Context-Based, Predictive Access Control to Electronic Health Records

Abstract

Effective access control techniques are in demand, as electronically assisted healthcare services require the patient’s sensitive health records. In emergency situations, where the patient’s well-being is jeopardized, different healthcare actors associated with emergency cases should be granted permission to access Electronic Health Records (EHRs) of patients. The research objective of our study is to develop machine learning techniques based on patients’ time sequential health metrics and integrate them with an Attribute Based Access Control (ABAC) mechanism. We propose an ABAC mechanism that can yield access to sensitive EHRs systems by applying prognostic context handlers where contextual information, is used to identify emergency conditions and permit access to medical records. Specifically, we use patients’ recent health history to predict the health metrics for the next two hours by leveraging Long Short Term Memory (LSTM) Neural Networks (NNs). These predicted health metrics values are evaluated by our personalized fuzzy context handlers, to predict the criticality of patients’ status. The developed access control method provides secure access for emergency clinicians to sensitive information and simultaneously safeguards the patient’s well-being. Integrating this predictive mechanism with personalized context handlers proved to be a robust tool to enhance the performance of the access control mechanism to modern EHRs System.

1. Introduction

Handling access to medical information is essential as the safeguarding of the patient’s sensitive data privacy, e.g., her health history, is of prime importance. Access control models are related to the privileges an entity has upon handling particular data objects. These are based on user identity access control models, such as Role-Based Access Control (RBAC), Discretionary Access Control (DAC) and Mandatory Access Control (MAC) [1]. As well as these static approaches, the Attribute-Based Access Control (ABAC) paradigm has been developed, which is dynamic and flexible in nature [2]. In ABAC, there are connections’ snapshots that are produced and dynamically altered based on the current context, instead of statically-defined lists of permissions that link entities with objects.

In the medical sector, contextual information which characterizes an emergency in a patient’s healthcare state should be deemed when controlling access to the healthcare sensitive information to guarantee the most efficient treatment. Accordingly, the implementation of access control models which integrate the context concept, such as the notion of dynamically changing contextual attributes which indicate the current status, is needed. More specifically, context is considered as any information characterizing the status of an entity, such as person, place or object, related to the association between an application and a requestor [3]. Exploiting contextual data facilitates the implementation of access control policies by taking into account the conditions of access requests’ evaluation. For instance, in critical situations, an emergency healthcare professional intends to partially access the patient’s healthcare data to properly address a critical condition. The values of contextual information are obtained, for instance, from IoT devices, such as a wearable able to gauge blood pressure. We report that context handlers are beneficial for implementing processes of dynamic authorization which consider the critical status of a specific medical acute care event before making a decision on access control. In critical conditions, the emergency medical teams should access immediately the patients’ medical records.

The research objective of our study is the investigation of whether real-time health data, e.g., from medical devices and sensors, can be used to identify acute care conditions and permit access to sensitive medical information. We examine the application of machine learning methods to derive dynamic and personalized access control policies for yielding access decisions with respect to sensitive EHRs data based on the current context. Specifically, we are going to use the patient’s recent health history in order to predict key health metrics of the next couple of hours by implementing Long Short Term Memory (LSTM) Neural Networks (NNs) and use the predicted values to assess the criticality of the health condition of the patient. Our research takes advantages of recent developments in Artificial Intelligence in solving complex technical problems, see, e.g., in engineering [4], image processing [5] and e-commerce [6]. We develop an intelligent access control mechanism, which, based on a prediction model and a personalized fuzzy context handler [7], examines recent health metrics of a patient and outputs the patient’s health criticality assessment, which, in turn, controls access to the EHRs system.

2. Related Works

2.1. Access Control in Emergency Situations

Access to patient’s private data is a sensitive topic because there is the danger for patient’s sensitive data to be revealed to malicious subjects. Yielding access to EHRs in emergency cases increases the quality of patient’s life and improves medical decision-making [8]. Povey et al. [9] presented a retrospective access control scheme so that the system is not misused, and where transactions are utilized to make sure that the system’s integrity can be recovered in a data breach incident. The authors propose a break-glass mechanism which warns about misuse before it is activated. According to the authors, in a critical case, the users can operate the tool but, after the event, they have to provide explanation to the administrator of the system so as to avoid the associated penalty.

Saberi et al. [10] introduced a synthesis of blockchain and interplanetary file system. Blockchain is utilized as a secure integrated mechanism for ABAC break-glass paradigms, and as an interplanetary file system which produces a distributed file storage infrastructure to store big files of health records. Additionally, the proposed conceptual model of Saberi et al. [11] was relied on the technology of blockchain, on an interplanetary file system and on ABAC, which does not require circumventing the access control mechanism in order to constitute the patient’s medical information available. Especially in emergency cases, the doctors receive access to the EHRs almost just in time with respect to the attribute-based security rights which are set by the patients.

