Standardized access control mechanisms for protecting ISO 13606-based electronic health record systems

“…Medical records in the EHR are sensitive data and require security mechanisms to protect their privacy from attackers. In addition, the different levels and privileges of healthcare providers make the development of security mechanisms and authorisation models very difficult [4]. Moreover, applying privacy to medical records (EHR) requires the use of access models in the authorisation of users.…”

“…This standard has many of the features that qualify it for use on the Internet, such as combining policy, combining algorithm, attribute, multiple subjects, policy distribution, implementation independency and obligations [23,28,29]. This technique is based on the specific policies first and then on many modules such as policy enforcement point (PEP), policy decision point (PDP), policy administration point (PAP), policy information point (PIP), and policy retrieval point (PRP) to evaluate the request for access [4], as shown in Figure 3 (PEP sends and receives requests and accesses responses to the repository; PDP evaluates the decision; PAP creates policies based on users’ attributes; PIP retrieves users’ attributes; and PRP retrieves the users’ data from the repository). The result of the decision (permit, deny, not applicable, indeterminate) is sent to the subject via PEP [23].…”

“…The security of medical records in the electronic health record (EHR) system has been a major focus of health and academic institutions, since the efficiency and quality of patients’ data management [1,3] by using the World Wide Web. EHR systems include identifications and patients’ data that require authorisation privileges to determine access control for authorised users [4]. Accurate medical data is essential for diagnosing diseases and determining the condition of patients during their online transfer from patient to healthcare provider [5,6].…”

“…The use of patients’ data for various purposes, such as consultations, access by a relative or caregiver, research, and emergency (secondary or indirect use) is a major challenge for authorisation systems; for example, the researcher should not exceed the limits of privacy granted to him/her [4]. In an emergency, when the patients’ doctor is unavailable or the patient does not have the capacity to give consent to another doctor, the patient’s privacy is seriously compromised [9].…”

PAX: Using Pseudonymization and Anonymization to Protect Patients’ Identities and Data in the Healthcare System

“…Medical records in the EHR are sensitive data and require security mechanisms to protect their privacy from attackers. In addition, the different levels and privileges of healthcare providers make the development of security mechanisms and authorisation models very difficult [4]. Moreover, applying privacy to medical records (EHR) requires the use of access models in the authorisation of users.…”

“…This standard has many of the features that qualify it for use on the Internet, such as combining policy, combining algorithm, attribute, multiple subjects, policy distribution, implementation independency and obligations [23,28,29]. This technique is based on the specific policies first and then on many modules such as policy enforcement point (PEP), policy decision point (PDP), policy administration point (PAP), policy information point (PIP), and policy retrieval point (PRP) to evaluate the request for access [4], as shown in Figure 3 (PEP sends and receives requests and accesses responses to the repository; PDP evaluates the decision; PAP creates policies based on users’ attributes; PIP retrieves users’ attributes; and PRP retrieves the users’ data from the repository). The result of the decision (permit, deny, not applicable, indeterminate) is sent to the subject via PEP [23].…”

“…The security of medical records in the electronic health record (EHR) system has been a major focus of health and academic institutions, since the efficiency and quality of patients’ data management [1,3] by using the World Wide Web. EHR systems include identifications and patients’ data that require authorisation privileges to determine access control for authorised users [4]. Accurate medical data is essential for diagnosing diseases and determining the condition of patients during their online transfer from patient to healthcare provider [5,6].…”

“…The use of patients’ data for various purposes, such as consultations, access by a relative or caregiver, research, and emergency (secondary or indirect use) is a major challenge for authorisation systems; for example, the researcher should not exceed the limits of privacy granted to him/her [4]. In an emergency, when the patients’ doctor is unavailable or the patient does not have the capacity to give consent to another doctor, the patient’s privacy is seriously compromised [9].…”

PAX: Using Pseudonymization and Anonymization to Protect Patients’ Identities and Data in the Healthcare System

“…In the meantime, very little effort is spent describing how to log in to a remote server to retrieve the policy model in the first place. Nevertheless, work has been done to realise an access control model based on the standard [34].…”

An Electronic Healthcare Record Server Implemented in PostgreSQL

Access control solutions in electronic health record systems: A systematic review