Paper A: Access Control in Healthcare Applications

Access control is the process of determining which users are allowed to perform what operations on which objects in a computer system. Healthcare information systems contain sensitive information about patients that is vital in the treatment process. As such, access control in the healthcare sector is about protecting the patient's right to privacy, while ensuring that healthcare personnel get access to the right information at the right time in order to be able to provide the best possible treatment for their patients.

Healthcare is one of the most information-intensive sectors in society. As more and more of the clinical information about a patient is recorded in information systems, it becomes increasingly important to have sound and sufficient mechanisms for providing and restricting access to this information. The old paper-based record is becoming a thing of the past, and as all this information about a patient is being transferred into digital and networked systems, the risk scenario changes. Earlier, in order to gain access to information, one had to physically locate where the information could be found and track down the actual papers. Now this is only a matter of searching through a database of available information. Add to this the fact that digital information can be easily multiplied and transferred, while papers have to be copied one by one, and the potential for privacy breaches has definitely increased.

This potential for much easier access, and also replication, has led to an increased focus on information security in healthcare. Access control is at the heart of this focus, as it is key to being able to protect and make efficient use of this vast amount of digitally stored sensitive information.

Access control has two different dimensions that are sometimes in conflict. While the primary objective for applying access control is restricting access to information and functions, usability is an equally important feature. Access control designers need to understand how the organization functions as well as the access requirements of the system users. The result of applying too strict, or simply wrong, access control mechanisms will be users finding other ways of obtaining the information they need.

Access control mechanisms implemented in healthcare information systems today have not proven entirely successful on the usability aspect, namely in supporting the working procedures of healthcare personnel. As a result, they have had to rely on allowing exceptions from the normal access control mechanisms to be able to satisfy the needs of their users. From an information security point of view, exceptions are bad because they result in loss of control over information flow.

The goal of the work described here is to study existing mechanisms and compare them with the standards they claim to comply with, in order to gain knowledge that may help in designing an improved access control model for healthcare applications.
