Abstract
In healthcare the fast retrieval of clinical information on a patient can be vital, for example in an emergency, and allows anyway, in normal situations, an improvement in the service of care and a consequent significant reduction in costs (for example, eliminating the need to repeat medical examinations). Health information systems, and in particular Electronic Health Record Systems, enable clinical information to be found quickly and in a distributed environment. The information should be available only to authorized users, because much of it is sensitive. For this reason, it is necessary to use a mechanism that realizes access control, the main goal of which is to guarantee the confidentiality and integrity of the data, and to allow the definition of security rules which reflect the need for the privacy of the patients. In this work, we show the designed GUIs, which use the innovative access control system defined. GUIs allow patients to define in a detailed and clear manner the access rules concerning their clinical information, both in document and data form. The main innovation of this work is to provide the ability to protect the resources (documents and clinical data) of the system by presenting only the content of the information needed depending on the type of request made directly by the patients, the content being extrapolated from the resource request. This feature allows the definition of an access control model that increases the patients trust in the EHR system.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Bell DE, LaPadula LJ (1973) Secure Computer Systems: Mathematical Foundations and Model. In: Bedford MA (ed) The Mitre Corporation. Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA, p 01731
Bertino E, Bonatti P, Ferrari E (2000) TRBAC: a temporal role-based access control model. In: Proceedings of the ACM workshop on Role-based access control. ACM Press, New York, NY, USA, pp 21–30
Ferraiolo DF, Cugini J, Kuhn DR (1995) Role-Based Access Control (RBAC): Features and Motivations. In: Proceedings of the 11th Annual Computer Security Application Conference, New Orleans, LA, December 11–15 1995, pp 241–248
Ferreira A, Chadwick D, Farinha P, Correia R, Zao G, Chilro R, Antunes L (2009) How to Securely Break into RBAC: The BTG-RBAC Model. In: Computer Security Applications Conference, 2009. ACSAC ’09. Annual, pp 23–31, 7–11 Dec. 2009. doi:10.1109/ACSAC.2009.12
Ficco M, Romano L (2011) A Generic Intrusion Detection and Diagnoser System Based on Complex Event Processing. In: Processing (CCP), 2011 First International Conference on Data Compression, Communications, 21–24 June 2011, pp 275–284. doi:10.1109/CCP.2011.43
General Data Protection Regulation, European Commission (2012) Regulation of the european parliament and of the council. Online at http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en. (Access date: 13 September 2014)
HL7 Version 3 Clinical Document Architecture (CDA) Release 2, https://www.hl7.org/implement/standards/product_brief.cfm?product_id=7 (Access date: 24 March 2014)
Kilic O, Dogac A (2009) Achieving clinical statement interoperability using r-mim and archetype-based semantic transformations. IEEE Trans Inf Technol Biomed 13(4):467–477. doi:10.1109/TITB.2008.904647
Kim Y, Song E (2001) Privacy-Aware Role Based Access Control Model: Revisited for Multi-Policy Conflict Detection. In: 2010 International Conference on Information Science and Applications (ICISA), pp 1–7, 21–23 April 2010. doi:10.1109/ICISA.2010.5480349
Li N (2011) Discretionary Access Control. Encyclopedia of Cryptography and Security, Springer, US, pp 353–356, January 2011. doi:10.1007/978-1-4419-5906-5_798
Ray I, Kumar M, Yu L (2006) LRBAC: A Location-Aware Role-Based Access Control Model. In: Bagchi A, Atluri V (eds) Information Systems Security. Lecture Notes in Computer Science, vol 4332. Springer, Berlin, pp 147–161. doi:10.1007/11961635_10
Sandhu R, Ferraiolo D, Kuhn R (2000) The NIST Model for Role-Based Access Control: Towards A Unified Standard. http://csrc.nist.gov/rbac/sandhu-ferraiolo-kuhn-00 (Access date: 11 Jannuary 2015)
Schneider FB (2014) Least Privilege and More. Available in http://www.cs.cornell.edu/fbs/publications/leastPrivNeedham (Access date: 14 February 2014)
Shen H, Hong F (2006) An Attribute-Based Access Control Model for Web Services. In: Seventh International Conference on Parallel and Distributed Computing, Applications and Technologies, 2006. PDCAT ’06, Dec. 2006, pp 74–79. doi:10.1109/PDCAT.2006.28
Sicuranza M, Esposito A, Ciampi M (2014a) A patient privacy centric access control model for EHR systems. Int J Internet Technol Secur Trans 5:163–189 (Inderscience Publishers)
Sicuranza M, Esposito A, Ciampi M (2014b) A View-Based Acces Control Model for EHR Systems. In: (2014), Intelligent Distributed Computing VIII on Springer International Publishing. doi:10.1007/978-3-319-10422-5_46
Yang N, Barringer H, Zhang N (2007) A Purpose-Based Access Control Model. In: Third International Symposium on Information Assurance and Security, 2007. IAS 2007, pp 143–148, 29–31 Aug. 2007. doi:10.1109/IAS.2007.29
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Sicuranza, M., Esposito, A. & Ciampi, M. An access control model to minimize the data exchange in the information retrieval. J Ambient Intell Human Comput 6, 741–752 (2015). https://doi.org/10.1007/s12652-015-0275-x
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12652-015-0275-x