Manasa et al. [12] presented an access control paradigm to achieve patient-centric privacy regarding medical health information in emergency situations. The model proposed by Tsegaye et al. [13] ensures the EHRs confidentiality via RBAC and ABAC, while guarantying integrity by exploiting the Clark–Wilson model that protects the EHRs from both authorized healthcare professionals and unauthorized entities. Furthermore, by implementing their paradigm, the EHRs can be safeguarded and any access issues can be dealt with while yielding EHR access in a critical case. Li et al. [14] introduced an access control framework for personal medical data within the environment of cloud computing. The authors leveraged the Attribute-based Encryption (ABE) paradigm to encrypt patient’s health records. Additionally, the proposed scheme supports users’ on-demand revocation access, and break-glass access under critical situations.

Jagdale et al. [15] integrated a system for controlling data access to medical information in cloud servers. The mechanism provides ABE encryption to encrypt health record files. The mechanism enables modification of file attributes or access policies and break-glass access for emergencies. Farinha et al. [16] presented an implementation of the break-glass paradigm in a real medical situation so as to enforce the legislation about genetic information. Furthermore, the authors evaluated the process of integrating legislation into the medical practice and the impact of break-glass use by concluding that the break-the-glass features are able to filter the non-authorized accesses which would not otherwise be prevented.

Brucker et al. [17] introduced a break-glass model with a SecureUML extension. The authors proposed a security paradigm supporting break-glass that comprises a transformation from break-glass SecureUML policies to eXtensible Access Control Markup Language (XACML). Georgakakis et al. [18] presented the spatio-temporal Emergency RBAC model which is based on spatiotemporal context of time, location, and hierarchy of roles so as to yield exception access in critical situations. In their model, users can access resources either through the regular process of assigned roles according to the security policy of the organization or request access to a resource through the emergency access procedure. Kabbani et al. [19] proposed to integrate situation-based authorization policies by utilizing XACML which provides an attribute-based policy language and a policy-based management architecture. Utilizing XACML, they embody situations as attributes that are used and aggregated in rules, while they transfer to the policy their values’ dynamicity.

Marinovic et al. [20] proposed a break-glass system that builds a break-glass policy by establishing the reason why the access was not permitted. Their model represents conflicting and missing data, permitting the policy to produce a more informed decision when faced with missing or inconsistent knowledge. Maw et al. [21] proposed an access control model in wireless sensor networks and networks of body area, which provides a flexible control of accessing data in emergencies. Guan et al. [22] introduced a scheme leveraging the patients’ fingerprints to help medical professionals to get temporary authorization access of personal health records. In case a patient is in a coma, the medical professional needs to access the patient’s personal health records urgently in order to take effective aid measures. Künzi et al. [23] proposed an emergency access mechanism for EHR systems that employ digital rights management protection of medical information. Due to the usage of their emergency mechanism, their scheme mitigates emergency key distribution problem and is able to be integrated in highly distributed mechanisms.

2.2. Contextual Attributes for Access Control

Context characterizes a particular condition by taking into consideration the circumstances where an event arises. Each contextual attribute serves as a quantitative primitive, such as the requestor’s location. Attributes in ABAC are classified into four following categories [24]: (a) subject attributes characterize the user requesting access, such as age; (b) action attributes characterize the requested action such as read; (c) object attributes characterize the resource of access such as a health record; and (d) environment attributes are correlated with dynamic access control factors, such as time.

Mahalle et al. [25] combined three factors with fuzzy values in order to create fuzzy rules for data access control: the estimated trust value associated with factors such as knowledge, recommendation and experience. Their work additionally follows a fuzzy method and a trust-based access control architecture that receives, from devices which communicate with each other, as inputs the experience-based components of knowledge, recommendation and experience. D’Aniello et al. [26] used a series of agent layers to implement a multi-agent fuzzy consensus model for situation awareness using, as fuzzy variables, air temperature, air humidity and air wetness as inputs in their fuzzy cognitive maps to detect infected corps. De Maio et al. [27] considered the bank intrusion as a situation awareness scenario, so as to support bank security operators in the prevention or detection of robbery and theft.

In order to characterize contextual information that can facilitate the evaluation of emergency medical situations, we reviewed the following works. Nomikos et al. [28] examined patients’ conditions, described using attributes, such as the time when the stroke took place, the age, the Systolic Blood Pressure (SBP), the Diastolic Blood Pressure (DBP), the Glasgow coma scale value and the Scandinavian coma scale, which describe the level of consciousness of the patient. Mahmood et al. [29] estimated the crisp values of blood pressure parameters from Heart Rate (HR). Djam et al. [30] suggested a fuzzy expert system for the management of hypertension using the fuzzy logic approach. As fuzzy inputs, the SBP, DBP, age and Body Mass Index (BMI) were considered to predict hypertension risk.

Manasa et al. [12] took under consideration contextual information such as the patient’s prescriptions, allergies, medical history and basic profile. Additionally, an emergency attribute is defined regarding emergency access. A fuzzy expert system for prediction of heart diseases, which uses the method of cuckoo search, is proposed by Moameri et al. [31] by taking into consideration the attributes of cholesterol level, maximum HR, electrocardiogram results, blood pressure, type of chest pain and age.

