Patient-centric authorization framework for sharing electronic health records

In modern healthcare environments, a fundamental requirement for achieving continuity of care is the seamless access to distributed patient health records in an integrated and unified manner, directly at the point of care. However, Electronic Health Records (EHRs) contain a significant amount of sensitive information, and allowing data to be accessible at many different sources increases concerns related to patient privacy and data theft. Access control solutions must guarantee that only authorized users have access to such critical records for legitimate purposes, and access control policies from distributed EHR sources must be accurately reflected and enforced accordingly in the integrated EHRs. In this paper, we propose a unified access control scheme that supports patient-centric selective sharing of virtual composite EHRs using different levels of granularity, accommodating data aggregation and various privacy protection requirements. We also articulate and handle the policy anomalies that might occur in the composition of discrete access control policies from multiple data sources.
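To make the composition problem concrete, the following is an added illustration (not code from the paper): each distributed EHR source contributes access rules at its own granularity, the rules are composed into one set for the virtual composite record, and overlapping rules are checked for the two anomaly kinds this example assumes (a permit/deny conflict and a cross-source redundancy). The rule shape, the record/section/field hierarchy, the "most specific rule wins, deny overrides" resolution, and the sample rules are all assumptions made for this example.

```python
"""Composition of per-source EHR access rules with anomaly detection.

Added example, not the paper's code. Rule fields, granularity hierarchy,
anomaly categories and the resolution strategy are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    source: str            # EHR source that contributed the rule (hypothetical names)
    subject: str           # role requesting access, e.g. "physician"
    purpose: str           # purpose of access, e.g. "treatment"
    scope: Tuple[str, ...] # path into the composite record, coarse -> fine:
                           # ("lab",) is a section, ("lab", "hiv_test") a field
    effect: str            # "permit" or "deny"


def covers(outer: Tuple[str, ...], inner: Tuple[str, ...]) -> bool:
    """True when `outer` is the same node as `inner` or one of its ancestors."""
    return len(outer) <= len(inner) and inner[: len(outer)] == outer


def overlaps(a: Rule, b: Rule) -> bool:
    """Two rules overlap if they target the same subject and purpose and
    one scope contains the other (the finer rule sits inside the coarser)."""
    return (a.subject == b.subject and a.purpose == b.purpose
            and (covers(a.scope, b.scope) or covers(b.scope, a.scope)))


def find_anomalies(rules: Iterable[Rule]) -> List[Tuple[str, Rule, Rule]]:
    """Pairwise check of the composed rule set.

    conflict   : overlapping rules with different effects
    redundancy : overlapping rules from different sources with the same effect
    """
    rules = list(rules)
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if not overlaps(a, b):
                continue
            if a.effect != b.effect:
                found.append(("conflict", a, b))
            elif a.source != b.source:
                found.append(("redundancy", a, b))
    return found


def decide(rules: Iterable[Rule], subject: str, purpose: str,
           scope: Tuple[str, ...]) -> str:
    """Evaluate one request against the composed set.

    Resolution (assumed): the most specific applicable rule wins, so a
    field-level patient restriction beats a section-level permit from a
    hospital; among equally specific rules deny overrides; default deny.
    """
    applicable = [r for r in rules
                  if r.subject == subject and r.purpose == purpose
                  and covers(r.scope, scope)]
    if not applicable:
        return "deny"
    depth = max(len(r.scope) for r in applicable)
    most_specific = [r for r in applicable if len(r.scope) == depth]
    return "deny" if any(r.effect == "deny" for r in most_specific) else "permit"


# Constructed sample: two provider sources plus a patient consent directive.
SAMPLE_RULES = [
    Rule("hospital_a", "physician", "treatment", ("lab",), "permit"),
    Rule("patient_consent", "physician", "treatment", ("lab", "hiv_test"), "deny"),
    Rule("clinic_b", "physician", "treatment", ("lab",), "permit"),
]


if __name__ == "__main__":
    for kind, a, b in find_anomalies(SAMPLE_RULES):
        print(f"{kind}: {a.source} {a.effect} {a.scope} <-> {b.source} {b.effect} {b.scope}")
    print(decide(SAMPLE_RULES, "physician", "treatment", ("lab", "hiv_test")))  # deny
    print(decide(SAMPLE_RULES, "physician", "treatment", ("lab", "cbc")))       # permit
```

Running the sample reports two conflicts (each provider's section-level permit against the patient's field-level deny) and one redundancy (the two providers granting the same section), which is the kind of output an integrator would review before enforcing the composed policy. The evaluator itself resolves the conflict in the patient's favour because the finer-grained consent rule is the most specific one that applies.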
