Abstract
The Internet has proved the enormous benefits that can be accrued to all players involved in online services. However, it has also clearly demonstrated the risks involved in exposing personal data to the outside world and constitutes at the same time a teeming breeding ground of innovation for highly flexible security solutions that can minimize these risks. It is now widely believed that the benefits of online services to healthcare in general supplant the risks involved, provided adequate security measures are taken and the role played by all the parties involved, be they physicians, nurses or patients are clearly outlined. Due to the highly sensitive nature of the data held on the Electronic Health Record (EHR), it is commonly agreed that providing online access to patients EHR to the outside world carries an unacceptable level of risk not only to the patients but also to the healthcare institution that plays a custodian to that sensitive data. However, by sharing these risks with the patients, healthcare institutions can start to equate the possibility of providing controlled exterior online access to patients EHR. The mobile phone is nowadays the preferred mean by which people can interact with each other at a distance. Not only that, the smartphone constitutes the full embodiment of the truly personal device users carry constantly with them, everywhere. They are therefore the ideal means by which the user can casually and conveniently interact with information systems. In this paper we propose a discretionary online access rights management mechanism based on the Role Based Access Control (RBAC) model that takes advantage on the personal/technical characteristics and data communications capabilities of the smartphone in order to provide patients with the means by which they can conveniently exercise safe discretionary online access permissions to their own EHR.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Ebadollahi, S., Coden, A.R., Tanenblatt, M.A., Chang, S.-F., Syeda-Mahmood, T., Amir, A.: Concept-based electronic health records: opportunities and challenges. In: Proceedings of the 14th Annual ACM International Conference on Multimedia, MULTIMEDIA 2006, pp. 997–1006. ACM, New York (2006)
Council of Europe. Protection of medical data - recommendation no r (97) 5 (1997)
U.S. Department of Health & Human Services. Health insurance portability and accountability act (1996)
Pereira, C., Oliveira, C., Vilaa, C., Ferreira, A.: Protection of clinical data - comparison of european with american legislation and respective technological applicability. In: HEALTHINF 2011, pp. 567–570 (2011)
Republica Portuguesa. Lei acesso aos documentos da administraçao 46/2007 (2007)
NHS choices. How do i access my medical records (health records)?, 15/09/2010 (2012)
Santos-Pereira, C., Antunes, L., Cruz-Correia, R., Ferreira, A.: One way to patient empowerment - a proposal for an authorization model. In: Proceedings of the HealthInf 2012 - International Conference on Health Informatics, pp. 249–255 (2012)
Hyrinen, K., Saranto, K., Nyknen, P.: Definition, structure, content, use and impacts of electronic health records: A review of the research literature. International Journal of Medical Informatics 77(5), 291–304 (2008)
Peleg, M., Beimel, D., Dori, D., Denekamp, Y.: Situation-based access control: Privacy management via modeling of patient data access scenarios. J. of Biomedical Informatics 41(6), 1028–1040 (2008)
Dept. of Health & HS. The office of the national coordinator for health information technology (2011)
Kroll Fraud Solutions. Healthcare information and management systems society (himss) analytics report: Security of patient data. Technical report, Kroll Fraud Solutions (2008)
Watts, J., Yu, H., Yuan, X.: Case study: Using smart cards with pki to implement data access control for health information systems. In: IEEE Southeastcon 2010: Energizing Our Future, pp. 163–167 (2010)
ISO/TS 22600-2. Health informatics - privilege management and access control (2006)
Kuhn, R., Ferraiolo, D., Sandhu, R.: The nist model for role-based access control: towards a unified standard. In: Proceedings of the Fifth ACM Workshop on Role-Based Access Control, pp. 47–63 (2000)
CEN/ISO EN 13606-4. Health informatics - electronic health record communication - security (2009)
Joshi, J.B.D., Bertino, E., Ghafoor, A.: Temporal hierarchies and inheritance semantics for gtrbac. In: Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, SACMAT 2002, pp. 74–83. ACM, New York (2002)
Ferreira, A., Chadwick, D., Farinha, P., Correia, R., Zao, G., Chilro, R., Antunes, L.: How to securely break into rbac: The btg-rbac model. In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC 2009, pp. 23–31. IEEE Computer Society, Washington, DC (2009)
Tacconi, C., Mellone, S., Chiari, L.: Smartphone-based applications for investigating falls and mobility. In: Proceedings of the International Conference on PervasiveHealth and Workshops 2011, pp. 258–261 (2011)
Augusto, A.B., Correia, M.E.: OFELIA – A Secure Mobile Attribute Aggregation Infrastructure for User-Centric Identity Management. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 61–74. Springer, Heidelberg (2012)
Huang, H.-C., Chang, F.-C., Fang, W.-C.: Reversible data hiding with histogram-based difference expansion for qr code applications. IEEE Transactions on Consumer Electronics 57(2), 779–787 (2011)
Saint-Andre, P., Kevin Smith, A., Remko Tronon, A.: XMPP: The Definitive Guide Building Real-Time Applications with Jabber Technologies. O’Reilly Media, Inc. (2009)
Saint-Andre, P.: Xmpp: Core. RFC 3920, IETF (2004)
Paterson, I.: Xep-0206: Xmpp over bosh, http://bit.ly/xep0206 (verified on February 14, 2012)
Augusto, A.B., Correia, M.E.: An xmpp messaging infrastructure for a mobile held security identity wallet of personal and private dynamic identity attributes. In: Proceedings of the XATA 2011 XML: Aplicações e Tecnologias Associadas (2011)
Poitner, M.: G&D Secure Flash Solutions. Mobile security card, http://tinyurl.com/SDMSC (verified on February 14, 2012)
Maia, L., Correia, M.E.: Java jca/jce programming in android with sd smart cards. In: 7a Conferencía Ibérica de Sistemas y Tecnologías de Informacións (CISTI 2012), Madrid/ Spain (2012)
Bakar, A., Ahmad, A.R., Ismail, R., Manan, J.-L.A.: Trust formation based on subjective logic and pgp web-of-trust for information sharing in mobile ad hoc networks. In: SocialCom 2010, pp. 1004–1009 (2010)
Santos, R., Correia, M.E., Antunes, L.: Use of a government issued digital identification card to secure interoperable health information systems. In: The 42nd International Carnahan Conference on Security Technology, ICCST 2008, pp. 1004–1009 (2008)
Eastlake, D.: Randomness recommendations for security, http://j.mp/rrsrfc (verified on February 14, 2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Santos-Pereira, C., Augusto, A.B., Correia, M.E., Ferreira, A., Cruz-Correia, R. (2012). A Mobile Based Authorization Mechanism for Patient Managed Role Based Access Control. In: Böhm, C., Khuri, S., Lhotská, L., Renda, M.E. (eds) Information Technology in Bio- and Medical Informatics. ITBAM 2012. Lecture Notes in Computer Science, vol 7451. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32395-9_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-32395-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32394-2
Online ISBN: 978-3-642-32395-9
eBook Packages: Computer ScienceComputer Science (R0)