A few studies consider users’ specificities for the evaluation of access policies. For example, the increased HR can be taken into account as critical for a particular patient only in case that her medical situation, her levels of activity or her age are taken under consideration. Zerkouk et al. [32] proposed an adaptable access control framework and its associated architecture, where the security policy is relied on an analysis of the monitored behavior of the user. Røstad et al. [33] described a mechanism for personalized access control for use in medical records. The model combines concepts and properties of RBAC and DAC in order to achieve the desired properties. Furthermore, the authors consider a set of common policies, which cannot be altered by the patient, along with a set of personal policies which can be edited by the patient. Petković et al. [34] proposed privacy and security enhancements in a RBAC system. Their approach comprises personalized access control that is a combination of role-based and user-managed access control, along with a cryptographic enforcement, which comprises efficient key management for the personalized role-based access control in health records.

Son et al. [35] proposed a dynamic access control approach for preserving the security of personal health information in a cloud environment, which takes under consideration contextual attributes for dynamic access. Their model uses the 5W1H ontological concept to process context-based attributes for dynamic access. A key component of their model is that it deals with the dynamic access control and the medical sector.

2.3. Data Analytics in Healthcare

Tomar et al. [36] have shown that analytics can help medical staff in disease treatment, diagnosis and prediction by ameliorating the quality of service, which results in a reduction in the dataset’s cost information, both predictive (e.g., prediction of forthcoming historical information) and prescriptive (e.g., usage of scenarios which contribute to decision support). Analytics are classified as prescriptive, predictive and descriptive [37]. Descriptive analytics describe systems’ past performance; predictive analytics predicts systems’ future performance; and prescriptive analytics prescribes interventions so as to ameliorate systems’ future performance. Khalifa [38] identifies the analytics’ categories of discovery, prescriptive, predictive, diagnostic and descriptive ones. Each one of them has its unique purpose in ameliorating health systems. Descriptive analytics works by aggregating, classifying, characterizing and categorizing data to be transformed to beneficial information to assist medical staff analyze and understand results, performance and decisions. Prescriptive analytics assists in making a feasible decision and assisting professionals not only to examine the expected results and consequences of their actions and recognize the problems and opportunities, but additionally to assess the best possible alternative to use in a timely manner [39]. Discovery analytics [40] use information to discover new diseases, signs, symptoms, alternative treatments or medications and unknown side effects. Descriptive analytics explore distinct variables and examines any relations between these variables and patient’s probability of admission so as to decide which variables to be utilized in order to develop this decision model [41]. Diagnostic health analytics are used in deciding the cause of an action [42]. They require broad exploration and directed data analysis by exploiting the visualization techniques tools to find the problem’s root causes or to assist professionals understand the problem’s impact and nature. For instance, the increased waiting time in implementing specific medical services could be the cause of patient and provider related factors.

The society Healthcare Information and Management Systems characterizes health analytics [43] as the fundamental utilization of healthcare information and relevant management information through the appliance of analytics methods and means, such as qualitative and quantitative statistics, analysis of context and predictions to build insights and information based operational and strategic management for even more efficient healthcare. Health analytics encompasses a wide range of dimensions and aspects of big data analysis. This analysis is related to data accessibility and availability and information derived via efficient interoperability and implementation of a wide spectrum of technologies like web applications, data warehouses and systems of electronic medical records and medical decision support [44].

The tools of health analytics are taken into account as a set of systems of decision support regarding the medical professionals, providing knowledge among others to pharmacists, health policy makers, health administrators, nurses or physicians, to make even more efficient evidence and acquire vision according to medical decisions [45]. Chen et al. [46] report that health analytics is characterized as a manner of converting information and data into actions and plans using insights and analysis for problem solving and medical decision making. Bates [47] reports that, typically, medical centers healthcare organizations have already implemented descriptive analytics to clinical cases and healthcare information. According to the authors, by exploiting technologies, tools and queries, the clinicians can have at their disposal categorized structured data and information on past performance.

2.4. Health Analytics Using LSTM

LSTM Neural Networks were introduced by Hochreiter and Schmidhuber in 1997 [48] to address the overextended time intervals by recurrent back-propagation that takes a long time, essentially due to decaying, insufficient error backflow. LSTM NNs are widely used in the healthcare domain. Yin et al. [49] proposed a detection system of 3D human action regarding real-time inference for intelligent medical applications based on LSTM, which can be used in emergency warnings. Kadri et al. [50] proposed an approach for forecasting of everyday admissions of patients at the pediatric emergency room, dependent on LSTM NNs. Tsai et al. [51] proposed an architecture in including bottleneck features of voice in a LSTM framework to recognize automatically the intensity of pain-level of the patients in the emergency department during triage. Mantas [52] used LSTM recurrent NN to develop a model for emergency department wait time prediction in the next couple of hours by exploiting a random patient timestamp dataset of a common patient hospital process. Nwakanma et al. [53] proposed an LSTM-based detection system for critical situations, where the sensor aggregates vibration information which assists in predicting emergencies. Reddy et al. [54] presented a Recurrent Neural Networks (RNN) methodology with LSTM that uses longitudinal healthcare sequential information, is promising in predicting lupus patients’ readmission. Zhang et al. [55] used Convolutional Neural Networks (CNN) to analyze Wuhan COVID-19 emergency data. Mou and Yu [56] introduced a CNN LSTM method of blood pressure prediction dependent on pulse wave information. Chae et al. [57] performed ‘particulate matter’ prediction using the LSTM among others, where the ‘particulate matter’ can cause various toxin-induced cancers, affected lungs, and worsened asthma. Mumtaz et al. [58] applied LSTM for predicting the air pollutants concentration and the indoor environment quality, which is helpful for individuals who suffer from acute pulmonary disorders and COVID-19 patients.

