Research paper
GDPR impacts and opportunities for computer-aided diagnosis Guidelines and legal perspectives
Micael Pedrosa∗†, Carlos Costa∗ ∗University of Aveiro
Aveiro, Portugal {micaelpedrosa,carlos.costa}@ua.pt
Julián Dorado† †University of A Coruña
Coruña, Spain [email protected]
Abstract—The General Data Protection Regulation (GDPR) is lengthy and it is essential to resume the impacts of it in specific use-cases to diminish the gap between system developers and regulators. Computer-aided diagnosis is one of such use-cases with increased importance on clinical screening programs. The regulation has distinct mentions that affect automated-decision solutions and healthcare records. This work identifies the fundamental legal issues, challenges and opportunities for this scenario and propose architectural guide- lines to tackle them. The result is purely theoretical, however it is based on known architectures such as signaling networks, already applied in the telecommunication sector.
Keywords-GDPR; Computer-Aided Diagnosis; Architectural Guidelines
I. INTRODUCTION
The data explosion crisis is a reality in radiology. This
presents a challenge not only for storage and data flow
[1], but also puts a burden on physicians already in short
supply [2], especially on mass screening programs where the
disease coverage is low. A computer-aided diagnosis (CAD)
system that could rule out the presence of a disease with a
high degree of accuracy and thus relieve radiologists from
reading a significant proportion of images would be highly
desirable. This opens opportunities for third-parties to pro-
vide CAD solutions as a service for healthcare organisations.
However, potential clients of such services are concerned
on the perception of justice in automated-decision making
algorithms [3], as also the possible privacy issues under the
flag of public health interest [4]. CAD solutions can improve
early diagnosis (a key to high rate survival) and lower the
healthcare cost. A good solution should be able to transpose
the best practices of specialists to automated software,
helping the decision of internal physicians. Moreover, the
challenges of CAD systems are migrating from the technical
aspects of performance bottleneck to the realm of security
and legal constraints. The GDPR released some guidelines
for automated decision-making and profiling (art 22).
Technical guidelines, architectures, specifications and
reusable frameworks will be utterly crucial in assuring a
common ground for compliance. This work will identify the
fundamental legal issues and propose architectural guide-
lines to tackle them.
II. BACKGROUND AND LEGAL FRAMING
The GDPR requires that personal data be protected against
illegitimate processing, accidental loss, destruction or dam-
age. IP addresses, device identification, location and cookies
are now considered personal data. The GDPR demands the
use of best practices to minimise the risk of a security
breach (art 32). This changes the way webmasters and
vendors collect, store and use such information. A survey
report conducted by Veritas 1 from 900 business decision
makers around the world indicates that 31% believe that
their enterprise is already GDPR compliant, but the analysis
of the data by experts found that only 2% actually appear
to be compliant. The false perception or even the uncer-
tainty of the results suggests that the regulation is not easy
for interpretation. The regulation is lengthy, and the best
approach for an initial high coverage is to lock down all
data. However, there are many exceptions (i.e. medical emer-
gencies) and implicit consent roads that break the closed
box approach. These exceptions fall into the break-the-glass
security category [5]. Although not utterly important in the
CAD scenario, these exceptions can be managed by the same
access control and consent mechanisms.
A. Lawful basis for processing
The most known legal constraint of the GDPR is related
to consent (art 7), and is distinctively designed for medical
data (art 9) where specific types of consent are required. A
data protection impact assessment (art 35) is also mandatory
for this type of information. Yet, in the healthcare sector, pa-
tient’s data is held under a duty of confidence. Physicians do
not require the subject’s explicit consent; they are protected
by exceptions (art 7) and other bases in the “lawfulness of
processing“ (art 6), such as the public task basis. However,
to invoke this lawfulness, there should be some registry
noticing the service request from the patient, meaning that,
1https://www.veritas.com/content/dam/Veritas/docs/reports/gdpr-report- ch2-en.pdf
616
2019 IEEE 32nd International Symposium on Computer-Based Medical Systems (CBMS)
2372-9198/19/$31.00 ©2019 IEEE DOI 10.1109/CBMS.2019.00128
even implicit consents require some kind of record. Third-
party CAD services are not in this sphere of lawfulness and
also have to concern with other aspects of the regulation.
