This paper examines the access control requirements of distributed health care information networks. Since the electronic sharing of an individual's personal health information requires their informed consent, health care information networks need an access control framework that can capture and enforce individual access policies tailored to the specific circumstances of each consumer. Role Based Access Control (RBAC) is examined as a candidate access control framework. While it is well suited to the task in many regards, we identify a number of shortcomings, particularly in the range of access policy expression types that it can support. For efficiency and comprehensibility, access policies that grant access to a broad range of entities whilst explicitly denying it to subgroups of those entities need to be supported in health information networks. We argue that RBAC does not support policies of this type with sufficient flexibility and propose a novel adaptation of RBAC principles to address this shortcoming. We also describe a prototype distributed medical information system that embodies the improved RBAC model.