CareGrid: Autonomous Trust Domains for Healthcare Applications
by Naranker Dulay, Emil Lupu, Morris Sloman, Jean Bacon, David Ingram and Ken Moody
The overall goal of the CareGrid project will be to develop middleware for supporting decisions based on trust, privacy, security and context models. Health care will be used as the application domain, but the middleware developed will be applicable to other e-science applications.
Future large-scale health care will involve many different organizations cooperating in patient care, including hospitals, GPs, dentists, pharmacies, drug companies and insurance companies. With the advent of new wireless healthcare devices, it is becoming feasible to contemplate new applications that offer real-time health care to patients, and involve complex interactions between many services in many organizations.
Consider a simple scenario in which a patient with an acute heart condition subscribes to a monitoring service that provides wearable sensors and a small wireless controller. These devices send monitored information to the service centre and, if necessary, relay feedback to the patient from a medic. If an emergency is detected, the monitoring service calls an ambulance. The monitoring service needs access to the patient's cardiac history held by the patient's GP and by the hospital where the patient was previously treated, and must liaise with the emergency services and with the hospital to which the patient will be taken for emergency treatment. Assume the monitoring service also provides anonymized monitoring records for medical research. Hospitals need to interact with the patient's GP and possibly social services in order to provide care for a patient following treatment. In a small hospital there may not be sufficient local expertise to evaluate patient information such as X-rays and ECG readings, so these need to be sent to a remote expert over the network. Perhaps the patient's usual consultant is unavailable and a new trusted one must be chosen: this is a form of trust-based choice of service. A consultant evaluating an X-ray or an ECG may wish to search for similar examples via a medical services grid, but then the question of trust in the source of those examples arises. Issues of trust, privacy, security and context pervade this simple scenario.
CareGrid aims to provide middleware for organizing and coordinating trust, privacy and security decisions across collaborating entities using autonomous trust domains and context. Examples of trust domains include a body-area network monitoring the health of a patient, a team of care workers responsible for a patient, and a hospital or regional health authority. Trust domains can be federated and/or grouped in hierarchical or P2P fashion. This requires protocols for group membership and trust negotiation, as well as an overarching architecture that is self-managing. In addition to trust domains, specific components of the CareGrid architecture include the following:
- A trusted communication layer, somewhat akin to SSL/TLS, that supports trust negotiation, privacy control and evidence collection. Requests for trusted interactions are forwarded to the local trust domain, which is responsible for determining whether the interaction should succeed or fail. This can involve negotiation with the trust domain of the requester as well as with other trust domains. The trust domain is also capable of providing a signed statement of the reasons for success or failure, so that a decision can later be audited and its justification checked. If a request succeeds, the system will typically establish a new secure channel and trigger any necessary security adaptations, eg in the communications or access control systems.
- A language framework for specifying trust, privacy, security and management policies.
- A federated access control model suitable for expressing authorization policy for dynamic trust-domains and dynamically created security associations, in particular to dynamically change authorizations, or mandate changes to the security policy in response to changes in trust and context.
- An evidence service that collects, filters, synthesizes and anonymizes experience, risk, recommendation and reputation data that can be used as evidence for trust evaluation. Note that evidence may have to be archived for audit and statistical evaluations. The evidence service will include anonymization mechanisms to maintain the usefulness of evidence data to the greatest possible extent, while still honouring privacy requirements.
- A context management service that allows trust, privacy and security to be related to context, and for triggering trust-privacy-security adaptations when context changes. Examples of context include the location of a person or device, the time of day, environmental readings, physiological state (eg heart rate), patterns of past behaviour, user preferences and current roles. The context management service will support context schemas, context sensing and flexible context querying. Initial work will be performed at Imperial College on incorporating uncertainty into context values and defining functions over uncertain contexts.
- Mechanisms for protection against attacks on the trust-privacy-security-context infrastructure.
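The following is an added illustration of how a trust domain of the kind listed above might be modelled, not code from the CareGrid project: a domain evaluates a request against a trust level negotiated with the requester's domain and against uncertain context values (each value carries a confidence score, which is an assumption about how the Imperial College uncertainty work might be represented), emits a signed statement of the reasons for its decision, and re-evaluates open sessions whenever the context changes, revoking any that no longer satisfy policy. All class names, the rule format and the sample policy are hypothetical. Signing uses an HMAC over canonical JSON for self-containment; a real deployment would use a public-key signature so that other domains, not only the issuer, can verify the statement.

```python
"""Toy CareGrid-style trust domain (added illustration; all names are hypothetical)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ContextValue:
    """A sensed context value with a confidence in [0, 1] (assumed model of uncertainty)."""
    value: object
    confidence: float


@dataclass(frozen=True)
class Request:
    requester: str
    requester_domain: str
    resource: str
    action: str


@dataclass
class Decision:
    granted: bool
    reasons: List[str]
    statement: bytes   # canonical JSON of the decision, the thing that is signed
    signature: str     # hex HMAC-SHA256 over statement (stand-in for a public-key signature)


# A predicate over the context map returns (satisfied?, human-readable reason).
Predicate = Callable[[Dict[str, ContextValue]], Tuple[bool, str]]


def requires(key: str, expected: object, min_conf: float) -> Predicate:
    """Function over uncertain context: the value must match AND be known confidently enough."""
    def check(ctx: Dict[str, ContextValue]) -> Tuple[bool, str]:
        cv = ctx.get(key)
        if cv is None:
            return False, f"context '{key}' unknown"
        if cv.value != expected:
            return False, f"context '{key}' is {cv.value!r}, need {expected!r}"
        if cv.confidence < min_conf:
            return False, f"context '{key}' too uncertain ({cv.confidence:.2f} < {min_conf:.2f})"
        return True, f"context '{key}' = {expected!r} (confidence {cv.confidence:.2f})"
    return check


class TrustDomain:
    def __init__(self, name: str, key: bytes, trusted_domains: Dict[str, float], policy):
        self.name = name
        self._key = key
        self.trusted_domains = dict(trusted_domains)  # negotiated trust per peer domain, 0..1
        self.policy = list(policy)                    # rules: (resource, action, min_trust, predicate)
        self.context: Dict[str, ContextValue] = {}
        self.sessions: Dict[str, Request] = {}        # open sessions granted by this domain

    def evaluate(self, req: Request) -> Decision:
        reasons: List[str] = []
        trust = self.trusted_domains.get(req.requester_domain, 0.0)  # unknown domain: no trust
        granted = False
        for resource, action, min_trust, pred in self.policy:
            if (resource, action) != (req.resource, req.action):
                continue
            if trust < min_trust:
                reasons.append(f"trust in {req.requester_domain} {trust:.2f} < required {min_trust:.2f}")
                continue
            ok, why = pred(self.context)
            reasons.append(why)
            if ok:
                granted = True
                break
        if not reasons:
            reasons.append(f"no rule for {req.action} on {req.resource}")
        return self._sign(req, granted, reasons)

    def _sign(self, req: Request, granted: bool, reasons: List[str]) -> Decision:
        """Signed statement of the reasons for success or failure, for later audit."""
        body = {"domain": self.name, "requester": req.requester,
                "requester_domain": req.requester_domain, "resource": req.resource,
                "action": req.action, "granted": granted, "reasons": reasons}
        statement = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._key, statement, hashlib.sha256).hexdigest()
        return Decision(granted, reasons, statement, sig)

    def verify(self, d: Decision) -> bool:
        expected = hmac.new(self._key, d.statement, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, d.signature)

    def open_session(self, sid: str, req: Request) -> Decision:
        d = self.evaluate(req)
        if d.granted:
            self.sessions[sid] = req
        return d

    def update_context(self, key: str, value: object, confidence: float) -> List[str]:
        """A context change triggers re-evaluation; sessions that no longer pass are revoked."""
        self.context[key] = ContextValue(value, confidence)
        revoked = [sid for sid, req in self.sessions.items() if not self.evaluate(req).granted]
        for sid in revoked:
            del self.sessions[sid]
        return revoked


def demo() -> dict:
    # Constructed sample policy: cardiac history is released only to a well-trusted domain
    # and only while the patient is confidently known to be in an emergency.
    hospital = TrustDomain("hospital", b"demo-key",
                           {"monitoring-service": 0.8, "research-portal": 0.3},
                           [("cardiac-history", "read", 0.7, requires("patient_state", "emergency", 0.8))])
    medic = Request("medic-17", "monitoring-service", "cardiac-history", "read")
    analyst = Request("analyst-2", "research-portal", "cardiac-history", "read")
    hospital.update_context("patient_state", "emergency", 0.5)   # sensor unsure
    denied_uncertain = hospital.open_session("s1", medic)
    hospital.update_context("patient_state", "emergency", 0.95)  # confirmed
    granted = hospital.open_session("s1", medic)
    denied_untrusted = hospital.open_session("s2", analyst)
    revoked = hospital.update_context("patient_state", "stable", 0.9)  # emergency over
    tampered = Decision(True, [], granted.statement + b" ", granted.signature)
    return {"denied_uncertain": denied_uncertain, "granted": granted,
            "denied_untrusted": denied_untrusted, "revoked": revoked,
            "signature_valid": hospital.verify(granted),
            "tampered_valid": hospital.verify(tampered)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.reasons if isinstance(v, Decision) else v)
```

The reasons list is part of the signed statement, so an auditor can later check not just that access was granted but why; the re-evaluation on every context update is what turns a static authorization into the adaptive one the architecture calls for.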
The CareGrid project is a collaborative project between groups at Imperial College London and the University of Cambridge. The two groups have common and complementary expertise in distributed and ubiquitous systems, including security and trust management. The project is funded by the UK's EPSRC and is due to start in October 2005.
Naranker Dulay, Imperial College London, UK
Tel: +44 20 7594 8288