Any data flow or processing from those entities requires a
subject consent registry that is non-repudiable, unforgeable
and tamper-resistant. 1) Electronic Consent Framework: Electronic consent
has some advantages over paper documents. For instance, in
the EU eIDAS2 legal framing can now be used to recognise
a digital signature with the same value as a handwritten
signature. This makes granular consent frameworks (such
as ones based on check-boxes) more tamper-resistant. The
availability of electronic records and consents facilitates
its withdraw (art 7 - 3), personal information rectification
(art 16) and the status change notifications. Yet, consent
requires some security features. Non-repudiation is one
of the most important with some attached dependencies,
mainly, integrity and authenticity of records. The former
is easily achieved with digital signatures, but the latter
requires true Self-Sovereign Identities (SS-IDs) [6]. SS-IDs
is a form of user-centric (and sovereign) digital identity
without relying on a centralised organisation. However this
comes with some drawbacks, full sovereignty will make any
break-the-glass procedure unfeasible and unpractical for any
real-world application, especially in medicine where this is
utterly important. 2) Identification and data linkage: In order to demon-
strate proper consent, it is critical to match the correct
patient to the corresponding data that requires consent
within multiple healthcare providers. This connection can
be included in the consent record if it follows appropriate
security requirements. In 2017, the ECRI Institute presented
the report analysis “Health IT Safe Practices: Toolkit for
the Safe Use of Health IT for Patient Identification“3 of
over 7,600 patient safety events related to patient identifi-
cation. These mismatches create safety issues and can lead
to adverse events [7]. Although the IHE Patient Identifier
Cross-referencing (PIX) profile is defined primarily for this
task, it has no cryptographic features that can deliver digital
signatures. Nowadays, we mainly rely on identity providers (IdPs)
to maintain our digital identity. Google, Facebook, Twitter
and others, although offering integration with data curators
through Single-Sign On (SSO) protocols, users do not have
ownership of their digital identity as it is always “given to
them“. IdPs lack the non-repudiable, anti-impersonation and
tamper-resistant features since there is no technical guar-
antee that staff members cannot control or change identity
registries (only the goodwill of the service provider). The
mere possibility of IdPs cheating gives the opportunity for
a user to deny a consent record and trying to blame the IdP
2https://www.eid.as 3https://www.ecri.org/Resources/HIT/Patient
ID/Patient Identification Toolkit final.pdf
for it. There are novel attempts using cryptographic methods
to remove the strong trust in IdPs such as SlashID [8].
However, this requires a drastic change in the authentication
protocol. There are opportunities for federated architectures
[9] to fill the needs of identification and consent registration.
Yet, a reworking has to be made to circumvent the trust
issues, such as introducing self-sovereign elements, claims
and attestations into the mix.
B. Principles of data management
The GDPR creates incentives and relaxes several require-
ments for controllers who pseudonymize and encrypt data,
such as extending the processing to a different purpose than
the one for which it was initially envisioned (art 6 - 4e). And,
since pseudonymization reduces the personal data exposure,
breach notifications can also be diminished (art 33, 34).
On the alternative approach, anonymous data is not under
the GDPR. However, the threshold for anonymisation is
very high. Subject anonymity is more complex than initially
anticipated, DNA sequences can be linked to real-world
human identities and faces can be reconstructed with 3D
magnetic resonance imaging (MRI) [10]. In general, the
techniques are difficult [11] and not always possible [12],
[13], and thus so, constraining the use of specific datasets
without proper consent. The recommendation is, do not
assume that anonymisation is possible.
In terms of data retention policy, there is no absolute
“right to erasure“ (art 17). A subject can invoke this right
only when there is no compelling reason for its con-
tinued processing. Care providers can always justify the
data safekeeping for the purposes of providing continuous
medical care. For CAD providers, data retention must be
in accordance with “the necessity and proportionality of the
processing operations“ (art 35 - 7b) and the principle of
“data minimisation“ (art 5 - 1c). The recommendation is to
erase the data once the automated diagnosis is completed,
minimising the surface area for subject identification.
C. Automated decision-making
Art 13 demands transparency and “meaningful infor-
mation about the logic involved“ for automated-decisions.
This right has become the subject of substantial academic
attention [14], [15]. Some authors are already including it
in their methodologies, not only important machine learning
(ML) metrics but also paying attention to the interpretability
of the model [16]. Google outlines what they considered
the fundamentals of interpretability [17], by “making sense
of hidden layers“. However, this has always a price in
terms of accuracy. Automation is designed to reduce human
error, however also causes a false perception of the lack
of accountability. Black box methodologies can lead to
unpredictable results (bias and overfitting) and are prone to
attacks. Moreover, when the results of automation extend
to the level of experts, the output is viewed as reliable
617
leading to automation complacency [18] and consequently
to the paradoxical effect of increasing errors rather than
eliminating them [19]. The complacency issue was originally
identified in aviation, but from then it has also spread into
the medical field [20]. The purpose of art 22 is to protect the
data subject against such consequences, by ensuring human
control regarding the automated decisions.
