Evaluating access control of open source electronic health record systems

Incentives and penalties for healthcare providers as laid out in the American Recovery and Reinvestment Act of 2009 have caused tremendous growth in the development and installation of electronic health record (EHR) systems in the US. To protect patient privacy, regulations and certification criteria related to EHR systems stipulate the use of access control for protected health information. The goal of this research is to guide development teams, regulators, and certification bodies by assessing the state of the practice in EHR access control. In this paper, we present a compilation of 25 criteria relative to access control in EHR systems found in the Health Insurance Portability and Accountability Act (HIPAA) regulation, meaningful use certification criteria, best practices embodied in the National Institute of Standards and Technology (NIST) role-based access control standard, and other best practices found in the literature. We then examine the state of the practice in access control by evaluating four open source EHR systems using these 25 evaluation criteria. Our research indicates that the NIST Meaningful Use criteria provide HIPAA compliance, but none of the regulatory and certification criteria address the implementation standards and best practices related to access control. Additionally, our results indicate that open source EHR system designers are not implementing robust access control mechanisms for the adequate protection of patient data.
