A Mobile Based Authorization Mechanism for Patient Managed Role Based Access Control

  • Cátia Santos-Pereira
  • Alexandre B. Augusto
  • Manuel E. Correia
  • Ana Ferreira
  • Ricardo Cruz-Correia
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7451)


The Internet has proved the enormous benefits that can be accrued to all players involved in online services. However, it has also clearly demonstrated the risks involved in exposing personal data to the outside world, and at the same time it constitutes a teeming breeding ground of innovation for highly flexible security solutions that can minimize these risks. It is now widely believed that the benefits of online services to healthcare in general outweigh the risks involved, provided adequate security measures are taken and the roles played by all the parties involved, be they physicians, nurses or patients, are clearly outlined. Due to the highly sensitive nature of the data held in the Electronic Health Record (EHR), it is commonly agreed that providing online access to patients' EHRs to the outside world carries an unacceptable level of risk, not only to the patients but also to the healthcare institution that acts as custodian of that sensitive data. However, by sharing these risks with the patients, healthcare institutions can start to consider the possibility of providing controlled external online access to patients' EHRs. The mobile phone is nowadays the preferred means by which people interact with each other at a distance. Moreover, the smartphone is the full embodiment of the truly personal device that users carry with them constantly, everywhere. Smartphones are therefore the ideal means by which users can casually and conveniently interact with information systems. In this paper we propose a discretionary online access rights management mechanism based on the Role Based Access Control (RBAC) model that takes advantage of the personal/technical characteristics and data communications capabilities of the smartphone in order to provide patients with the means by which they can conveniently exercise safe discretionary online access permissions to their own EHR.


Patient Empowerment; e-health; Electronic Health Records; RBAC; Secure Mobile Wallet; PKI smartcard; QR codes; Secure Tokens





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Cátia Santos-Pereira (1)
  • Alexandre B. Augusto (2)
  • Manuel E. Correia (2, 3)
  • Ana Ferreira (1, 4)
  • Ricardo Cruz-Correia (1)

  1. Center for Research in Health Technologies and Information Systems (CINTESIS), Faculty of Medicine of University of Porto (FMUP), Portugal
  2. Center for Research in Advanced Computing Systems (CRACS), Department of Computer Science, Faculty of Science of University of Porto, Portugal
  3. Department of Health Information and Decision Sciences (CIDES), FMUP, Portugal
  4. Informatics Centre, FMUP, Portugal
