A security framework for XML schemas and documents for healthcare

Abstract

The extensible Markup Language (XML) has wide usage in healthcare to facilitate health information exchange via the Continuity of Care Record (CCR) for storing/managing patient data, diagnoses, medical notes, tests, scans, etc. Health IT products like electronic health record (EHR, e.g., GE Centricity) and personal health record (PHR, e.g., MS Health Vault) use CCR for data representation. To manage patient data in CCR, security as governed by HTPAA must be attained when using XML and its technologies (XACML, XSLT, etc.). Our objective is to have an XML document (CCR instance) appear differently to authorized users at different times based on a user's role, constraints, separation of duty, delegation of authority, etc. In this paper, we propose a security framework that targets XML schemas and documents, in general, and CCR schemas and documents, in particular with control capabilities that achieve customizable access to an XML document's elements by applying secure software engineering methodologies and defining new UML XML-focused diagrams for schemas and permissions. This allows us to generate XACML policies, and enforce security at the runtime level on XML instances to insure that correct and required patient data is securely delivered. In a market of rapidly emerging mobile healthcare applications to allow patients to manage their own data (PHRs) and for self-management of chronic diseases, the need for secure access to information and its authorization and transmission to providers (and EHRs) will be critical.