III. ARCHITECTURAL GUIDELINES
The fundamental components and relations were identified
and are depicted in Figure 1. Our goal is not to present a
detailed architecture, but to identify targets and opportunities
for future researches. One should identify three affinity
domains. Besides all external services providing a common
infrastructure, there is the radiology centre from a hospital
(the GDPR controller of patient’s data) and, the third-party
(T-P), a processing entity providing the CAD service. The
objective of the use-case scenario is for medical images to
be analyzed by the CAD service. For this, the CAD-Proxy
(CAD-P) is monitoring recently added images from a picture
archiving and communication system (PACS) 4 server a). The patient can manage his consent records on the Consent
Registry Platform (CRP) remotely from the Authorization
Point (AP) b). From those records the CAD-P is able to filter the eligible studies and send them to the third-party CAD
service c). The image modality is then processed by the respective CAD module d), with the outcome registered in a database e). Those results can be presented to physicians f) in priority order, but none should be automatically discarded.
Although physicians are in a different domain, authentication
and SSO integration can be provided by the IdP. Selecting a
case from the list will open g) a detailed view of the study in a certified workstation h). These usually have direct access to PACS and could be integrated with CAD-P to collect
additional information i) from the CAD result.
A. Network Connectivity
All services can be interconnected in an overlay network
[21] or other message broker system. These type of ar-
chitectures are being widely deployed [22] to interconnect
micro-services and suits perfectly as a message signalling
network. This layer is represented by the blue dotted lines,
capable of controlling other data transfer channels (dark
dotted lines). This architecture is especially important for
the following features: maintaining a scalable service of per-
manent connectivity, delivering breach notifications, tracing
data transmissions and managing erasure requests. These
network signals can be recorded in external services for
accountability management.
4https://searchhealthit.techtarget.com/definition/picture-archiving-and- communication-system-PACS
B. Unique Digital Identity
In order for the pipeline to work a Unique Digital Identity
(UDI) (strongly related to the subject cryptographic secret
key) must exist, glueing all records from different services,
and should serve as a network address. The UDI may be
supported via public key infrastructure (PKI) or eIDAS5
solutions. The CAD-P is the only service capable of trans-
lating from a Patient IDs (PIDs) to UDIs and vice versa.
The UDIs represents a sovereign digital identity supported
by the IdP infrastructure, maintaining features such as:
key-management, pseudonymity, break-the-glass procedures,
integrity and construction of non-repudiable records. This
should fullfill the initial requirements of a proper electronic
consent framework, where all consents should be traced to
a unified identity.
C. Authorization Point
The Authorization Point should refer to a device where
the subject’s cryptographic secret key is secured. This is
the only device capable of generating digital signatures for
the respective UDI. It is the access point for the patient to
interact with other system components. The user interface
should provide features to: manage the identity life cycle
and consents, trace personal data movements and, receive
important notifications (breach notifications, diagnostic re-
sults). Cell phones, smart cards and USB keys should be in
the range of possible options.
D. Consent Registry Platform
One important feature of the CRP is related to non-
repudiation. The CRP is a self-sovereign database of cryp-
tographically signed consents, with the respective secret key
under the UDI jurisdiction. This means that consent can only
be changed by the one controlling the secret key. The CRP
should be authoritative regarding consent management, not
the IdP. Consent records should contain the respective data
references, the purpose of the request, the limited timeline
span (if necessary) and to who is given.
E. Security Breach Isolation
Data minimisation is an important concept that can isolate
privacy breaches. For instance, a security breach on a
financial profile should not spread to healthcare records. This
is implemented in some countries, having an identification
number for each government provided service (social secu-
rity, tax services). There are opportunities to extend the same
method to other services in a way that it is controlled by
the data-subject. Yet, it would be desirable to have a unique
point controlling all existing profiles for a single identity.
