Trust Realisation in Collaborative Clinical Trials Systems

Oluwafemi Ajayi, Richard Sinnott, Anthony Stell
National e-Science Centre, University of Glasgow, G12 8QQ

Keywords: Trust Negotiations, Security, Clinical Trials

Abstract

Because of the sensitivity of clinical data and the risk of unauthorised disclosure inherent in large distributed systems, sensitive clinical information can be compromised in terms of integrity, privacy and confidentiality. The dynamic nature and autonomy of large distributed health systems make it difficult to define a centralised access control framework for secure interactions across organisational boundaries. There is therefore a need for a decentralised access control framework that integrates credentials and access policies between organisations without compromising organisational autonomy. This paper presents a framework through which trust is discovered and realised using an approach we call dynamic trust negotiation (DTN). In this approach trust is realised through multiple negotiation and delegation hops of security credentials along mediated trust pathways. The approach addresses cross-boundary authorisation and provides an alternative to global (centralised) security models based on shared security ontologies.

Introduction

Distribution and heterogeneity have long been major obstacles to securing, or asserting control over, resources across organisational boundaries. The e-health domain is no exception: clinical researchers, health providers and associated IT staff need ways to share health records successfully and seamlessly if they are to improve, or make available, quality health care services. One major area that aims to improve health care services is research into, and support of, epidemiological studies and clinical trials.
Conducting such studies demands that detailed collaborative agreements between the various health care providers, partners and researchers are in place. Usually these collaborative agreements take the form of specific agreements (protocols) governing who is involved, where and how the collaboration is to be carried out and, importantly, how the data collected may be used. These collaborations require data to be shared between parties and across boundaries; hence the need to control access to shared resources. A key concept in this context is federation. Federation describes organisations that come together to collaborate on the basis of agreed standards, combining business and technological practices so that resources and services can be accessed across boundaries in a unified, secure and trustworthy way. A federation is built on trust, typically manifested through the agreed standards, semantics and procedures that are adopted. These agreements [1,2], also called negotiations, are usually reached between the sources of authority for the domains involved and govern what resources are shared, what schemas are exposed, what non-functional requirements apply, who provides what and who may access what. It is important to note that no federation can be realised without some level of trust and negotiation between the parties involved, including defining and enforcing that level of trust. Currently there are numerous ways of controlling access to remote resources in a federation. Solutions such as global schemas for federation administration [3] or centralised policies have been used to provide access control to remote resources. However, access control across boundaries becomes complex when collaborating partners are autonomous as regards what is shared, how it is shared, how it is described or structured, and who can access it [4]. It becomes more challenging still when dynamic sets of heterogeneous resources are to be federated.
The real problem, then, is how to relate and exchange security attributes and other essential security information between organisations in support of the federation without weakening any site's security policies or its infrastructure more generally [5]. Another way this issue has been explored is through the semantic heterogeneity [2] of security credentials, where the focus is on realising a credential's context and on how credentials relate to one another across boundaries [6,7]. The approach we propose here to address the heterogeneous and autonomous federation of policies is called Dynamic Trust Negotiation (DTN). It is based on trust delegation and provides dynamic negotiation of attributes, schemas or roles [8,9] when objects (resources) are requested. This is achieved by negotiating security credentials through delegation of privileges. The rest of the paper introduces a trust negotiation framework for decentralised access control that is currently being developed and tested in the MRC-funded Virtual Organisation for Trials of Epidemiological Studies (VOTES) project.

Dynamic Trust Negotiation

Dynamic Trust Negotiation (DTN) is an approach to establishing trust between strangers through the delegation of digital credentials by trusted intermediary entities, together with access control policies that specify which credentials may be delegated to strangers. To support this, DTN requires organisations (called nodes) to act as negotiators for other nodes. This gives a peer-to-peer model in which each organisation in the federation establishes trust and negotiates, both statically and dynamically, with neighbouring organisations, forming what is known as peer trust between peered organisations. This peer trust then permeates interactions between peered and non-peered organisations.
These interactions between peered and non-peered organisations are the basis for dynamic negotiation, which has the following objectives:
• to provide an alternative to the global schema approach;
• to negotiate security credentials through delegation of privileges;
• to solve cross-boundary authorisation issues;
• to dynamically discover chains of trust and establish trust;
• ultimately, to provide dynamic discovery and use of distributed clinical data resources.

In DTN we use a variant of the link state routing algorithm to discover chains of trust, or trust pathways, which must exist before credentials can be negotiated. The algorithm uses weights on paths/links, where a link's weight is the cardinality of the set of trust contracts that exist between the two nodes. Since DTN is not concerned with the shortest path to a destination, the algorithm is modified to discover multiple paths to a destination. Because routing broadcasts are themselves sensitive information, broadcasts are restricted to trust peers and messages are encrypted with shared keys or key pairs. Once each node has collated its routing information, it can judiciously select appropriate intermediate nodes for a given destination node. Details of this routing algorithm are outside the scope of this paper.

Scenario

Dr Bond is a healthcare professional based at Glasgow Royal Infirmary (GRI) and the principal investigator for the Scottish Coronary Clinical Trial (SCCT), holding the role Investigator. He logs into the trial portal and his credentials are pulled from his domain's credential repository. He decides to query for consented patient records of prospective participants. The portal pushes his credentials and query to the GRI Access Manager (GRI-AM). GRI-AM sends a request for data, along with Bond's Investigator credentials, to peers that are in a static trust relationship with GRI, such as the Southern General Glasgow Access Manager (SGG-AM).
Query results are returned, where applicable, based on Bond's credentials and the privileges delegated to him at SGG. SGG-AM then sends a request, using the credentials it has delegated to Bond through GRI, to other peers with which SGG is in a static trust relationship, such as the Royal Infirmary of Edinburgh Access Manager (RIE-AM). RIE-AM responds with delegated credentials through SGG-AM to GRI-AM. RIE-AM in turn sends a request, using the credentials it has delegated to Bond through SGG-AM, to the peers with which RIE is in a static trust relationship. The sequence GRI, SGG, RIE, ... is a trust pathway. The request process continues, with nodes joining the trust pathway, until all possible trust paths have been explored. The negotiated credentials are forwarded to GRI-AM, which then issues query requests with these credentials, on behalf of Bond, to each node's Resource Manager (RM). Figure 1 shows an architectural view of DTN and figure 2 shows a DTN request sequence.

Figure 1: Dynamic Trust Negotiation

Figure 2: Trust Negotiation Sequence in a Health System

VOTES

The VOTES project (Virtual Organisations for Trials and Epidemiological Studies) is a 3-year project funded by the UK Medical Research Council (MRC) involving several UK universities: Glasgow, Oxford, Imperial, Manchester, Nottingham and Leicester. The project investigates the application of grid technology to clinical trials and epidemiological studies in order to enhance the value of data, and the efficiency of data processing, in the clinical domain across local, regional and national boundaries [10] (e.g. between the health boards in Scotland and England). The project addresses three key areas of clinical trials: patient recruitment, data collection and study management. The sensitive nature of the data involved naturally means that security must be paramount and that any method of federating these data must adhere rigorously to the security policies of the parties providing them.
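The pathway discovery and the hop-by-hop delegation in the scenario can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the VOTES project or from the paper. It builds a constructed peer graph in which GRI, SGG and RIE are the nodes from the scenario and WIG is a hypothetical fourth node added so that more than one pathway exists. Each peer link carries a set of trust contracts whose cardinality is the link weight, all simple pathways to a destination are discovered (not only the shortest), each hop issues an attenuated credential for Bond, and each node's Resource Manager honours only credentials it delegated itself. The delegation policy, the field-to-privilege mapping and the ranking of pathways by weakest link are all assumptions made for the example.

```python
"""Added example (not from the paper): DTN trust pathway discovery followed
by hop-by-hop credential delegation, mirroring GRI -> SGG -> RIE."""
from collections import defaultdict

# Constructed trust graph. GRI, SGG and RIE are from the scenario; WIG is a
# hypothetical extra node. Link weight = cardinality of the contract set.
TRUST_CONTRACTS = {
    ("GRI", "SGG"): {"scct-recruit", "scct-data"},
    ("SGG", "RIE"): {"scct-recruit"},
    ("GRI", "WIG"): {"scct-recruit", "scct-data", "scct-audit"},
    ("WIG", "RIE"): {"scct-data"},
}

# Assumed per-node delegation policy: for an incoming role, the privileges
# the node is willing to delegate onward. A hop can only attenuate, never add.
DELEGATION_POLICY = {
    "SGG": {"Investigator": {"read-identifying", "read-stats"}},
    "RIE": {"Investigator": {"read-identifying", "read-stats"}},
    "WIG": {"Investigator": {"read-stats"}},
}

# Assumed mapping from result fields to the privilege an RM demands for them.
FIELD_PRIVILEGE = {"name": "read-identifying", "chi": "read-identifying",
                   "condition": "read-stats", "age_band": "read-stats"}

# Bond's home credential as pulled from GRI's credential repository.
BOND = {"subject": "Bond", "role": "Investigator",
        "privileges": {"read-identifying", "read-stats"},
        "issuer": "GRI", "chain": ["GRI"]}


def adjacency(contracts):
    """Undirected peer adjacency: neighbour -> link weight (contract count)."""
    adj = defaultdict(dict)
    for (a, b), cset in contracts.items():
        adj[a][b] = adj[b][a] = len(cset)
    return adj


def discover_pathways(source, target, contracts):
    """Every simple path source -> target, following only real peer links
    (a node never addresses a non-peer directly). Unlike shortest-path
    routing all paths are kept, ordered by weakest-link strength (assumed
    ranking) and then by hop count."""
    adj = adjacency(contracts)
    found = []

    def walk(node, path):
        if node == target:
            found.append(list(path))
            return
        for nxt in adj[node]:
            if nxt not in path:          # simple paths only: no trust loops
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    def strength(path):
        return min(adj[a][b] for a, b in zip(path, path[1:]))

    walk(source, [source])
    return sorted(found, key=lambda p: (-strength(p), len(p)))


def delegate_along(path, credential, policy):
    """Walk one pathway; each hop issues a new credential for the subject,
    scoped to the intersection of what arrived and what its policy allows."""
    cred = credential
    for hop in path[1:]:
        allowed = policy.get(hop, {}).get(cred["role"], set())
        cred = {"subject": cred["subject"], "role": cred["role"],
                "privileges": cred["privileges"] & allowed,
                "issuer": hop, "chain": cred["chain"] + [hop]}
    return cred


def negotiate(source, credential, contracts, policy):
    """The requesting AM's view after negotiation: for every other node, the
    delegated credentials obtained over each discovered pathway."""
    nodes = {n for link in contracts for n in link} - {source}
    collected = defaultdict(list)
    for target in sorted(nodes):
        for path in discover_pathways(source, target, contracts):
            collected[target].append(delegate_along(path, credential, policy))
    return collected


def best_credential(creds):
    """Pick the delegated credential carrying the most privileges."""
    return max(creds, key=lambda c: len(c["privileges"]))


def resource_manager(node, cred, fields):
    """Local RM: honour only credentials this node itself delegated, then
    release just the fields the delegated privileges cover (unknown fields
    are withheld). Returns None when the credential is refused."""
    if cred["issuer"] != node:
        return None
    return [f for f in fields if FIELD_PRIVILEGE.get(f) in cred["privileges"]]


if __name__ == "__main__":
    collected = negotiate("GRI", BOND, TRUST_CONTRACTS, DELEGATION_POLICY)
    for node, creds in collected.items():
        best = best_credential(creds)
        print(node, " -> ".join(best["chain"]), sorted(best["privileges"]),
              resource_manager(node, best, ["name", "chi", "condition"]))
```

Two points worth noticing when running it. The credential RIE delegates to Bond via SGG carries both privileges, while the one it delegates via WIG carries only read-stats, so GRI-AM must collect over every pathway rather than stop at the first one it finds. And because each RM refuses a credential it did not issue, a credential delegated by RIE cannot simply be replayed at SGG; the intersection at each hop means privileges can only narrow along a pathway, never grow.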
However, the flexibility needed for cross-boundary data queries must also be maintained; hence a novel grid solution for provisioning data and operation security must be developed for the enterprise to succeed. To this end, the prototype portals currently under development in the VOTES project are being built with modular role-based access control, both to allow fine-grained access control and to provide a basis for trust negotiations [11]. Based on security policies written by privileged super-users within a given trial, data fields classed at different sensitivity levels are hidden or shown according to the user's role within the portal. The portal provides a unified interface to federated data that remain protected by their data providers. For instance, a trial investigator should be able to see most identifying data (such as name, CHI number, etc.) about individuals, provided consent has been given and the security policy allows it. A nurse using the portal in the same trial, however, should only be able to see statistical data (such as conditions) and should not be able to tie these data to specific individuals. A parameter selection screen from the VOTES portal is shown in figure 3. In terms of underlying infrastructure, figure 4 shows the architecture of the VOTES portal system.

Figure 3: Parameter selection for a privileged role

Figure 4: VOTES portal system architecture

Once the parameters of interest have been selected, a distributed query over the relevant databases is constructed and executed through a grid service, a data service and a driving database that guards a pool of auxiliary database resources. The data are retrieved from these databases, joined on a common index and returned to the user as one unified result. Security is applied at two levels in this process:
• At the local resource level, a local manager denotes which roles are allowed to access the data in the local databases.
• At the VO level, an access matrix denotes which roles can access which data, and is consulted before the query is executed. The matrix is constructed by querying the various database schemas and populating it from a pre-set security policy.

The infrastructure outlined so far describes the design and operation of a virtual organisation of partner nodes sharing clinical data. For this to be achievable, these roles, in the form of credentials, must be negotiated and exchanged between nodes in a flexible and secure way. DTN provides a means for this by introducing a negotiation layer, shown in figure 1, in which the local trust policies shown in figure 4 act as Resource Managers (RM) that grant or deny access to their resources based on delegated privileges.

Conclusion

Negotiations today are global and static, and they reduce the independence and flexibility of each partner because they try to strike a balance between autonomy and heterogeneity. DTN ensures that these negotiations need be neither global nor static. This is achieved by (1) each collaborating member forming a peer-to-peer trust relationship with neighbouring partners by exchanging the security information that makes access possible for their users; (2) each collaborating member being allowed to delegate different trust information to different neighbouring partners; (3) all collaborating members sharing a common or overlapping vocabulary that allows resource requests to be understood and used to trigger negotiations; and (4) each collaborating member implementing a hierarchical access control model.

References

1. Heimbigner D, McLeod D. A Federated Architecture for Information Management. ACM Trans. Inf. Syst. 1985;3:253-78.
2. Sheth AP, Larson JA. Federated Database Systems for Managing Distributed, Heterogeneous, and Autonomous Databases. ACM Comput. Surv. 1990;22:183-236.
3. Sandhu RS, Samarati P. Access Control: Principles and Practice. IEEE Communications Magazine. 1994;32:40-8.
4. Becker MY. Cassandra: Flexible Trust Management and its Application to Electronic Health Records. University of Cambridge, Computer Laboratory, Technical Report UCAM-CL-TR-648; 2005 Oct.
5. Aslan G, McLeod D. Semantic heterogeneity resolution in federated databases by metadata implantation and stepwise evolution. The VLDB Journal. 1999;8:120-32.
6. Boniface M, Wilken P. ARTEMIS: Towards a Secure Interoperability Infrastructure for Healthcare Information Systems. In: From Grid to HealthGrid. IOS Press; 2005. p. 181-9.
7. Ehrig M, Sure Y. Ontology Mapping: An Integrated Approach. In: Proceedings of the First European Semantic Web Symposium. Lecture Notes in Computer Science. 2004;3053:76-91.
8. Sandhu RS, Coyne EJ, Feinstein HL, Youman CE. Role-Based Access Control Models. IEEE Computer. 1996;29:38-47.
9. Saunders G, Hitchens M, Varadharajan V. Role-based Access Control and the Access Control Matrix. SIGOPS Oper. Syst. Rev. 2001;35:6-20.
10. Sinnott RO, Stell AJ, Ajayi OO. Initial Experiences in Developing e-Health Solutions across Scotland. Workshop on Integrated Health Records: Practice and Technology, Edinburgh; 2006.
11. Sinnott RO, Ajayi OO, Stell AJ. Development of Grid Frameworks for Clinical Trials and Epidemiological Studies. In: Proceedings of the HealthGrid 2006 Conference, Valencia, Spain. IOS Press; 2006. p. 117-30.