Standardized access control mechanisms for protecting ISO 13606-based electronic health record systems

Jorge Calvillo-Arbizu, Isabel Roman-Martinez, Laura M. Roa-Romero
IEEE-EMBS International Conference on Biomedical and Health Informatics (BHI), published 2014-06-01
DOI: 10.1109/BHI.2014.6864421 (https://doi.org/10.1109/BHI.2014.6864421)
Citations: 9

Abstract

EHR systems have acquired a primary role in the technological revolution of healthcare services and in the improvement of the quality and efficiency of care. Although EHR use is increasingly widespread, protecting EHR data against unauthorized intruders remains a major concern. EHR standards provide authorization requirements flexible enough to be addressed by different technological implementations, and so EHR solutions often develop ad-hoc access control schemes. Although there are widely known general-purpose mechanisms for enforcing access control policies, they are rarely applied to the access control of EHR systems in a way that satisfies the standards' requirements. In this work an XACML-based access control mechanism is presented that includes mandatory principles of the ISO 13606 family of standards. It makes use of semantic technologies to boost interoperability by defining attributes as ontology classes and policies as rules. The decision-making process is performed automatically by an inference engine based on policies and the sensitivity level of EHR extracts from ISO 13606-4. Finally, this work discusses the potential of combining the security requirements of EHR standards with widely known access control schemas.