Skip to main content
SpringerLink
Log in

A Mobile Based Authorization Mechanism for Patient Managed Role Based Access Control

  • Conference paper
Information Technology in Bio- and Medical Informatics (ITBAM 2012)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 7451))

Abstract

The Internet has proved the enormous benefits that can be accrued to all players involved in online services. However, it has also clearly demonstrated the risks involved in exposing personal data to the outside world and constitutes at the same time a teeming breeding ground of innovation for highly flexible security solutions that can minimize these risks. It is now widely believed that the benefits of online services to healthcare in general supplant the risks involved, provided adequate security measures are taken and the role played by all the parties involved, be they physicians, nurses or patients are clearly outlined. Due to the highly sensitive nature of the data held on the Electronic Health Record (EHR), it is commonly agreed that providing online access to patients EHR to the outside world carries an unacceptable level of risk not only to the patients but also to the healthcare institution that plays a custodian to that sensitive data. However, by sharing these risks with the patients, healthcare institutions can start to equate the possibility of providing controlled exterior online access to patients EHR. The mobile phone is nowadays the preferred mean by which people can interact with each other at a distance. Not only that, the smartphone constitutes the full embodiment of the truly personal device users carry constantly with them, everywhere. They are therefore the ideal means by which the user can casually and conveniently interact with information systems. In this paper we propose a discretionary online access rights management mechanism based on the Role Based Access Control (RBAC) model that takes advantage on the personal/technical characteristics and data communications capabilities of the smartphone in order to provide patients with the means by which they can conveniently exercise safe discretionary online access permissions to their own EHR.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 49.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Ebadollahi, S., Coden, A.R., Tanenblatt, M.A., Chang, S.-F., Syeda-Mahmood, T., Amir, A.: Concept-based electronic health records: opportunities and challenges. In: Proceedings of the 14th Annual ACM International Conference on Multimedia, MULTIMEDIA 2006, pp. 997–1006. ACM, New York (2006)

    Chapter  Google Scholar 

  2. Council of Europe. Protection of medical data - recommendation no r (97) 5 (1997)

    Google Scholar 

  3. U.S. Department of Health & Human Services. Health insurance portability and accountability act (1996)

    Google Scholar 

  4. Pereira, C., Oliveira, C., Vilaa, C., Ferreira, A.: Protection of clinical data - comparison of european with american legislation and respective technological applicability. In: HEALTHINF 2011, pp. 567–570 (2011)

    Google Scholar 

  5. Republica Portuguesa. Lei acesso aos documentos da administraçao 46/2007 (2007)

    Google Scholar 

  6. NHS choices. How do i access my medical records (health records)?, 15/09/2010 (2012)

    Google Scholar 

  7. Santos-Pereira, C., Antunes, L., Cruz-Correia, R., Ferreira, A.: One way to patient empowerment - a proposal for an authorization model. In: Proceedings of the HealthInf 2012 - International Conference on Health Informatics, pp. 249–255 (2012)

    Google Scholar 

  8. Hyrinen, K., Saranto, K., Nyknen, P.: Definition, structure, content, use and impacts of electronic health records: A review of the research literature. International Journal of Medical Informatics 77(5), 291–304 (2008)

    Article  Google Scholar 

  9. Peleg, M., Beimel, D., Dori, D., Denekamp, Y.: Situation-based access control: Privacy management via modeling of patient data access scenarios. J. of Biomedical Informatics 41(6), 1028–1040 (2008)

    Article  Google Scholar 

  10. Dept. of Health & HS. The office of the national coordinator for health information technology (2011)

    Google Scholar 

  11. Kroll Fraud Solutions. Healthcare information and management systems society (himss) analytics report: Security of patient data. Technical report, Kroll Fraud Solutions (2008)

    Google Scholar 

  12. Watts, J., Yu, H., Yuan, X.: Case study: Using smart cards with pki to implement data access control for health information systems. In: IEEE Southeastcon 2010: Energizing Our Future, pp. 163–167 (2010)

    Google Scholar 

  13. ISO/TS 22600-2. Health informatics - privilege management and access control (2006)

    Google Scholar 

  14. Kuhn, R., Ferraiolo, D., Sandhu, R.: The nist model for role-based access control: towards a unified standard. In: Proceedings of the Fifth ACM Workshop on Role-Based Access Control, pp. 47–63 (2000)

    Google Scholar 

  15. CEN/ISO EN 13606-4. Health informatics - electronic health record communication - security (2009)

    Google Scholar 

  16. Joshi, J.B.D., Bertino, E., Ghafoor, A.: Temporal hierarchies and inheritance semantics for gtrbac. In: Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, SACMAT 2002, pp. 74–83. ACM, New York (2002)

