A System for Semantic-Based Access Control

Security and privacy of patient's medical data has more than ever become a critical factor in healthcare and, therefore, has a strong influence on the development of Electronic Health Record (EHR) systems. One of the most challenging aspects regards the possibility of specifying fine-grained access control restrictions over EHRs, not only at a document level but also on their specific sections. In order to face this issue, the paper proposes a semantic-based system aimed at supporting the definition of fine-grained access control policies on EHRs. This system relies on a role-based authorization model, encoded in terms of a formal ontology, and a set of access control restrictions defined as "if-then rules", in order to assign to healthcare workers the necessary privileges to carry out a task on specific EHR sections. A prototype implementation has been realized, by offering simple and intuitive interfaces to the security administrators for writing access control policies and restrictions.