Access Control Requirements for Processing Electronic Health Records

Alhaqbani, Bandar S. & Fidge, Colin J. (2007) Access Control Requirements for Processing Electronic Health Records. Business Process Management Workshops, 4928, pp. 371-382.

View at publisher


There is currently a strong focus worldwide on the potential of large-scale Electronic Health Record systems to cut costs and improve patient outcomes through increased e±ciency. A number of countries are developing nationwide EHR systems to aggregate services currently provided by isolated Electronic Medical Record databases. However, such aggregation introduces new risks for patient privacy and data security, both by linking previously-separate pieces of information about an individual, and by creating single access points to a wide range of personal data. It is thus essential that new access control policies and mechanisms are devised for federated Electronic Health Record systems, to ensure not only that sensitive patient data is accessible by authorized personnel only, but also that it is available when needed in life-critical situations. Here we review the traditional security models for access control, Discretionary Access Control, Mandatory Access Control and Role-Based Access Control, and use a case study to demonstrate that no single one of them is su±cient in a federated healthcare environment. We then show how the required level of data security can be achieved through a judicious combination of all three mechanisms.

Impact and interest:

13 citations in Scopus
Search Google Scholar™

Citation counts are sourced monthly from Scopus and Web of Science® citation databases.

These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

Citations counts from the Google Scholar™ indexing service can be viewed at the linked Google Scholar™ search.

Full-text downloads:

792 since deposited on 16 Jul 2008
118 in the past twelve months

Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.

ID Code: 14080
Item Type: Journal Article
Refereed: No
Keywords: Access Control, Electronic Health Record, Privacy
DOI: 10.1007/978-3-540-78238-4_38
ISBN: 9783540782377
ISSN: 1611-3349
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Format not elsewhere classified (080499)
Divisions: Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2007 Springer
Copyright Statement: This is the author-version of the work. Conference proceedings published, by Springer Verlag, will be available via SpringerLink. Lecture Notes in Computer Science
Deposited On: 16 Jul 2008 00:00
Last Modified: 17 Jul 2014 03:45

Export: EndNote | Dublin Core | BibTeX

Repository Staff Only: item control page