Regulating Exceptions in Healthcare Using Policy Spaces

  • Claudio Agostino Ardagna
  • Sabrina De Capitani di Vimercati
  • Tyrone Grandison
  • Sushil Jajodia
  • Pierangela Samarati
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5094)


One truth holds for the healthcare industry - nothing should interfere with the delivery of care. Given this fact, the access control mechanisms used in healthcare to regulate and restrict the disclosure of data are often bypassed. This “break the glass” phenomenon is an established pattern in healthcare organizations and, though quite useful and mandatory in emergency situations, it represents a serious system weakness.

In this paper, we propose an access control solution aimed at a better management of exceptions that occur in healthcare. Our solution is based on the definition of different policy spaces regulating access to patient data and used to balance the rigorous nature of traditional access control systems with the prioritization of care delivery.


Access Control Access Control Policy Policy Space Access Control Model Access Request 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Ardagna, C., Cremonini, M., De Capitani di Vimercati, S., Samarati, P.: A privacy-aware access control system. Journal of Computer Security (JCS) (to appear, 2008)Google Scholar
  2. 2.
    Bettini, C., Jajodia, S., Wang, X.S., Wijesekera, D.: Provisions and obligations in policy management and security applications. In: Proc. of the 28th Conference Very Large Data Bases (VLDB 2002), Hong Kong, China, (August 2002)Google Scholar
  3. 3.
    Bhatti, R., Grandison, T.: Towards improved privacy policy coverage in healthcare using policy refinement. In: Proc. of the 4th VLDB Workshop on Secure Data Management 2007, Vienna, Austria (September 2007)Google Scholar
  4. 4.
    Bonatti, P., Damiani, E., De Capitani di Vimercati, S., Samarati, P.: An access control system for data archives. In: Proc. of the 16th International Conference on Information Security, Paris, France (June 2001)Google Scholar
  5. 5.
    Bonatti, P., Damiani, E., De Capitani di Vimercati, S., Samarati, P.: A component-based architecture for secure data publication. In: Proc. of the 17th Annual Computer Security Applications Conference (ACSAC 2001), New Orleans, Louisiana, USA (December 2001)Google Scholar
  6. 6.
    Bonatti, P., De Capitani di Vimercati, S., Samarati, P.: An algebra for composing access control policies. ACM Transactions on Information and System Security 5(1), 1–35 (2002)CrossRefGoogle Scholar
  7. 7.
    Bonatti, P., Samarati, P.: A unified framework for regulating access and information release on the web. Journal of Computer Security (JCS) 10(3), 241–272 (2002)CrossRefGoogle Scholar
  8. 8.
    Casassa Mont, M.: Dealing with Privacy Obligations: Important Aspects and Technical Approaches. In: Katsikas, S.K., López, J., Pernul, G. (eds.) TrustBus 2004. LNCS, vol. 3184, Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. 9.
    Casassa Mont, M., Beato, F.: On parametric obligation policies: Enabling privacy-aware information lifecycle management in enterprises. In: Proc. of the 8th IEEE Workshop on Policies for Distributed Systems and Networks (Policy 2007), Bologna, Italy (June 2007)Google Scholar
  10. 10.
    eXtensible Access Control Markup Language (XACML) Version 2.0 (February 2005),
  11. 11.
    Gert, H.: How are emergencies different from other medical situations? The Mount Sinai Journal OF Medicine - Issues in Medical Ethics Conference on Special Challenges of Emergency Medicine 72(4), 216–220 (2005)Google Scholar
  12. 12.
    Grandison, T., Davis, J.: The impact of industry constraints on model-driven data disclosure controls. In: Proc. of the 1st International Workshop on Model-Based Trustworthy Health Information Systems (MOTHIS) 2007, Nashville, Tennessee, USA (September 2007)Google Scholar
  13. 13.
    Gupta, S., Mukherjee, T., Venkatasubramanian, K.: Criticality aware access control model for pervasive applications. In: Proc. of the Fourth Annual IEEE International Conference on Pervasive Computing and Communications (PERCOM 2006), Pisa, Italy (March 2006)Google Scholar
  14. 14.
    Han, M., Thiery, T., Song, X.: Managing exceptions in the medical workflow systems. In: Proc. of the 28th international conference on Software engineering (ICSE 2006), Shanghai, China (May 2006)Google Scholar
  15. 15.
    Health Insurance Portability and Accountability Act,
  16. 16.
    Jajodia, S., Samarati, P., Sapino, M., Subrahmanian, V.: Flexible support for multiple access control policies. ACM Trans. Database Syst. 26(2), 214–260 (2001)CrossRefzbMATHGoogle Scholar
  17. 17.
    Keppler, D., Swarup, V., Jajodia, S.: Redirection policies for mission-based information sharing. In: Proc. of the ACM Symposium on Access control Models and Technologies (SACMAT 2006), Lake Tahoe, California, USA (June 2006)Google Scholar
  18. 18.
    Reichert, M., Dadam, P.: Adeptflex-supporting dynamic changes of workflows without losing control. Journal of Intelligent Information Systems (JIIS) 10(2), 93–129 (1998)CrossRefGoogle Scholar
  19. 19.
    Rostad, L., Edsberg, O.: A study of access control requirements for healthcare systems based on audit trails from access logs. In: Proc. of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference (ACSAC 2006) (December 2006)Google Scholar
  20. 20.
    Sandhu, R., Ferraiolo, D., Kuhn, D.: The NIST model for role based access control: Towards a unified standard. In: Proc. of the 5th ACM Workshop on Role Based Access Control, Berlin, Germany (July 2000)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Claudio Agostino Ardagna
    • 1
  • Sabrina De Capitani di Vimercati
    • 1
  • Tyrone Grandison
    • 2
  • Sushil Jajodia
    • 3
  • Pierangela Samarati
    • 1
  1. 1.University of MilanItaly
  2. 2.IBM Almaden Research CenterUSA
  3. 3.George Mason UniversityUSA

Personalised recommendations