Access and Usage Control Requirements for Patient Controlled Record Type of Healthcare Information System

Annanda Thavymony Rath, Jean-Noël Colin

Abstract

This paper addresses the issue of access and usage control requirements in healthcare information system. Our work aims at identifying the access and usage control requirements for a particular healthcare information system where patients have pivotal right to grant or deny access to their health records. We term this system ”Patient Controlled Record type of Healthcare Information System or PCRHIS”. It is worth noting that the requirements, presented in this paper, are the results of our studies from both user’s requirements and legal issues (based on 95/46/EC Directive ) under the scope of Walloon Healthcare Network (WHN). The WHN project aims at providing an electronic healthcare facility for patients inWalloon region, Belgium, that joins all healthcare institutions, clinics, and physicians and allows sharing of patients’ health records when needed. The main contribution of this work is that, with these requirements as a reference, one can identify an appropriate access and usage control model. This applies not only to the proposed system under the scope of WHN project but also to any system that has similar model.

References

  1. Bandar, A. and Colin, F. (2008). Access control requirements for processing electronic health records. In Proceedings of the 2007 international conference on Business process management, BPM'07, pages 371- 382, Berlin, Heidelberg. Springer-Verlag.
  2. DocuLiv EPR (2003). DocuLive EPR: A hospital Electronic health record system developed by Siemens Medical Systems Norway. http://www.siemens.com/entry/cc/en/, latest access: July 2011.
  3. EUdirective (1995). Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. https://www.cdt.org/privacy/eudirective/EU.
  4. HL7 PHR (2011). Health Level International Seven. http://www.hl7.org. Latest access: July 2012.
  5. Hu, V. H., Ferraiolo, D., and Kuhn, D. R. (2006). Assessment of access control system. National Institute of Standards and Technology.
  6. Pretschner, A., Hilty, M., Sch, F., Schaefer, C., and Walter, T. (2008). Usage control enforcement: Present and future. IEEE Security and Privacy, 6:44-53.
  7. Rath, A. and Colin, J.-N. (2012a). Analogue attacks in e-health: Issues and solutions. CeHPSA - 2012 : 2nd IEEE International Workshop on Consumer eHealth Platforms, Services and Applications (CeHPSA)(accepted but unpublished).
  8. Rath, A. and Colin, J.-N. (2012b). Patient privacy preservation: P-RBAC vs OrBAC in patient controlled records type of centralized healthcare information system. case study of walloon healthcare network, belgium. The Fourth International Conference on eHealth, Telemedicine, and Social Medicine eTELEMED 2012, 4:111-118.
  9. Reyneke, A., Botha, R. A., and Perelson, S. (2003). Access control requirements for content management systems. Department of Computer Science, School of IT, University of Pretoria, South Africa.
  10. Rostad, L. (2008). An initial model and a discussion of access control in patient controlled health records. In Proceedings of the 2008 Third International Conference on Availability, Reliability and Security, pages 935-942, Washington, DC, USA. IEEE Computer Society.
  11. Rostad, L. and Edsberg, O. (2006). A study of access control requirements for healthcare systems based on audit trails from access logs. In Proceedings of the 22nd Annual Computer Security Applications Conference, pages 175-186, Washington, DC, USA. IEEE Computer Society.
Download


Paper Citation


in Harvard Style

Thavymony Rath A. and Colin J. (2013). Access and Usage Control Requirements for Patient Controlled Record Type of Healthcare Information System . In Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2013) ISBN 978-989-8565-37-2, pages 331-336. DOI: 10.5220/0004223103310336


in Bibtex Style

@conference{healthinf13,
author={Annanda Thavymony Rath and Jean-Noël Colin},
title={Access and Usage Control Requirements for Patient Controlled Record Type of Healthcare Information System},
booktitle={Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2013)},
year={2013},
pages={331-336},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004223103310336},
isbn={978-989-8565-37-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2013)
TI - Access and Usage Control Requirements for Patient Controlled Record Type of Healthcare Information System
SN - 978-989-8565-37-2
AU - Thavymony Rath A.
AU - Colin J.
PY - 2013
SP - 331
EP - 336
DO - 10.5220/0004223103310336