Privacy and trust management for electronic health records

Establishing a nationwide Electronic Health Record system has become a primary objective for many countries around the world, including Australia, in order to improve the quality of healthcare while at the same time decreasing its cost. Doing so will require federating the large number of patient data repositories currently in use throughout the country. However, implementation of EHR systems is being hindered by several obstacles, among them concerns about data privacy and trustworthiness. Current IT solutions fail to satisfy patients’ privacy desires and do not provide a trustworthiness measure for medical data. This thesis starts with the observation that existing EHR system proposals suer from six serious shortcomings that aect patients’ privacy and safety, and medical practitioners’ trust in EHR data: accuracy and privacy concerns over linking patients’ existing medical records; the inability of patients to have control over who accesses their private data; the inability to protect against inferences about patients’ sensitive data; the lack of a mechanism for evaluating the trustworthiness of medical data; and the failure of current healthcare workflow processes to capture and enforce patient’s privacy desires. Following an action research method, this thesis addresses the above shortcomings by firstly proposing an architecture for linking electronic medical records in an accurate and private way where patients are given control over what information can be revealed about them. This is accomplished by extending the structure and protocols introduced in federated identity management to link a patient’s EHR to his existing medical records by using pseudonym identifiers. Secondly, a privacy-aware access control model is developed to satisfy patients’ privacy requirements. The model is developed by integrating three standard access control models in a way that gives patients access control over their private data and ensures that legitimate uses of EHRs are not hindered. Thirdly, a probabilistic approach for detecting and restricting inference channels resulting from publicly-available medical data is developed to guard against indirect accesses to a patient’s private data. This approach is based upon a Bayesian network and the causal probabilistic relations that exist between medical data fields. The resulting definitions and algorithms show how an inference channel can be detected and restricted to satisfy patients’ expressed privacy goals. Fourthly, a medical data trustworthiness assessment model is developed to evaluate the quality of medical data by assessing the trustworthiness of its sources (e.g. a healthcare provider or medical practitioner). In this model, Beta and Dirichlet reputation systems are used to collect reputation scores about medical data sources and these are used to compute the trustworthiness of medical data via subjective logic. Finally, an extension is made to healthcare workflow management processes to capture and enforce patients’ privacy policies. This is accomplished by developing a conceptual model that introduces new workflow notions to make the workflow management system aware of a patient’s privacy requirements. These extensions are then implemented in the YAWL workflow management system.

The Conceptual Basis of Personal Information in Australian Privacy Law

Australian privacy law regulates how government agencies and private sector organisations collect, store and use personal information. A coherent conceptual basis of personal information is an integral requirement of information privacy law as it determines what information is regulated. A 2004 report conducted on behalf of the UK’s Information Commissioner (the 'Booth Report') concluded that there was no coherent definition of personal information currently in operation because different data protection authorities throughout the world conceived the concept of personal information in different ways. The authors adopt the models developed by the Booth Report to examine the conceptual basis of statutory definitions of personal information in Australian privacy laws. Research findings indicate that the definition of personal information is not construed uniformly in Australian privacy laws and that different definitions rely upon different classifications of personal information. A similar situation is evident in a review of relevant case law. Despite this, the authors conclude the article by asserting that a greater jurisprudential discourse is required based on a coherent conceptual framework to ensure the consistent development of Australian privacy law.

A matter of confidence : privacy compliance for connected-up enterprises

Governments around the world are increasingly investing in information and communications technology (ICT) as a means of improving service delivery to citizens. Government ICT adoption is also being driven by a desire to streamline information accessibility and information flows within government - both between different levels of government and between different departments at the same level. Increasing the availability of information internally and to citizens has clear and compelling benefits but it also carries risks that must be carefully managed. This talk will examine the implications of such E-government initiatives for a range of compliance obligations, with a focus on information privacy. It will review recent developments in the area of systems-based enforcement of privacy policies and the particular privacy challenges presented by the aggregation of geospatial information.

