Multi-Owner Multi-Stakeholder Access Control Model for a Healthcare Environment

Abstract

Pervasive usage and wide-spread sharing of Electronic Health Records (EHRs) in modern healthcare environments has resulted in high availability of patients' medical history from any location and at any time, which has potential to make health care services both cheaper and of higher quality. However, EHRs contain huge amounts of sensitive information which should be protected from unauthorized accesses, otherwise allowing these records to be accessed by multiple parties may put patient privacy at high risk. Access control solutions must assure to reflect access control policies of all healthcare providers who are involved in generating such critical records as well as authorization policies of the patient as the primary stakeholder. In this paper, we propose a fine-grained semantic-based access control model that supports multi-owner multi-stakeholder policy specification and enforcement. In the proposed scheme, a trusted Policy Server is responsible for evaluating access requests to patients' health information. We also handle the policy conflicts that might arise at the time of access control policy enforcement. A proof-of-concept prototype is also implemented to demonstrate the feasibility of our model.