Trusted Interoperation of Healthcare Information (TIHI)

Subcontract with SRI International

Steve Dawson, PI < >
(formerly XiaoLei Qian)

and the SAW project for manufacturing data

A related project is TID, dealing with medical image filtering.

Startdate: 1 March 1995
Prepared: 18 January 1995, slides added 11 April 1995, abstract and papers added March 1996. Updated by Michel Bilello 12 Jan 1997, SRI PI change May 1997, SAW students Sept 1997, by Gio 20 Feb, 28Jul 1998, 2003.

Participants at Stanford

Gio Wiederhold < >
1997--2002: Michel Bilello < >
1995-1996: Andrea Chavez < > (legal rules)
1996-1997: Chris Donahue < > (demo, completed)
1997-1998: Yan Tan < > (SAW)
1998: Jahnavi Akella < > (SAW)

Summary Points


  1. Wiederhold, Gio: "Future of Security and Privacy in Medical Information"; in Renata Bushko (ed): Future of Health Technology, Studies in Technology and Informatics, vol.80, IOS Press, Amsterdam, 2002, pages 213-229.
  2. Wiederhold, Gio: "Protecting Information when Access is Granted for Collaboration"; Proc. 14th IFIP WG11.3 in Database Security, August 2000, Schoorl, the Netherlands, pages 3-10; and in Bhavani Thurasingham, Reind van der Riet, Klaus R. Dietrich, and Zahir Tari: Data and Applications Security; Developments and Directions (Proc. 14th IFIP WG11.3 in Database Security, August 2000, Schoorl, the Netherlands, pages 1-14, Kluwer Academic Publishers, 2001.
  3. Liu, David, Kincho Law, and Gio Wiederhold: "CHAOS: An Active Security Mediation System"; Advanced Information Systems Engineering (CAISE 12), 5 - 9 June, 2000, Stockholm, Sweden, Springer LNCS.
  4. Wiederhold, Gio: "Collaboration Requirements: A Point of Failure in Protecting Information"; IEEE Transactions on Systems, Man and Cybernetics, Vol.31 No.4, July 2001, pp.336-342.
  5. Wiederhold, Gio, Michel Bilello, Vatsala Sarathy, and XiaoLei Qian: "A Security Mediator for Health Care Information" (updated, in Word format amia2.doc).
    originally published as "A Security Mediator for Health Care Information" (in postscript). Presented and published in the Journal of the AMIA issue containing the Proceedings of the 1996 AMIA Conference, 27Oct1996, as Proceedings of the 1996 AMIA Conference, Washington DC, Oct. 1996, pp.120-124.
    Subsequently an editorial in D-LIB magazine (in html) was published; (local copy).
  6. Wiederhold, Gio, Michel Bilello, Vatsala Sarathy, and XiaoLei Qian: "Protecting Collaboration" (in postscript); presented and published at the National Information Systems Security Conference, 21 Oct.1996; as Proceedings of the NISSC'96, Baltimore MD, Oct. 1996, pp.561-569. The associated figures are in the TIHI section of my viewgraph listing.
  7. Wiederhold, Gio, Michel Bilello, and Chris Donahue: "Web Implementation of a Security Mediator for Medical Databases"; in T.Y. Lin and Shelly Qian: Database Security XI, Status and Prospects, IFIP / Chapman & Hall, 1998, pp.60-72.
  8. Wiederhold, Gio and Michel Bilello: "Protecting Inappropriate Release of Data from Realistic Databases" (html); also (text only), (source on Word6.doc), also available in (postscript); Proc. of Data and Expert Systems (DEXA) Security Workshop, IEEE, August 1998, IEEE, August 1998, pp.330-339.
  9. Latanya Sweeney: "Protection Models for Anonymous Databases"; related work in progress.
  10. Wiederhold et al.: Trusted Interoperation of Healthcare Information (TIHI); abstract prepared for the NSF Challenge Grant PI meeting, March 1996 updated (in HTML); also original (in postscript).

Sample Outputs

Security Officer start
Customer start
Patient's result
Logon failure
Doctor result
Clerk's result for same request
Nurse result for same request
Research general request form
Researcher request
Request rejected
Security officer's review
Dictionary update screen
Researcher's result after approval


The TIHI project addresses the issues that arise when some information must be shared among collaborating, but distinct enterprises. Such enterprises cannot fully share their data and information resources, although some information exchange is essential. The TIHI model deals then with the protection of shared information among friends, rather than with the withholding of information from adversaries. Protection of information interchange can also be necessary within a single enterprise, when authority and responsibilities differ significantly.

TIHI also deals with a specific gap which exists in the current model of authentication, authorization, information access, and presenting the resulting information to the requestor. In most practical domains there is no guarantee that the partitioning used for access will match the partitioning used to organize data for storage and retrieval, unless a very simple model (say: open, secret, top secret) is used and rigorously employed. The unique aspect of the TIHI approach is that it also checks the results.

