Patient-centric authorization framework for sharing electronic health records

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Patient-centric authorization framework for sharing electronic health records

Full text

Pdf (740 KB)

Source

Symposium on Access Control Models and Technologies archive
Proceedings of the 14th ACM symposium on Access control models and technologies table of contents

Stresa, Italy

SESSION: Secure sharing and policy combination table of contents

Pages 125-134

Year of Publication: 2009

ISBN:978-1-60558-537-6

Authors

Jing Jin	University of North Carolina at Charlotte, Charlotte, NC, USA
Gail-Joon Ahn	Arizona State University, Tempe, AZ, USA
Hongxin Hu	Arizona State University, Tempe, AZ, USA
Michael J. Covington	Intel Corporation, Hillsboro, OR, USA
Xinwen Zhang	Samsung Information Systems America, San Jose, CA, USA

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 71, Downloads (12 Months): 227, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1542207.1542228 What is a DOI?

ABSTRACT

In modern healthcare environments, a fundamental requirement for achieving continuity of care is the seamless access to distributed patient health records in an integrated and unified manner, directly at the point of care. However, Electronic Health Records (EHRs) contain a significant amount of sensitive information, and allowing data to be accessible at many different sources increases concerns related to patient privacy and data theft. Access control solutions must guarantee that only authorized users have access to such critical records for legitimate purposes, and access control policies from distributed EHR sources must be accurately reflected and enforced accordingly in the integrated EHRs.

In this paper, we propose a unified access control scheme that supports patient-centric selective sharing of virtual composite EHRs using different levels of granularity, accommodating data aggregation and various privacy protection requirements. We also articulate and handle the policy anomalies that might occur in the composition of discrete access control policies from multiple data sources.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Jaxe XML editor. http://jaxe.sourceforge.net/.
	2	John Barkley , Konstantin Beznosov , Jinny Uppal, Supporting relationships in access control using role based access control, Proceedings of the fourth ACM workshop on Role-based access control, p.55-65, October 28-29, 1999, Fairfax, Virginia, United States [doi>10.1145/319171.319177]
	3	Moritz Y. Becker , Peter Sewell, Cassandra: Flexible Trust Management, Applied to Electronic Health Records, Proceedings of the 17th IEEE workshop on Computer Security Foundations, p.139, June 28-30, 2004 [doi>10.1109/CSFW.2004.7]
	4	Rafae Bhatti , Khalid Moidu , Arif Ghafoor, Policy-based security management for federated healthcare databases (or RHIOs), Proceedings of the international workshop on Healthcare information and knowledge management, November 11-11, 2006, Arlington, Virginia, USA [doi>10.1145/1183568.1183577]
	5	Ji-Won Byun , Elisa Bertino , Ninghui Li, Purpose based access control of complex data for privacy protection, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden [doi>10.1145/1063979.1063998]
	6	Ciena. The national health information network creating a new vision. White Paper, Healthcare Information and Management Systems Society (HIMSS) Conference 2008, 2008.
	7	E. Coiera and R. Clarke. e-consent: the design and implementation of consumer consent mechanisms in an electronic environment. Journal of the American Medical Informatics Association, 11(2):129--140, 2004.
	8	dbMotion. White paper: The critical role of integrated patient information in the delivery of high quality healthcare, January 2008.
	9	L. L. Dimitropoulos. Privacy and security solutions for interoperable health information exchange: Interim assessment of variation executive summary. http://www.rti.org/pubs/avas execsumm.pdf, July 2007. RTI Project Number 0209825.000.009.
	10	R. H. Dolin, L. Alschuler, S. Boyer, C. Beebe, F. M. Behlen, and P. V. Biron. Hl7 clinical document architecture, release 2.0. ANSI Standard, 2004.
	11	D. M. Eyers, J. Bacon, and K. Moody. OASIS role-based access control for electronic health records. In IEEE Proceedings - Software, pages 16--23, 2006.
	12	Carrie Gates , Jacob Slonim, Owner-controlled information, Proceedings of the 2003 workshop on New security paradigms, August 18-21, 2003, Ascona, Switzerland [doi>10.1145/986655.986670]
	13	Jane Grimson , Gaye Stephens , Benjamin Jung , William Grimson , Damon Berry , Sebastien Pardon, Sharing Health-Care Records over the Internet, IEEE Internet Computing, v.5 n.3, p.49-58, May 2001 [doi>10.1109/4236.935177]
	14	HL7. Hl7 reference information model. http://www.hl7.org/Library/data-model/RIM/modelpage_mem.htm.
	15	R. Housley , W. Polk , W. Ford , D. Solo, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC Editor, 2002
	16	IEEE-USA's Medical Technology Policy Committee Interoperability Working Group, editor. Interoperability for the National Health Information Network (NHIN). IEEE-USA EBOOKS, 2006.
	17	Iowa Foundation for Medical Care. HISPC state implementation project summary and impact analysis report for the state of Iowa. http://www.ifmc.org/news/State Impact Report 11-27-07.doc, 2007.
	18	J. Jin, G.-J. Ahn, M. J. Covington, and X. Zhang. Toward an access control model for sharing composite electronic health record. In Proc. of 4th International Conference on Collaborative Computing, 2008.
	19	C. M. O'Keefe, P. Greenfield, and A. Goodchild. A decentralised approach to electronic consent and health information access control. Journal of Research and Practice in Information Technology, 37(2):161--178, 2005.
	20	openEHR Community. openEHR. http://www.openehr.org.
	21	Mor Peleg , Dizza Beimel , Dov Dori , Yaron Denekamp, Situation-Based Access Control: Privacy management via modeling of patient data access scenarios, Journal of Biomedical Informatics, v.41 n.6, p.1028-1040, December, 2008 [doi>10.1016/j.jbi.2008.03.014]
	22	J. Pritts and K. Connor. The implementation of e-consent mechanisms in three countries: Canada, england, and the netherlands. SAMHSA report, http://ihcrp.georgetown.edu/pdfs/prittse-consent.pdf, 2007.
	23	C. Ruan and V. Varadharajan. An authorization model for e-consent requirement in a health care application. Applied Cryptography and Network Security, LNCS, 2846:191--205, 2003.
	24	Naikuo Yang , Howard Barringer , Ning Zhang, A Purpose-Based Access Control Model, Proceedings of the Third International Symposium on Information Assurance and Security, p.143-148, August 29-31, 2007 [doi>10.1109/IAS.2007.5]