that the record is only accessed by ukob after the sharing of the health records is approved by the patient and the approval must have been confirmed by a doctor. permit (ID) IF (step (record, {ukob}, _, access, _, ID, _) AFTER (step (record, {doctor}, _, _, confirmation, _, _) AND step (record, {patient}, _, _, access_approval, _, _))). WeST Steffen Staab 23 staab@uni-koblenz.de
  23. 23. Middle Rhine Hospital 1 2 3 4 exami- asking exami- admission nation permit nationHealthRecord create update updatePolicies create update YouStickyLog create update update Hiding Sensitive Information WeST Steffen Staab 24 staab@uni-koblenz.de
  24. 24. Middle Rhine Hospital 1 2 3 4 exami- asking exami- admission nation permit nationHealthRecord create update updatePolicies create update Syntax for Sticky Logs: step (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs) Jane DoeStickyLog create update update Syntax of Reduced Facts in Sticky Logs: reduced (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs) replace with hidden as required. WeST Steffen Staab 25 staab@uni-koblenz.de
  25. 25. Middle Rhine Hospital 1 2 3 4 exami- asking exami- admission nation permit nationHealthRecord create update updatePolicies create update Jane DoeStickyLog create update update Syntax of Reduced Facts in Sticky Logs: reduced (Data, Actors, InvolvedAgents, Category, Purpose, ID, PIDs) replace with hidden as required. Sticky Log: step (record, {mrh}, {}, create, patient_treatment, 1, {0}) step (record, {mrh}, {}, update, examination, 2, {1}) reduced (record, hidden, hidden, update, hidden, 4, {2}) WeST Steffen Staab 26 staab@uni-koblenz.de
  26. 26. Middle Rhine Hospital 1 2 3 4 5 exami- asking exami- prepare admission nation permit nation shareHealthRecord create update update de-id.Policies create update fulfill YouStickyLog create update update update encrypt Using Attributes WeST Steffen Staab 27 staab@uni-koblenz.de
  27. 27. Middle Rhine Hospital 1 2 3 4 5 exami- asking exami- prepare admission nation permit nation shareHealthRecord create update update de-id.Policies create update fulfill YouStickyLog create update update update Syntax of Attributes in Sticky Logs: encrypt attribute (Data, Name, Value, ID) Sticky Log: step (record, {mrh}, {}, create, patient_treatment, 1, {0}) step (record, {mrh}, {}, update, examination, 2, {1}) reduced (record, hidden, hidden, update, hidden, 4, {2}) step (record, {mrh}, {}, de-identified, privacy, 5, {4}) attribute (record, de-identified, true, 5) WeST Steffen Staab 28 staab@uni-koblenz.de
  28. 28. Middle Rhine Hospital 1 2 3 4 5 exami- asking exami- prepare admission nation permit nation shareHealthRecord create update update de-id.Policies create update fulfill YouStickyLog create update update update encrypt (P3): You demand that your record is shared only after de-identification. permit (ID) IF (step (record, _, _, transfer, _, ID, _) AFTER step (record, _, _, update, de-identify, _, _)). permit(ID) IF (step (record, _, _, transfer, _, ID, _) AND attribute (record, de-identified, true, ID)). WeST Steffen Staab 29 staab@uni-koblenz.de
  29. 29. Middle Rhine Hospital 1 2 3 4 5 exami- asking exami- prepare admission nation permit nation shareHealthRecord create update update de-id.Policies create update fulfill YouStickyLog create update update update encrypt (P3): You demand that your record is shared only after de-identification. permit(ID) IF (step (record, _, _, transfer, _, ID, _) AND attribute (record, de-identified, true, ID)). assignment(ID) IF step (record, _, _, _, de-identified, ID, _) DO set_attribute (record, de-identified, true, ID). assignment(ID) IF step (record, _, _, _, re-identified, ID, _) WeST Steffen Staab 30 DO set_attribute (record, de-identified, false, ID). staab@uni-koblenz.de
  30. 30. Middle Rhine Hospital 1 2 3 4 5 6 exami- asking exami- prepare share for admission nation permit nation share researchHealthRecord create update update de-id. transferPolicies create update fulfill check transfer YouStickyLog create update update update update encrypt transfer WeST Steffen Staab 31 staab@uni-koblenz.de
