Toward an Access Control Model for Sharing Composite Electronic Health Records

The adoption of electronically formatted medical records, so-called Electronic Health Records (EHRs), has become extremely important in healthcare systems to enable the exchange of medical information among stakeholders. An EHR generally consists of data of different types and sensitivity degrees which must be selectively shared based on the need-to-know principle. Security mechanisms are required to guarantee that only authorized users have access to specific portions of such critical records for legitimate purposes. In this paper, we propose a novel approach for modelling an access control scheme for composite EHRs. Our model formulates the semantics and structural composition of an EHR document, from which we introduce a notion of authorized zones of the composite EHR at different granularity levels, taking into consideration several important criteria such as data types, intended purposes and information sensitivities.
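As an added illustration, not the paper's model (whose formal definitions the abstract does not give), the Python below assumes a composite EHR represented as a tree of zones labelled with a data type and a sensitivity level, and a policy keyed by (role, purpose); `authorized_view` prunes the record to the zones that pair may read, at both container and leaf granularity. The `Zone` class, the `POLICY` table and the sample record are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set
# Constructed illustration of "authorized zones": the composite EHR is a tree of
# zones, each labelled with a data type and a sensitivity level (1 low .. 3 high).
@dataclass
class Zone:
    name: str
    data_type: str
    sensitivity: int
    content: Optional[str] = None        # None marks a container zone
    children: List["Zone"] = field(default_factory=list)
# Assumed policy shape (not the paper's): (role, purpose) -> need-to-know data
# types plus the highest sensitivity that pair may see; unknown pairs are denied.
POLICY = {
    ("nurse", "treatment"): ({"demographics", "vitals", "medication"}, 2),
    ("physician", "treatment"): ({"demographics", "vitals", "lab", "medication", "psychiatric"}, 3),
    ("researcher", "research"): ({"lab"}, 1),
}
# Constructed sample record; every value is fictitious.
EHR = Zone("ehr", "record", 1, children=[
    Zone("demographics", "demographics", 1, children=[
        Zone("name", "demographics", 1, "Jane Doe"),
        Zone("national_id", "demographics", 3, "000-00-0000"),
    ]),
    Zone("vitals", "vitals", 1, "BP 120/80"),
    Zone("hba1c", "lab", 1, "6.1%"),
    Zone("medication", "medication", 2, "metformin 500mg"),
    Zone("mental_health", "psychiatric", 3, children=[
        Zone("therapy_note", "psychiatric", 3, "session summary"),
    ]),
])
def _prune(zone: Zone, types: Set[str], max_sens: int) -> Optional[Zone]:
    """Copy of zone restricted to authorized sub-zones, or None if nothing is."""
    if zone.sensitivity > max_sens:
        return None                      # a sensitive zone hides its whole subtree
    if zone.content is not None:         # leaf: need-to-know by data type
        return zone if zone.data_type in types else None
    kept = [v for c in zone.children if (v := _prune(c, types, max_sens))]
    # A container survives only if some descendant does, so unreadable structure is not revealed.
    return Zone(zone.name, zone.data_type, zone.sensitivity, None, kept) if kept else None
def authorized_view(record: Zone, role: str, purpose: str) -> Optional[Zone]:
    """The portion of the composite record that (role, purpose) may access."""
    rule = POLICY.get((role, purpose))
    return _prune(record, *rule) if rule else None
def leaf_names(zone: Optional[Zone]) -> List[str]:
    """Names of the readable data items in a view, in document order."""
    if zone is None:
        return []
    return [zone.name] if zone.content else [n for c in zone.children for n in leaf_names(c)]
```

Note that the same record yields three different views: the nurse never sees the high-sensitivity identifier or the psychiatric section, and an unknown (role, purpose) pair gets nothing at all.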
