ABSTRACT
In modern healthcare environments, a fundamental requirement for achieving continuity of care is the seamless access to distributed patient health records in an integrated and unified manner, directly at the point of care. However, Electronic Health Records (EHRs) contain a significant amount of sensitive information, and allowing data to be accessible at many different sources increases concerns related to patient privacy and data theft. Access control solutions must guarantee that only authorized users have access to such critical records for legitimate purposes, and access control policies from distributed EHR sources must be accurately reflected and enforced accordingly in the integrated EHRs.
In this paper, we propose a unified access control scheme that supports patient-centric selective sharing of virtual composite EHRs using different levels of granularity, accommodating data aggregation and various privacy protection requirements. We also articulate and handle the policy anomalies that might occur in the composition of discrete access control policies from multiple data sources.
Index Terms
- Patient-centric authorization framework for sharing electronic health records