Unwanted RBAC Functions Over Health Information System (HIS)

  • Marcelo Antonio de Carvalho Junior (corresponding author)
  • Paulo Bandiera-Paiva
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 918)


Objective: This article describes functions that exist in the role-based access-control (RBAC) standard but are unwanted when the standard is applied to Health Information Systems (HIS), judged from the point of view of overall accountability, and highlights the potential for information security policy violations. Methods: The RBAC standard is studied and its functions are mapped to use-case scenarios. Results: The administrative RBAC Core commands are redesigned to meet the need for continuous accountability of HIS users. The issues with the current functions, the proposed adaptation and its consequences inside RBAC are discussed.
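The accountability problem the abstract refers to can be seen with one of the standard's own administrative commands. The example below is added for this page and is not the authors' code; the abstract does not say which Core commands the paper redesigns or how, so the choice of DeleteUser as the problematic command, the deactivate-instead-of-erase alternative and the assignment history kept alongside it are assumptions made here for illustration. The command names (AddUser, DeleteUser, AddRole, AssignUser, DeassignUser) are the ones defined in INCITS 359.

```python
"""Added example: INCITS 359 core RBAC administrative commands implemented
two ways, to show how the standard DeleteUser breaks audit accountability.

CoreRBAC follows the standard literally: DeleteUser erases the user and every
user-role assignment (UA), so audit entries that name the user can no longer be
resolved to a person. AccountableRBAC is an assumed alternative (not the paper's
redesign): the user is deactivated, not erased, and UA changes are kept as a
history so that "which role did this user hold when the entry was written" can
still be answered. The sequence counter stands in for a timestamp.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class User:
    user_id: str
    display_name: str
    active: bool = True


@dataclass
class AuditEntry:
    seq: int           # monotonic counter standing in for a timestamp
    user_id: str
    role: str
    operation: str


class CoreRBAC:
    """Core RBAC as specified: DeleteUser removes the user and all of its UA pairs."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.roles: Set[str] = set()
        self.ua: Set[Tuple[str, str]] = set()
        self.audit: List[AuditEntry] = []
        self._seq = 0

    # --- administrative commands (INCITS 359 names) ---
    def add_user(self, user_id: str, display_name: str) -> None:
        self.users[user_id] = User(user_id, display_name)

    def delete_user(self, user_id: str) -> None:
        del self.users[user_id]
        self.ua = {pair for pair in self.ua if pair[0] != user_id}

    def add_role(self, role: str) -> None:
        self.roles.add(role)

    def assign_user(self, user_id: str, role: str) -> None:
        if user_id not in self.users or role not in self.roles:
            raise KeyError("unknown user or role")
        self.ua.add((user_id, role))

    def deassign_user(self, user_id: str, role: str) -> None:
        self.ua.discard((user_id, role))

    # --- run-time side: what the HIS records about user operations ---
    def log_operation(self, user_id: str, role: str, operation: str) -> AuditEntry:
        """Record an operation performed under a currently assigned role."""
        if (user_id, role) not in self.ua:
            raise PermissionError(f"{user_id} does not hold role {role}")
        self._seq += 1
        entry = AuditEntry(self._seq, user_id, role, operation)
        self.audit.append(entry)
        return entry

    def attribute(self, entry: AuditEntry) -> Optional[str]:
        """Resolve an audit entry to a person; None once the identity is gone."""
        user = self.users.get(entry.user_id)
        return user.display_name if user else None

    def unattributable(self) -> List[AuditEntry]:
        return [e for e in self.audit if self.attribute(e) is None]


class AccountableRBAC(CoreRBAC):
    """Assumed variant: identities are deactivated, UA changes are kept as history."""

    def __init__(self) -> None:
        super().__init__()
        # (user_id, role, start_seq, end_seq or None while still assigned)
        self.ua_history: List[Tuple[str, str, int, Optional[int]]] = []

    def assign_user(self, user_id: str, role: str) -> None:
        super().assign_user(user_id, role)
        self._seq += 1
        self.ua_history.append((user_id, role, self._seq, None))

    def deassign_user(self, user_id: str, role: str) -> None:
        super().deassign_user(user_id, role)
        self._seq += 1
        self.ua_history = [
            (u, r, s, self._seq if (u, r) == (user_id, role) and e is None else e)
            for (u, r, s, e) in self.ua_history
        ]

    def delete_user(self, user_id: str) -> None:
        # Deactivate and close open assignments; the identity stays resolvable.
        self.users[user_id].active = False
        for (_, role) in [pair for pair in self.ua if pair[0] == user_id]:
            self.deassign_user(user_id, role)

    def roles_held_at(self, user_id: str, seq: int) -> Set[str]:
        """Roles the user held when audit sequence number `seq` was written."""
        return {r for (u, r, s, e) in self.ua_history
                if u == user_id and s <= seq and (e is None or seq < e)}


def run_scenario(model_cls):
    """Constructed scenario: a physician reads a chart, then is deleted."""
    model = model_cls()
    model.add_role("physician")
    model.add_user("u1", "Dr. Silva")
    model.assign_user("u1", "physician")
    model.log_operation("u1", "physician", "read chart 42")
    model.delete_user("u1")
    return model
```

Running `run_scenario(CoreRBAC)` leaves one audit entry that no longer resolves to anyone; `run_scenario(AccountableRBAC)` keeps the entry attributable, blocks further operations by the deactivated user, and can still report that "u1" held "physician" when the entry was written.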


Information systems (L01.700.508.300); Information security; Access-control (N04.452.758.849.350); Standards (E05.978.808); RBAC; Privacy (SP9.130.010.010)



We thank CAPES and its partnership with the Federal University of São Paulo (Unifesp) for sponsoring this project.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Marcelo Antonio de Carvalho Junior (corresponding author), Health Informatics Department, Federal University of São Paulo, São Paulo, Brazil
  • Paulo Bandiera-Paiva, Health Informatics Department, Federal University of São Paulo, São Paulo, Brazil
