The International Arab Journal of Information Technology (IAJIT)


An Ontology-based Compliance Audit Framework for Medical Data Sharing across Europe

Complying with privacy in multi-jurisdictional health domains is important as well as challenging. The compliance management process will not be efficient unless it manages to show evidences of explicit verification of legal requirements. In order to achieve this goal, privacy compliance should be addressed through “a privacy by design” approach. This paper presents an approach to privacy protection verification by means of a novel audit framework. It aims to allow privacy auditors to look at past events of data processing effectuated by healthcare organisation and verify compliance to legal privacy requirements. The adapted approach used semantic modelling and a semantic reasoning layer that could be placed on top of hospital databases. These models allow the integration of fine-grained context information about the sharing of patient data and provide an explicit capturing of applicable privacy obligation. This is particularly helpful for insuring a seamless data access logging and an effective compliance checking during audit trials.

[1] Al-Muhtadi J., Shahzad B., Saleem K., Jameel W., and Orgun M., “Cybersecurity and Privacy Issues for Socially Integrated Mobile Healthcare An Ontology-based Compliance Audit Framework for Medical Data Sharing across Europe 167 Applications Operating in A Multi-Cloud Environment,” Health Informatics Journal, vol. 25, no. 2, pp. 315-329, 2017.

[2] Agrawal R., “Privacy Enhancing Techniques for Database Systems,” in Proceedings of the 9th International Conference for Extending Database Technology, Greece, 2004.

[3] Asharov G., Halevi S., Lindell Y., and Rabin T., “Privacy-Preserving Search of Similar Patients in Genomic Data,” Proceedings on Privacy Enhancing Technologies, vol. 2018, no. 4, pp. 104-124, 2018.

[4] Atymtayeva L. and Kozhakhmet K., “Development of Expert System for Information Security Audit,” International Journal of Computer Research, Huttington, vol. 22, no. 4, pp. 399-433, 2015.

[5] Belaazi M., Rahmouni H., and Bouhoula A., “Towards a Legislation Driven Framework for Access Control and Privacy Protection in Public Cloud,” in Proceedings of 11th International Conference on Security and Cryptography (SECRYPT), Vienna, pp. 1-6, 2014.

[6] Belaazi M., Rahmouni H., and Bouhoula A., “An Ontology Regulating Privacy Oriented Access Controls,” in Proceedings International Conference on Risks and Security of Internet and Systems, Mytilene, pp. 17-35, 2016.

[7] Bender E., “4 BIG QUESTIONS,” Nature, vol. 527, no. 7576, p. S19, 2015.

[8] Brodin M., “A Framework for GDPR Compliance for Small- and Medium-Sized Enterprises,” European Journal for Security Research, vol. 4, no. 2, pp. 243-264, 2019.

[9] Clarke N., Vale G., Reeves E., Kirwan M., Smith D., Farrell M., Hurl G., and McElvaney N., “GDPR: an Impediment to Research?” Irish Journal of Medical Science, vol. 188, no. 4, pp. 1129-1135, 2019.

[10] EU Directive 2011/24/EU of the European parliament and of the council on the application of patients’ rights in cross-border healthcare. Official journal of the European Union. http://eur- L:2011:088:0045:0065:EN:PDF, Last Visited, 2020.

[11] EU Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L 281. http://eur- LEX:31995L0046:en:HTML, Last Visited, 2020.

[12] EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of European Union, L119/1., Last Visited, 2020.

[13] Essefi I., Rahmouni H., and Ladeb M., “Sensitive Data Discovery in Care Pathways Using Business Process Modelling and HL7- CDA,” International Journal on Advances in Life Sciences, vol. 11, no. 1&2, 2019.

[14] Feltus C., Grandry E., Kupper T., and Colin J., “Model-Driven Approach for Privacy Management in Business Ecosystem,” in Proceedings of the 5th International Conference on Model-Driven Engineering and Software Development, pp. 392-400, 2017.

