Towards Risk-aware Access Control Framework for Healthcare Information Sharing

Access control models play an important role in the response to insider threats such as misuse and unauthorized disclosure of the electronic health records (EHRs). In our previous work in the area of access control, we proposed a work-based access control (WBAC) model that strikes a balance between collaboration and safeguarding sensitive patient information. In this study, we propose a framework for risk assessment that extend the WBAC model by incorporating a risk assessment process, and the trust the system has on its users. Our framework determines the risk associated with access requests (user's trust level and requested object's security level) and weighting such risk against the risk appetite and risk threshold of situational conditions. Specifically, an access request will be permitted if the risk threshold outweighs the risk of granting access to information, otherwise it will be denied.