The already mentioned AP software should be able to switch
between those profiles. In Figure 2 it is presented a possible
approach where profiles have a hidden relation with the main
5https://www.cryptomathic.com/news-events/blog/understanding-eidas
618
Figure 1. The overall architecture of a third-party CAD integration with a radiology centre for medical imaging analysis. Blue dotted lines identify a signalling network that manages and logs the activities of data transmissions on other channels (dark dotted lines). These data transmissions are under the control of the data-subject (identified by the UDI) via the Authorization Point (AP).
UDI, and that, should only be disclosed under the control
of the data-subject. In this approach, isolation is provided
in two steps: 1) disclosing all the data references and locations for a respective profile and 2) providing consent to access those records. The advantage of such methodology
is that the disclosure process can be provided by different
infrastructure services and, if the AP software only has
the required information (access keys/secrets/passwords) to
access a single profile at an instant of time, any security
breach would be isolated to that profile. At the same time,
actions in our daily life are defined by context and consent
should be given in that context.
Figure 2. Overview of the integration of the identity and associated profiles with existing infrastructure. The structure may have two levels of isolation: the disclosure reveals the pseudonymous profile related to the patient UDI and, consent provides access to the profile files stored in organisations.
F. Accountability Manager
The Accountability Manager (AM) is similar to the CRP,
a database of cryptographically signed records. But these
are system records, not user records. Those records will
contain: certifications of UDIs from deployed services,
service level agreements (SLAs) and statistics from CAD
modules, reports of data transmissions collected by the
network, or any other relevant information that may help
to decide the accountability of any decisions made. It would
be important to gather feedback from physicians and build
adequate machine learning metrics (precision, recall, AUC,
etc). This should be the control point of the network, and
the fundamental component governed by the GDPR Data
Protection Officer (if needed). The authenticity of the AM
records is essential when used in legal disputes, providing
research opportunities on how to construct and assure this
requirement.
G. CAD Subsystem
All the identified CAD sub-components should work
together in order to move data from the respective data
controller to interested third-parties. These data movements
(dark dotted lines) should rely on secure channels and
pseudonymization to secure personal data. All activities
would be monitored, registered and controlled by the sig-
nalling network (blue dotted lines). There are opportunities
for seamless integration with existing PACS and medical
workstations to collect exams and present results. As also
opportunities to apply novel pseudonymization methodolo-
gies in the CAD-P component or, data life cycle management
619
on the third-party CAD component.
H. Other security considerations
CAD-P is an internal service of the hospital domain. The
PID or any other information capable of identifying the
patient never leaves the hospital network. The CAD-P does
not get contacted by any other service, so firewall incoming
TCP rules should filter it. Every CAD-P to CAD data session
should be secured. These are certified deployed services with
the respective UDI and cryptographic keys, which means
that the DiffieHellman key exchange can be used to initiate
encrypted channels. However, all message signals initiating
a data transmission session should go through the signalling
network and recorded in the AM with clear distinction of
the source, target and patient UDIs, as also a cryptographic
fingerprint (the hash of transmitted data blocks) of the
transmitted data. This will enable for the AM service to
track all possible data locations.
IV. RELATED WORK
Since the GDPR is a relatively new legal framework, it is
difficult to find good solutions or any existing architectures
to compare our analysis. However, one important identified
necessity of our use-case is the improvement of current
identity and access management systems. Although there
are many solutions from existing identity providers using
Single-Sign On protocols, i.e., OpenID Connect6, the GDPR
has created some new requirements such as non-repudiation
and consequently self-sovereignty. Some projects from the
Decentralized Identity Foundation7 are already dealing with
this, leveraging SS-ID concepts under Distributed Ledger
Technology (DLT). In this regard DLT has many desirable
features to build a proper consent framework, for instance:
integrity/immutability of records for non-repudiation, avail-
ability for consent reads and withdraws, network routing
mechanisms and the necessary number of nodes for a high
available signalling network or, collusion-resistance that
may be used to backup secrets in order to improve key-
management.
Regarding existing CRPs, the IAB Europe’s Transparency
and Consent Framework 8 has been created to tackle the
difficulties of tracing and managing consent by providing
technical specifications. This has resulted in third-party
services named Consent Management Providers (CMP).
However, those are primarily designed for advertising and
marketing purposes and do not always have the required fea-
tures to deal with sensitive data. Some IHE profiles9 already
address part of the GDPR, i.e. mechanisms to record the
patient privacy consent using Basic Patient Privacy Consents
(BPPC) and Advanced Patient Privacy Consents (APPC),
6https://openid.net/connect 7http://identity.foundation 8https://www.iabeurope.eu 9https://www.ihe.net/resources/profiles
and methods of exchanging claims about an identity across
enterprise boundaries using Cross-Enterprise User Assertion
(XUA). However, profiles such as Audit Trail and Node
Authentication (ATNA), only offer perimeter protection and
mutual node authentication, not empowering the patient with
control over their data. In general, security measures on
the healthcare sector are oriented to control the access of
personal [23], [24] (operations and physicians) and do not
always extend to patient consent.