Examples of enterprises that must collaborate are

Individuals and institutions in these settings must share information so they can collaborate. Exchange of information is being enabled by the rapidly growing communication networks. Such communications are moving inexorably towards automation, but needs for security when collaborating are inadequately served. The focus of security research has been on infrastructure improvements. Communication links are being secured, authentication of users is being improved, and fences around protected domains are being erected, so that we can be protected against actions by enemies. But little thought is being given on how to protect information selectively when the accessors we are dealing with are legitimate but diverse, and their legitimate rights to information overlap. These access rights then form a complex web, which will not match the capabilities of the record systems used to enter, store, use, and maintain the information. Furthermore, preventing an occasional misfiling would be an enormous burden for the data-processing organization.

In the TIHI project we are developing a tool to encode enterprise policies, and have its operation managed by a security officer who has the responsibility and authority to carry out the policies. TIHI deals with the mismatch of access rights to data organization by checking the retrieved result after access and before presenting it to the user. Since automation can never resolve all questions, all instances where automated rules are inadequate are displayed to the security officer for manual resolution.

For more specific technical information go to the summary (html). or to published papers: "Protecting Collaboration"; at the NISSC'96 National Information Systems Security Conference, Baltimore MD, Oct. 1996, or "A Security Mediator for Health Care Information"; at the 1996 AMIA Conference, Washington DC, Oct. 1996.

Statement of Work

The work described here will be performed for SRI by Stanford University to develop and demonstrate techniques for the trusted interoperation of autonomous heterogeneous health care databases containing sensitive data that mismatch in semantics, representations, and security/privacy policies. The work will be built on the query mediation framework being developed at SRI.

Presentation for ACMI Fellows meeting

Viewgraphs in HTML.
Viewgraphs powerpoint source.


Task 1: Assist in the development of information-preserving transformation rules for merging heterogeneous schemas.
Task 2: Assist in the development of a security/privacy policy model. Review and comment on SRI's work on trusted query mediation.
Task 3: Assist in obtaining sample health care databases or schemas as testbeds. Participate in the development of the demonstration system. Assist in testing and evaluating the demonstration system.



Task 1: Information-preserving transformation rules for merging heterogeneous schemas, based on developing mediator technology.
  1. We define a specific sub-domain in medicine of interest to the hospital(s) participating in TIHI.
  2. We select terms from the UMLS ontology prepared for NLM which are appropriate to that domain, and/or process existing, safe medical records to obatin the terms.
  3. We determine mismatches of the standard ontology with usage in the resources used by the participating hospital(s).
  4. We define rules that will permit accessing these resources so that correct, comprehensive, and consistent results are produced.
  5. Support SRI mediation technology to achieve that goal

Figure 1: Layers with a Security Mediator (ps) | 5:Layers with a Security Mediator (gif) Author: gio, Size: 17232, Date: 27Mar95.

Task 2: Security/privacy policy model.

  1. Interview patients, hospital, comunity physicians, and public health officials regarding their expectations for security and privacy.
  2. Place this information into a formal nodel, preferable an inspectable and modifiable on-line ontology.
  3. Determine and assess existing security mechanisms that can satisfy that need, specifically for inter-site communication.
  4. Develop technologies where available mechanisms are lacking. We expect that to be required for the transmission of private patient data for hospital mangemnent, financial claims, and public health purposes.
  5. Define mediators, to be owned by a security officer, to cover both categories.
  6. Establish the role of a security officer, equipped with appropriate tools, in a healthcare environment.

Figure 2: 8: Domain Interoperation (ps) | 8: Domain, not yet in (gif) Author: gio, Size: 17984, Date: 21Jun95.

Task 3: Assist SRI in research and dissemination as needed.

  1. Obtaining sample health care databases.
  2. Record their schemas in a formal manner
  3. Assist SRI staff in the development of the demonstration system.
  4. Assist in testing and evaluating the demonstration system.

TIHI Viewgraphs

the set (ps and or GIfs) or individually

1:Title (ps) | 1:Title (gif) Author: gio, Size: 13740, Date: 2Feb95.
3:Translation (ps) | 3:Translation (gif) Author: gio, Size: 13855, Date: 2Feb95.
4:Statement of Work (ps) | 4:Statement of Work (gif) Author: gio, Size: 13688, Date: 2Feb95.
5:Layers with a Security Mediator (ps) | 5:Layers with a Security Mediator (gif) Author: gio, Size: 17232, Date: 27Mar95.
6:Security and Privacy (ps) | 6:Security and Privacy (gif) Author: gio, Size: 13659, Date: 2Feb95.
7:Security Mediator (ps) | 7:Security Mediator (gif) Author: gio, Size: 13885, Date: 2Feb95.
8: Interoperating Domains (ps) | 10: none (gif) Author: gio, Size: 13529, Date: 2Feb95.
9:Dissemination (ps) | 9:Dissemination (gif) Author: gio, Size: 13529, Date: 2Feb95.

Secure Access Wrapper: Securing Databases by Access Mediation (SAW)

A new proposal, funded late in 1996 (FY97) by DARPA ITO (control number 96030520) will apply the secure mediation technique within the system survivability program.

