An Access Control Model to Facilitate Healthcare Information Access in Context of Team Collaboration

The delivery of healthcare relies on the sharing of patients information among a group of healthcare professionals (so-called multidisciplinary teams (MDTs)). At present, electronic health records (EHRs) are widely utilized system to create, manage and share patient healthcare information among MDTs. While it is necessary to provide healthcare professionals with privileges to access patient health information, providing too many privileges may backfire when healthcare professionals accidentally or intentionally abuse their privileges. Hence, finding a middle ground, where the necessary privileges are provided and malicious usage are avoided, is necessary. This thesis highlights the access control matters in collaborative healthcare domain. Focus is mainly on the collaborative activities that are best accomplished by organized MDTs within or among healthcare organizations with an objective of accomplishing a specific task (patient treatment). Initially, we investigate the importance and challenges of effective MDTs treatment, the sharing of patient healthcare records in healthcare delivery, patient data confidentiality and the need for flexible access of the MDTs corresponding to the requirements to fulfill their duties. Also, we discuss access control requirements in the collaborative environment with respect to EHRs and usage scenario of MDTs collaboration. Additionally, we provide summary of existing access control models along with their pros and cons pertaining to collaborative health systems. Second, we present a detailed description of the proposed access control model. In this model, the MDTs is classified based on Belbin’s team role theory to ensure that privileges are provided to the actual needs of healthcare professionals and to guarantee confidentiality as well as protect the privacy of sensitive patient information. Finally, evaluation indicates that our access control model has a number of advantages including flexibility in terms of permission management, since roles and team roles can be updated without updating privilege for every user. Moreover, the level of fine-grained control of access to patient EHRs that can be authorized to healthcare providers is managed and controlled based on the job required to meet the minimum necessary standard and need-to-know principle. Additionally, the model does not add significant administrative and performance overhead.publishedVersio

A Formal Approach for Risk Assessment in RBAC Systems

Risk assessment and access control are important issues in cloud computing. In this paper, we propose a formal approach to risk assessment for RBAC Systems, in which access control decisions are taken after consideration of risk assessment. The risk assessment method considers partial orderings on objects and actions, which allow us to effectively capture the notions of importance of objects and criticality of actions and then to determine the risk of assigning a specific role to a specific user. We in particular consider the cases of permission assignment and delegation assignment