A Dynamic Access Control Policy for Healthcare Service Delivery in Healthcare Ecosystem using Electronic Health Records

摘要

Recent developments in the global healthcare scenario from technology, regulatory and societal perspectives have catalyzed the emergence of several healthcare ecosystems. These ecosystems facilitate a comprehensive view and exchange of health records of an individual that are scattered across different healthcare service providers (ecosystem components) for cost effective, better quality and evidence based healthcare service delivery. Typically, the activities of a healthcare service delivery process are executed by one or more end users and different activities may be performed by different end users. In an ecosystem, service execution may also involve dynamic interlinking and orchestration amongst inter organization ecosystem components. The dynamic nature of service delivery and interactions in a distributed environment raises various security and privacy concerns. Hence in this paper we propose a novel dynamic access control policy for healthcare service delivery using Electronic Health Records (EHR) in a healthcare ecosystem. This policy lays down the requirements of its main components viz. Activity Based Specification, Access Enforcement Mechanism and Consent Repository. The Activity Based Specification consists of collections of activity rules and an activity rule validator. The Access Enforcement Mechanism mediates request made by an end user to perform activity of a healthcare service delivery process based not only on their role but also patient’s consent and other contextual information. The aim is to enable activity based, consent aware and fine grained access on a patient’s EHR to the end user at the time of healthcare service delivery in a distributed environment.