[15] Fernández-Alemán J., Señor I., Lozoya P., and Toval A., “Security and Privacy in Electronic Health Records: A Systematic Literature Review,” Journal of Biomedical Informatics, vol. 46, no. 3, pp. 541-562, 2013.

[16] Munir K. and Anjum M., “The Use of Ontologies for Effective Knowledge Modelling and Information Retrieval,” Applied Computing and Informatics, vol. 14, no. 2, pp. 116-126, 2018.

[17] Gope P. and Amin R., “A Novel Reference Security Model with the Situation Based Access Policy for Accessing Ephr Data,” Journal of Medical Systems, vol. 40, no. 11, pp. 242, 2016.

[18] Grandison T., Johnson C., and Kiernan J., in Handbook of Database Security, Springer, 2008.

[19] Information Commissioner's Office, 2017, Consultation: GDPR consent guidance. Available at: s/2013551/draft-gdpr-consent-guidancefor- consultation-201703,pdf, Last Visited, 2020.

[20] Iwaya L., Giunchiglia F., Martucci L., Hume A., Fischer-Hübner S., and Chenu-Abente R., IFIP International Summer School on Privacy and Identity Management, Springer, 2015.

[21] Johnson C. and Grandison T., “Compliance with Data Protection Laws Using Hippocratic Database Active Enforcement and Auditing,” IBM Systems Journal, vol. 46, no. 2, pp. 255-264, 2007.

[22] Kalaiprasath R., Elankavi R., and Udayakumar R., “Cloud Security and Compliance-A Semantic Approach in End to End Security,” International Journal of Mechanical Engineering and Technology (Ijmet), vol. 8, no. 5, pp. 987-994, 2017.

[23] Kirchberg M. and Link S., “Hippocratic Databases: Extending Current Transaction Processing Approaches to Satisfy the Limited Retention Principle,” in Proceedings of 43rd Hawaii International Conference on System 168 The International Arab Journal of Information Technology, Vol. 18, No. 2, March 2021 Sciences, Honolulu, pp. 1-10, 2010.

[24] Kwon J. and Johnson M., “Security Practices and Regulatory Compliance in the Healthcare Industry,” Journal of the American Medical Informatics Association, vol. 20, no. 1, pp. 44-51, 2013.

[25] Kwon J. and Johnson M., “Proactive Versus Reactive Security Investments in the Healthcare Sector,” MIS Quarterly, vol. 38, no. 2, pp. 451- 472, 2014.

[26] Liu W. and Park E., “E-Healthcare Cloud- Enabling Characteristics, Challenges and Adaptation Solutions,” Journal of Communications, vol. 8, no. 10, pp. 612-619, 2013.

[27] Mahmood S. and Power L., “Getting to Know the General Data Protection Regulation, Part 6- Designing for Compliance. Privacy Law Blog. Available at: g-to-know-the-general-data-protection-regulation- part-6-designingfor-compliance/, Last Visited, 2020.

[28] Maxwell J., Antón A., Swire P., Riaz M., and McCraw C., “A Legal Cross-References Taxonomy for Reasoning About Compliance Requirements,” Requirements Engineering, vol. 17, no. 2, pp. 99-115, 2012.

[29] Mohammed D., “U.S. Healthcare Industry: Cybersecurity Regulatory and Compliance Issues,” Journal of Research in Business, Economics and Management, vol. 9, no. 5, pp. 1771-1776, 2017.

[30] Munir K., Odeh M., and McClatchey R., “Ontology-Driven Relational Query Formulation Using the Semantic and Assertional Capabilities of OWL-DL,” Knowledge-Based Systems, vol. 35, pp.144-159, 2012.

[31] Negrouk A., Horgan D., Gorini A., Cutica I., Leyens L., Halfmann S., and Pravettoni G., “Clinical Trials, Data Protection and Patient Empowerment in The Era of The New EU Regulations,” Public Health Genomics, vol. 18, no. 6, pp. 386-395, 2015.

