Information Systems Frontiers

, Volume 14, Issue 1, pp 43–55 | Cite as

Authorization in cross-border eHealth systems

  • Daisy Daiqin HeEmail author
  • Jian Yang
  • Michael Compton
  • Kerry Taylor


Modern eHealth systems require collaborations between individual social entities such as hospitals, medical centers, emergency services and community services. Security and privacy are critical issues in this interoperability challenge. In an eHealth system that crosses different administrative domains, individual organisations usually define their authorization control policies independently. When a collaboration opportunity arises a number of issues may be raised. For example, is the collaboration possible given the authorization policies of collaboration participants? How can policy inconsistencies among collaboration participants be identified and resolved? What kind of authorization control support is needed as the collaboration proceeds? In this paper, we analyze different types of collaborations and provide insights into authorization control in individual organisations as well as in collaboration activities. We propose a model to capture the necessary elements for specifying authorization policy for cross-border collaboration. Based on the model, various inconsistencies between authorization policies from different business units are discussed and handling strategies are suggested according to the intended collaboration types. We also briefly discuss how a description logic reasoner can be used to test whether two set of policies are suitable for collaboration. This work lays a foundation for policy development, negotiation and enforcement for cross-border collaboration.


Authorization control Health system interoperability eHealth Service composition Web service collaboration 