3. Methods

In this study, we extend our previous work on context-aware access policies [7] by considering, apart from the patient’s current health situation, the prognosis of the patient’s future health status. The proposed methodology delivers an access control mechanism which relies on Attribute-based Access Control (ABAC). The methodology combines machine learning techniques to predict the patient’s upcoming health condition along with fuzzy logic to reason about the context of the access request (Figure 1).

The predictive mechanism, implemented with LSTM, receives as input the recent health metrics and outputs the predictions of health metrics for the next two hours. Subsequently, the fuzzy context handler assesses the criticality of the future health status of the patient, by taking into consideration (i) the patient’s age, (ii) the current health metrics and (iii) the predicted health metrics for the next two hours. The criticality assessment determines the decision about granting or not emergency access by healthcare professionals to the EHRs system.

3.1. Fuzzy Context Handlers

A context handler in XACML [59] is a system entity which transforms access requests from the initial format of requests to the canonical form of XACML [60]. Apart from using, or not, the XACML architecture, context handlers are exploited in ABAC to transform the attribute representations into mediums related to the environment of the application. Lower-level context is beneficial for uplifting context of higher level and understanding emergency conditions, for example in the situation of an acute care healthcare dispatcher case. This knowledge is responsible for determining if access to private medical information should be permitted or not.

In our earlier work [7], we developed context handlers governed by fuzzy rules to identify critical situations. A fuzzy context handler uses fuzzy rules that associate contextual attributes with fuzzy values and generates as output an assessment of the criticality of the incident. The related contextual attributes, which are represented in a context model, are presented in detail in [61]. Here, we extend the fuzzy context handlers by taking into consideration apart from the patient’s current state her future one as well, by predicting the patient’s future health status.

3.2. Predicting Mechanism

To implement the prediction mechanism, we rely on the long short term memory (LSTM) model [48], a variant of the recurrent neural network which is used to predict the patient’s future health metrics. LSTM networks have the capability of learning long-term dependencies. The LSTM network outperforms others in the prediction of the next sequence of process instances, because it predicts the next one by storing lengthy input sentences. The LSTM prediction exhibits a considerable rise and aligns with the actual time series data [62].

The basic structure (i.e., a cell) of an LSTM module, as illustrated in Figure 2, comprises three separate gates: input, output and forget. Each cell persists values over arbitrary time intervals while the three mentioned gates adjust the information flow coming into and out of the cell. There are three sigmoid gates, to protect and control the cell state. Each sigmoid gate decides what information should be ignored from the cell state. Calculating the output of a cell involves first the decision on which information to remove from the previous cell. Output “1” or “0” indicate that all previous information should be kept or discarded, respectively. Additionally, the tanh gate serves to convert values to be between −1 and 1. This special structure, apart from the input X_t, takes, additionally as input, the output of the previous block H_t−1 along with the memory from the previous LSTM block C_t−1. The final output H_t is given by Formula (1).

$${\mathrm{H}}_{\mathrm{t}}={\mathrm{O}}_{\mathrm{t}}\ast \tan \mathrm{h}\left({\mathrm{C}}_{\mathrm{t}}\right)$$

(1)

where:

$${\mathrm{O}}_{\mathrm{t}}= \mathsf{\sigma }\left({\mathrm{W}}_{\mathrm{o}}·\left[{\mathrm{H}}_{\mathrm{t}-1},{\mathrm{X}}_{\mathrm{t}}\right]+{\mathrm{b}}_{\mathrm{o}}\right)$$

(2)

$${\mathrm{C}}_{\mathrm{t}}={\mathrm{F}}_{\mathrm{t}}{\ast \mathrm{C}}_{\mathrm{t}-1}+{\mathrm{I}}_{\mathrm{t}}\ast {\mathrm{C}\prime }_{\mathrm{t}}$$

(3)

$${\mathrm{C}\prime }_{\mathrm{t}}= \tan \mathrm{h}\left({\mathrm{W}}_{\mathrm{c}}·\left[{\mathrm{H}}_{\mathrm{t}-1},{\mathrm{X}}_{\mathrm{t}}\right]+{\mathrm{b}}_{\mathrm{c}}\right)$$

