Towards unobtrusive patient-centric access-control for Health Information System

Patient consent is currently a missing piece on Health Information Systems (HIS) access permission. The control is needed to ensure personal data as the property of the individual, not data controllers or health-care service providers. This is a newly-designed access-decision flow for HIS secured by Role-Based Access Control (RBAC) including patient-centric control. It makes use of Colored Petri-Nets (CPN) to model RBAC restrictions. A Discretionary Access Control (DAC) functionality is added to Electronic Health-Records (EHR) control to convey a patient's explicit authorization to their data in a non-obstructive access flow. Mutual exclusion was designed to incorporate patient needs so that they could authorize healthcare professionals to access EHR data. Additional information was supplied to a PERMS Access Control matrix and this enabled DAC to be mimicked using existing RBAC Core functions. A minimal addition is proposed to incorporate RBAC-aware systems with no significant drawbacks when compared with previous CPN simulations. The article also discusses the limitations of this technique and the favorable conditions for implementing new features.