Access control and privilege management in electronic health record: a systematic literature review

  • Patient Facing Systems
Journal of Medical Systems

Abstract

This study presents a systematic literature review of access control for electronic health record systems to protect patients' privacy. Articles from 2006 to 2016 were extracted from the ACM Digital Library, IEEE Xplore Digital Library, Science Direct, MEDLINE, and MetaPress using broad eligibility criteria, and chosen for inclusion based on analysis of ISO 22600. Cryptographic standards and methods were left outside the scope of this review. Three broad classes of models are being actively investigated and developed: access control for electronic health records, access control for interoperability, and access control for risk analysis. Traditional role-based access control models are extended with spatial, temporal, probabilistic, dynamic, and semantic aspects to capture contextual information and provide granular access control. Maintenance of audit trails and facilities for overriding normal roles to allow full access in emergency cases are common features. Access privilege frameworks utilizing ontology-based knowledge representation for defining the rules have attracted considerable interest, due to the higher level of abstraction that makes it possible to model domain knowledge and validate access requests efficiently.

Author information

Corresponding author

Correspondence to Manoj Jayabalan.

Additional information

This article is part of the Topical Collection on Patient Facing Systems

About this article

Cite this article

Jayabalan, M., O’Daniel, T. Access control and privilege management in electronic health record: a systematic literature review. J Med Syst 40, 261 (2016). https://doi.org/10.1007/s10916-016-0589-z

  • DOI: https://doi.org/10.1007/s10916-016-0589-z
