A federated interoperability architecture for health

Int. J. Internet Protocol Technology, Vol. 7, No. 4, 2013


A federated interoperability architecture for health information systems

Mario Ciampi*, Giuseppe De Pietro, Christian Esposito and Mario Sicuranza
Institute for High Performance Computing and Networking (ICAR), National Research Council of Italy (CNR), Via Pietro Castellino, 111 – 80131 Napoli, Italy
*Corresponding author

Paolo Donzelli
Department for the Digitization of Public Administration and Technological Innovation (DDI), Presidency of the Council of Ministers, Via Po, 14 – 00198 Roma, Italy

Abstract: The last decade has been characterised by the proliferation of several projects for integrating the already-existing health information systems so as to form national or transnational infrastructures for sharing medical data. This evolution is felt as a promising solution for improving the provided healthcare and reducing its costs by avoiding unnecessary examinations. However, such a vision comes with several challenging issues, in terms of interoperability and security. This paper presents an architecture for federating health information systems in a secure manner, and its concrete implementation. The quality of this implementation is assessed by means of several experiments for measuring the time needed for the retrieval and notification of documents.

Keywords: health information systems; interoperability; data sharing; web services; event notification.

Reference to this paper should be made as follows: Ciampi, M., De Pietro, G., Esposito, C., Sicuranza, M. and Donzelli, P. (2013) ‘A federated interoperability architecture for health information systems’, Int. J. Internet Protocol Technology, Vol. 7, No. 4, pp.189–202.

Biographical notes: Mario Ciampi is a Technologist at the Institute for High Performance Computing and Networking of the Italian National Research Council (ICAR-CNR). He received his MEng in Computer Engineering from the University of Naples Federico II in 2004, and Masters degree in European Master on Critical Networked Systems in 2007. He received his PhD in Information Engineering in 2011 from the University of Naples Parthenope. His topics of interest focus on interoperability architectures for e-health. He is an Adjunct Professor in Elements of Computer Science at the University of Naples Federico II and a member of iHealthlab, AMICO, HL7 Italia, and @ITIM.

Giuseppe De Pietro is a Senior Researcher and Coordinator at the Naples branch of the Institute for High-Performance Computing and Networking (ICAR) of Italian National Research Council (CNR). His current research interests are: middleware architecture for pervasive computing, decision support systems, and software architectures for e-health. He has been actively involved in many European and national projects, with industrial cooperation too. He is a contract Professor of Information Systems at the University of Naples ‘Parthenope’. He is the author of over 100 scientific papers published in international journals and conferences. He is a contract Professor of Computer Science at University of Naples ‘Parthenope’ and an IEEE member.

Copyright © 2013 Inderscience Enterprises Ltd.


Christian Esposito is a research grant holder at the Institute for High Performance Computing and Networking (ICAR) – National Research Council of Italy (CNR). He graduated in Computer Engineering from Università di Napoli Federico II in 2006, and he received his PhD from the same university in 2009. His main interests include positioning systems for mobile ad-hoc networks, benchmarking non-functional properties of publish/subscribe services, and reliability strategies for data dissemination in large-scale critical systems. He regularly serves as a reviewer for several leading journals and conferences in the field of distributed and dependable systems.

Mario Sicuranza received his BEng in Computer Engineering in 2006 and MEng in 2011 from the University of Naples ‘Federico II’, Italy. He is a PhD student in Information Engineering at the University of Naples ‘Parthenope’, Italy. Since 2011, he has been working at the National Research Council of Italy (CNR). Currently, he is undertaking fellow research at the Naples branch of the Institute for High Performance Computing and Networking (ICAR). He takes part in projects on the EHR systems interoperability. His research interests include e-health, web services and security architectures. He is a member of iHealth lab and HL7 Italia.

Paolo Donzelli has been the Head of the Office for Studies and Projects for the Digital Innovation since 2007, which belongs to the Department for the Digitization of Public Administration and Technological Innovation. He graduated with honours in Electrical Engineering from the University of Naples ‘Federico II’. He received his Masters degree in Computer Science at Cranfield University, UK and PhD in Computer and Automation Engineering from the University of Tor Vergata. He has authored about 70 publications in international journals and conferences, on topics related to software engineering, reengineering of processes, requirements engineering and modelling of reliability of complex systems.

This paper is a revised and expanded version of a paper entitled ‘On federating health information systems’ presented at the International Conference in Green and Ubiquitous Technology (GUT 2012), Bandung (Indonesia), 07–08 July 2012.

1 Introduction

In current practice, it is common that patients receive healthcare from different kinds of doctors, when treating a given disease. The interface to the national healthcare organisation is typically the general practitioner, who follows patients during their clinical history and provides the primary healthcare. However, there are several physicians, working at hospitals and laboratories, who give secondary healthcare, such as specialist examinations or surgery. For efficient healthcare, good communication among general practitioners and secondary-care physicians is critical so as to offer patients the best healthcare possible, i.e., tailored to their needs and clinical history. We can distinguish two different communication flows:

1 one from general practitioners to physicians so as to make available the clinical history of patients

2 one in the opposite direction to report back to general practitioners the results of the provided secondary healthcare.

In most cases such communication is based on the exchange of paper-based documents, which has proved unsuccessful (Kripalani et al., 2007). Such difficulties are exacerbated by the increase in patient mobility, i.e., patients receiving treatments somewhere different from where they live. To alleviate such an issue, it is preferable to use ICT technologies to improve the communications among general practitioners and physicians. Typically, healthcare providers are interconnected by means of the so-called health information systems (HIS) (Hauxe, 2006), allowing them to exchange medical data. However, the size of the current HIS is limited within a hospital or a given region. Common practice is that patient-related medical data are not available at the healthcare provider contacted by the patient to receive secondary care, if this provider is not included in the HIS covering the region where the patient resides. For this reason, the patient often has to re-tell his medical story. Sometimes, it is necessary to repeat some clinical examinations to complete the patient anamnesis and to form a diagnosis and treatment plan. This increases the costs of healthcare, but also augments the time needed to provide the secondary healthcare.

The focus of the recent research on this issue is to design and implement platforms for federating the existing HIS so as to enlarge their coverage and allow the availability of medical data at heterogeneous, and geographically-sparse, healthcare providers by enabling data sharing in a seamless manner. This paper presents the architecture proposed within the context of the OpenInFSE project (http://ehealth.icar.cnr.it) for federating the regional HIS in Italy. Such architecture has been implemented according to the service oriented architecture (SOA) by means of web services (WSs). Our solution goes beyond the available architectures for federating HIS by also proposing a notification infrastructure for clinical data. In fact, the current solutions have the limitation of only allowing a communication style according to a pull-based data delivery, i.e., the user requests a clinical document knowing its unique reference. Our notification solution allows a push-based data delivery, where the user is informed as soon as the document of interest has been published so that he/she can promptly request it.

The above mentioned evolution and its progressive interconnection have contributed to push HIS into a more challenging environment by increasing the complexity of the security issues to be addressed:

1 data are conveyed by wide area networks

2 clinical data of a patient can be stored in different repositories belonging to several distinct HIS, each with given security assurances

3 a large number of users can interact with the infrastructure.

Therefore, the need to protect patient data and to keep them available when required is not a trivial concern, and more advanced security mechanisms are needed than the ones commonly used in traditional HIS. This paper aims at describing how to ensure that the security requirements of HIS are satisfied by adopting the most suitable solution among the ones available within the current literature.

This paper is structured as follows. Section 2 provides the necessary background to support our discussion and an analysis of the current literature on the topics addressed by our work. Specifically, Section 2.1 highlights the evolution of HIS by presenting the key enabling technologies. Section 2.2 describes the state of the art in securing WSs and HIS. Section 3 presents our proposed solution, giving details on retrieving clinical documents (in Section 3.1), notifying medical data (in Section 3.2), and securing communications and provided services (in Section 3.3). Section 4 presents the assessment campaign performed to evaluate the time needed for retrieving and notifying clinical documents under different usage scenarios, representative of real use cases. We conclude with some final remarks and indications for future work.

2 Background and related work

2.1 HIS evolution

A HIS (Hauxe, 2006) consists of the application of ICT technologies with the aim of contributing to high-quality and efficient healthcare. We can distinguish three different generations in the evolution of HIS during these past four decades. When there was a shift towards computer-based information processing and storage about 40 years ago, we find HIS limited within small facilities, such as certain departments of hospitals (we indicate this as HIS of first generation). This type of HIS manages the digitalised form of medical documents, such as images or reports created by means of editing programs. A concrete example is radiology information system (RIS) (Huang, 2004) for storing and managing radiology-related documents.

Then, in the 1990s, there was a trend of integrating such departmental information systems so as to support information processing in the hospital as a whole (bringing what we refer to in this paper as HIS of second generation). In this generation, we find the formalisation of the so-called electronic medical records (EMR), which are legal records created in hospitals and ambulatories, including documents and images, which are consulted by healthcare operators from a single organisation. A practical example is picture archiving and communication system (PACS) (Huang, 2004), which involves an image management and communication system and has been often integrated with the systems of several different departments within the hospital, such as RIS. Such evolution contributed to an increase in the size of the HIS and the amount and diversity of the exchanged data. In fact, the transition from the first towards the second generation imposes the resolution of technical and syntactical interoperability, i.e., technological and protocol compatibility and diversity in formats of medical data. A concrete example of this evolution is the DIOGENE project (Borst et al., 1999), which integrates all patient-related information so as to obtain a seamless communication between hospital actors.

The current innovative trend is to integrate all the hospital-size HIS so as to form regional HIS, and to federate all the regional ones so as to have national and trans-national HIS (we refer to these HIS as belonging to the third generation). In this new perspective, we have seen the evolution of EMR into electronic health records (EHR), which represent a subset, i.e., summaries, of the EMRs issued by each healthcare provider that took care of the given patient during his/her clinical history. In particular, EHR systems permit sharing medical information about patients and having patient-related information follow the patient through the various healthcare providers in a given region or country. Practical examples are the clinical data repository/health data repository (CHDR) (Bouhaddou et al., 2008) and the epSOS project. The first one consists of interconnecting all the offices belonging to the Department of Defence and the Veterans Affairs over the overall territory of the USA. The second one aims at designing a service infrastructure supporting the interoperability among every national HIS in several European countries. epSOS is connected to similar initiatives running in the European countries participating in the project, for integrating their regional HIS.

The evolution towards HIS of third generation has the evident consequence of further increasing system size in terms of number of interconnected components and amount of exchanged data, but it also exacerbates the interoperability issues to be addressed. Specifically, the transition towards the third generation also adds semantic and business interoperability, i.e., common information models/terminology, and common business processes. These aspects and related issues are graphically depicted in Figure 1, where the different generations are compared by means of exhibited scale, interoperability needs and complexity.

Figure 1 Evolution of HIS and their issues (see online version for colours)

Interoperability has always been considered as a key enabling technology in the described evolution of HIS. In fact, since the transition from the first to the second generation, there has been the need of defining standard formats for medical imaging storage and transmission, leading to the specification of digital imaging and communications in medicine (DICOM). With the advent of the third generation, as mentioned, there has been the thrust of proper, and innovative, solutions and guidelines for driving an interoperable HIS interconnection. This has been the research topic of the international not-for-profit Foundation called openEHR (http://www.openehr.org/home.html), which issued a detailed and tested specification for an interoperable HIS platform. Such a vision of openEHR had a significant influence on the development of the emergent healthcare industry standards, such as Health Level 7 (HL7) (http://www.hl7.org/) and CEN EN13606 (http://www.en13606.org/), with recommendations for an interoperable interconnection of HIS. HL7 defines, among others, two different specifications: clinical document architecture (CDA) defines the XML schema (format) of exchanged medical documents; while reference information model (RIM) specifies a large, pictorial, representation of medical data (domains). HL7 CDA and EN13606 represent a subset of openEHR (Schloeffel et al., 2006), with a specification of the data exchange issues and not for a full federated HIS of the third generation, which is contained in openEHR. HL7 RIM, on the contrary, is an addition to openEHR for treating semantic interoperability by introducing a common semantic model for exchanged medical data.

Nevertheless, the history of healthcare interoperability of the last three decades has shown that healthcare standards are not sufficient alone to ensure interoperability. Indeed, they tend to include many if not all the possible situations, thus suffering from various ambiguities and offering many choices that hamper interoperability (Dogac et al., 2007). To address these issues, the integrating the healthcare enterprise (IHE) initiative has specified the cross-enterprise document sharing (XDS) profile. IHE XDS aims at facilitating the sharing of clinical documents within an affinity domain (a group of healthcare facilities that intend to work together) by storing documents in an ebXML registry/repository architecture. However, IHE XDS is not concerned with semantic aspects, but instead it specifies a set of metadata for document discovery (Webber and Kernberg, 2006).

HIS solutions of the first generation were basically in-house and ad-hoc programs for archiving and retrieving medical documents, tailored on the peculiarities of the given system in terms of type of managed data and hardware configurations. When moving towards HIS of the second generation, the implementation involved the use of well-assessed and -established middleware technologies such as CORBA or DCOM, due to their ability to resolve issues related to technological interoperability. A practical example is represented by the CORBAMed initiative (OMG, 2001), which presents a set of domain-specific services expressed within a specific CORBA domain for the medical environment. Also WS technology is used within the context of the second generation, such as WebCIS described in Sitting et al. (1996), thanks to the ability of XML-based communication to deal with syntactical interoperability, as proved in Jung and Grimson (1999). For the third generation, the preferred solution is to use WS technology since it has demonstrated a high interoperability capacity and the flexibility to integrate already-existing legacy systems. The previously mentioned standards do not demand a specific technology for implementing federated HIS; however, they recommend SOAP communications for exchanging medical data. This has brought key stakeholders to drive the technological choice towards WS. As a concrete example, we can cite the mentioned epSOS project and CHDR, which are implemented by means of WS. However, the current research has also moved towards different kinds of middleware solutions, such as the tuple space-based infrastructure described in Nixon et al. (2007). At the moment, the products implemented by these recent research efforts have been rarely applied in concrete real usage.

Although XML-based communications resolve syntactic interoperability, they represent only a pre-requisite to the semantic one, and proper additional mechanisms are needed. In the current literature, semantic interoperability is typically addressed by means of proper ontologies integrated within the communication system to provide the defining concepts of the given domain (Bittner et al., 2005). Such a solution has been investigated within the context of healthcare (Blobel and Oemig, 2009), and practically adopted in Nixon et al. (2007). Although the foundation ontologies for healthcare have been developed by academic research, none of them has been adopted in concrete applications. In fact, Blobel et al. (2009) argue that ontologies for healthcare are not mature solutions, yet. This can be also seen if we study the previously-mentioned standards: only openEHR has specified an ontology to be used in medical data sharing. The most common solutions, i.e., the ones adopted by all the other standards and in practical use cases such as epSOS, are to adopt a reference common model for the communications among HIS, as the one specified in HL7 RIM, and a set of mediators for translating from/to such a common model towards the one adopted by each specific HIS.



2.2 Security in WSs and in HIS

Securing WSs has been an active research topic in the last decade and has been standardised in the OASIS specification called WS-security (Nordbotten, 2003), which is a composite standard made by combining other different specifications and methods, and specifies two different levels of mechanisms to enforce the provided security level:

• the first is implemented at the message level by defining a SOAP header that carries security extensions

• the second is realised at service level to perform higher-level security mechanisms such as access control or authentication.

In particular, at the message level we can find two main XML security standard techniques that can be introduced in the mentioned SOAP header extensions: XML signature and XML encryption. The former aims at having a small portion of the XML content digitally signed (such element is called digest) so as to provide integrity and non-repudiation for the overall XML content. On the other hand, the latter has the goal to encrypt a part of the overall XML content by using a certain key, which can be public or private according to the chosen encryption strategy. In the case of WS-security, the SOAP header has a given field, called DigestValue, to contain the digest with indications of the adopted signature method. If encryption is used, the SOAP header has to contain the adopted key, which is itself encrypted by using a proper public key. Besides these two important message-level methods, we have an additional one: secure socket layer (SSL), which realises a secure form of the TCP transport protocol, by offering mechanisms for the key agreement, encryption and authentication of the endpoints in a connection-oriented communication. On top of these message-level mechanisms, we can find service-level ones:

• Security Assertion Markup Language (SAML) is a framework to exchange authentication and authorisation information in a request/response manner when the communication participants do not share the same platform or belong to the same system. The core of this framework is the assertion, expressed with XML constructs, containing the identity of the requestor, and the authorisation decisions or credentials.

• Extensible Access Control Markup Language (XACML) is used to specify roles and policies used by an access control mechanism to infer the access decisions for users. Different HIS can adopt their own access roles and grants, and XACML is used to exchange such decisions among HIS and to orchestrate their access decisions.

Lastly, we can find two other specifications: Extensible Rights Markup Language (XrML) and XML key management specification (XKMS). The first is used to express rights and conditions related to the access control (such as expiration times); while the second defines interfaces for the distribution of keys used in XML signature and XML encryption.

Security is a key issue in HIS, and the review in Appari and Johnson (2010) provides a complete view of the research efforts spent and achievements obtained so far. As is noticeable from the Appendix 1 of this review, less attention has been spent on architectures and frameworks, but more focus has been given to qualitative research, modelling and economic studies. Based on these research activities, few prototypes have been realised. Our work has not only an academic value since it investigates security with a theoretical perspective, but also a very practical added value, since we have realised a prototype that we are integrating in the existing regional HIS. In addition, all the existing efforts to enforce security were limited to systems with limited size, such as within a hospital or even a clinical department. Our work differs from those since we are addressing the more challenging issue of securing operations for an HIS within a region, but also within federation among heterogeneous regions, which differ among each other not only from the technological point of view, but also from an organisational one (such as different specifications of security requirements and policies).

3 Architecture

In accordance with the current literature, our proposed InFSE architecture is based on the WS technology, and data is exchanged as SOAP messages in accordance to the HL7 CDA and OASIS ebXML RegRep standards. We have defined a reference common model similar to the one specified in HL7 RIM. The architecture has been conceived for a seamless access to EHR among the federation of HIS at the Italian regions, but can also be adopted to realise a regional EHR system. However, with minor changes, it is possible to realise other possible communication patterns among the federated HIS with the proposed architecture. Specifically, Figure 2 provides an architectural overview of InFSE, which is structured as a multi-level service-oriented architecture:

1 the lower level of the architecture, called connectivity layer, is represented by the public connectivity system (SPC, as an Italian acronym), a technology infrastructure defined by DigitPA (National Centre for IT in public administrations) for application cooperation between the Italian public administrations

2 the intermediate level, named component layer, includes the infrastructural components of InFSE, which are deployed at the healthcare facilities

3 finally, the top layer, called business layer, defines the application services, such as ePrescription, consultation of clinical reports, patient summaries, and so on.

Let us consider the component layer, and describe it in detail as a composition of

1 a given set of WSs

2 a data repository for storing the clinical documents published in a given HIS

3 a registry serving as the index for the previous repository

4 a publish/subscribe broker, as depicted in Figure 3.

Figure 2 Architectural overview of the proposed architecture (see online version for colours)

Figure 3 WSs composing the component layer (see online version for colours)

From a high level of abstraction we can distinguish five components in it:

1 Access interface represents the access point to the functionalities provided by InFSE. It receives requests from authorised users and similar components from the other regional domains and forwards them to the underlying infrastructure components of InFSE. As shown in Figure 3, it is composed of five WSs exposing to the business layer all the functionalities offered by the other components:
   1 IDocument is the interface for publishing and retrieving clinical documents within the repository
   2 IRegistryFederation is used for managing the federation of registries, hosted at each HIS, by means of metadata related to the regional registries
   3 IEntry is used for submitting queries and updating the content in the registry
   4 IEvent is contacted for publishing and/or getting notifications through the adopted publish/subscribe service
   5 IBrokerFederation aims at managing the publish/subscribe broker within the federation.

2 Federated index registry enables the medical data query managed by each HIS by federating the regional registries, each able to localise the data archived in the repositories within the region. It is composed of four WSs that interact with the regional registry and receive user requests from the two relative WSs in the Access Interface:
   1 IRegistryFederationMgt offers functionalities to define and manage federations of registries
   2 IQueryMgt performs queries to its assigned registry or within the overall registry federation
   3 IMetadataMgt manages the metadata related to the clinical documents stored in the repository
   4 IEventMgt is used for notifying events among the registries of the federation.

3 Document manager allows storing and retrieving documents created by an authorised user at each occurrence of a clinical event of a patient. It is implemented as a single WS called IDocumentMgt, which allows users to add and/or obtain a document with the specified identifier.

4 Hierarchical event manager notifies clinical data to all interested users through a federation of brokers, by adopting a hierarchical classification of events based on the publish/subscribe paradigm. Such a notification solution is built on top of a publish/subscribe service that adopts a brokered topology. This component is implemented by means of four WSs:
   1 IPublisherRegistrationMgt offers publication capabilities such as defining topics or publishing events
   2 INotificationBrokerMgt allows users to retrieve published events
   3 ISubscriptionMgt provides the possibility to register subscription predicates to the system
   4 IBrokerFederationMgt gives means to manage the federation of publish/subscribe brokers, which route published events to interested destinations.

5 Access policy manager is responsible for general security aspects. After the user authentication and identification phases, it authorises access requests to documents and metadata related to a given patient through the assessment of role-based access policies.

In the following subsections, we provide more details on the main functionalities of the InFSE architecture.

3.1 Query and retrieval of clinical documents

Among the various functionalities offered by InFSE, the most common and important operations are the information search and retrieval, i.e., looking for a particular document among all the federated registries and obtaining it. The search operation is typically performed by consulting the metadata about the hosted documents. How such metadata are organised and structured is therefore essential. There are two main possible approaches. On the one hand, federated registries contain very few metadata, for example just the ‘pointer’ to the document and a very small set of related information (e.g., patient identifier, emitter organisation, and so on). On the other hand, a large amount of application information is available for hosted documents, by which the document is described in great detail about its content. It is evident that the second approach implies a laborious generation of metadata when a new document is issued. However, it allows the implementation of more efficient and advanced search operations (e.g., search for the CBC trend in the clinical reports), which represent a desirable added value for the users. As stated by a leading Roman lyric poet named Horace, and with respect to current engineering practice, ‘virtue stands in the middle’, so we have not applied one of these approaches, but an intermediate one. Specifically, metadata are described by a proper model corresponding to the main concepts of the HL7 CDA Rel. 2 domain (Calamai and Giarré, 2010). In addition, in order to ensure interoperability with the infrastructures based on the IHE XDS profile, the mentioned model covers the most important concepts of the information model of the XDS.b version of this profile. Finally, the model also includes the information necessary for managing registry federations. It is worth noting that each regional registry contains metadata related only to the documents available in the region. We refer interested readers to Ciampi (2012) for more details on the metadata model.


3.2 Notifying clinical documents

As shown in Figure 3, our notification solution is built on top of a given publish/subscribe service (Eugster et al., 2003), which can be of any given type. Owing to the brokered architecture that enforces the scalability and efficiency properties, we have used in our system a product compliant with the Java Messaging Service standard (http://www.oracle.com/technetwork/java/jms/index.html), specifically Apache Active MQ (http://activemq.apache.org), which provides a popular and powerful open source message broker. JMS describes a topic-based publish/subscribe service. Therefore, in our architecture a client can subscribe to one or more topics, intended as the possible types of medical data that the system can disseminate, such as results of blood or urine analysis, discharge letters or medical reports. We have not fixed a certain format for the data that can be notified with our proposed architecture, i.e., the internal structure of exchanged events in terms of simple and/or complex data types. Instead, the user is able to express any format of interest for its data, e.g., according to the HL7 CDA specification, in XML format. Our architecture can be used either directly by users, i.e., general practitioners and physicians, or by the software components of federated HIS.

Such coarse-grained subscription is not adequate in the domain of HIS, since a general practitioner would not be interested in being notified whenever a new blood analysis report is generated within the whole region covered by our system. In fact, it is more reasonable that they would only be interested in receiving notifications of blood analysis reports related to one of their patients. Therefore, to improve the efficiency of the adopted subscription scheme, we have introduced a content-based filtering within the notification manager. Such a filter is applied to the identity of the patient to whom the notification is related.

Moreover, typically, general practitioners are not interested in the notification of single documents, but in a certain set of documents, somehow correlated, which forms a diagnostic plan. For this reason, we have introduced the concept of hierarchy of topics and association between two topics. Specifically, a hierarchy is a set of topics linked to each other by proper associations, which can be of three types: AND, when notifications of two topics have to be provided to the user at the same time; TIMED AND, similar to the previous one, but only if the difference between their respective production times does not exceed a certain threshold; and OR, when two topics are alternative. These Boolean operators establish a hierarchical order on the topics forming a hierarchy and describing a diagnostic plan or a clinical workflow. Content-based filtering can be applied to single topics, but also to hierarchies.

The adopted broker topology is structured according to a two-level federation, as depicted in Figure 4. Given a certain region, such as a country, we can have a federation of brokers belonging to different regions (level one), but also a federation (level two) of brokers within the same region. In the case of the presence of the second level federation, a hybrid peer-to-peer organisation (Yang and Garcia-Molina, 2003) is realised: one of the brokers is elected as a gateway between the federation of first level and the one of second level.

Figure 4 Example of two-level topology in our notification solution (see online version for colours)
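The topic hierarchy and patient filter of Section 3.2 can be sketched as follows. This is an added example, not code from the InFSE implementation: the class and field names, the production-time field, and the reading of AND, TIMED AND and OR as a small expression tree evaluated over buffered events are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                 # the three-field event type plus a production time
    topic: str               # document type, e.g. "blood_work"
    patient_id: str
    provider_id: str
    produced_at: float       # seconds; field name is an assumption

@dataclass(frozen=True)
class Topic:
    name: str

@dataclass(frozen=True)
class Assoc:
    op: str                  # "AND", "TIMED_AND" or "OR"
    left: object
    right: object
    max_gap: float = 0.0     # TIMED_AND threshold in seconds

    def __post_init__(self):
        if self.op not in ("AND", "TIMED_AND", "OR"):
            raise ValueError(f"unknown association: {self.op}")

def match(node, events):
    """Return the events that satisfy `node`, or None if it is not satisfied yet."""
    if isinstance(node, Topic):
        hits = [e for e in events if e.topic == node.name]
        return [max(hits, key=lambda e: e.produced_at)] if hits else None
    left, right = match(node.left, events), match(node.right, events)
    if node.op == "OR":                      # alternatives: either side is enough
        return left if left is not None else right
    if left is None or right is None:        # AND and TIMED_AND need both sides
        return None
    both = left + right
    times = [e.produced_at for e in both]
    if node.op == "TIMED_AND" and max(times) - min(times) > node.max_gap:
        return None
    return both

class HierarchySubscription:
    """One subscriber's hierarchy plus its content-based filter on patient identity."""
    def __init__(self, hierarchy, patient_id):
        self.hierarchy, self.patient_id = hierarchy, patient_id
        self.pending = []

    def on_event(self, event):
        """Feed one published event; return the batch to deliver together, or None."""
        if event.patient_id != self.patient_id:
            return None                      # filtered out, never buffered
        self.pending.append(event)
        batch = match(self.hierarchy, self.pending)
        if batch is not None:
            self.pending = []                # plan completed, start a new round
        return batch

# Constructed diagnostic plan: blood work together with either check, within 10 minutes.
PLAN = Assoc("TIMED_AND", Topic("blood_work"),
             Assoc("OR", Topic("cholesterol_check"), Topic("blood_sugar_check")),
             max_gap=600.0)
```

Because the patient filter runs before buffering, events about other patients are never held in the subscriber's state, which keeps the filter a data-minimisation control as well as an efficiency one.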


3.3 Securing communications within federated HIS

In InFSE, we have chosen not to adopt all the specifications composing the WS-Security standard, but a certain subset. First of all, we decided not to encrypt the body of the exchanged SOAP messages, but only their signatures. The reason is that exchanged SOAP messages, when they are carrying sensitive medical information, are made anonymous so as to implicitly protect patient privacy (Brannigan and Beier, 1995). In fact, national and international regulations demand the elimination of the personal nature of healthcare data by separating patient personal information and clinical data (i.e., these two elements should not be present in the same message or the same data repository). On the other hand, we protect the communications by using hypertext transfer protocol over secure socket layer (HTTPS), which layers HTTP on top of SSL.

Incoming SOAP messages contain assertions defined by means of SAML, which are evaluated before the messages are passed to their WS of interest. Specifically, we implemented a security component that intercepts a SOAP message before it is delivered to its target WS, in order to store and evaluate the security assertions contained in its header. If such evaluation succeeds, i.e., an access right can be granted to the given SOAP message based on the contained assertion, then the body of such a message is passed to the WS. Otherwise, the message is discarded. Access rights are granted depending on the proper regional XACML access policies and on the role of the physician within the regional healthcare provider. In addition, despite using keys for encrypting signatures, we do not need XKMS since the used keys are private, decided and provided to healthcare providers by each region.
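The check performed by the security component of Section 3.3 can be sketched as a fail-closed enforcement point. This is an added example, not the InFSE code: the SOAP 1.1 envelope, the attribute name `role`, the action names, the `urn:example:infse` namespace and the policy table standing in for regional XACML policies are assumptions, and XML signature verification is assumed to have been done by an earlier handler.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1 assumed
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Hypothetical stand-in for a regional XACML policy: permitted (role, action) pairs.
REGIONAL_POLICY = {("general_practitioner", "RetrieveDocument"),
                   ("general_practitioner", "QueryRegistry")}
ROLE_PATH = ("saml:AttributeStatement/saml:Attribute[@Name='role']"
             "/saml:AttributeValue")  # attribute name 'role' is an assumption

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def enforce(raw_message, action, now):
    """Return the SOAP Body if the assertion grants `action`, else None (discard).

    Assumes the XML signature has already been verified by an earlier handler.
    """
    if "<!DOCTYPE" in raw_message or "<!ENTITY" in raw_message:
        return None                       # no DTDs or entities in security input
    try:
        env = ET.fromstring(raw_message)
    except ET.ParseError:
        return None
    assertions = env.findall("soap:Header/wsse:Security/saml:Assertion", NS)
    bodies = env.findall("soap:Body", NS)
    if len(assertions) != 1 or len(bodies) != 1:
        return None                       # ambiguous or missing: fail closed
    cond = assertions[0].find("saml:Conditions", NS)
    try:
        live = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        return None                       # absent or malformed validity window
    roles = {v.text for v in assertions[0].findall(ROLE_PATH, NS)}
    granted = any((role, action) in REGIONAL_POLICY for role in roles)
    return bodies[0] if live and granted else None

def sample_message(role):
    """Constructed, anonymised request: the body carries no patient identity."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
 <soap:Header><wsse:Security xmlns:wsse="{NS['wsse']}">
  <saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
   <saml:Conditions NotBefore="2013-01-15T00:00:00Z"
                    NotOnOrAfter="2013-01-16T00:00:00Z"/>
   <saml:AttributeStatement><saml:Attribute Name="role">
    <saml:AttributeValue>{role}</saml:AttributeValue>
   </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
 </wsse:Security></soap:Header>
 <soap:Body><q:RetrieveDocument xmlns:q="urn:example:infse">
  <q:DocumentId>DOC-42</q:DocumentId></q:RetrieveDocument></soap:Body>
</soap:Envelope>"""
```

Every failure path returns None, so a missing assertion, an expired validity window or an unknown role all lead to the message being discarded, as the section describes.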

4 Tests

As part of the OpenInFSE project, an experimental interoperability infrastructure based on the InFSE architecture and information model has been implemented. The scope is to interconnect the HIS of some Italian regions (in our campaign the involved regions are Calabria, Campania, and Piemonte, as depicted in Figure 5). The experimentation consists in enabling regional HIS to exchange medical documents related to some patients, available at the various healthcare facilities. In particular, the HIS of Calabria and Campania regions have a similar architectural model. So, for brevity’s sake, only the integration of two kinds of HIS is described and shown in Figure 6: the one of the Campania region and the one of the Piemonte region. The interconnection of the interoperability infrastructure with the regional HIS of the Campania region has required the following actions:

1 deployment of the access interface and federated index registry components at the regional node; in particular, this last component interacts with a dedicated registry containing pointers to the internal healthcare documents

2 deployment of the document manager components at the healthcare facilities and creation of wrappers aiming at making such components able to interact with the legacy repositories.

Instead, the actions to be performed for the integration of the HIS of the Piemonte region are:

1 development of a wrapper able to interconnect the federated index registry component with the registry of the regional HIS; in particular, the main objective of this wrapper is to map the metadata of the InFSE information model with those used by the local HIS

2 creation of a wrapper capable of making the access interface component interact with the legacy repositories of the healthcare facilities.

This way, the retrieval of the healthcare documents related to a patient available in the country can be performed in two steps. The first step consists of a federated search: a user (e.g., a general practitioner) sends a query to the regional HIS, which propagates it to the Federated Index Registry component; it

1 makes the query to its own registry

2 interacts with the federated index registry components of the other regions, which execute the query to their registries

3 aggregates all the metadata results

4 returns these to the user.

The second step is a document retrieval: the user selects a document he/she wants to obtain and sends a request to the regional HIS, which forwards it to the access interface component of the region containing the document; this one retrieves the document by communicating with the HIS of the region where it is deployed.

Figure 5 Italian regions interconnected by InFSE implementation (see online version for colours)

Figure 6 InFSE components (cyan) integrated within the regional HIS of (a) Piemonte and (b) Campania (see online version for colours)

We have tested the quality of the search and retrieval operations with two different experiment scenarios: inter-regional, i.e., the user in a given region wants to obtain a document of a patient from a different region; and intra-regional, i.e., the user in a given region wants to obtain a document of a patient from the same region. We have performed search and retrieval operations approximately 50 times from one region of document identifiers randomly chosen among those hosted by the other two regions (inter-regional scenario). We obtained the service time in milliseconds plotted in the first chart of Figure 7. The retrieval returns a couple of files for a given medical document: one in XML HL7 CDA 2 format of about 40 KB and the other one in PDF/A format of about 220 KB. We had a 100% find rate for documents searched. We have repeated such an experiment in an intra-regional scenario focusing on the Campania region, and obtained the results shown in the second chart of Figure 7. The query exhibits a moderate standard deviation in the inter-regional scenario, while it is more considerable in the intra-regional one; it is half the time needed to retrieve the searched documents. Retrieval only depends on the size of downloaded documents and network performance.

Figure 7 Service time in the two experiment scenarios, (a) inter-regional and (b) intra-regional (see online version for colours)

Figure 8 Test scenarios for the assessment of the notification solution in InFSE (see online version for colours)

We have conducted another series of experiments in order to evaluate the performance of our notification architecture. In particular, we have focused on the push-based event notification, and defined three different test scenarios, as shown in Figure 8:

1 local scenario, where our medical notification architecture (denoted as medical NotArch in the figure), publisher and subscriber applications are running on the same machine

2 distributed scenario A, where medical NotArch and the two applications are running on two distinct machines

3 distributed scenario B, where each machine runs an instance of our medical NotArch and a publisher or subscriber application, and the interconnection between the two instances of medical NotArch is realised thanks to a network of two brokers of Apache Active MQ (denoted AMQ in the figure), configured by two administrator applications (one per machine) by using services offered by the IBrokerFederationMgt interface.

Figure 9 Average and standard deviation of delivery time when varying the test scenario (see online version for colours)

We have envisaged two different distributed scenarios since they model two different potential usage situations that our notification architecture may face:

1 intra-HIS notification, i.e., the general practitioner and the secondary healthcare provider reside quite close and are within a given regional HIS

2 inter-HIS notification, i.e., the general practitioner and the secondary healthcare provider reside far away so they belong to two distinct regional HIS.

During a single experiment our publisher application produces 100 notifications, which adopt a simple event type constituted by three fields:

1 patient identifier

2 secondary healthcare provider identifier

3 document type, such as blood work, cholesterol check, or blood-sugar checks.

We report the average of three different experiments on the same scenario and setting. The adopted network is wireless with an average latency of two milliseconds.

In Figure 9, we can see the delivery time of an event when varying the test scenario; only one topic has been created and no content filter has been defined. In particular, for the local scenario, we see that the mean delivery time is equal to 136,645 milliseconds. We have performed such a test by varying the number of topics created by the publisher and subscribed to by the subscriber, but we have not experienced a considerable degradation in performance (i.e., the degradation with an additional topic is equal on average to 4,831 milliseconds). We have also replicated such experiments with the subscriber application defining a content-based filter on the value assumed by the patient ID. The overhead registered for performing the filtering is about 1,737 milliseconds. When we moved to more distributed scenarios, we noticed an increase in the experienced dissemination time owing to exchanging SOAP messages among the distributed applications. Specifically, such an increase is respectively 25,876 milliseconds for the first distributed scenario and 300,138 milliseconds for the second one. The standard deviation of the experienced dissemination time also follows this tendency: it is low for the local scenario, i.e., 16,707, and it increases when we consider a more distributed scenario.


5 Future work and concluding remarks

We have presented an architecture and its implementation for sharing medical documents among federated HIS. The functionalities provided by such a solution are:

1 the retrieval of clinical documents in a pull-based manner

2 the notification of clinical data to realise a push-based delivery

3 the protection of the offered services and communications.

We have described some preliminary results for assessing the quality of the proposed architecture when retrieving and notifying documents. We are working on a more complete assessment with a higher number of interconnected HIS and more complex data structures. Our future plans are to investigate reliability aspects of this architecture and to evaluate the performance penalties implied by the use of the described security mechanisms. In addition, we plan to extend our work to the ubiquitous and pervasive systems (Coronato and De Pietro, 2011; Coronato et al., 2008) used within hospitals and for telemedicine.

Acknowledgements

This work has been partially supported by the project named OpenInFSE, a Convention between the Department for the digitisation of public administration and technological innovation (DDI) of the Presidency of the Council of Ministers and the ICT Department of the Italian National Research Council (CNR).

References

Appari, A. and Johnson, M. (2010) ‘Information security and privacy in healthcare: current state of research’, International Journal of Internet and Enterprise Management, Vol. 6, No. 4, pp.279–314.
Bittner, T., Donnelly, M. and Winter, S. (2005) ‘Ontology and semantic interoperability’, Large-Scale 3D Data Integration, CRC Press, London.
Blobel, B. and Oemig, F. (2009) ‘What is needed to finally achieve semantic interoperability?’, IFMBE Proceedings, Vol. 25, No. 12, pp.411–414.
Blobel, B. et al. (2009) ‘The role of ontologies for sustainable semantically interoperable and trustworthy EHR solutions’, Studies on Health Technologies and Informatics, Vol. 150, pp.953–957.
Borst, F., Appel, R., Baud, R., Ligier, Y. and Scherrer, J.R. (1999) ‘Happy birthday DIOGENE: a hospital information system born 20 years ago’, International Journal of Medical Informatics, June, Vol. 54, No. 3, pp.157–167.
Bouhaddou, O. et al. (2008) ‘Exchange of computable patient data between the department of veterans affairs (VA) and the Department of Defense (DoD): terminology mediation strategy’, Journal of the American Medical Informatics Association, Vol. 15, No. 2, pp.174–183.
Brannigan, V.M. and Beier, B.R. (1995) ‘Patient privacy in the era of medical computer networks: a new paradigm for a new technology’, Medinfo, Vol. 8, No. I, pp.640–643.
Calamai, R. and Giarré, L. (2010) ‘HL7 v3 CDA Rel.2 patient summary and chronic care model: localization experience and GP/HS integration project’, Proceedings of the 2010 IEEE International Conference on Systems Man and Cybernetics, pp.147–155.
Ciampi, M. (2012) The Metadata Information Model for the Italian Interoperability Infrastructure of EHR Systems, ICAR-CNR Technical Report RT-ICAR-NA-2012-02, February [online] http://www.na.icar.cnr.it/pubblicazioni/tr022012 (accessed February 2013).
Coronato, A. and De Pietro, G. (2011) ‘Formal specification and verification of ubiquitous and pervasive systems’, ACM Transactions on Autonomous and Adaptive Systems (TAAS), February, Vol. 6, No. 1, Article No. 9.
Coronato, A., De Pietro, G. and Gallo, L. (2008) ‘An agent based platform for task distribution in virtual environments’, Journal of Systems Architecture, Vol. 54, No. 9, pp.877–882.
Dogac, A. et al. (2007) ‘Enhancing IHE XDS for federated clinical affinity domain support’, IEEE Transactions on Information Technology in Biomedicine, Vol. 11, No. 2, pp.213–221.
Eugster, P., Felber, P., Guerraoui, R. and Kermarrec, A-M. (2003) ‘The many faces of publish/subscribe’, ACM Computing Surveys, June, Vol. 35, No. 2, pp.114–131.
Hauxe, R. (2006) ‘Health information systems’, International Journal of Medical Informatics, March, Vol. 75, No. 3, pp.268–281.
Huang, H.K. (2004) PACS and Imaging Informatics: Basic Principles and Applications, 1st ed., Wiley-Liss, Hoboken, NJ, April.
Jung, B. and Grimson, J. (1999) ‘Synapses/SynEx goes XML’, Studies in Health Technology and Informatics, Vol. 68, pp.906–1111.
Kripalani, S. et al. (2007) ‘Deficits in communication and information transfer between hospital-based and primary care physicians’, The Journal of American Medical Association (JAMA), Vol. 297, No. 8, pp.831–841.
Nixon, L.J.B. et al. (2007) ‘Enabling collaborative ehealth through triple space computing’, Proceedings of the 16th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE ‘07), pp.80–85.
Nordbotten, N.A. (2003) ‘XML and web services security standards’, IEEE Communications Surveys & Tutorials, April, Vol. 36, No. 4, pp.96–98.
Object Management Group, Inc. (OMG) (2001) ‘CORBAmed specifications’, April, [online] http://www.omg.org/ (accessed February 2013).
Schloeffel, P., Beale, T., Hayworth, G., Heard, S. and Leslie, H. (2006) ‘The relationship between CEN 13606, HL7 and openEHR’, Proceedings of the Health Informatics Conference.
Sittig, D.F., Kuperman, G.J. and Teich, J.M. (1996) ‘WWW-based interfaces to clinical information systems: the state of the art’, Proceedings of the AMIA Annual Fall Symposium, pp.694–698.
Webber, D. and Kernberg, M. (2006) ‘Exploiting ebXML registry semantic constructs for handling archetype metadata in healthcare informatics’, International Journal of Metadata, Semantics and Ontologies, Vol. 1, No. 1, pp.21–36.
Yang, B. and Garcia-Molina, H. (2003) ‘Designing a super-peer network’, Proceedings of the 19th International Conference on Data Engineering (ICDE 2003), March, pp.49–60.