A privacy-aware access control policy specification framework for electronic health records using parameterized roles and domain rules
The US Patient Protection and Affordable Care Act of 2010 embraces the notion that electronic health information is the bedrock of modern healthcare. The overriding concern for any service or entity dealing with electronic health records is ensuring the security and privacy of a user's personal information. The privacy and access control requirements for securing online access to and sharing of health records in a healthcare environment have not been adequately addressed. To address this problem, we propose a privacy-aware access control policy specification framework, known as the Intelligent Electronic Health Records Privacy Manager (iEHRpm). This framework refines the abstract Role Based Access Control model, commonly known as RBAC, into Parameterized RBAC, which provides finer-grained authorization and comprehensive composition of disclosure rules based on user intentions to ensure the security and privacy of electronic health records in a practical healthcare system. An additional requirement for such a framework is that a user-specified privacy policy must not conflict with the overall policy of the domain. A conflict occurs when a user policy and the domain policy that govern the same set of subjects and resources attempt to enforce contradictory decisions over them. The proposed framework provides a methodology for verifying the privacy rules to ensure their correctness and logical consistency. The framework can be broadly applied to a wide range of distributed and disparate healthcare applications for fine-grained and flexible context-aware control of electronic health records.
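To make the two ideas in the abstract concrete, the following added example (illustration code written for this page, not the iEHRpm implementation or any code from the dissertation) models parameterized roles, purpose-bound disclosure rules, and a static check that flags a patient's rules which contradict the domain policy for the same subjects and resources. The rule format, the deny-overrides combining rule, the department parameter, and the sample policies are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

@dataclass(frozen=True)
class Rule:
    role: str                      # base role, e.g. "physician"
    params: tuple                  # sorted (attribute, value) pairs that parameterize the role
    resource: str                  # EHR section, e.g. "mental_health_notes"
    action: str                    # "read" or "write"
    effect: str                    # "permit" or "deny"
    purpose: Optional[str] = None  # declared intention; None means any purpose

def rule(role, resource, action, effect, purpose=None, **params):
    """Convenience constructor: keyword arguments become role parameters."""
    return Rule(role, tuple(sorted(params.items())), resource, action, effect, purpose)

def matches(r, subject, resource, action, purpose):
    """A rule applies when role, resource, action, purpose and every role parameter agree."""
    if r.role != subject.get("role") or r.resource != resource or r.action != action:
        return False
    if r.purpose is not None and r.purpose != purpose:
        return False
    return all(subject.get(k) == v for k, v in r.params)

def evaluate(policies, subject, resource, action, purpose):
    """Deny-overrides combination over several policies; no applicable permit means deny."""
    effects = {r.effect for p in policies for r in p
               if matches(r, subject, resource, action, purpose)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"

def compatible(a, b):
    """True if some single request could satisfy both rules' constraints at once."""
    if (a.role, a.resource, a.action) != (b.role, b.resource, b.action):
        return False
    if a.purpose is not None and b.purpose is not None and a.purpose != b.purpose:
        return False
    pa, pb = dict(a.params), dict(b.params)
    return all(pa[k] == pb[k] for k in pa.keys() & pb.keys())

def find_conflicts(user_policy, domain_policy):
    """Static consistency check: rule pairs that can both apply yet decide differently."""
    return [(u, d) for u, d in product(user_policy, domain_policy)
            if u.effect != d.effect and compatible(u, d)]

# Constructed sample domain policy (hospital-wide rules; not from the dissertation).
DOMAIN_POLICY = [
    rule("physician", "cardiology_record", "read", "permit", "treatment", department="cardiology"),
    rule("physician", "mental_health_notes", "read", "permit", "treatment", department="psychiatry"),
    rule("physician", "cardiology_record", "read", "permit", "emergency"),
]

# Constructed sample patient policy expressing the patient's own disclosure preferences.
USER_POLICY = [
    rule("physician", "mental_health_notes", "read", "deny"),              # no clinician, any purpose
    rule("physician", "cardiology_record", "read", "deny", "research"),    # treatment yes, research no
]

if __name__ == "__main__":
    cardiologist = {"role": "physician", "department": "cardiology"}
    psychiatrist = {"role": "physician", "department": "psychiatry"}
    print(evaluate([USER_POLICY, DOMAIN_POLICY], cardiologist, "cardiology_record", "read", "treatment"))
    print(evaluate([USER_POLICY, DOMAIN_POLICY], cardiologist, "cardiology_record", "read", "research"))
    for u, d in find_conflicts(USER_POLICY, DOMAIN_POLICY):
        print("conflict:", u, "vs", d)
    print(evaluate([USER_POLICY, DOMAIN_POLICY], psychiatrist, "mental_health_notes", "read", "treatment"))
```

The second patient rule is consistent with the domain policy because its purpose (research) never coincides with the purposes the domain permits, whereas the first one contradicts the domain's psychiatry rule for every treatment request and is reported by the checker before deployment. At evaluation time the deny-overrides combiner still yields a safe decision, but the point of the static check is to surface such contradictions to the policy author rather than silently resolve them.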
Ghafoor, Purdue University.
Subject Area
Computer Engineering|Computer science