A Risk-Based Evaluation of Group Access Control Approaches in a Healthcare Setting

  • Maria B. Line
  • Inger Anne Tøndel
  • Erlend Andreas Gjære
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6908)


This paper focuses on access control approaches usable for information sharing through large screens where several individuals are present at the same time. Access control in this setting is quite different from traditional systems where a single user logs on to the system. The paper outlines a number of possible approaches to access control and evaluates them against criteria derived from risk analyses of a planned coordination system for the perioperative hospital environment. It concludes that future work should focus on extending the location-based approach with situation awareness, and on adding support for pop-ups or handheld devices for sharing the most sensitive information.


Keywords: access control, privacy, health care, information security



Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Maria B. Line, Inger Anne Tøndel, Erlend Andreas Gjære: SINTEF ICT, Trondheim, Norway