(4)

$${\mathrm{I}}_{\mathrm{t}}= \mathsf{\sigma }\left({\mathrm{W}}_{\mathrm{i}}· \left[{\mathrm{H}}_{\mathrm{t}-1},{\mathrm{X}}_{\mathrm{t}}\right]+{\mathrm{b}}_{\mathrm{i}}\right)$$

(5)

$${\mathrm{F}}_{\mathrm{t}}= \mathsf{\sigma }\left({\mathrm{W}}_{\mathrm{f}}· \left[{\mathrm{H}}_{\mathrm{t}-1},{\mathrm{X}}_{\mathrm{t}}\right]+{\mathrm{b}}_{\mathrm{f}}\right)$$

(6)

In the above equations, W_f, W_i, W_c and W_o are weights and b_f, b_i, b_c and b_o are biases, which are learned during the training phase of the network. We perform multi-step forecasting [63] of two next steps based on multivariate input time series.

As illustrated in Figure 3, the recent health metrics of SBP, DBP and HR are taken into consideration and constitute the input for the multivariate multi-step LSTM model we developed. The model outputs the prediction of these three health metrics for the next two hours.

Next, we discuss an example use case in which our proposed system is used to assess the overall health situation of a patient (i.e., its criticality) for driving the access control decision with respect to emergency access to a certain EHR. In our previous work [7], we developed a fuzzy context handler which is able to map the input fuzzy variables Systolic Blood Pressure (m₁) and Diastolic Blood Pressure (m₂) to fuzzy values ‘Low’, ‘Normal’, ‘Elevated’ and ‘High’, while the input fuzzy variable Heart Rate (m₃) to fuzzy values ‘Low’, ‘Medium’ and ‘High’. Last, the output fuzzy variable Criticality, is mapped to values ‘Low’, ‘Medium’ and ‘High’.

In a general case, we can have the n health metrics m₁ − m_n. After having defined the fuzzy sets, the fuzzy rules per fuzzy variable are defined based on our previous work [7]. An example of a fuzzy rule regarding the SBP is “If SBP is Low then Criticality is High”. After this step, the fuzzy inferencing process is implemented, where the percentage of criticality is deduced per health metric.

For example, for the health metrics of SBP_current = 123 mmHg, DBP_current = 72 mmHg and HR_current = 94 bpm, as presented in the current values of the patient with ID 17, shown in Figure 3, we deduce the following respective criticalities of: (i) criticality(SBP_current = 123 mmHg) = 33%, (ii) criticality(DBP_current = 72 mmHg) = 38.61% and (iii) criticality(HR_current = 94 bpm) = 63.6%. In this particular example, neither case is critical, because, as stated in our work [7], for a case to be critical, it should meet the maximum criticality percentage, which is 67% according to the specific fuzzy inferencing process. Therefore, after having calculated if the current case is critical or not, we proceed to the calculation of the criticality for next two hours. In order to proceed to this particular calculation, we need to have at our disposal the values for the next two hours per each health metric. In order to achieve this goal, we predict these next two hours’ health values by implementing LSTM NNs by taking into consideration the last four-hour health history and the current health metrics. This particular prediction is essential for the emergency doctor so that he has at his disposal a thorough perception of the patient’s clinical profile, and, additionally, is considered as input for the fuzzy context handlers.

As seen throughout this example, the fuzzy context handlers, by having at their disposal the current health metrics of SBP, DBP and HR, will make the criticality assessment (Figure 1) of the respective future health metrics for the next two hours. For example, as seen in Figure 3, if the patient, has for the last five hours, the following values, regarding the health metrics of SBP, DBP and HR, respectively: (i) 118 mmHg, 114 mmHg, 126 mmHg, 115 mmHg and 123 mmHg; (ii) 73 mmHg, 70 mmHg, 74 mmHg, 68 mmHg and 72 mmHg; and (iii) 95 bpm, 92 bpm, 93 bpm, 92 bpm and 94 bpm, then our system predicts as their corresponding future two-hour SBP, DBP and HR values, respectively: (i) 107 mmHg and 105 mmHg, (ii) 67 mmHg and 66 mmHg and (iii) 86 bpm and 83 bpm.

After this specific step, we proceed to the criticality calculation of these future health metrics. Therefore, the criticality percentages for the next hour are: (i) criticality(SBP_after-1-h = 107 mmHg) = 60.2%, (ii) criticality(DBP_after-1-h = 67 mmHg) = 67% and (iii) criticality(HR_after-1-h = 86 bpm) = 36.4%. Therefore, in this case, for the next hour we conclude that the situation is critical, because the criticality of at least one of the health metrics case reaches the maximum percentage of 67% according to the fuzzy inferencing process. Therefore, regarding the next two hours’ case, we have the following criticality percentages: (i) criticality(SBP_after-2-h = 105 mmHg) = 67%, (ii) criticality(DBP_after-2-h = 66 mmHg) = 67% and (iii) criticality(HR_after-2-h = 83 bpm) = 33%, where we conclude that similarly to the after one hour case the patient’s situation is critical because at least one of the criticality percentages reaches its’ maximum level.

