Journal of Medical Systems

, 37:9974 | Cite as

The Secure Authorization Model for Healthcare Information System

  • Wen-Shin Hsu
  • Jiann-I Pan
Original Paper


Exploring healthcare system for assisting medical services or transmitting patients’ personal health information in web application has been widely investigated. Information and communication technologies have been applied to the medical services and healthcare area for a number of years to resolve problems in medical management. In the healthcare system, not all users are allowed to access all the information. Several authorization models for restricting users to access specific information at specific permissions have been proposed. However, as the number of users and the amount of information grows, the difficulties for administrating user authorization will increase. The critical problem limits the widespread usage of the healthcare system. This paper proposes an approach for role-based and extends it to deal with the information for authorizations in the healthcare system. We propose the role-based authorization model which supports authorizations for different kinds of objects, and a new authorization domain. Based on this model, we discuss the issues and requirements of security in the healthcare systems. The security issues for services shared between different healthcare industries will also be discussed.


Healthcare Health information systems Privacy Security Role-based 



This project was supported by the National Science Council of Taiwan (Grant No: NSC99-2221-E-320-005).


  1. 1.
    Haux, R., Health information systems - past, present, future. Int. J. Med. Inform. 75:268–281, 2006.CrossRefGoogle Scholar
  2. 2.
    Shaikh, A., Memon, M., Misbahuddin, M., and Memon, N., The role of service oriented architecture in telemedicine healthcare system. Presented at the Complex, Intelligent and Software Intensive Systems, IEEE, 2009.Google Scholar
  3. 3.
    HIMSS, definition of an electronic health record,
  4. 4.
    Katehakis, D. G., Sfakianakis, S. G., Kavlentakis, G., Anthoulakis, D. N., and Tsiknakis, M., Delivering a lifelong integrated electronic health record based on a service oriented architecture. IEEE Trans. Inf. Technol. Biomed. 11(6):639–650, 2007.CrossRefGoogle Scholar
  5. 5.
    Anderson R. J., Security in clinical information systems. London: British Medical Association; 1996.Google Scholar
  6. 6.
    Sandhu, R., Coyne, E. J., Feinstein, H. L., and Youman, C. E., Role based access control models. IEEE Comput. 29(2):38–48, 1996.CrossRefGoogle Scholar
  7. 7.
    Bertino, E., Bonatti, P. A., and Ferrari, E., TRBAC: a temporal role-based access control model. ACM Trans. Inf. Syst. Secur. 4(3):191–233, 2001.Google Scholar
  8. 8.
    Ferraiolo, D., Cugini, J., and Kuhn, D. R., Role based access control: features and motivations. 11th Annual Computer Security Applications Proceedings, IEEE Computer Society Press, 1995.Google Scholar
  9. 9.
    Zhang, L., Ahn, G. J., and Chu, B. T., A role-based delegation framework for healthcare information systems. Seventh ACM Symposium on Access Control Models and Technologies, Monterey, pp. 125–134, 2002.Google Scholar
  10. 10.
    Han, R. F., and Wang, H. X., Research of task-role-based access control model. Comput. Eng. Des. 28(4):800–802, 2007.MathSciNetGoogle Scholar
  11. 11.
    Tari, Z., and Chan, S. W., A role-based access control for intranet security. IEEE Internet Comput., 1(5):24–34, 1997.Google Scholar
  12. 12.
    Evered, M., and Bogeholz, S., A case study in access control requirements for a health information system, ACSW Frontiers '04 Proceedings of the second workshop on Australasian information security, Data Mining and Web Intelligence, and Software Internationalisation - Volume 32 pp. 53–61.Google Scholar
  13. 13.
    Meingast, M., Roosta, T., and Sastry, S., Security and privacy issues with health care information technology. Proceedings of the 28th IEEE EMBS Annual International Conference, New York City, USA, Aug 30–Sept 3, pp.5453–5458, 2006.Google Scholar
  14. 14.
    Martino, L. D., Ni, Q., Lin, D., and Bertino, E., Multi-domain and Privacy-aware Role Based Access Control in eHealth. Proceedings of 2nd International Conference on Pervasive Computing Technologies for Healthcare, pp.131–134, 2008.Google Scholar
  15. 15.
    Li, W., and Hoang, D., A New Security Scheme for E-health System. Proceedings of CTS ’09 Proceedings of the 2009 International Symposium on Collaborative Technologies and Systems, pp.361–366, 2009.Google Scholar
  16. 16.
    Hai-bo, S., and Fan, H., An Attribute-Based Access Control Model for Web Services. In the Seventh International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT’06), pp. 74–79, 2006.Google Scholar
  17. 17.
    Qing-hai, B., and Ying, Z., Study on the access control model in information security. Presented at the Cross Strait Quad-Regional Radio Science and Wireless Technology Conference (CSQRWC), 2011.Google Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.Institute of Medical ScienceTzu Chi UniversityHualienRepublic of China
  2. 2.Department of Medical InformaticsTzu Chi UniversityHualienRepublic of China

Personalised recommendations