Regulating Exceptions in Healthcare Using Policy Spaces
Proceedings of the 22nd annual IFIP WG 11.3 working conference on Data and Applications Security
Towards improved privacy policy coverage in healthcare using policy refinement
SDM'07 Proceedings of the 4th VLDB conference on Secure data management
A calculus for the qualitative risk assessment of policy override authorization
Proceedings of the 3rd international conference on Security of information and networks
Relationship-based access control policies and their policy languages
Proceedings of the 16th ACM symposium on Access control models and technologies
A risk-based evaluation of group access control approaches in a healthcare setting
ARES'11 Proceedings of the IFIP WG 8.4/8.9 international cross domain conference on Availability, reliability and security for business, enterprise and health information systems
Purpose control: did you process the data for the intended purpose?
SDM'11 Proceedings of the 8th VLDB international conference on Secure data management
Preemptive mechanism to prevent health data privacy leakage
Proceedings of the International Conference on Management of Emergent Digital EcoSystems
Visualization control for event-based public display systems used in a hospital setting
NordSec'11 Proceedings of the 16th Nordic conference on Information Security Technology for Applications
Ensuring continuous compliance through reconciling policy with usage
Proceedings of the 18th ACM symposium on Access control models and technologies
Mining Deviations from Patient Care Pathways via Electronic Medical Record System Audits
ACM Transactions on Management Information Systems (TMIS) - Special Issue on Informatics for Smart Health and Wellbeing
In healthcare, role-based access control systems are often extended with exception mechanisms to ensure access to needed information even when the needs don't follow the expected patterns. Exception mechanisms increase the threats to patient privacy, and therefore their use should be limited and subject to auditing. We have studied access logs from a hospital EPR system with extensive use of exception-based access control. We found that the uses of the exception mechanisms were too frequent and widespread to be considered exceptions. The huge size of the log and the use of pre-defined or uninformative reasons for access make it infeasible to audit the log for misuse. The informative reasons that were given provided starting points for requirements on how the usage needs should be accomplished without exception-based access. With more structured and fine-grained logging, analysis of access logs could be a very useful tool for learning how to reduce the need for exception-based access.