The overall criticality result is deduced based on the three individual results of the patient’s current and future state. In this case, even if regarding the current situation the patient’s situation is not considered critical, it is critical for both after one and two hours. The overall critically result is deduced based on the Equation (8) of Section 4.2 which states that even one of the current or future states is critical, then in case the requestor is an emergency doctor, he can be granted access to the patient’s EHRs.

Our methodology regarding the prediction of the patient’s future health metrics is presented in the following Algorithm 1.

Algorithm 1 Prediction of future health metrics

CHOOSE NUMBER OF INPUT STEPS (health history of last 4 h)

input_steps ← 5

CHOOSE OUTPUT STEPS (future health metrics of the next two hours)

output_steps ← 2

CHOOSE FEATURES (number of health metrics)

features ← 3

REPEAT FOR ALL DATA FILES

READ EACH DATASET’S FILE PER PATIENT

SELECT TRAIN AND TEST SETS

data_train, data_test ← devide(dataset, 0.8)

SPLIT DATA ACCODING TO INPUT AND OUTPUT STEPS

X_train, Y_train ← split_dataset(data_train, input_steps)

X_test, Y_test ← split_dataset(data_test, input_steps)

RESHAPE X_train and X_test

Reshape X_train, X_test into (samples, inpute_steps, features)

DEFINE MODEL

add(LSTM(200, activation = ‘relu’, input_shape = (input_steps, features)))

add(RepeatVector(output_steps))

add(LSTM(200, activation = ‘relu’, return_sequences = True))

add(TimeDistributed(Dense(features)))

COMPILE MODEL

compile(optimizer = ‘adam’, loss = ‘mse’)

FIT MODEL (to improve the weights and biases of the network)

model.fit(X_train, Y_train, epochs = 200, verbose = 0)

EVALUATE MODEL

SAVE MODEL

model.save(model_file)

END REPEAT

INPUT A PATIENT’S HEALTH METRICS FOR THE LAST 4 HOURS METRICS

input_metrics:

sbp_current, dbp_current, hr_current current health metrics

sbp_before_1, dbp_before_1, hr_ before_1 health metrics before 1 h

sbp_ before_2, dbp_ before_2, hr_before_2 health metrics before 2 h

sbp_ before_3, dbp_ before_3, hr_before_3 health metrics before 3 h

sbp_before_4, dbp_before_4, hr_before_4 health metrics before 4 h

PREDICT AND OUTPUT PATIENT’S FUTURE HEALTH METRICS

output_metrcs:

sbp_next_1, dbp_next_1, hr_next_1 predicted health metrics after 1 h

sbp_next_2, dbp_next_2, hr_next_2 predicted health metrics after 2 h

output_metrics ← model_file.predict(input_metrics)

4. Evaluation

4.1. Technical Implementation

We utilize the XACML architecture to implement the proposed context-based, predictive access control mechanism. XACML also known as a policy-based access control (PBAC) system, where attribute values associated with a resource, an action or a user are perceived as inputs into the access control decision, regarding a given user, a particular target resource and a specific way of access. RBAC can additionally be implemented in XACML as a specialization of ABAC. The XACML architecture contains: (a) the Policy Enforcement Point (PEP), able to protect data and applications, to intercept requests and to propagate authorization requests directed to the Policy Decision Point (PDP); (b) the Policy Information Point (PIP) that connects external attribute sources; and (c) the Policy Administration Point (PAP) responsible for handling access policies.

Policies in ABAC associate attributes, to characterize allowable or not actions, and to grant or deny access to personal information. For instance, when a requestor intends to be granted access to a particular medical information, PDP intercepts her request. PDP evaluates related policies handled by PAP and exploiting attributes retrieved from PIP. ABAC has been used to manage access to EHR platforms [64].

To evaluate our work, we implemented the context-based, predictive access control mechanism based on the XACML architecture and integrated it in EHRServer [65]. EHRServer is a clinical information management system on the basis of the standard of openEHR [66]. A bird’s eye view of the integrated system architecture is shown in Figure 4. The context handler communicates with the criticality evaluation mechanism, which, after having received the patient’s current health metrics, recent health history, age and the prediction of the future health metrics’ values for the next two hours, is able to calculate via the inferencing process the criticality level of the patient, by considering her current and future state for the two hours as well.

We implemented python’s tensorflow and keras in order to develop the LSTM RNNs trained model per patient which predicts her future health metrics based on her recent health history. All trained models were integrated in our web user interface (Figure 5) so as to output the respective predictions by implementing the trained models and to calculate the respective results per patient on the fly.