Contextualizing the tensions and weaknesses of information privacy and data breach notification laws

Data breach notification laws have detailed numerous failures relating to the protection of personal information that have blighted both corporate and governmental institutions. There are obvious parallels between data breach notification and information privacy law as they both involve the protection of personal information. However, a closer examination of both laws reveals conceptual differences that give rise to vertical tensions between each law and shared horizontal weaknesses within both laws. Tensions emanate from conflicting approaches to the implementation of information privacy law that results in different regimes and the implementation of different types of protections. Shared weaknesses arise from an overt focus on specified types of personal information which results in ‘one size fits all’ legal remedies. The author contends that a greater contextual approach which promotes the importance of social context is required and highlights the effect that contextualization could have on both laws.

Reinforcing bad behaviour : the misuse of security indicators on popular websites

Before making a security or privacy decision, Internet users should evaluate several security indicators in their browser, such as the use of HTTPS (indicated via the lock icon), the domain name of the site, and information from extended validation certificates. However, studies have shown that human subjects infrequently employ these indicators, relying on other indicators that can be spoofed and convey no cryptographic assurances. We identify four simple security indicators that accurately represent security properties of the connection and then examine 125 popular websites to determine if the sites' designs result in correctly displayed security indicators during login. In the vast majority of cases, at least some security indicators are absent or suboptimal. This suggests users are becoming habituated to ignoring recommended security indicators.

The urban littoral frontier : land reclamation in the history of human settlements

The urban waterfront may be regarded as the littoral frontier of human settlement. Typically, over the years, it advances, sometimes retreats, where terrestrial and aquatic processes interact and frequently contest this margin of occupation. Because most towns and cities are sited beside water bodies, many of these urban centers on or close to the sea, their physical expansion is constrained by the existence of aquatic areas in one or more directions from the core. It is usually much easier for new urban development to occur along or inland from the waterfront. Where other physical constraints, such as rugged hills or mountains, make expansion difficult or expensive, building at greater densities or construction on steep slopes is a common response. This kind of development, though technically feasible, is usually more expensive than construction on level or gently sloping land, however. Moreover, there are many reasons for developing along the shore or riverfront in preference to using sites further inland. The high cost of developing existing dry land that presents serious construction difficulties is one reason for creating new land from adjacent areas that are permanently or periodically under water. Another reason is the relatively high value of artificially created land close to the urban centre when compared with the value of existing developable space at a greater distance inland. The creation of space for development is not the only motivation for urban expansion into aquatic areas. Commonly, urban places on the margins of the sea, estuaries, rivers or great lakes are, or were once, ports where shipping played an important role in the economy. The demand for deep waterfronts to allow ships to berth and for adjacent space to accommodate various port facilities has encouraged the advance of the urban land area across marginal shallows in ports around the world. The space and locational demands of port related industry and commerce, too, have contributed to this process. Often closely related to these developments is the generation of waste, including domestic refuse, unwanted industrial by-products, site formation and demolition debris and harbor dredgings. From ancient times, the foreshore has been used as a disposal area for waste from nearby settlements, a practice that continues on a huge scale today. Land formed in this way has long been used for urban development, despite problems that can arise from the nature of the dumped material and the way in which it is deposited. Disposal of waste material is a major factor in the creation of new urban land. Pollution of the foreshore and other water margin wetlands in this way encouraged the idea that the reclamation of these areas may be desirable on public health grounds. With reference to examples from various parts of the world, the historical development of the urban littoral frontier and its effects on the morphology and character of towns and cities are illustrated and discussed. The threat of rising sea levels and the heritage value of many waterfront areas are other considerations that are addressed.

The impact of users’ cognitive style on their navigational behaviors in web searching

User-Web interactions have emerged as an important area of research in the field of information science. In this study, we investigate the effects of users’ cognitive styles on their Web navigational styles and information processing strategies. We report results from the analyses of 594 minutes recorded Web search sessions of 18 participants engaged in 54 scenario-based search tasks. We use questionnaires, cognitive style test, Web session logs and think-aloud as the data collection instruments. We classify users’ cognitive styles as verbalisers and imagers based on Riding’s (1991) Cognitive Style Analysis test. Two classifications of navigational styles and three categories of information processing strategies are identified. Our study findings show that there exist relationships between users’ cognitive style, and their navigational styles and information processing strategies. Verbal users seem to display sporadic navigational styles, and adopt a scanning strategy to understand the content of the search result page, while imagery users follow a structured navigational style and reading approach. We develop a matrix and a model that depicts the relationships between users’ cognitive styles, and their navigational style and information processing strategies. We discuss how the findings from this study could help search engine designers to provide an adaptive navigation support to users.