In terms of data management concerns, the clear separa-
tion of signals [25] and data networks is usually found in
the telecommunication sector and voice over IP (VOIP) ter-
minals. This technique may also be applied here to enhance
control of data movement and provide better auditing. On the
“right of erasure“ (art 17) there are complete dissertations
on the subject [26], exposing the disconnection between
the law and current enterprise realities. It also states that
the enforcement of this article will be difficult and does
not provide any enhancements on privacy, raising only the
possibilities of censorship. Erasure is a concept hard to
prove, and there seems to be no good available solution,
only the correct behaviour expectation from the processor
entity.
Common isolation methodologies are enabled by soft-
ware virtualisation, sandboxing, OS processes, separated
databases, etc. Although we did not find any published
method to manage and switch between different profiles,
this can probably be constructed adopting cryptography, i.e.
using one-way trapdoor functions [27].
V. CONCLUSION AND DISCUSSION
We conducted an assessment of the impacts of GDPR for
CAD systems and identified possible components. Several
open challenges are not mentioned here and should be en-
gaged in future work. For instance, the possibility of service
providers to repudiate existing records, adulterating consent.
In this regard, there is a potential to include distributed
ledger technology or P2P network overlays to avoid DoS
and repudiation of records. Other difficulties are also present
on identity management, how to recover from a lost or
compromised key or how to initially link between PIDs and
UDIs. Existing medical imaging systems and networks were
not designed with privacy in mind and are possible escape
routes for data leakage.
These guidelines and challenges are open doors for other
contributions. The initial design will impact future develop-
ments of CAD systems.
ACKNOWLEDGMENT
This work is financed by the ERDF European Regional
Development Fund through the Operational Programme
for Competitiveness and Internationalization - COMPETE
2020 Programme, and by National Funds through the FCT
620
Fundação para a Ciência e a Tecnologia within project
CMUP-ERI/TIC/0028/2014.
REFERENCES
[1] K. H. Lee, H. J. Lee, J. H. Kim, H. S. Kang, K. W. Lee, H. Hong, H. J. Chin, and K. S. Ha, “Managing the ct data explosion: initial experiences of archiving volumetric datasets in a mini-pacs,” Journal of digital imaging, vol. 18, no. 3, pp. 188–195, 2005.
[2] D. C. Goodman and E. S. Fisher, “Physician workforce crisis? wrong diagnosis, wrong prescription,” New England Journal of Medicine, vol. 358, no. 16, pp. 1658–1661, 2008.
[3] R. Binns, M. Van Kleek, M. Veale, U. Lyngs, J. Zhao, and N. Shadbolt, “’it’s reducing a human being to a percentage’: Perceptions of justice in algorithmic decisions,” in Proceed- ings of the 2018 CHI Conference on Human Factors in Computing Systems. ACM, 2018, p. 377.
[4] J. G. Hodge, “Ethical issues concerning genetic testing and screening in public health,” in American Journal of Medical Genetics Part C: Seminars in Medical Genetics, vol. 125, no. 1. Wiley Online Library, 2004, pp. 66–70.
[5] A. Ferreira, R. Cruz-Correia, L. Antunes, P. Farinha, E. Oliveira-Palhares, D. W. Chadwick, and A. Costa-Pereira, “How to break access control in a controlled manner,” in Computer-Based Medical Systems, 2006. CBMS 2006. 19th IEEE International Symposium on. IEEE, 2006, pp. 847– 854.
[6] A. Tobin and D. Reed, “The inevitable rise of self-sovereign identity,” The Sovrin Foundation, 2016.
[7] P. N. Valenstein, S. S. Raab, and M. K. Walsh, “Identification errors involving clinical laboratories: a college of american pathologists q-probes study of patient and specimen identi- fication errors at 120 institutions,” Archives of pathology & laboratory medicine, vol. 130, no. 8, pp. 1106–1113, 2006.
[8] G. Elahi, Z. Lieber, and E. Yu, “Trade-off analysis of identity management systems with an untrusted identity provider,” in Computer Software and Applications, 2008. COMPSAC’08. 32nd Annual IEEE International. IEEE, 2008, pp. 661–666.