The web user interface is divided into six panes. In the upper left pane, the patient‘s ID, gender, age, height, weight and BMI are presented, while in the upper center pane, the system’s global access decision is presented. Below this feature, the ABAC selectable options are illustrated, which are the following: (i) the baseline ABAC, which handles basic thresholds as limits so as to permit or not access; (ii) the ABAC non-personalized case, which considers only the fuzzy inferencing process; and (iii) the ABAC personalized case, which considers the fuzzy inferencing process as well as the personalization aspect of age. All the three ABAC methods above take into consideration the SBP, DBP and HR health metrics, as presented in our previous work [7] regarding the patient’s diagnosis of present medical status, and we extend it in our current approach by including the patient’s prognosed health metrics after one or two hours by leveraging LSTM NNs. In the upper right pane, the patient’s current health metrics are demonstrated along with the current health status result of the prognostic context handlers case, which has already been selected on the previous pane, as well as the individual access results per health metric regarding the patient’s current status. In the lower left pane, the patient’s current health history within the last five hours is presented. In the lower center pane, our LSTM NN mechanism predicts the health metrics values for the next two hours along with the corresponding access requests by leveraging the fuzzy inferencing system of our previous work [7]. Finally, in the lower right pane, there is the button “Evaluate” for the system’s decision based on the chosen ABAC case.

4.2. Evaluation Scenarios and Datasets

We tested three scenarios as follows: first, access control was handled by the baseline ABAC. In particular, if the requestor is an emergency department (ED) health professional and at least one of the patients’ health metrics values is above the suggested threshold, then the patient’s situation is critical and, thus, the health professional can have access to the patient‘s healthcare data. The policy rule is presented as follows:

$$\begin{gathered} \mathrm{If} \left(\mathrm{requestor}=\mathrm{ED} \mathrm{Cilinician}\right) \mathrm{AND} \\ \mathrm{contextual} \mathrm{expression} ({\mathrm{SBP}}_{\mathrm{CURRENT}}>{\mathrm{SBP}}_{\mathrm{THRESHOLD}} \mathrm{OR} \\ {\mathrm{DBP}}_{\mathrm{CURRENT}}>{\mathrm{DBP}}_{\mathrm{THRESHOLD}} \mathrm{OR} \\ {\mathrm{HR}}_{\mathrm{CURRENT}}>{\mathrm{HR}}_{\mathrm{THRESHOLD}} \mathrm{OR} \\ {\mathrm{SBP}}_{\mathrm{AFTER}\_1\_\mathrm{HOUR}}>{\mathrm{SBP}}_{\mathrm{THRESHOLD}} \mathrm{OR} \\ {\mathrm{DBP}}_{\mathrm{AFTER}\_1\_\mathrm{HOUR}}>{\mathrm{DBP}}_{\mathrm{THRESHOLD}} \mathrm{OR} \\ {\mathrm{HR}}_{\mathrm{AFTER}\_1\_\mathrm{HOUR}}>{\mathrm{HR}}_{\mathrm{THRESHOLD}} \mathrm{OR} \\ {\mathrm{SBP}}_{\mathrm{AFTER}\_2\_\mathrm{HOURS}}>{\mathrm{SBP}}_{\mathrm{THRESHOLD}} \mathrm{OR} \\ {\mathrm{DBP}}_{\mathrm{AFTER}\_2\_\mathrm{HOURS}}>{\mathrm{DBP}}_{\mathrm{THRESHOLD}} \mathrm{OR} \\ {\mathrm{HR}}_{\mathrm{AFTER}\_2\_\mathrm{HOURS}}>{\mathrm{HR}}_{\mathrm{THRESHOLD}}) \\ \mathrm{then} \left(\mathrm{Critical} \mathrm{Situation}\right) \end{gathered}$$

(7)

In the second and third scenarios, we modified policy rule (7) with non-personalized and personalized context handlers, respectively. The policy rule now includes the patient’s predicted health metrics after one or two hours. (For details about how personalization in context handlers is achieved, please refer to [7]).

$$\begin{gathered} \mathrm{If} (\left(\mathrm{requestor}=\mathrm{ED} \mathrm{Clinician}\right) \mathrm{AND} \\ \mathrm{context} \mathrm{expression} (({\mathrm{CRITICAL}}_{\mathrm{SITUATION}\_\mathrm{CURRENT}}=\mathrm{true}) \mathrm{OR} \\ {(\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{SITUATION}\_\mathrm{AFTER}\_1\_\mathrm{HOUR}}=\mathrm{true}) \mathrm{OR} \\ {(\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{SITUATION}\_\mathrm{AFTER}\_2\_\mathrm{HOURS}}=\mathrm{true}))) \\ \mathrm{then} \left(\mathrm{Critical} \mathrm{Situation}\right) \end{gathered}$$

(8)

We tested the three scenarios using the publicly available dataset [67], comprising 4000 patients and including one file per patient. Each patient file, among others, includes SBP, DBP and HR health metrics history. These time-series sequential data are taken sporadically every ten minutes, or twenty minutes or even 1 h or more. The raw format of the dataset is shown in Figure 6.

The first lines of each file, annotated with time “00:00”, indicate the beginning of the metrics’ recording. The first lines denote the characteristics of each patient including age, gender, height or weight. Subsequent lines contain time-series measurements, recorded in chronological order, and the related timestamps from the beginning of the measurements. These measurements were reported at regular intervals ranging from hourly to daily, or at non-frequent timestamps. The metrics of interest to our study are Systolic Arterial Blood Pressure (SysABP), Diastolic Arterial Blood Pressure (DiaABP) and Heart Rate (HR).

