Integrating Patient Consent in e-Health Access Control

Many initiatives exist that integrate e-health systems on a large scale. One of the main technical challenges is access control, although several frameworks and solutions, like XACML, are becoming standard practice. Data is no longer shared within one affinity domain but becomes ubiquitous, which results in a loss of control. As patients will be less willing to participate without additional control strategies, patient consents are introduced that allow the patients to determine precise access rules on their medical data. This paper explores the consequences of integrating consent in e-health access control. First, consent requirements are examined, after which an architecture is proposed which incorporates patient consent in the access control service of an e-health system. To validate the proposed concepts, a proof-of-concept implementation is built and evaluated.

[1]  Paul Greenfield,et al.  A Decentralised Approach to Electronic Consent and Health Information Access Control , 2005, J. Res. Pract. Inf. Technol..

[2]  Ross J. Anderson,et al.  A security policy model for clinical information systems , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[3]  Tao Xie,et al.  Xengine: a fast and scalable XACML policy evaluation engine , 2008, SIGMETRICS '08.

[4]  Naranker Dulay,et al.  Consent-Based Workflows for Healthcare Management , 2008, 2008 IEEE Workshop on Policies for Distributed Systems and Networks.

[5]  Gail-Joon Ahn,et al.  Patient-centric authorization framework for sharing electronic health records , 2009, SACMAT '09.

[6]  Seok-Won Lee,et al.  Assimilating and Optimizing Software Assurance in the SDLC: A Framework and Step-Wise Approach , 2010, Int. J. Secur. Softw. Eng..

[7]  A. Policy Review of the 2002 Department of Health and Human Service Notice of Proposed Rule Making for The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Regulations , 2002 .

[8]  Anna Cinzia Squicciarini,et al.  Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation , 2009, 2009 IEEE International Symposium on Policies for Distributed Systems and Networks.

[9]  Konstantin Beznosov,et al.  Supporting relationships in access control using role based access control , 1999, RBAC '99.

[10]  Ravi S. Sandhu,et al.  Induced role hierarchies with attribute-based RBAC , 2003, SACMAT '03.

[11]  Peter Sewell,et al.  Cassandra: flexible trust management, applied to electronic health records , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[12]  Roger Clarke,et al.  Viewpoint Paper: e-Consent: The Design And Implementation of Consumer Consent Mechanisms in an Electronic Environment , 2004, J. Am. Medical Informatics Assoc..

[13]  Haralambos Mouratidis,et al.  Model Based Process to Support Security and Privacy Requirements Engineering , 2012, Int. J. Secur. Softw. Eng..

[14]  Griet Verhenneman,et al.  Consent, an instrument for patient empowerment? , 2010 .

[15]  Harald C. Gall,et al.  Web services for Groupware , 2004 .

[16]  Julian R. Gallop,et al.  Execution Management for Mobile Service-Oriented Environments , 2010, Int. J. Syst. Serv. Oriented Eng..

[17]  Ruth Breu,et al.  Privacy and Access Control for IHE-Based Systems , 2008, eHealth.

[18]  Jin Tong,et al.  Attributed based access control (ABAC) for Web services , 2005, IEEE International Conference on Web Services (ICWS'05).

[19]  Mohamed Khalgui,et al.  Embedded Computing Systems: Applications, Optimization, and Advanced Design , 2013 .

[20]  D. Koo,et al.  HIPAA privacy rule and public health; guidance from CDC and the U.S. Department of Health and Human Services , 2003 .

[21]  Ajantha Dahanayake,et al.  Service-Oriented Software System Engineering: Challenges and Practices , 2004 .