This is one of the possible Use Cases.
A user is at a hospital's Web site to access medical records. The user's and hospital's systems negotiate so as to automatically establish trust with the goal of retrieving medical records. The negotiation is based on the policies and the credentials each system has. The user's and hospital's policies describe who they trust and for what purposes.
The use case has been proposed by REWERSE to the RIF WG participants as use case 'Negotiation II: Automated trust establishment for accessing medical records'.
3. Links to Related Use Cases
4. Relationship to OWL/RDF Compatibility
5. Examples of Rule Platforms Supporting this Use Case
6. Benefits of Interchange
Benefit 1: This use case clearly motivates the need for a rule interchange format since rules expressing policies are to be exchanged between parties engaged in negotiations.
7. Requirements on the RIF
- For negotiation, each party should be able to export its policies in a format that the other parties engaged in the negotiation can understand.
- Different kinds of rules (deductive, normative, and reactive rules) should be supported.
8.1. Actors and their Goals
- Alice wants to access the medical record of her brother. She uses a system of her own to determine whether a party is trustworthy.
- Bob is Alice's brother; he is under treatment at two different hospitals.
- The hospital system stores data such as medical reports and has its own policies for record retrieval.
8.2. Main Sequence
Alice is at the hospital Web site and tries to retrieve the medical record of her brother Bob. A negotiation between Alice's system and the hospital's system begins with Alice's read request over the Web. Alice receives a policy stating that
(r1) she must be a medical employee at the hospital for reading medical records;
(r2) if she is employed at the general medicine department she can retrieve all data of the hospital's medical records;
(r3) if she belongs to another department, she may retrieve only the subset of the data that corresponds to her discipline; the hospital's system determines this subset with deductive rules (r4).
(r5) anyone can retrieve his or her own records after disclosure of an id to prove identity.
The hospital has two further policies that are not released to Alice but nonetheless apply to her request:
(r6) because Bob has been under psychiatric treatment at another hospital for some years, his psychiatric consultant at that hospital can also access his current records. Since releasing this policy would already tell any requester (e.g. Alice) that Bob is under psychiatric treatment, the policy is kept private and is disclosed only to medical employees of the hospital (after they have presented the appropriate credential);
(r7) as required by law, the hospital has a policy stating that patient records can be accessed by police officers presenting a request signed by a judge.
If Alice holds credentials stating that she is a police officer and presents such a signed request, her read request triggers a notification to the hospital manager (r8). If the manager accepts the request, access is granted.
It is important to note that these two policies apply even though they are not publicly advertised. That means that Bob's psychiatric consultant can send his employee credential together with the request and receive the data without difficulty.
Finally, apart from the hospital's policies above, there exists a monitoring constraint stating that information about VIP patients (e.g. the president of the government) is never provided online (r9).
Automated trust establishment is possible when the policies for every credential and every service can be codified; to minimize user intervention, the codified policies should be checked automatically whenever possible. Note that "policies" here covers access control policies, privacy policies, business rules, etc.
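To make the codification concrete, the following Python sketch is an added example written for this page; it is not REWERSE's negotiation software and not RIF syntax. It encodes r1-r9 as a small policy engine on the hospital side and a release policy on the requester side, so that one can see how a private policy (r6, r7) still governs a request it was never disclosed for, how the reactive rule r8 produces a notification rather than an immediate grant, and how the monitoring constraint r9 overrides everything else. The hospital and person names, the credential attribute layout, the record field names and the r4 discipline table are all assumptions.

```python
"""Toy trust-negotiation engine for the hospital use case (rules r1-r9).

Added illustration for this page: not REWERSE code and not RIF syntax.
Names, credential layout, record fields and the r4 table are assumed.
"""
from dataclasses import dataclass, field

HOSPITAL = "City Hospital"                      # assumed name of the hospital enforcing the policies
RECORD_FIELDS = {"ecg", "lab", "medication", "imaging", "psychiatry", "notes"}

# r4 (deductive): which record fields a discipline may read.
# r2 is the special case "general medicine reads everything".
DISCIPLINE_FIELDS = {
    "general medicine": RECORD_FIELDS,
    "cardiology": {"ecg", "lab", "medication"},
    "radiology": {"imaging", "lab"},
}

# Constructed patient database. `external_consultants` holds the
# (hospital, name) pairs admitted by r6; `vip` triggers r9.
PATIENTS = {
    "Bob": {"vip": False, "external_consultants": {("Lake Clinic", "Carol")}},
    "President": {"vip": True, "external_consultants": set()},
}


@dataclass
class Decision:
    granted: bool = False
    fields: set = field(default_factory=set)
    disclosed_policies: list = field(default_factory=list)
    notifications: list = field(default_factory=list)   # r8 side effects
    pending_manager_approval: bool = False


def has_cred(creds, kind, **attrs):
    """True if some credential is of `kind` and carries all of `attrs`."""
    return any(c.get("type") == kind and all(c.get(k) == v for k, v in attrs.items())
               for c in creds)


def disclosable_policies(creds):
    """Hospital side: which policies may be shown to a requester holding `creds`.

    r1-r5 are public. r6 reveals Bob's psychiatric treatment, so it is shown
    only to this hospital's own employees. r7 is never advertised. Both still
    apply to every request (see evaluate()).
    """
    shown = ["r1", "r2", "r3", "r4", "r5"]
    if has_cred(creds, "employee", hospital=HOSPITAL):
        shown.append("r6")
    return shown


def evaluate(requester, patient, creds):
    """Hospital side: apply r1-r9 to a read request for `patient`'s record."""
    d = Decision(disclosed_policies=disclosable_policies(creds))
    p = PATIENTS[patient]
    if p["vip"]:                                   # r9: monitoring constraint, nothing online
        return d
    if has_cred(creds, "id", subject=patient):     # r5: own record after proving identity
        d.granted, d.fields = True, set(RECORD_FIELDS)
        return d
    for c in creds:
        if c.get("type") != "employee":
            continue
        if c.get("hospital") == HOSPITAL:          # r1-r4: employee, subset by discipline
            allowed = DISCIPLINE_FIELDS.get(c.get("department"), set())
            if allowed:
                d.granted = True
                d.fields |= allowed
        elif (c.get("hospital"), c.get("name")) in p["external_consultants"]:
            d.granted, d.fields = True, set(RECORD_FIELDS)   # r6: outside psychiatric consultant
    if has_cred(creds, "police officer") and has_cred(creds, "court order",
                                                      patient=patient, signed_by="judge"):
        # r7 applies; r8 (reactive) notifies the manager instead of granting directly
        d.notifications.append(f"manager: {requester} requests {patient}'s record "
                               f"with a judge-signed order")
        d.pending_manager_approval = True
    return d


def release_credentials(own_creds, peer_creds):
    """Requester side: release credentials only to a party that has proven
    to be a hospital (assumed 'hospital' credential), otherwise nothing."""
    return list(own_creds) if has_cred(peer_creds, "hospital") else []


def negotiate(requester, patient, own_creds, hospital_creds):
    """Both sides of the exchange: the requester decides what to release
    given the hospital's credentials, then the hospital decides on access."""
    return evaluate(requester, patient, release_credentials(own_creds, hospital_creds))


if __name__ == "__main__":
    alice = evaluate("Alice", "Bob", [])
    print("Alice sees policies", alice.disclosed_policies, "granted:", alice.granted)
    carol = evaluate("Carol", "Bob",
                     [{"type": "employee", "hospital": "Lake Clinic", "name": "Carol"}])
    print("Carol granted:", carol.granted, "r6 shown to her:", "r6" in carol.disclosed_policies)
```

Running the block shows the point of L22-L27: Alice is shown only r1-r5 and is refused, while Carol, Bob's consultant at the other hospital, is granted access under r6 even though r6 was never disclosed to her. A police credential with a judge-signed order yields a pending decision plus a manager notification (r8), and any request for a VIP patient is refused before the other rules are consulted (r9).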
Taking into consideration the proposed classification of rules, one possible classification of the rules occurring in this use case is:
- normative rules (r1,r5,r6,r7,r9)
- deductive rules (r2,r3,r4)
- reactive rules (r8)
However, one might argue that rules r5, r6, and r7 are deductive rather than normative rules. The classification given above is not the only possible one, since the proposed classification of rules (see Classification of Rules) is not sharp.