Towards unobtrusive patient‐centric access‐control for Health Information System
Author(s) - Carvalho Junior Marcelo Antonio, Bandiera‐Paiva Paulo
Publication year - 2020
Publication title - Concurrency and Computation: Practice and Experience
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.309
H-Index - 67
eISSN - 1532-0634
pISSN - 1532-0626
DOI - 10.1002/cpe.5845
Subject(s) - role based access control, access control, computer science, permission, computer access control, information flow, computer security, control (management), data access, authorization, database, artificial intelligence, linguistics, philosophy, political science, law
Summary - Patient consent is currently a missing piece on Health Information Systems (HIS) access permission. The control is needed to ensure personal data as the property of the individual, not data controllers or health‐care service providers. This is a newly‐designed access‐decision flow for HIS secured by Role‐Based Access Control (RBAC) including patient‐centric control. It makes use of Colored Petri‐Nets (CPN) to model RBAC restrictions. A Discretionary Access Control (DAC) functionality is added to Electronic Health‐Records (EHR) control to convey a patient's explicit authorization to their data in a non‐obstructive access flow. Mutual exclusion was designed to incorporate patient needs so that they could authorize healthcare professionals to access EHR data. Additional information was supplied to a PERMS Access Control matrix and this enabled DAC to be mimicked using existing RBAC Core functions. A minimal addition is proposed to incorporate RBAC‐aware systems with no significant drawbacks when compared with previous CPN simulations. The article also discusses the limitations of this technique and the favorable conditions for implementing new features.