Subcontract with SRI International

Steve Dawson, PI < >
Pierangela Samarata, SRI researcher < >


  1. Xin Yu, PhD EES (fall, winter quarter 1996-1997)
  2. Yan Tan, MS/PhD EE (summer, fall, 1997-1998)

The application focus of SAW is on collaboration in manufacturing. This proposal will include more automation, since in rapid response military environments the delays imposed by a security officer can be excessive.
Slide show of Presentation at Boeing Aircraft Co March 1998, Presentation source (powerpoint V.4)

Current efforts are to define the operation and interaction among collaborating manufacturing units, and construct a platform for demonstrating the required concepts. The paltform for SAW utilizes JAVA,


  • Qian, XioaLei and Gio Wiederhold: "Protecting Collaboration"; abstract for IEEE Information Survivability Workshop, ISW'97, Feb.1997, San Diego.

    Trusted Image Dissemination (TID)

    Work on Image Security was funded starting October 1998 as part of the NSF Digital Library II (DLI-II) program. Steve Griffin is the program manager. See (TID).

    Participants at Stanford

    Gio Wiederhold < > (Principal Investigator)
    Michel Bilello, PhD < > (Neural Networks)
    James Z. Wang < wangz@CS.Stanford.EDU > (Image processing)

    Secure Sharing of Multimedia Medical Information on the Internet


    We propose to provide image filtering capabilities to complement other means of checking the contents of documents. An example is information contained in images that are part of an electronic medical record for violations of security or privacy.

    An increasing amount of information being transmitted over the Internet is in image form. This trend will certainly affect medical images (used in diagnosis or research) in the near future. Such information has not been processed in the past with concern for security or privacy. Our approach will provide an innovative capability based on experience with image database and with protecting the privacy of information in medical databases.

    We will extend the facilities we have developed in current security-oriented projects at Stanford (TIHI, SAW) to provide more thorough filtering of medical information, including images containing text. The TIHI effort, supported by NSF's HPPC challenge program, has now built a prototype of a software tool, called a security mediator, to enable legitimate external customers to obtain remote electronic access to medical information residing in a medical institution, while inhibiting the release of content that cannot be released, even when the accessors appear to be authorized. The successor project, SAW, focuses on protecting shared manufacturing data. Image filtering is becoming relevant in manufacturing domains as well, since more and more computerized information in manufacturing and business involves images, but security of contents is not supported within the scope of most research efforts.

    Nearly all approaches to security focus on controlling access. Unfortunately, controlling access only requires a perfect organization of the internal data in an enterprise. In many practical cases this requirement cannot be fulfilled, since it implies a radical restructuring of all internal information services. The cost of aligning all internal data to deal with external access privileges is not only costly from the systems point-of-view, but also for all internal users of information systems, who now must file all data according to external requirements that are normally none of their concern. Storing and securely labeling data in duplicate can solve the access problem, but not the load on the participants. For instance, in a hospital, if some X-rays are to be released for research purposes, then certain identifying marks, used internally to prevent mis-diagnoses, must be duplicated without such information. In manufacturing, drawings containing proprietary data, must be edited if the decision is made to have the parts produced by an external subcontractor.

    Filtering of images in addition to text is becoming essential, since modern computing has greatly facilitated the use of information in image form. We believe that this will soon become relevant to electronic medical information. We have developed novel means of recognizing features in images, specifically in linking perceptual factors to parameters in wavelet-based analysis of images.

    We have experimented with a number of tools, mostly based on parameterized wavelets, that can recognize crucial information, such as text in images, and submit it to the content checking rules our base TIHI system provides. Initial results are very promising.

    In summary, the image filtering that we propose will rely primarily on wavelet technology. Work has been completed at Stanford that demonstrates the capability of indexing and retrieving images by wavelet transform analysis. The wavelet approach has been demonstrated to be fast and highly reliable. Its formal basis provides stability in development over more ad-hoc approaches, and has also been easy to transfer among programming languages. We will further develop the existing algorithms focusing on the properties evidenced by text placed within images. We anticipate that secure transmission of electronic medical information over the Internet will be a major area of application.

    Prior Work

    Prior research work was based on the development of image database search technology performed for the Stanford University Libraries and extended as part of project class work (CS54I). We expect to cooperate with the medical image processing research (ICBM) at UCLA and LRI at UCSF.

    Summary Points

    Specific projects related to security and privacy include: The technolgy is based on feature extraction using wavelet-based decomposition, shape moments, and the linking of semantically relevant perception parameters with the features.

    Course pointer

    A related course is given annually (CS545I: Advanced Image Database Seminar) in the winter quarter.


    1. James Ze Wang, Jia Li, Gio Wiederhold, and Oscar Firschein: "System for Screening Objectionable Images"; to appear in Computer Communications Journal, Elsevier Science, 1998. (abstract in HTML with link to full paper in PostScript)
    2. James Ze Wang, Jia Li, Gio Wiederhold, and Oscar Firschein: "System for Classifying Objectionable Websites"; submitted for conference publication, 1998. (abstract in HTML with link to full paper in PostScript)

    Related work

    Trusted Interoperation of Health care Information.
    Large-Scale Integration and Composition.

    Gio Wiederhold,
    Stanford University,