A Novel Use of RBAC to Protect Privacy in Distributed Health Care Information Systems
Reid, Jason F., Cheong, Ian, Henricksen, Matthew P., & Smith, Jason (2003) A Novel Use of RBAC to Protect Privacy in Distributed Health Care Information Systems. In Safavi-Naini, Rei & Seberry, Jennifer (Eds.) 8th Australasian Conference on Information Security and Privacy (ACISP 2003), July 9-11, 2003, Wollongong.
This paper examines the access control requirements of distributed health care information networks. Since the electronic sharing of an individual's personal health information requires their informed consent, health care information networks need an access control framework that can capture and enforce individual access policies tailored to the specific circumstances of each consumer. Role Based Access Control (RBAC) is examined as a candidate access control framework. While it is well suited to the task in many regards, we identify number of shortcomings, particularly in the range of access policy expression types that it can support. For efficiency and comprehensibility, access policies that grant access to a broad range of entities whilst explicitly denying it to subgroups of those entities need to be supported in health information networks. We argue that RBAC does not support policies of this type with sufficient flexibility and propose a novel adaptation of RBAC principles to address this shortcoming. We also describe a prototype distributed medical information system that embodies the improved RBAC model.
Impact and interest:
Citation counts are sourced monthly from and citation databases.
Citations counts from theindexing service can be viewed at the linked Google Scholar™ search.
Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.
|Item Type:||Conference Paper|
|Keywords:||role based access control, medical records privacy, consent, contraints, Jason Reid, Ian Cheong, Matthew Henricksen, and Jason Smith|
|Subjects:||Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > LIBRARY AND INFORMATION STUDIES (080700) > Information Retrieval and Web Search (080704)
Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Format not elsewhere classified (080499)
Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > INFORMATION SYSTEMS (080600) > Interorganisational Information Systems and Web Services (080612)
|Divisions:||Past > QUT Faculties & Divisions > Faculty of Science and Technology|
|Copyright Owner:||Copyright 2003 Springer|
|Copyright Statement:||This is the author-version of the work. Conference proceedings published, by Springer Verlag, will be available via SpringerLink: http://www.springer.de/comp/lncs/ Lecture Notes in Computer Science|
|Deposited On:||09 Aug 2004|
|Last Modified:||29 Feb 2012 12:59|
Repository Staff Only: item control page