A Risk-aware Access Control Model for Biomedical Research Platforms

Data sharing and collaboration are important success factors for modern biomedical research. As biomedical data contains sensitive information, any mechanism that governs biomedical data sharing should protect subjects' privacy while providing high-utility data in an efficient and prompt manner. The use of biomedical data for research has been studied extensively from the legal aspect. Several regulations control its use and sharing to limit privacy risks. However, current sharing mechanisms can be a barrier to the research community needs. Going through the IRB process is time consuming and will become a bottleneck for the intensive data need of the biomedical research community. Alternatively, creating a universal de-identified research sub-dataset accessible through honest-broker-systems will not satisfy all research use-cases, as stringent de-identification methods can reduce data utility. A risk-aware access control model is a good alternative toward making data more available. In such a model, data requests are evaluated against their incurred privacy risks, and are granted access after the application of appropriate protection levels. In this paper, we describe a formal risk-aware model that will be used in the access control layer and describe the different risk components that can be combined to provide a decision against a data access request.