Abstract
This paper examines the access control requirements of distributed health care information networks. Since the electronic sharing of an individual’s personal health information requires their informed consent, health care information networks need an access control framework that can capture and enforce individual access policies tailored to the specific circumstances of each consumer. Role Based Access Control (RBAC) is examined as a candidate access control framework. While it is well suited to the task in many regards, we identify a number of shortcomings, particularly in the range of access policy expression types that it can support. For efficiency and comprehensibility, access policies that grant access to a broad range of entities whilst explicitly denying it to subgroups of those entities need to be supported in health information networks. We argue that RBAC does not support policies of this type with sufficient flexibility and propose a novel adaptation of RBAC principles to address this shortcoming. We also describe a prototype distributed medical information system that embodies the improved RBAC model.
This research was funded and supported by the Commonwealth of Australia — Department of Health and Ageing.
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Reid, J., Cheong, I., Henricksen, M., Smit, J. (2003). A Novel Use of RBAC to Protect Privacy in Distributed Health Care Information Systems. In: Safavi-Naini, R., Seberry, J. (eds) Information Security and Privacy. ACISP 2003. Lecture Notes in Computer Science, vol 2727. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45067-X_35
DOI: https://doi.org/10.1007/3-540-45067-X_35
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40515-3
Online ISBN: 978-3-540-45067-2
eBook Packages: Springer Book Archive