COAST Services: Achieving Service Customization and Policy-Based Differential Access in Personal Information Systems

UNIVERSITY OF CALIFORNIA, IRVINE

COAST Services: Achieving Service Customization and Policy-Based Differential Access in Personal Information Systems

DISSERTATION

submitted in partial satisfaction of the requirements for the degree of DOCTOR OF PHILOSOPHY in Information and Computer Sciences

by Alegría Baquero Merino

Dissertation Committee:
Professor Richard N. Taylor, Chair
Professor André van der Hoek
Professor Michael J. Carey

2014

Portions of Chapters 2, 6, 7 and 8 © 2014 Association for Computing Machinery, Inc.
Portions of Chapters 2, 7 and 8 © 2015 Springer-Verlag Berlin Heidelberg
All other materials © 2014 Alegría Baquero Merino

DEDICATION

To Reuben and Oliver, the loves of my life. To my parents, my everlasting source of love, support, and encouragement.

TABLE OF CONTENTS

LIST OF FIGURES
LIST OF TABLES
ACKNOWLEDGMENTS
CURRICULUM VITAE
ABSTRACT OF THE DISSERTATION

1 Introduction: Service Security and Customization

2 Motivation
  2.1 Motivating Domain: EHR Management
    2.1.1 Motivating Scenarios: Obtaining EHR Data

3 Research Questions and Goals

4 The Context of this Work
  4.1 Software Architecture
  4.2 Decentralized Systems
  4.3 Information Management Systems
  4.4 Web Services
    4.4.1 Service Provision
    4.4.2 Service Composition
    4.4.3 Service Customization
  4.5 Service Security and Access Control
  4.6 Privacy
    4.6.1 Privacy Concerns in the Healthcare Domain
  4.7 Privacy Policy Languages
  4.8 Policies and Services
  4.9 Trust and Reputation
  4.10 Ontologies
    4.10.1 Healthcare Information Standards

5 Foundational Technologies: COAST and Policy Languages
  5.1 The COAST Architectural Style
    5.1.1 Architectural Foundations
    5.1.2 Motile/Island
    5.1.3 Comparison with other styles and technologies
  5.2 Policy Specification Languages
    5.2.1 Evaluation Criteria
    5.2.2 Languages Overview and Evaluation
    5.2.3 Evaluation summary

6 Policy-Based COAST Services
  6.1 Policy-based Differential Service Provision
    6.1.1 Specifying Policies
    6.1.2 Policy Evaluation
    6.1.3 Associations of Policy and Service Capabilities
    6.1.4 Service CURLs
    6.1.5 Services Definition
    6.1.6 Dynamic Creation of Consumer-specific Services
    6.1.7 Capability Accounting
  6.2 Consumer-controlled Service Customization
    6.2.1 Customizing Single-Source Services
    6.2.2 Customizing Multi-Source Services
    6.2.3 Comparison to Other Related Technologies
  6.3 Limitations and Scope of this Work

7 Practical Experiments: COASTmed
  7.1 Empirical Domain: EHR Management
    7.1.1 Rethinking the EHR Scenario: Sharing and Using Patient Data in COASTmed
    7.1.2 EHR Data Model
  7.2 Initial System Architecture
  7.3 Specifying Policies in COASTmed
    7.3.1 Describing Policies Using Ontologies and User Interfaces
  7.4 Generating Service CURLs
    7.4.1 Evaluating Policies at CURL Creation Time
    7.4.2 Capability Accounting
  7.5 Using Services through User-specific CURLs
    7.5.1 Evaluating Policies at Service Use Time
    7.5.2 Other Explored Techniques to Retrieve Facts
    7.5.3 Dynamically Creating User Services
    7.5.4 Typed Messages
    7.5.5 Capability Accounting for Tracking Service Usage
  7.6 COASTmed within a Large Organization
  7.7 Implementation Technologies
  7.8 Design and Development Experience Insights

8 Evaluation
  8.1 Scenario-based Evaluations
    8.1.1 Simulation Setup
    8.1.2 Goal 1: Differential Access Support
    8.1.3 Goal 2: Capability Revocation
    8.1.4 Goal 3: Service Customization
    8.1.5 Goal 4: Data Integration
  8.2 Comparative Analysis
    8.2.1 Technologies Overview
    8.2.2 Systems Overview
    8.2.3 Analysis Results
    8.2.4 Discussion
  8.3 Generalizability to Other Domains

9 Conclusion

Bibliography

A Examples of privacy policies
    A.0.1 Hospital organizational privacy policies
    A.0.2 Insurance company organizational privacy policies

B Sample healthcare policies expressed in various policy languages
  B.1 EPAL
  B.2 XACML
  B.3 Cassandra
  B.4 PeerTrust
  B.5 Ponder
  B.6 Rei

C PrimaCare's data model

LIST OF FIGURES

2.1 A patient in the effort to access and share his EHR.
2.2 Researchers trying to obtain and organize distributed medical information.
2.3 Patient trying to obtain data from multiple, inter-related service providers.
5.1 Notional structure of a COAST execution host [121].
6.1 A provider, based on a set of policies, dynamically creates user-specific services.
6.2 A policy's contents.
6.3 Associations between policies and capabilities.
6.4 Explicit associations of policies and capabilities.
6.5 A CURL's anatomy.
6.6 Obtaining a user-specific CURL.
6.7 A provider's services.
6.8 A healthcare provider's services.
6.9 Sequence of messages for CURL request, and service creation and use.
6.10 Dynamic creation of user services.
6.11 Valid and revoked CURL scenarios.
6.12 Service customization.
6.13 A COAST peer running 3 user services.
6.14 EHR service customization.
6.15 Independent star topology.
6.16 Dependent star topology.
6.17 Ring topology.
6.18 Independent star topology scenario.
6.19 Dependent star topology scenario.
6.20 Ring topology scenario.
7.1 Parties and interactions in the healthcare domain.
7.2 Initial system architecture.
7.3 System architecture at tn.
7.4 A relational database structure to store policies
7.5 User interface to specify policies
7.6 Policy creation process
7.7 Using ontologies for policy specification
7.8 A service consumer's service CURL request
7.9 CURL sent to Dr. Smith
7.10 Dynamic user-specific service creation
7.11 Dynamic service creation based on CURL's data
7.12 A master policy maker creating a new global policy within each service provider system.
7.13 Policies also being retrieved from a global database at CURL creation time.
8.1 Simulation's main screen.
8.2 Scenario 1a: Jim (UUID 1) viewing John's EHR (UUID 5) ...
