Abstract

Medical record sharing across healthcare organisations is fundamental for improving quality of care and reducing assistance costs. However, healthcare organisations are still struggling in building cross-organisation data sharing solutions due to strict data protection regulations that varies across states and regions, availability of a variety of technical standards for medical record sharing, and differences among organisations’ IT infrastructures that have been built over the years to satisfy organisations’ specific needs and requirements. This thesis reports our findings based on various research and industrial projects aiming at connecting healthcare organisations. The primary contributions of this dissertation are: • A methodology and an execution environment to define and execute cross- organisation data sharing processes in compliance with both data protection regulations and organisations’ requirements. The methodology consists of multiple steps that start with the extraction of compliance requirements from regulations and gathering of business requirements from the involved stakeholders, and end with the definition of data sharing processes and policies to satisfy the collected requirements. The modelling framework that supports the methodology provides to users the modelling tools and guidelines to define the business processes and policies for sharing privacy-sensitive data. The execution framework maps the business processes into actionable operations to manage privacy-sensitive data and data protection policies. • An event-driven service integration approach to support cross-organisation data sharing. The integration approach focuses on identifying data dependencies among institutions (i.e., data they produce, consume and would like to exchange) in form of events rather than analysing internal data structures. To support this approach, we propose a privacy-aware event-driven data-sharing protocol and a system architecture based on combination of Service Oriented (SOA) and Event Driven (EDA) architectural patterns. The data-sharing protocol and the underlying fine-grained access control policies provide control on the access and dissemination of sensitive information among the involved organisations. • A set of algorithms to detect and to prevent access control policy violations in data integration caused by the presence of functional dependencies. In data integration typically each source specifies its local access control policies and cannot anticipate the functional dependencies among sets of attributes (or any other type of data inference) that can arise when data is integrated. Functional dependencies can allow malicious users to obtain prohibited information by linking multiple queries and thus violating the local policies. To solve such issues, we propose algorithms to identify the sets of queries that can lead to such privacy violations. We then propose algorithms to identify additional policies that are able to prevent the identified queries from completion and thus prevent policy violations. We show how the proposed solutions have been applied in practice in building Electronic Health Record and Business Intelligence systems that involve cross-organisation sharing of privacy-sensitive data. The thesis reports also the validations of the proposed technologies with end-users and privacy experts, and the lessons learned after deploying an instance of the developed system in a multi-organisation scenario in Trentino, Italy.