[32] O’Connor M., Knublauch H., Tu S., and Mark M., “Writing Rules for the Semantic Web Using SWRL and Jess,” in Proceedings of the 8th International Protégé with Rules workshop collocated with Protégé, Madrid, 2005.

[33] Olive M., Rahmouni H., Solomonides T., Breton V., Legré Y., Blanquer I., Hernandez V., Andoulsi I., Herveg J., and Wilson P., “SHARE Roadmap 1: Towards A Debate,” Studies in Health Technology and Informatics, vol. 126, pp. 164-73, 2007.

[34] Protégé, The Protégé Ontology Editor and Knowledge Acquisition System, Last Visited, 2020.

[35] Rahmouni H., Essefi I., and Ladeb M., “Enhanced Privacy Governance in Health Information Systems through Business Process Modelling and HL7,” Procedia Computer Science, vol. 164, pp. 706-713, 2019.

[36] Rahmouni H., Munir K., Mont M., and Solomonides T., “Semantic Generation of Clouds Privacy Policies,” in Proceedings of International Conference on Cloud Computing and Services Science, Barcelona, pp. 15-30, 2015.

[37] Rahmouni H., Solomonides T., Mont C., Shiu S., and Rahmouni M., “A Model-Driven Privacy Compliance Decision Support for Medical Data Sharing in Europe,” Methods of Information in Medicine, vol. 50, no. 04, pp. 326-336, 2011.

[38] Rahmouni H., Solomonides T., Mont M., and Shiu S., “Privacy Compliance And Enforcement on European Healthgrids: An Approach Through Ontology,” Philosophical Transactions of the Royal Society A, vol. 368, pp. 4057-4072, 2010.

[39] Sapkota K., Aldea A., Younas M., Duce D., and Banares-Alcantara R., “Automating The Semantic Mapping Between Regulatory Guidelines and Organizational Processes,” Service Oriented Computing and Applications, vol. 10, no. 4, pp. 365-389, 2016.

[40] Shi X. and Wu X., “An Overview of Human Genetic Privacy,” Annals of the New York Academy of Sciences, vol. 1387, no. 1, pp. 61- 72, 2017.

[41] Straccia U., Foundations of Fuzzy Logic and Semantic Web Languages, Chapman and Hall/CRC, 2016.

[42] Ternai K., “Semi-Automatic Methodology for Compliance Checking on Business Processes,” in Proceedings of International Conference on Electronic Government and the Information Systems Perspective, Valencia, pp. 243-256, 2015.

[43] Townend D., Implementation of the Data Protection Directive in Relation to Medical Research in Europe, Routledge, 2017.

[44] Wang H. Song Y., “Secure, Cloud-Based EHR System Using Attribute-Based Cryptosystem and Blockchain,” Journal of Medical Systems, vol. 42, no. 8, pp. 152, 2018.

[45] Yimam D. and Fernandez E., “A Survey of Compliance Issues in Cloud Computing,” Journal of Internet Services and Applications, vol. 7, no. 1, pp. 5, 2016.

[46] Yip F., Wong A., Parameswaran N., and Ray P., “Semantic-Based Fuzzy Reasoning for Compliance Auditing,” in Proceedings of IEEE International Conference on Semantic Computing, Santa Clara, pp. 299-306, 2008. An Ontology-based Compliance Audit Framework for Medical Data Sharing across Europe 169

[47] Zerlang J., “GDPR: a Milestone in Convergence for Cyber-Security and Compliance,” Network Security, vol. 2017, no. 6, pp. 8-11, 2017.

[48] Zhang J., Guo Y., and Chen Y., “Collaborative Detection of Cyber Security Threats in Big Data,” The International Arab Journal of Information Technology, vol. 16, no. 2, pp. 186-193, 2019.