  1. ASTM (2005). ASTM E2369—05e1 standard specification for Continuity of Care Record (CCR). Available at
  2. Beale, T., & Heard, S. (2004). Open EHR. Available at
  3. Benson, T. (2009). Principles of health interoperability: hl7 and snomed (health informatics). New York: Springer.Google Scholar
  4. Bettini, C., Jajodia, S., Wang, X. S., & Wijesekera, D. (2002). Provisions and obligations in policy management and security applications. In 28th international conference on very large data bases (VLDB). Hong Kong.Google Scholar
  5. Bhatti, R., Joshi, J., Bertino, E., & Ghafoor, A. (2003). Access control in dynamic XML-based web-services with X-RBAC. In International conference on web services (pp. 243–249). Las Vegas, Nevada, USA.Google Scholar
  6. Bhatti, R., Bertino, E., & Ghafoor, A. (2004a). A trust-based context-aware access control model for web-services. In IEEE International Conference on Web Services (pp. 184–191). San Diego, CA.Google Scholar
  7. Bhatti, R., Bertino, E., Ghafoor, A., & Joshi, J. (2004b). XML-based specification for web services document security. IEEE Computer, 37(4), 41–49.CrossRefGoogle Scholar
  8. Brooks, K. (1999). Migrating to role-based access control. In RBAC’99: Proceedings of the fourth ACM workshop on role-based access control (pp. 71–81). Fairfax, VA, USA.Google Scholar
  9. Croll, P., & Croll, J. (2005). Quality assurance of electronic health information systems using Q.U.i.P.S. In HIC 2005 and HINZ 2005 (pp. 33–39). Victoria, Australia.Google Scholar
  10. Demchenko, Y., Gommans, L., & Laat, C. D. (2007). Using SAML and XACML for complex resource provisioning in grid based applications. In 8th IEEE international workshop on policies for distributed systems and networks (pp. 183–187). Bologna, Italy.Google Scholar
  11. Essmayr, W., Kastner, F., Pernul, G., Preishuber, S., & Tjoa, A. M. (1996). Authorization and access control in IRO-DB. In The 12th international conference on data engineering (pp. 40–47).Google Scholar
  12. European-Commission (2008). Commission recommendation on cross-border interoperability of electronic health record systems. Available at
  13. He, D. D., Compton. M., Taylor, K., & Yang, J. (2009). Access control: What is required in collaboration? In 2009 Australasian database conference (ADC 2009). Wellington, New Zealand.Google Scholar
  14. He, D. D., & Yang, J. (2007). Security policy specification and integration in business collaboration. In 2007 IEEE international conference on services computing (SCC 2007) (pp. 183–187). Salt Lake City, UT, USA.Google Scholar
  15. Horrocks, I., Kutz, O., & Sattler, U. (2006). The even more irresistible \(\mathcal{SROIQ}\). In Proc. of the 10th int. conf. on principles of knowledge representation and reasoning (pp. 57–67). Menlo Park: AAAI Press.Google Scholar
  16. Kagal, L., Paolucci, M., Srinivasan, N., Sycara, K., & Denker, G. (2004). Authorization and privacy for semantic web services. IEEE Intelligent Systems, 19(4), 50–56.CrossRefGoogle Scholar
  17. Kalra, D., Freriks, G., Lloyd, D., Klein, G., Beale, T., & Heard, S. (2002). Towards a revised cen standard for electronic health record communication. In Proc Mobile-Health Europe 2002. Medical Records Institute.Google Scholar
  18. Kuziemsky, C.E. (2009). An ebusiness-based framework for ehealth interoperability. Journal Of Emerging Technologies in Web Intelligence, 1(2), 129–136.Google Scholar
  19. Linehan, M. H. (2008). Sbvr use cases. In Rule representation,interchange and reasoning on the web, international symposium (pp. 182–196). Orlando, FL, USA.Google Scholar
  20. Paci, F., Ouzzani, M., & Mecella, M. (2008). Verification of access control requirements in web services choreography. In IEEE international conference on services computing (Vol. 1, pp. 182–196).Google Scholar
  21. Qing, X., & Adams, C. (2006). XACML-based policy-driven access control for mobile environments. In Canadian conference on electrical and computer engineering (pp. 643–646). Ottawa, ON, Canada.Google Scholar
  22. Sandhu, R. S., Coyne, E., Feinstein, H., & Youman, C. (1996). Role-based access control models. IEEE Computer, 29(2), 38–47.CrossRefGoogle Scholar
  23. Shehab, M., Bhattacharya, K., & Ghafoor, A. (2007). Web services discovery in secure collaboration environments. ACM Transactions on Internet Technology, 8(5).Google Scholar
  24. Sirer, E. G., & Wang, K. (2002). An access control language for web services. In SACMAT02: 7th ACM symposium on access control models and technologies (pp. 23–30).Google Scholar
  25. Sirin, E., Parsia, B., Grau, B. C., Kalyanpur, A., & Katz, Y. (2007). Pellet: A practical OWl-DL reasoner. Journal of Web Semantics, 5(2), 51–53.CrossRefGoogle Scholar
  26. Steven, C., & Horii, M. (1997). A nontechnical introduction to DICOM. Available at
  27. Taylor, K., & Murty, J. (2003). Implementing role based access control for federated information systems on the web. In Conferences in research and practice in information technology: Proc. Australasian information security workshop (Vol. 21). Adelaide: Australian Computer Society.Google Scholar
  28. Thomas, R. K. (1997). Team-based access control (TMAC): A primitive for applying role-based access controls in collaborative environments. In 2nd ACM workshop on role-based access control (pp. 13–19). Fairfax, VA.Google Scholar
  29. Vaidya, J., Atluri, V., & Guo, Q. (2008). Migrating to optimal RBAC with minimal perturbation. In 13th ACM symposium on access control models and technologies (SACMAT08) (pp. 11–20). Estes Park, CO, USA.Google Scholar
  30. W3C (2004). Web Ontology Language (OWL). Available at
  31. W3C (2009). OWL 2 Web Ontology Language. Available at
  32. Yau, S. S., & Chen, Z. (2008). Security policy integration and conflict reconciliation for collaborations among organizations in ubiquitous computing environments. In UIC (pp. 3–19).Google Scholar
  33. Zhang, X., Nakae, M., Covington, M. J., & Sandhu, R. S. (2008). Toward a usage-based security framework for collaborative computing systems. ACM Transactions on Information and System Security (TISSEC), 11(1), 3.1–3.36.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Daisy Daiqin He
    • 1
    Email author
  • Jian Yang
    • 1
  • Michael Compton
    • 2
  • Kerry Taylor
    • 2
  1. 1.Macquarie UniversitySydneyAustralia
  2. 2.CSIROCanberraAustralia

Personalised recommendations