DOI: 10.1145/1456508.1456511

Personalized access control for a personally controlled health record

Published: 31 October 2008

Abstract

Access control is a key feature of healthcare systems. Up until recently, most healthcare information systems have been local to a healthcare facility and accessible only to clinicians. Currently, there is a move towards making health information more accessible to patients. One example is the Personally Controlled Health Record (PCHR), where the patient is in charge of deciding who gets access to the information. In the PCHR, the patient is the administrator of access control. While it certainly is possible to create roles representing people most patients would want to share with, such as a primary physician, it is also likely, and desirable, to afford patients a high level of control and the freedom to create specialized access policies tailored to their personal wishes. We call this personalized access control. In this paper we present a semi-formal model for how we believe personalized access control may be realized. The model draws on and combines properties and concepts of both Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) to achieve the desired properties. Throughout the paper we use the PCHR as a motivating example to explain our reasoning and the practical use of the model.

Published In

CSAW '08: Proceedings of the 2nd ACM workshop on Computer security architectures
October 2008
72 pages
ISBN: 9781605583006
DOI: 10.1145/1456508

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tag

1. access control

Qualifiers

• Research-article

Conference

CCS08

Cited By

  • (2024) Secure Digital Rights Management in Gamified Personal Health Promotion Applications Using Attribute-Based Encryption. Electronics 13:24 (4909). DOI: 10.3390/electronics13244909. Online publication date: 12-Dec-2024
  • (2024) Permissioned blockchain network for proactive access control to electronic health records. BMC Medical Informatics and Decision Making 24:1. DOI: 10.1186/s12911-024-02708-8. Online publication date: 15-Oct-2024
  • (2024) Dynamic and Personalized Access Control to Electronic Health Records. Advances in Artificial Intelligence-Empowered Decision Support Systems (129-153). DOI: 10.1007/978-3-031-62316-5_5. Online publication date: 28-Jun-2024
  • (2022) Context-Based, Predictive Access Control to Electronic Health Records. Electronics 11:19 (3040). DOI: 10.3390/electronics11193040. Online publication date: 24-Sep-2022
  • (2018) MediChain™: A Secure Decentralized Medical Data Asset Management System. 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) (1533-1538). DOI: 10.1109/Cybermatics_2018.2018.00258. Online publication date: Jul-2018
  • (2016) Anonymous Role-Based Access Control on E-Health Records. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security (559-570). DOI: 10.1145/2897845.2897871. Online publication date: 30-May-2016
  • (2016) Access control and privilege management in electronic health record. Journal of Medical Systems 40:12 (1-9). DOI: 10.1007/s10916-016-0589-z. Online publication date: 1-Dec-2016
  • (2016) Reputation based Access Control in Social Networks for Persona Management. Advances on Broad-Band Wireless Computing, Communication and Applications (209-214). DOI: 10.1007/978-3-319-49106-6_19. Online publication date: 22-Oct-2016
  • (2015) Auditing and Revocation Enabled Role-Based Access Control over Outsourced Private EHRs. Proceedings of the 2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conf on Embedded Software and Systems (336-341). DOI: 10.1109/HPCC-CSS-ICESS.2015.10. Online publication date: 24-Aug-2015
  • (2014) Ontology-Driven Authorization Policies on Personal Health Records for Sustainable Citizen-Centered Healthcare. Concepts and Trends in Healthcare Information Systems (43-60). DOI: 10.1007/978-3-319-06844-2_4. Online publication date: 26-Sep-2014