Assessing the potential impact of web services on business processes

Though web services offer unique opportunities for the design of new business processes, the assessment of the potential impact of Web services on existing business information systems is often reduced to technical aspects. This paper proposes a four-phase methodology which facilitates the evaluation of the potential use of Web services on business information systems both from a technical and from a strategic viewpoint. It is based on business process models, which are used to frame the adoption and deployment of Web services and to assess their impact on existing business processes. The application of this methodology is described using a procurement scenario.

Collaboration based on web services

Web services are software components designed to support interoperable machine-to-machine interactions over a network, through the exchange of SOAP messages. Since the underlying technology is independent of any specific programming language, Web Services can be effectively used to interconnect business processes across different organizations. However, a standard way of representing such interconnections has not yet emerged and is the subject of an ongoing debate.

Web searching interaction model based on user cognitive styles

As more and more information is available on the Web finding quality and reliable information is becoming harder. To help solve this problem, Web search models need to incorporate users’ cognitive styles. This paper reports the preliminary results from a user study exploring the relationships between Web users’ searching behavior and their cognitive style. The data was collected using a questionnaire, Web search logs and think-aloud strategy. The preliminary findings reveal a number of cognitive factors, such as information searching processes, results evaluations and cognitive style, having an influence on users’ Web searching behavior. Among these factors, the cognitive style of the user was observed to have a greater impact. Based on the key findings, a conceptual model of Web searching and cognitive styles is presented.

User-web interactions : how wholistic/analytic web users search the web?

User-Web interactions have emerged as an important research in the field of information science. In this study, we examine extensively the Web searching performed by general users. Our goal is to investigate the effects of users’ cognitive styles on their Web search behavior in relation to two broad components: Information Searching and Information Processing Approaches. We use questionnaires, a measure of cognitive style, Web session logs and think-aloud as the data collection instruments. Our study findings show wholistic Web users tend to adopt a top-down approach to Web searching, where the users searched for a generic topic, and then reformulate their queries to search for specific information. They tend to prefer reading to process information. Analytic users tend to prefer a bottom-up approach to information searching and they process information by scanning search result pages.

Research adventures in Web 2.0 : encouraging collaborative local content creation through edgeX

The intersection of current arguments about the role of creative industries in economic development, online user-generated content, and the uptake of broadband in economically disadvantaged communities provides the content for this article. From 2006 to 2008 the authors carried out a research project in Ipswich, Queensland involving local creative practitioners and community groups in their development of edgeX, a Web-based platform for content uploads and social networking. The project aimed to explore issues of local identity and community building through online networking, as well as the possibilities for creating pathways from amateur to professional practice in the creative industries through the auspices of the Website. Set against the backdrop of a rapidly changing technological environment that has problematic implications for research projects aiming to build new online platforms, we present several case studies from the project to illustrate the challenges to participation experienced by people with limited access to, and literacy with, the Internet.

Channel-aware routing in MANETs with route handoff

In wireless mobile ad hoc networks (MANETs), packet transmission is impaired by radio link fluctuations. This paper proposes a novel channel adaptive routing protocol which extends the Ad-hoc On-Demand Multipath Distance Vector routing protocol (AOMDV) to accommodate channel fading. Specifically, the proposed Channel Aware AOMDV (CA-AOMDV) uses the channel average non-fading duration as a routing metric to select stable links for path discovery, and applies a preemptive handoff strategy to maintain reliable connections by exploiting channel state information. Using the same information, paths can be reused when they become available again, rather than being discarded. We provide new theoretical results for the downtime and lifetime of a live-die-live multiple path system, as well as detailed theoretical expressions for common network performance measures, providing useful insights into the differences in performance between CA-AOMDV and AOMDV. Simulation and theoretical results show that CA-AOMDV has greatly improved network performance over AOMDV.