    Chapter  Google Scholar 

  17. Ferreira, A., Chadwick, D., Farinha, P., Correia, R., Zao, G., Chilro, R., Antunes, L.: How to securely break into rbac: The btg-rbac model. In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC 2009, pp. 23–31. IEEE Computer Society, Washington, DC (2009)

    Google Scholar 

  18. Tacconi, C., Mellone, S., Chiari, L.: Smartphone-based applications for investigating falls and mobility. In: Proceedings of the International Conference on PervasiveHealth and Workshops 2011, pp. 258–261 (2011)

    Google Scholar 

  19. Augusto, A.B., Correia, M.E.: OFELIA – A Secure Mobile Attribute Aggregation Infrastructure for User-Centric Identity Management. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 61–74. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  20. Huang, H.-C., Chang, F.-C., Fang, W.-C.: Reversible data hiding with histogram-based difference expansion for qr code applications. IEEE Transactions on Consumer Electronics 57(2), 779–787 (2011)

    Article  Google Scholar 

  21. Saint-Andre, P., Kevin Smith, A., Remko Tronon, A.: XMPP: The Definitive Guide Building Real-Time Applications with Jabber Technologies. O’Reilly Media, Inc. (2009)

    Google Scholar 

  22. Saint-Andre, P.: Xmpp: Core. RFC 3920, IETF (2004)

    Google Scholar 

  23. Paterson, I.: Xep-0206: Xmpp over bosh, http://bit.ly/xep0206 (verified on February 14, 2012)

  24. Augusto, A.B., Correia, M.E.: An xmpp messaging infrastructure for a mobile held security identity wallet of personal and private dynamic identity attributes. In: Proceedings of the XATA 2011 XML: Aplicações e Tecnologias Associadas (2011)

    Google Scholar 

  25. Poitner, M.: G&D Secure Flash Solutions. Mobile security card, http://tinyurl.com/SDMSC (verified on February 14, 2012)

  26. Maia, L., Correia, M.E.: Java jca/jce programming in android with sd smart cards. In: 7a Conferencía Ibérica de Sistemas y Tecnologías de Informacións (CISTI 2012), Madrid/ Spain (2012)

    Google Scholar 

  27. Bakar, A., Ahmad, A.R., Ismail, R., Manan, J.-L.A.: Trust formation based on subjective logic and pgp web-of-trust for information sharing in mobile ad hoc networks. In: SocialCom 2010, pp. 1004–1009 (2010)

    Google Scholar 

  28. Santos, R., Correia, M.E., Antunes, L.: Use of a government issued digital identification card to secure interoperable health information systems. In: The 42nd International Carnahan Conference on Security Technology, ICCST 2008, pp. 1004–1009 (2008)

    Google Scholar 

  29. Eastlake, D.: Randomness recommendations for security, http://j.mp/rrsrfc (verified on February 14, 2012)

Download references

Author information

Authors and Affiliations

  1. Center for Research in Health Technologies and Information Systems (CINTESIS), Faculty of Medicine of University of Porto (FMUP), Portugal

    Cátia Santos-Pereira, Ana Ferreira & Ricardo Cruz-Correia

  2. Center for Research in Advanced Computing Systems (CRACS), Department of Computer Science, Faculty of Science of University of Porto, Portugal

    Alexandre B. Augusto & Manuel E. Correia

  3. Department of Health Information and Decision Sciences (CIDES), FMUP, Portugal

    Manuel E. Correia

  4. Informatics Centre, FMUP, Portugal

    Ana Ferreira

Authors
  1. Cátia Santos-Pereira
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Alexandre B. Augusto
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Manuel E. Correia
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ana Ferreira
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Ricardo Cruz-Correia
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Ludwig-Maximilians-University, Oettingenstraße 67, 80538, München, Germany

    Christian Böhm

  2. Department of Computer Science, San Jose State University, One Washington Square, 95192-0249, San Jose, CA, USA

    Sami Khuri

  3. Faculty of Electrical Engineering, Department of Cybernetics, Czech Technical University, Technicka 2, 166 27, Prague 6, Czech Republic

    Lenka Lhotská

  4. Istituto di Informatica e Telematica del CNR, Via G. Moruzzi 1, 56124, Pisa, Italy

    M. Elena Renda

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Santos-Pereira, C., Augusto, A.B., Correia, M.E., Ferreira, A., Cruz-Correia, R. (2012). A Mobile Based Authorization Mechanism for Patient Managed Role Based Access Control. In: Böhm, C., Khuri, S., Lhotská, L., Renda, M.E. (eds) Information Technology in Bio- and Medical Informatics. ITBAM 2012. Lecture Notes in Computer Science, vol 7451. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32395-9_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-32395-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32394-2

  • Online ISBN: 978-3-642-32395-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation