The sensitivity of clinical data and strict rules regarding data sharing have made privacy and security critical requirements for using patient profiles in distributed healthcare systems. The amalgamation of new information technology with traditional healthcare workflows for sharing patient profiles has made the whole system vulnerable to privacy and security breaches. Standardization organizations are developing specifications to satisfy these privacy and security requirements. In this paper we present a novel access control model compliant with healthcare standards based on a framework designed for data and service interoperability in the healthcare domain. The proposed model for customizable access control captures the dynamic behavior of the user and determines access rights accordingly. The model is generic and flexible in the sense that an access control engine dynamically receives security-effective parameters from the subject user, and identifies the privilege level in accessing data using different specialized components within the engine. Standard data representation formats and ontologies are used to make the model compatible with different healthcare systems. The access control engine employs an approach to follow the user's behavior and navigates among engine components to provide the user's privilege to access a resource. A simulation environment is implemented to evaluate and test the proposed model.
M.H. Yarmand et al. / Behavior-based access control for distributed healthcare systems

While solving the problem of interoperability among heterogeneous systems, these proposals introduce many security and privacy issues, as natural consequences of providing customizable services. Regarding confidentiality, integrity and availability requirements of patient data, a major concern is to avoid disclosure of these data to unqualified users. Access by unauthorized users to patient data may result in misdiagnosis, delays in treatment, or mistreatment. Other consequences may include financial problems such as denial of insurance coverage and loss of job opportunities [36].

Authentication and authorization methods at inter-/intra-organizational levels should be employed to provide the required security. In this context, several methods have been proposed, namely role-based [20,45,54,63], team-based [21], attribute-based [16], content-based [22], scenario-based [43,48], situation-aware [61], context-aware [1,4,33,63], and context-sensitive [34] access control methods.

Only a few consider the problem in distributed systems [4,33,45,61]. Moreover, most access control methods deal only with static systems. However, dynamism and configurability are two requirements of models for distributed systems [33,45,61,62].

There are a small number of approaches that propose models adherent to healthcare standards [6,35,42].

In very large scale distributed systems, the integrity, flexibility, generality, and robustness of the model become critical. Due to the high complexity of these systems, any errors in the operation...