ONE WAY TO PATIENT EMPOWERMENT - The Proposal of an Authorization Model

Cátia Santos-Pereira, Luis Antunes, Ricardo Cruz-Correia, Ana Ferreira

2012

Abstract

American and European legislation for the protection of medical data agree that the patient has the right to play a pivotal role in decisions regarding the content and distribution of her/his medical records. The Role Based Access Control (RBAC) model is the most commonly used authorization model in healthcare. The first goal of this work is to review whether existing models and standards provide for patients accessing their medical records and customizing access control rules; the second goal is to define and propose an authorization model based on RBAC that can be used and customized by the patient. A literature review was performed that encompassed 22 articles and standards, of which 12 were included for analysis. Results show that existing standards define guidelines for these issues, but they are too generic to be directly applied to real healthcare settings. The proposed authorization model combines characteristics of RBAC, ISO/TS 13606-4, temporal constraints and break-the-glass (BTG). With this model we hope to start bridging the gap between legislation and what really happens in practice in terms of patients controlling and being actively involved in their healthcare. Future work includes the implementation and evaluation of the proposed model in a healthcare setting.
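The abstract lists the ingredients of the proposed model (baseline RBAC, patient-customized rules, temporal constraints and break-the-glass) without showing how they compose. The Python below is an added example written for this page, not code from the paper or its authors. The record sections, roles, the precedence order (a patient deny rule beats a patient allow rule, which beats the role's baseline permission, and only a BTG override can bypass a denial, for reads, by a designated role, with a mandatory justification and an audit entry) and the audit format are assumptions chosen for illustration, not the paper's model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical record sections and role permissions (not the paper's schema).
SECTIONS = {"demographics", "medication", "lab_results", "psychiatry_notes"}
ROLE_PERMISSIONS = {
    "physician": {(s, a) for s in SECTIONS for a in ("read", "write")},
    "nurse": {("demographics", "read"), ("medication", "read"), ("lab_results", "read")},
    "receptionist": {("demographics", "read")},
    "researcher": set(),  # no baseline access; needs an explicit patient grant
}
BTG_ROLES = {"physician", "nurse"}  # roles that may break the glass (assumption)


@dataclass(frozen=True)
class PatientRule:
    """A patient-authored exception to the baseline role permissions."""
    section: str
    action: str
    effect: str                              # "allow" or "deny"
    role: Optional[str] = None               # restrict to one role ...
    user: Optional[str] = None               # ... or to one named user
    valid_from: Optional[datetime] = None    # temporal constraint (inclusive)
    valid_until: Optional[datetime] = None   # temporal constraint (exclusive)

    def matches(self, user, role, section, action, now) -> bool:
        if (self.section, self.action) != (section, action):
            return False
        if self.role is not None and self.role != role:
            return False
        if self.user is not None and self.user != user:
            return False
        if self.valid_from is not None and now < self.valid_from:
            return False
        if self.valid_until is not None and now >= self.valid_until:
            return False
        return True


@dataclass
class Decision:
    allowed: bool
    reason: str
    btg: bool = False  # True only when access came through the override


class PatientRecordPolicy:
    """Authorization for one patient's record: RBAC + patient rules + time + BTG."""

    def __init__(self, patient_id: str):
        self.patient_id = patient_id
        self.rules: list[PatientRule] = []
        self.btg_audit: list[dict] = []  # every override, for the patient to review

    def add_rule(self, rule: PatientRule) -> None:
        if rule.effect not in ("allow", "deny"):
            raise ValueError("effect must be 'allow' or 'deny'")
        self.rules.append(rule)

    def evaluate(self, user, role, section, action, now, btg_justification=None) -> Decision:
        if section not in SECTIONS:
            return Decision(False, "unknown section")
        # The patient always reads her own record; her rules do not apply to herself.
        if role == "patient":
            return Decision(user == self.patient_id and action == "read", "patient self-access")
        matched = [r for r in self.rules if r.matches(user, role, section, action, now)]
        if any(r.effect == "deny" for r in matched):
            denial = Decision(False, "denied by patient rule")
        elif any(r.effect == "allow" for r in matched):
            return Decision(True, "allowed by patient rule within its validity window")
        elif (section, action) in ROLE_PERMISSIONS.get(role, set()):
            return Decision(True, "allowed by role")
        else:
            denial = Decision(False, "no role permission")
        # Break-the-glass: eligible role, read only, justification required, always audited.
        if btg_justification and role in BTG_ROLES and action == "read":
            self.btg_audit.append({"when": now.isoformat(), "user": user, "role": role,
                                   "section": section, "justification": btg_justification,
                                   "overrode": denial.reason, "patient_notified": False})
            return Decision(True, "break-the-glass override", btg=True)
        return denial


def demo() -> dict:
    """Constructed scenario (sample data, not from the paper); returns the decisions."""
    now = datetime(2012, 3, 1, 10, 0)
    policy = PatientRecordPolicy("p-001")
    policy.add_rule(PatientRule("medication", "read", "deny", role="nurse"))
    policy.add_rule(PatientRule("lab_results", "read", "allow", user="r-77",
                                valid_from=now, valid_until=now + timedelta(days=7)))
    return {
        "nurse_med": policy.evaluate("n-01", "nurse", "medication", "read", now),
        "nurse_med_btg": policy.evaluate("n-01", "nurse", "medication", "read", now,
                                         btg_justification="emergency: suspected overdose"),
        "researcher_day3": policy.evaluate("r-77", "researcher", "lab_results", "read",
                                           now + timedelta(days=3)),
        "researcher_day8": policy.evaluate("r-77", "researcher", "lab_results", "read",
                                           now + timedelta(days=8)),
        "reception_btg": policy.evaluate("x-09", "receptionist", "lab_results", "read", now,
                                         btg_justification="curious"),
        "physician_psych": policy.evaluate("dr-1", "physician", "psychiatry_notes", "read", now),
        "patient_self": policy.evaluate("p-001", "patient", "medication", "read", now),
        "audit_entries": len(policy.btg_audit),
    }
```

The ordering is the security-relevant part: a patient's deny rule removes a permission the role would otherwise have, the temporal grant expires on its own without anyone revoking it, and the override never silently widens the policy, because every BTG read lands in an audit record that the patient can later review.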

References

  1. American Health Information Management Association Foundation. 2011. myPHR [Online]. Available: http://www.myphr.com/ [Accessed October 2011].
  2. Beimel, D., Peleg, M. 2009. The Context and the SitBAC Models for Privacy Preservation - An Experimental Comparison of Model Comprehension and Synthesis. IEEE Transactions on Knowledge and Data Engineering.
  3. Council of Europe. 1997. Protection of Medical Data - Recommendation No. R (97) 5 of the Committee of Ministers to Member States.
  4. Ferreira, A., Chadwick, D., Zao, G., Farinha, P., Correia, R., Chilro, R., Antunes, L. 2009. How to securely break into RBAC: the BTG-RBAC model. Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC 2009).
  5. Ferreira, A., Correia, A., Silva, A., Corte, A., Pinto, A., Saavedra, A., Pereira, A. L., Pereira, A. F., Cruz-Correia, R., Antunes, L. F. 2007a. Why Facilitate Patient Access to Medical Records. Medical and Care Compunetics 4, Stud Health Technol Inform, 127, 77-90.
  6. Ferreira, A., Cruz-Correia, R., Antunes, L., Chadwick, D. 2007b. Access Control: how can it improve patients' healthcare? Stud Health Technol Inform, 127, 65-76.
  7. Giuri, L. 1996. Role-based access control: a natural approach. Proceedings of the First ACM Workshop on Role-Based Access Control. Gaithersburg, Maryland, USA: ACM.
  8. Honeyman, A., Cox, B., Fisher, B. 2005. Potential impacts of patient access to their electronic care records. Informatics in Primary Care, 13, 55-60.
  9. ISO/TS 13606-4:2009. Health informatics - Electronic health record communication - Part 4: Security. Switzerland: ISO.
  10. ISO/TS 22600-2:2006. Health informatics - Privilege management and access control - Part 2: Formal models. Switzerland: ISO.
  11. Joshi, J., Aref, W. G., Ghafoor, A., Spafford, E. H. 2001. Security models for web-based applications. Communications of the ACM, 44, 38-44.
  12. Joshi, J., Bertino, E., Ghafoor, A. 2002. Temporal hierarchies and inheritance semantics for GTRBAC. Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies. Monterey, California, USA: ACM.
  13. Microsoft. 2011. Microsoft HealthVault [Online]. Available: http://www.microsoft.com/en-us/healthvault/ [Accessed October 2011].
  14. Motta, G. H. M. B., Furuie, S. S. 2003. A contextual role-based access control authorization model for electronic patient record. IEEE Transactions on Information Technology in Biomedicine, 7, 202-207.
  15. Osborn, S., Sandhu, R., Munawer, Q. 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security, 3, 85-106.
  16. Hung, P. C. K., Zheng, Y. 2007. Privacy Access Control Model for Aggregated e-Health Services. Eleventh International IEEE EDOC Conference Workshop (EDOCW'07).
  17. Pereira, C., Oliveira, C., Vilaça, C., Ferreira, A. 2011. Protection of clinical data - Comparison of European with American Legislation and respective technological applicability. HealthInf 2011 - International Conference on Health Informatics. Rome.
  18. Sandhu, R., Bhamidipati, V., Munawer, Q. 1999. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security, 2, 105-135.
  19. Reeder, R. W. 2011. Usable access control for all. Proceedings of the 16th ACM Symposium on Access Control Models and Technologies. Innsbruck, Austria: ACM.
  20. Ross, S. E., Lin, C. T. 2003. The effects of promoting patient access to medical records: A review. Journal of the American Medical Informatics Association, 10, 129-138.
  21. Sandhu, R., Ferraiolo, D., Kuhn, R. 2000. The NIST model for role-based access control: towards a unified standard. Proceedings of the Fifth ACM Workshop on Role-Based Access Control. Berlin, Germany: ACM.
  22. Oh, S., Sandhu, R. 2002. A model for role administration using organization structure. Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies. Monterey, California, USA: ACM.
  23. Shortliffe, E., Cimino, J. 2006. Biomedical Informatics - Computer Applications in Health Care and Biomedicine. New York: Springer.
  24. Siteman, E., Businger, A., Gandhi, T., Grant, R., Poon, E., Schnipper, J., Volk, L. A., Wald, J. S., Middleton, B. 2006. Clinicians recognize value of patient review of their electronic health record data. AMIA Annual Symposium Proceedings, 1101.
  25. U.S. Department of Health & Human Services. 1996. Health Insurance Portability and Accountability Act (HIPAA).


Paper Citation


in Harvard Style

Santos-Pereira C., Antunes L., Cruz-Correia R. and Ferreira A. (2012). ONE WAY TO PATIENT EMPOWERMENT - The Proposal of an Authorization Model. In Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2012) ISBN 978-989-8425-88-1, pages 249-255. DOI: 10.5220/0003787902490255


in Bibtex Style

@conference{healthinf12,
author={Cátia Santos-Pereira and Luis Antunes and Ricardo Cruz-Correia and Ana Ferreira},
title={ONE WAY TO PATIENT EMPOWERMENT - The Proposal of an Authorization Model},
booktitle={Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2012)},
year={2012},
pages={249-255},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003787902490255},
isbn={978-989-8425-88-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2012)
TI - ONE WAY TO PATIENT EMPOWERMENT - The Proposal of an Authorization Model
SN - 978-989-8425-88-1
AU - Santos-Pereira C.
AU - Antunes L.
AU - Cruz-Correia R.
AU - Ferreira A.
PY - 2012
SP - 249
EP - 255
DO - 10.5220/0003787902490255