  31. 31. Middle Rhine Hospital 1 2 3 4 5 6 exami- asking exami- prepare share for admission nation permit nation share researchHealthRecord create update update de-id. transferPolicies create update fulfill check transfer YouStickyLog create update update update update encrypt transfer Sticky Log: step (record, {mrh}, {}, create, patient_treatment, 1, {0}) step (record, {mrh}, {}, update, examination, 2, {1}) reduced (record, hidden, hidden, update, hidden, 4, {2}) step (record, {mrh}, {}, de-identified, privacy, 5, {4}) attribute (record, de-identified, true, 5) WeST stepSteffen Staab {mrh}, {ukob}, transfer, research, 6, {5}) (record, 32 staab@uni-koblenz.de
  32. 32. Middle Rhine Hospital 1 2 3 4 5 6 exami- asking exami- prepare share for admission nation permit nation share researchHealthRecord create update update de-id. transferPolicies create update fulfill check transfer You permit (6)?StickyLog create (P3): update update update update permit (ID) IF (step (record, _, _, transfer, _, ID, _) AND encrypt transfer attribute (record, de-identified, true, ID)). Sticky Log: step (record, {mrh}, {}, create, patient_treatment, 1, {0}) step (record, {mrh}, {}, update, examination, 2, {1}) reduced (record, hidden, hidden, update, hidden, 4, {2}) step (record, {mrh}, {}, de-identified, privacy, 5, {4}) attribute (record, de-identified, true, 5) WeST stepSteffen Staab {mrh}, {ukob}, transfer, research, 6, {5}) (record, 33 staab@uni-koblenz.de
  33. 33. Middle Rhine Hospital 1 2 3 4 5 6 exami- asking exami- prepare share for admission nation permit nation share researchHealthRecord create update update de-id. transferPolicies create update fulfill check transfer You permit (6)?StickyLog create (P3): update update update update permit (ID) IF (step (record, _, _, transfer, _, ID, _) AND encrypt transfer attribute (record, de-identified, true, ID)). Sticky Log: step (record, {mrh}, {}, create, patient_treatment, 1, {0}) step (record, {mrh}, {}, update, examination, 2, {1}) reduced (record, hidden, hidden, update, hidden, 4, {2}) step (record, {mrh}, {}, de-identified, privacy, 5, {4}) attribute (record, de-identified, true, 5) WeST stepSteffen Staab {mrh}, {ukob}, transfer, research, 6, {5}) (record, 34 staab@uni-koblenz.de
  34. 34. Middle Rhine Hospital 1 2 3 4 5 6 7 exami- asking exami- prepare share for admission research nation permit nation share researchHealthRecord create update update de-id. transfer readPolicies create update fulfill check check transfer YouStickyLog create update update update update update encrypt transfer Formal definition of semantics available. WeST Steffen Staab 35 staab@uni-koblenz.de
  35. 35. WHAT MUST BE DONE? OBLIGATIONS WITH CAREWeST Steffen Staab 36 staab@uni-koblenz.de
  36. 36. Policies – Obligation (P1): Staff members are permitted to transfer the record to Jane Doe after her discharge. (P2): Staff members and the archive are permitted to transfer the record to staff members. (O1): Jane Doe demands to receive her record after her discharge. (O2): A nurse has to transfer the record to the archive if she received it after the patient’s discharge. (D1): Jane Doe is denied to transfer her record. discharge transfer transfer Jane Doe Bob Alice(physician) (nurse) WeST Steffen Staab 37 staab@uni-koblenz.de
  37. 37. Policies – Obligation (P1): Staff members are permitted to transfer the record to Jane Doe after her discharge. (P2): Staff members and the archive are permitted to transfer the record to staff members. (O1): Jane Doe demands to receive her record after her discharge. (O2): A nurse has to transfer the record to the archive if she received it after the patient’s discharge. (D1): Jane Doe is denied to transfer her record. Obligation 1 discharge transfer transfer Jane Doe Bob Alice(physician) (nurse) archive WeST Steffen Staab 38 staab@uni-koblenz.de
  38. 38. (P1): Staff members are permitted to transfer the record to Jane Doe after her discharge. (P2): Staff members and the archive are permitted to transfer the record to staff members. (O1): Jane Doe demands to receive her record after her discharge. (O2): A nurse has to transfer the record to the archive if she received it after the patient’s discharge. (D1): The archive is not allowed transfering records to non-staff. Obligation 1 Obligation 2 transfer transfer transfer Alice (nurse) archive Jane DoeWeST Steffen Staab 39 staab@uni-koblenz.de
