Integrated Modeling and Analysis of Attribute Based Access Control Policies and Workflows in Healthcare

Abstract

Healthcare information systems deal with sensitive data across complex workflows. They often allow various stakeholders from different environments to access data across organizational boundaries. This elevates the risk of exposing sensitive healthcare information to unauthorized personnel. To prevent unwanted access to sensitive information, healthcare organizations need to adopt effective workflows and access control mechanisms. This research addresses this issue by developing a methodology for integrated modeling and analysis of organizational workflows and attribute-based access control policies. This methodology can help identify workflow activities that are not being protected by access control policies and improve existing access control policies. In addition to subjects, resources, and actions, our methodology introduces 'environment' as a new element to workflow activity. This allows more contextual information to be associated with workflow activity for access control analysis.