Fuzzy Multi-Level Security: An Experiment on Quantified Risk-Adaptive Access Control
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Risk-based access control systems built on fuzzy inferences
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
An analytical solution for consent management in patient privacy preservation
Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium
In traditional access control systems, security administrators determine whether an information consumer can access a certain resource. However, in reality, it is very difficult for policy makers to foresee what information a user may need in various situations. In hospitals, failing to authorize a doctor for the medical information she needs about a patient could lead to severe or fatal consequences. In this paper, we propose a practical access control approach to protect patient privacy in health information systems by taking the realities in healthcare into consideration. First, unlike traditional access control systems, our proposed access control model allows information consumers (i.e., doctors) to make access decisions, while still being able to detect and control the over-accessing of patients' medical data by quantifying the risk associated with doctors' data-accessing activities. Second, we do not require doctors to do anything special in order to use our system. We learn about common practices among doctors and apply statistical methods and information theory techniques to quantify the risk of privacy violation. Third, occasional exceptions in information needs, which are common in healthcare, are taken into account in our model. We have implemented a prototype of our solution and performed simulations on real-world medical history records.