  39. 39. (P1): Staff members are permitted to transfer the record to Jane Doe after her discharge. (P2): Staff members and the archive are permitted to transfer the record to staff members. (O1): Jane Doe demands to receive her record after her discharge. (O2): A nurse has to transfer the record to the archive if she received it after the patient’s discharge. (D1): The archive is not allowed transfering records to non-staff. Obligation 1 Obligation 2 transfer transfer transfer Alice (nurse) archive Jane DoeWeST Steffen Staab 40 staab@uni-koblenz.de
  40. 40. (P1): Staff members are permitted to transfer the record to Jane Doe after her discharge. (P2): Staff members and the archive are permitted to transfer the record to staff members. (O1): Jane Doe demands to receive her record after her discharge. (O2): A nurse has to transfer the record to the archive if she received it after the patient’s discharge. (D1): The archive is not allowed transfering records to non-staff. Obligation 1 Obligation 2 transfer transfer transferAlice (nurse) archive Bob (physician) Jane Doe WeST Steffen Staab 41 staab@uni-koblenz.de
  41. 41. Future Execution Graph History now Future Execution Graph .. s2 s3 s4 s5 s6 examination asking examination discharge transfer .... .. s8.a .. .. .. permit s7.a s8.b s8.c s10 prepare share invalid s11 .... share allowed s12 s13 analysisWeST Steffen Staab 42 staab@uni-koblenz.de
  42. 42. Closing History now Future Execution Graph .. s2 s3 s4 s5 s6 examination asking examination discharge transfer .... .. s8.a .. .. .. permit s7.a s8.b s8.c s10 prepare share invalid s11 .... share allowed s12 s13 analysis closedWeST Steffen Staab 43 staab@uni-koblenz.de
  43. 43. The Destiny .. s2 s3 s4 s5 s6 examination asking examination discharge transfer .... .. s8.a .. .. .. permit s7.a s8.b s8.c s10 prepare share invalid s11 .... share allowed s12 s13 Destiny analysis closedWeST Steffen Staab 44 staab@uni-koblenz.de
  44. 44. The Destiny .. s2 s3 s4 s5 s6 examination asking examination discharge transfer .... .. s8.a .. .. .. permit s7.a s8.b s8.c s10 prepare share invalid s11 .... share allowed s12 s13 Destiny analysis closedWeST Steffen Staab staab@uni-koblenz.de 45 ?
  45. 45. Which next steps have a destiny? ? discharge transfer transfer Alice (nurse) archive Jane DoeWeST Steffen Staab 46 staab@uni-koblenz.de
  46. 46. Policies ... Input: step (record_jd, bob, null, discharge, 5, {4}) step (record_jd, bob, alice, transfer, 6, {5,13}) History + Next Step + + Policy Rules step (record_jd, alice, jane, transfer, 7, {6}) + permit (ID) IF step (record_jd, S, jane_doe, transfer, ID, _) AFTER step (record_jd, _, _, discharge, _, _) AND instance_of (S, staff_member). Translation: Axioms specifying possible steps. Axioms + Translation + Translation to colored Petri nets. Decision: Reachability of a future state where all obligations are met.WeST Steffen Staab 47 staab@uni-koblenz.de
  47. 47. Which next steps have a destiny? discharge transfer transfer Alice (nurse) archive Jane DoeWeST Steffen Staab 48 staab@uni-koblenz.de
  48. 48. Conclusion Policies with Obligations: `Business rules‘ may decide about what may/may not and must be done to your data Provenance Graph is core to store what has and will be done to data Formal underpinning of our approach makes it semantically sound and completeWeST Steffen Staab 49 staab@uni-koblenz.de
  49. 49. Web Science & Technologies University of Koblenz ▪ Landau, Germany Thank You! http://wegov-project.eu/index.phpKey PublicationsRingelstein, Christoph; Staab, Steffen (2010):PAPEL: A Language and Model for Provenance-Aware Policy Definition and Execution.In: BPM 2010 - International Conference on Business Process Management.Ringelstein, Christoph (2011): Data Provenance and Destiny in Distributed Environments.PhD-Thesis. Univ Koblenz, 2011.http://kola.opus.hbz-nrw.de/volltexte/2012/733/pdf/Ringelstein_PhDThesis_2011.pdfThey also link to a few more…. WeST Steffen Staab 50 staab@uni-koblenz.de

×