Regulating Exceptions in Healthcare Using Policy Spaces

One truth holds for the healthcare industry: nothing should interfere with the delivery of care. Given this fact, the access control mechanisms used in healthcare to regulate and restrict the disclosure of data are often bypassed. This "break the glass" phenomenon is an established pattern in healthcare organizations and, though quite useful and mandatory in emergency situations, it represents a serious system weakness. In this paper, we propose an access control solution aimed at better management of the exceptions that occur in healthcare. Our solution is based on the definition of different policy spaces regulating access to patient data, used to balance the rigorous nature of traditional access control systems against the prioritization of care delivery.
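To make the idea of ordered policy spaces concrete, here is an added illustrative evaluator (not the paper's model or code): a restricted space that no override can reach, a planned space for routine treating-relationship access, and an exception space in which a break-the-glass override is granted only together with a justification and an audit obligation. The space names, sample patients and treating relationships are constructed assumptions.

```python
"""Illustrative break-the-glass evaluation over ordered policy spaces.
Added example: the spaces, rules and sample data below are assumptions,
not the paper's definitions."""
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    role: str
    patient: str
    emergency: bool = False
    justification: str = ""

# Constructed sample data: who is treating whom, and which records are
# sealed so that not even an emergency override may open them.
TREATING = {("dr_lee", "p001")}
RESTRICTED_PATIENTS = {"p999"}
AUDIT_LOG = []  # obligation target: every override leaves a record here

def restricted_space(req):
    """Records outside every override; evaluated before any permit space."""
    return "deny" if req.patient in RESTRICTED_PATIENTS else None

def planned_space(req):
    """Routine policy: a clinician with a treating relationship is permitted."""
    if req.role == "clinician" and (req.user, req.patient) in TREATING:
        return "permit"
    return None  # this space expresses no opinion

def exception_space(req):
    """Break-the-glass: emergency access for a clinician, but only with a
    non-empty justification, and only together with an audit obligation."""
    if req.emergency and req.role == "clinician" and req.justification.strip():
        AUDIT_LOG.append({"user": req.user, "patient": req.patient,
                          "justification": req.justification.strip(),
                          "review_required": True})
        return "permit-with-obligations"
    return None

def evaluate(req):
    """Ask each space in order; the first space with an opinion decides.
    The restricted space comes first so the exception space cannot bypass it."""
    for space in (restricted_space, planned_space, exception_space):
        decision = space(req)
        if decision is not None:
            return decision
    return "deny"  # no space permitted the request
```
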