We developed an additional software component to extract the health metrics of every hour, and we excluded all the files that had time gaps more than one hour. An example file is shown in Figure 7.

After data pre-processing, 2086 patient files remained. For each patient, a trained prediction model was developed and used for the prediction of the criticality for the next couple of hours.

4.3. Results

Table 1. Error of the predicted criticality.

Access Control Case	Criticality Prediction Error
ABAC with Personalized Fuzzy context handler.	6.86%
ABAC with non-Personalized Fuzzy context handler.	17.31%
Baseline ABAC.	17.74%

presents the error in criticality prediction after one and two hours, for the three previously-mentioned cases of: (i) baseline ABAC method, (ii) ABAC with non-personalized fuzzy context handler and (iii) ABAC with personalized context handler as described in our previous work [7].

The total number of patients whose future health state is falsely predicted per ABAC case is calculated using Formula (9). This number comprises the patients who are: (i) in non-critical state based on both of the predictions of the next two hours, but in a critical situation based on the real next two-hour situation where at least one the situations of the next two hours is critical, and (ii) in critical state based on at least one of the next two hours prediction, but in a non-critical situation based on both health states of the real next two hours. Formula (10) computes the falsely predicted criticality percentage (criticality prediction error).

$$\begin{gathered} \mathrm{Number}\_\mathrm{of}\_\mathrm{Patients}\_\mathrm{Total}\_\mathrm{Error} =\mathrm{Number} \mathrm{of} \mathrm{patients} \mathrm{where} \\ \mathrm{contextual} \mathrm{expression} {(((\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{PREDICTED}\_\mathrm{SITUATION}\_\mathrm{AFTER}\_1\_\mathrm{HOUR}}=\mathrm{false} \mathrm{AND} \\ {\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{PREDICTED}\_\mathrm{SITUATION}\_\mathrm{AFTER}\_2\_\mathrm{HOURS}}=\mathrm{false}) \mathrm{AND} \\ {(\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{REAL}\_\mathrm{SITUATION}\_\mathrm{AFTER}\_1\_\mathrm{HOUR}}=\mathrm{true} \mathrm{OR} \\ {\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{REAL}\_\mathrm{SITUATION}\_\mathrm{AFTER}\_2\_\mathrm{HOURS}}=\mathrm{true})) \mathrm{AND} \\ {((\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{PREDICTED}\_\mathrm{SITUATION}\_\mathrm{AFTER}\_1\_\mathrm{HOUR}}=\mathrm{true} \mathrm{OR} \\ {\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{PREDICTED}\_\mathrm{SITUATION}\_\mathrm{AFTER}\_2\_\mathrm{HOURS}}=\mathrm{true}) \mathrm{AND} \\ {(\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{REAL}\_\mathrm{SITUATION}\_\mathrm{AFTER}\_1\_\mathrm{HOUR}}=\mathrm{false} \mathrm{AND} \\ {\mathrm{C}\mathrm{R}\mathrm{I}\mathrm{T}\mathrm{I}\mathrm{C}\mathrm{A}\mathrm{L}}_{\mathrm{REAL}\_\mathrm{SITUATION}\_\mathrm{AFTER}\_2\_\mathrm{HOURS}}=\mathrm{false}))) \end{gathered}$$

(9)

$$\mathrm{Criticality}\_\mathrm{Prediction}\_\mathrm{Error}=\frac{\mathrm{Number}\_\mathrm{of}\_\mathrm{Patients}\_\mathrm{Total}\_\mathrm{Error}}{\mathrm{Number}\_\mathrm{of}\_\mathrm{all}\_\mathrm{patients}} \ast 100$$

(10)

The criticality prediction in the ABAC with personalized context handler case exhibits the lowest percentage error (6.86%) while the corresponding errors of the ABAC with non-personalized context handler and the baseline method are 17.31% and 17.74%, respectively.

5. Conclusions

In emergency healthcare situations, the health criticality of patients should be considered when permitting access to their EHRs. That is, recognizing life threatening situations in automated healthcare access control systems is imperative. Our work introduces an innovative access control method by taking into consideration machine learning techniques by estimating the patient’s future health metrics, based on her recent history. The access control method provides secure access for emergency healthcare professionals to sensitive healthcare information and simultaneously safeguarding the patient’s health.

Results show that personalization of fuzzy context handlers improves the accuracy of the access control results, in comparison with non-personalized context handlers. Our evaluation has shown that the Personalized ABAC Fuzzy Context Handler exhibits a low percentage error in predicting the overall health criticality of a patient. The integration of the predictive mechanism within the personalized context handler proved to be a robust tool to enhance the efficiency of the access control mechanism in EHRs System.

Limitations of our approach include the incorporation of only the patient’s age and a small number of health metrics in the fuzzy rules. Additional metrics, such as BMI, existence of chronic diseases, the glucose and the oxygen levels in blood or smoking or drinking habits, could be included in the future.