One Way to Patient Empowerment - The Proposal of an Authorization Model

American and European legislation on the protection of medical data agrees that the patient has the right to play a pivotal role in decisions regarding the content and distribution of her/his medical records. The Role Based Access Control (RBAC) model is the most commonly used authorization model in healthcare. The first goal of this work is to review whether existing models and standards provide for patients accessing their medical records and customizing access control rules; the second goal is to define and propose an authorization model based on RBAC to be used and customized by the patient. A literature review was performed and encompassed 22 articles and standards, of which 12 were included for analysis. Results show that existing standards define guidelines for these issues, but they are too generic to be directly applied to real healthcare settings. The proposed authorization model combines characteristics of RBAC, ISO/TS 13606-4, temporal constraints and break-the-glass. With this model we hope to start bridging the gap between legislation and what really happens in practice in terms of patients controlling and being actively involved in their healthcare. Future work includes the implementation and evaluation of the proposed model in a healthcare setting.