Strengthening and formally verifying privacy in identity management systems

In a digital world, users’ Personally Identifiable Information (PII) is normally managed with a system called an Identity Management System (IMS). There are many types of IMSs. There are situations when two or more IMSs need to communicate with each other (such as when a service provider needs to obtain some identity information about a user from a trusted identity provider). There could be interoperability issues when communicating parties use different types of IMS. To facilitate interoperability between different IMSs, an Identity Meta System (IMetS) is normally used. An IMetS can, at least theoretically, join various types of IMSs to make them interoperable and give users the illusion that they are interacting with just one IMS. However, due to the complexity of an IMS, attempting to join various types of IMSs is a technically challenging task, let alone assessing how well an IMetS manages to integrate these IMSs. The first contribution of this thesis is the development of a generic IMS model called the Layered Identity Infrastructure Model (LIIM). Using this model, we develop a set of properties that an ideal IMetS should provide. This idealized form is then used as a benchmark to evaluate existing IMetSs. Different types of IMS provide varying levels of privacy protection support. Unfortunately, as observed by Jøsang et al (2007), there is insufficient privacy protection in many of the existing IMSs. In this thesis, we study and extend a type of privacy enhancing technology known as an Anonymous Credential System (ACS). In particular, we extend the ACS which is built on the cryptographic primitives proposed by Camenisch, Lysyanskaya, and Shoup. We call this system the Camenisch, Lysyanskaya, Shoup - Anonymous Credential System (CLS-ACS). The goal of CLS-ACS is to let users be as anonymous as possible. Unfortunately, CLS-ACS has problems, including (1) the concentration of power to a single entity - known as the Anonymity Revocation Manager (ARM) - who, if malicious, can trivially reveal a user’s PII (resulting in an illegal revocation of the user’s anonymity), and (2) poor performance due to the resource-intensive cryptographic operations required. The second and third contributions of this thesis are the proposal of two protocols that reduce the trust dependencies on the ARM during users’ anonymity revocation. Both protocols distribute trust from the ARM to a set of n referees (n > 1), resulting in a significant reduction of the probability of an anonymity revocation being performed illegally. The first protocol, called the User Centric Anonymity Revocation Protocol (UCARP), allows a user’s anonymity to be revoked in a user-centric manner (that is, the user is aware that his/her anonymity is about to be revoked). The second protocol, called the Anonymity Revocation Protocol with Re-encryption (ARPR), allows a user’s anonymity to be revoked by a service provider in an accountable manner (that is, there is a clear mechanism to determine which entity who can eventually learn - and possibly misuse - the identity of the user). The fourth contribution of this thesis is the proposal of a protocol called the Private Information Escrow bound to Multiple Conditions Protocol (PIEMCP). This protocol is designed to address the performance issue of CLS-ACS by applying the CLS-ACS in a federated single sign-on (FSSO) environment. Our analysis shows that PIEMCP can both reduce the amount of expensive modular exponentiation operations required and lower the risk of illegal revocation of users’ anonymity. Finally, the protocols proposed in this thesis are complex and need to be formally evaluated to ensure that their required security properties are satisfied. In this thesis, we use Coloured Petri nets (CPNs) and its corresponding state space analysis techniques. All of the protocols proposed in this thesis have been formally modeled and verified using these formal techniques. Therefore, the fifth contribution of this thesis is a demonstration of the applicability of CPN and its corresponding analysis techniques in modeling and verifying privacy enhancing protocols. To our knowledge, this is the first time that CPN has been comprehensively applied to model and verify privacy enhancing protocols. From our experience, we also propose several CPN modeling approaches, including complex cryptographic primitives (such as zero-knowledge proof protocol) modeling, attack parameterization, and others. The proposed approaches can be applied to other security protocols, not just privacy enhancing protocols.

How HCI design influences web security decisions

Even though security protocols are designed to make computer communication secure, it is widely known that there is potential for security breakdowns at the human machine interface. This paper reports on a diary study conducted in order to investigate what people identify as security decisions that they make while using the web. The study aimed to uncover how security is perceived in the individual's context of use. From this data, themes were drawn, with a focus on addressing security goals such as confidentiality and authentication. This study is the first study investigating users' web usage focusing on their self-documented perceptions of security and the security choices they made in their own environment.