[9] U. Fragoso-Rodriguez, M. Laurent-Maknavicius, and J. Incera-Dieguez, “Federated identity architectures,” in Proc. 1st Mexican Conference on Informatics Security 2006 (MCIS2006), 2006.
[10] A. Kermi, S. Marniche-Kermi, and M. T. Laskri, “3d- computerized facial reconstructions from 3d-mri of human heads using deformable model approach,” in Machine and Web Intelligence (ICMWI), 2010 International Conference on. IEEE, 2010, pp. 276–282.
[11] J. M. Silva, E. Pinho, E. Monteiro, J. F. Silva, and C. Costa, “Controlled searching in reversibly de-identified medical imaging archives,” Journal of biomedical informatics, vol. 77, pp. 81–90, 2018.
[12] L. Sweeney, A. Abu, and J. Winn, “Identifying participants in the personal genome project by name (a re-identification experiment),” arXiv preprint arXiv:1304.7605, 2013.
[13] A. Narayanan and V. Shmatikov, “Robust de-anonymization of large sparse datasets,” in Security and Privacy, 2008. SP 2008. IEEE Symposium on. IEEE, 2008, pp. 111–125.
[14] M. Veale and L. Edwards, “Clarity, surprises, and further questions in the article 29 working party draft guidance on automated decision-making and profiling,” Computer Law & Security Review, vol. 34, no. 2, pp. 398–404, 2018.
[15] G. Malgieri and G. Comandé, “Why a right to legibility of automated decision-making exists in the general data protection regulation,” International Data Privacy Law, 2017.
[16] P. Costa, A. Galdran, A. Smailagic, and A. Campilho, “A weakly-supervised framework for interpretable diabetic retinopathy detection on retinal images,” IEEE Access, vol. 6, pp. 18 747–18 758, 2018.
[17] C. Olah, A. Satyanarayan, I. Johnson, S. Carter, L. Schubert, K. Ye, and A. Mordvintsev, “The building blocks of inter- pretability,” Distill, vol. 3, no. 3, p. e10, 2018.
[18] R. Parasuraman and D. H. Manzey, “Complacency and bias in human use of automation: An attentional integration,” Human factors, vol. 52, no. 3, pp. 381–410, 2010.
[19] C. D. Wickens, B. A. Clegg, A. Z. Vieane, and A. L. Sebok, “Complacency and automation bias in the use of imperfect automation,” Human factors, vol. 57, no. 5, pp. 728–739, 2015.
[20] D. Lyell, F. Magrabi, M. Z. Raban, L. Pont, M. T. Baysari, R. O. Day, and E. Coiera, “Automation bias in electronic prescribing,” BMC medical informatics and decision making, vol. 17, no. 1, p. 28, 2017.
[21] E. K. Lua, J. Crowcroft, M. Pias, R. Sharma, and S. Lim, “A survey and comparison of peer-to-peer overlay network schemes,” IEEE Communications Surveys & Tutorials, vol. 7, no. 2, pp. 72–93, 2005.
[22] Z. Wang, W. Dai, F. Wang, H. Deng, S. Wei, X. Zhang, and B. Liang, “Kafka and its using in high-throughput and reliable message distribution,” in Intelligent Networks and Intelligent Systems (ICINIS), 2015 8th International Conference on. IEEE, 2015, pp. 117–120.
[23] C. Santos-Pereira, A. B. Augusto, R. Cruz-Correia, and M. E. Correia, “A secure rbac mobile agent access control model for healthcare institutions,” in Computer-Based Medical Sys- tems (CBMS), 2013 IEEE 26th International Symposium on. IEEE, 2013, pp. 349–354.
[24] L. Fuchs, G. Pernul, and R. Sandhu, “Roles in information security–a survey and classification of the research area,” computers & security, vol. 30, no. 8, pp. 748–769, 2011.
[25] J. G. Van Bosse and F. U. Devetak, Signaling in telecommu- nication networks. John Wiley & Sons, 2006, vol. 87.
[26] J. Levesque, “The right to be forgotten: no solution to the challenges of the digital environment,” Ph.D. dissertation, University of British Columbia, 2016.
[27] A. Lysyanskaya, R. L. Rivest, A. Sahai, and S. Wolf, “Pseudonym systems,” in International Workshop on Selected Areas in Cryptography. Springer, 1999, pp. 184–199.
621