Abstract
Access control is one of the key features of any health care organization. Without a strong access control mechanism, there is a risk of inappropriate use of personal health information. Here we focus on Personalized Access Control (PAC) [1] where the patient decides who can access his/her health record. We enhance the PAC model of [1] by proposing a prototypical framework, which incorporates a workflow into the PAC model to express the context of health care processes, and by providing a mechanism to capture a patient’s consent to enforce the PAC policy. We enforce the “need to know” principle by associating roles with each task in a workflow and handle problems with delegation. We present a case study outlining the present working procedures of the Seniors’ Wellness Program in our local health authority, using NOVA Workflow for workflow modeling and Ponder2 for representing and enforcing policy.
References
Rostad, L., Nytro, O.: Personalized access control for a personally controlled health record. In: CSAW 2008: Proceedings of the 2nd ACM Workshop on Computer Security Architectures, pp. 9–16. ACM, New York (2008)
Rostad, L.: Access control in healthcare applications. In: NOKOBIT 2005, pp. 241–253 (2005)
Jacobsson, A.: Privacy and Security in Internet-Based Information Systems. PhD thesis, Blekinge Institute of Technology (2008)
Ferreira, A., Chadwick, D., Antunes, L.: Modelling access control for healthcare information systems. In: Doctoral Consortium at the 9th International Conference on Enterprise Information Systems, ICEIS (2007)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role based access control models. IEEE Computer 29(2), 38–47 (1996)
Russello, G., Dong, C., Dulay, N.: Consent-based workflows for healthcare management. In: Proceedings of the 2008 IEEE Workshop on Policies for Distributed Systems and Networks, pp. 153–161. IEEE Computer Society, Washington, DC, USA (2008)
Atluri, V., Huang, W.: An Authorization Model for Workflows. In: Martella, G., Kurth, H., Montolivo, E., Hwang, J. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 44–64. Springer, Heidelberg (1996)
Rabbi, F.: Design, development and verification of a compensable workflow modeling language. M.Sc., St. Francis Xavier University (expected 2011) Preliminary version, http://logic.stfx.ca/~software/DDVCWML.pdf
Twidle, K., Lupu, E., Dulay, N., Sloman, M.: Ponder2 - a policy environment for autonomous pervasive systems. In: POLICY 2008: Proceedings of the 2008 IEEE Workshop on Policies for Distributed Systems and Networks, pp. 245–246. IEEE Computer Society, Washington, DC, USA (2008)
Wei, D.: Privacy protection reference model for shared electronic health record, M.Sc. Thesis, Dalhousie University (2005)
Personal Information Protection and Electronic Documents Act, C.I.O.H.R.C, http://www.cihi.ca/CIHI-ext-portal/pdf/internet/protection_qa_EN (last accessed March 2011)
Knorr, K.: Dynamic access control through petrinet workflows. In: Proceedings of the 16th Annual Computer Security Applications Conference, pp. 159–167. IEEE Computer Society, New Orleans (2000)
Russello, G., Dong, C., Dulay, N.: A workflow-based access control framework for e-health applications. In: International Conference on Advanced Information Networking and Applications Workshops, pp. 111–120. IEEE Computer Society, Los Alamitos (2008)
Samiha, A., Cuppens-Boulahia, N., Cuppens, F.: Deploying access control in distributed workflow. In: Proceedings of the Sixth Australasian Conference on Information Security, AISC 2008, vol. 81, pp. 9–17. Australian Computer Society, Inc., Darlinghurst (2008)
Fernández-Medina, E., Trujillo, J., Villarroel, R., Piattini, M.: Access control and audit model for the multidimensional modeling of data warehouses. Decision Support Systems 42, 1270–1289 (2006)
(Consent), H.C., 181, C.F.A.A.R.C., http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/00_96181_01 (last accessed March 2011)
Ferreira, A., Chadwick, D., Farinha, P., Correia, R.C., Zhao, G., Chilro, R., Antunes, L.: How to securely break into RBAC: The BTG-RBAC model. In: Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC), pp. 23–31. ACM press (2009)
Lymberopoulos, L., Lupu, E., Sloman, M.: Ponder policy implementation and validation in a cim and differentiated services framework. In: Proceedings of IFIP / IEEE Network Operations and Management Symposium, Seoul, South Korea, pp. 31–44 (2004)
Finin, T., Joshi, A., Kagal, L., Niu, J., Sandhu, R., Winsborough, W., Thuraisingham, B.: ROWLBAC - Representing Role Based Access Control in OWL. In: Proceedings of the 13th Symposium on Access control Models and Technologies. ACM Press, Estes Park (2008)
Leyla, N.: A personalized access control framework for workflow-based healthcare information. M.Sc. Thesis, St. Francis Xavier University (2011)
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Leyla, N., MacCaull, W. (2012). A Personalized Access Control Framework for Workflow-Based Health Care Information. In: Daniel, F., Barkaoui, K., Dustdar, S. (eds) Business Process Management Workshops. BPM 2011. Lecture Notes in Business Information Processing, vol 100. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28115-0_26
DOI: https://doi.org/10.1007/978-3-642-28115-0_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28114-3
Online ISBN: 978-3-642-28115-0
eBook Packages: Computer Science, Computer Science (R0)