Usable access control policy and model for healthcare

Access control defines what each user is allowed to do within a system. In practice it is usually specified by software engineers, and end users are seldom asked to take part. The main objective of this paper is to gather, from the end users of an Electronic Medical Record (EMR), the knowledge needed to understand their access control requirements and, with their collaboration, to define a list of usable access control rules and an access control model that are closer to users' needs and workflows. Access control standards in healthcare were also analyzed. Focus groups were then held with health professionals, and several access control rules were extracted from the analysis of all the information gathered. The Break The Glass Role Based Access Control model (BTG-RBAC) was created to include the generated access control rules; because these rules are closer to users' workflows and needs, the model can improve the usability of the EMR and reduce some of the barriers to its effective integration.
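
To make the break-the-glass idea concrete, the following is an added illustration, not code from the paper: a small policy decision point in the shape of BTG-RBAC. A role either holds a regular permission (grant), holds a "BTG" permission (the request is refused but the user is told the glass may be broken), or holds neither (deny). Breaking the glass requires a stated reason, creates a time-limited BTG state for that exact user, action and resource, and fires obligations, here an audit record and a notification. The roles, permissions, expiry time and obligation shapes are assumptions chosen for the example, not the rule list the paper derived from its focus groups.

```python
"""Toy BTG-RBAC policy decision point (added illustration, not the paper's code)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"
    BTG = "btg"  # refused normally, but the user may break the glass


@dataclass
class BtgRbacPolicy:
    # role -> set of (action, resource_type) held as regular permissions
    permissions: dict
    # role -> set of (action, resource_type) obtainable only by breaking the glass
    btg_permissions: dict
    # BTG state: (user, action, resource_id) -> expiry time (seconds)
    btg_states: dict = field(default_factory=dict)
    btg_ttl_seconds: int = 3600  # assumed lifetime of a BTG state
    audit_log: list = field(default_factory=list)  # obligation: record
    notifications: list = field(default_factory=list)  # obligation: notify

    def decide(self, user, roles, action, resource_type, resource_id, now):
        """Return GRANT, BTG or DENY for this request at time `now`."""
        for role in roles:
            if (action, resource_type) in self.permissions.get(role, set()):
                return Decision.GRANT
        # A previously broken glass grants access only for the same
        # user/action/resource and only until it expires.
        expiry = self.btg_states.get((user, action, resource_id))
        if expiry is not None and now < expiry:
            return Decision.GRANT
        for role in roles:
            if (action, resource_type) in self.btg_permissions.get(role, set()):
                return Decision.BTG
        return Decision.DENY

    def break_glass(self, user, roles, action, resource_type, resource_id, reason, now):
        """Activate a BTG state and discharge obligations. Returns True on success."""
        decision = self.decide(user, roles, action, resource_type, resource_id, now)
        if decision != Decision.BTG or not reason.strip():
            # Nothing to break (already granted or outright denied), or no reason given.
            return False
        self.btg_states[(user, action, resource_id)] = now + self.btg_ttl_seconds
        # Obligations that must accompany every override.
        self.audit_log.append({
            "event": "break_the_glass", "user": user, "action": action,
            "resource": resource_id, "reason": reason, "time": now,
        })
        self.notifications.append(f"BTG by {user} on {resource_id}: {reason}")
        return True


def sample_policy():
    """Constructed sample roles (assumptions for the example, not the paper's rules)."""
    return BtgRbacPolicy(
        permissions={"physician": {("read", "record"), ("write", "record")}},
        btg_permissions={"nurse": {("read", "record")}},
    )


if __name__ == "__main__":
    p = sample_policy()
    print(p.decide("nurse1", ["nurse"], "read", "record", "rec-42", now=0))
    print(p.break_glass("nurse1", ["nurse"], "read", "record", "rec-42", "ER admission", now=0))
    print(p.decide("nurse1", ["nurse"], "read", "record", "rec-42", now=10))
```

The point to notice is that the override is scoped: it does not widen the nurse's role, it opens one resource for one action for a bounded time, and it cannot happen silently because the audit and notification obligations are part of the same operation.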
