An Activity Theory Approach to Specification of Access Control Policies in Transitive Health Workflows

Access control models are implemented to mitigate the risks of unauthorized access in Electronic Health Records (EHRs). These models provide authorization with the help of security policies, wherein the protected resource is governed by one or more policies that exactly specify what attributes a requester needs to fulfill in order to obtain access. However, due to the increasing complexity of current healthcare system, defining and implementing policies are becoming more and more difficult. In this research-inprogress paper, we present an Activity Theory driven methodology to formalize access control policies that can be used in enforcing patient’s privacy consent in a healthcare setting. In order to account for the transitivity in health workflows, we extend the Activity Theory to include “organizational interconnectedness” within the health workflows.

[1]  Y. Engeström,et al.  Activity theory and individual and social transformation. , 1999 .

[2]  S. Chatterjee,et al.  Design Science Research in Information Systems , 2010 .

[3]  Peter J. van Baalen,et al.  An activity theory approach for studying the situatedness of knowledge sharing , 2002, Proceedings of the 35th Annual Hawaii International Conference on System Sciences.

[4]  Steven A. Demurjian,et al.  A security framework for XML schemas and documents for healthcare , 2012, 2012 IEEE International Conference on Bioinformatics and Biomedicine Workshops.

[5]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[6]  Nora Koch,et al.  Towards model-driven development of access control policies for web applications , 2012, MDsec '12.

[7]  Anders Kofod-Petersen,et al.  Using Activity Theory to Model Context Awareness , 2005, MRC.

[8]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[9]  B. Nardi Activity theory and human-computer interaction , 1995 .

[10]  Lorna Uden,et al.  Activity theory for designing mobile learning , 2007, Int. J. Mob. Learn. Organisation.

[11]  Timothy W. Finin,et al.  Policy-Based Access Control for an RDF Store , 2005, IJCAI 2007.

[12]  Snezana Sucurovic,et al.  The need for the use of XACML access control policy in a distributed EHR and some performance considerations. , 2008, Studies in health technology and informatics.

[13]  Sandeep Purao,et al.  The Sciences of Design: Observations on an Emerging Field , 2008, Commun. Assoc. Inf. Syst..

[14]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[15]  H. Raghav Rao,et al.  Web channels in e-commerce , 2001, CACM.

[16]  Huang Yi Extensible Access Control Model BSRBAC Research , 2010 .

[17]  O. Bertelsen,et al.  Activity Theory , 2003 .

[18]  Alan R. Hevner,et al.  Design of an information volatility measure for health care decision making , 2012, Decis. Support Syst..

[19]  Reinhard Wilhelm,et al.  Towards Model-Driven Development of Hard Real-Time Systems , 2006, ASWSD.

[20]  Antonio F. Gómez-Skarmeta,et al.  Using Microsoft Office Infopath to Generate XACML Policies , 2006, SECRYPT.

[21]  Sjaak Brinkkemper,et al.  An Artifact Model for Projects Conforming to Enterprise Architecture , 2008, PoEM.

[22]  Rui Chen,et al.  Data Model Development for Fire Related Extreme Events: An Activity Theory Approach , 2013, MIS Q..

[23]  Ninghui Li,et al.  A Framework for Role-Based Access Control in Group Communication Systems , 2004, ISCA PDCS.

[24]  Guohua Bai,et al.  An Activity Systems Theory Approach to Agent Technology , 2005 .

[25]  Francesco Tiezzi,et al.  On a Formal and User-friendly Linguistic Approach to Access Control of Electronic Health Data , 2013, HEALTHINF.

[26]  Brent Waters,et al.  Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[27]  Hélène Kirchner,et al.  Formal Specification and Verification of Modular Security Policy Based on Colored Petri Nets , 2011, IEEE Transactions on Dependable and Secure Computing.

[28]  Rohit Valecha,et al.  An Activity Theory Approach to Leak Detection and Mitigation in Personal Health Information (PHI) , 2012 .

[29]  M. Nauman,et al.  Efficient selection of access control systems through multi criteria analytical hierarchy process , 2012, 2012 International Conference on Emerging Technologies.

[30]  Y. Engeström,et al.  Learning by expanding: An activity-theoretical approach to developmental research , 2014 .

[31]  Christine Nadel,et al.  Case Study Research Design And Methods , 2016 .

[32]  H. Raghav Rao,et al.  Emergency Response to Mumbai Terror Attacks: An Activity Theory Analysis , 2011, Cyber Security, Cyber Crime and Cyber Forensics.

[33]  Samir Chatterjee,et al.  A Design Science Research Methodology for Information Systems Research , 2008 .

[34]  Jean Hartley,et al.  Case study research , 2004 .