Professional Access Control
de la Motte, Leigh and Hartnett, Jacky (2005) Professional Access Control. In: 13th Health Informatics Conference HIC2005, 31 Jul - 02 Aug 2005, Melbourne, Australia.
Abstract
Topic area and paper objectives:
This paper investigates the hypothesis that it is possible to build a practical access control system
for patient records within a hospital domain that ensures access to all those who are at any one time
part of a particular patient's treating team, yet at the same time provides appropriate barriers to
access for those not currently part of this team. A caveat to this hypothesis is that at no time
should a clinician be barred from access to a particular record; rather, means should exist to ensure
that appropriate access is accepted and inappropriate access is reported upon. Central to this idea is
that it should be possible to use standards of professional ethics and normal workflow to enable the
model.
Background and concise literature review:
Traditional models of access control do not cope well with the problem of how to define access
permissions for a team that is dynamic in nature (as a treating team is) and where the access is to
objects (patient records) that are only in the loosest sense 'owned' by those who have a need to access
them. In these models either the system administrator has to define permitted access in advance
(mandatory access control) or the owner of the data can define the permitted accesses (discretionary
access control) (Pfleeger 2000). Extensions to Role Based Access Control (RBAC) and Team
Based Access Control (TMAC) have provided the most useful solutions to date but still require a
system administrator or surrogate to define appropriate access in advance (Ferraiolo & Kuhn 1992;
Ramaswamy & Sandhu 1998; NIST 2004; Thomas 1997; Georgiadis et al. 2001; Georgiadis
2002). However, work by Thomas & Sandhu (1997) and Alotaiby & Chen (2004) has shown that it
is possible to incorporate changes to access privileges as part of normal workflow.
Methods:
As a result of observing and discussing normal and unusual workflow patterns within the
Tasmanian hospital environment, a set of scenarios was developed, each of which characterised a
unique instance of change to who should be able to access a patient record. The method used by
current access control models to handle each scenario was then analysed. A new definition of a
team in a hospital environment was then used to develop the Professional Access Control (PAC)
model, which was implemented and tested in Oracle. Testing was carried out using each scenario in a
simulated hospital of 3 wards, 20 staff and 20 patients.
Results and discussions:
Clinicians at a hospital were defined as being either Members (part of a patient's treating team),
Colleagues (having the same role and belonging to the same unit as the patient) or Associates (part of
the hospital but not currently related to the patient). Team membership can be adjusted as part of
the normal hospital admission and referral processes. Emergency access is provided subject to
retrospective approval and auditing procedures. The model has been developed as an Oracle
implementation for a simulated hospital environment and tested against the 24 scenarios defined.
The Professional Access Control model allows for dynamic definition of the treating team and
guarantees availability to clinicians appropriate to their relationship to a patient. This is
made possible by relying upon the professional ethics of clinicians rather than those of system
administrators. It relieves system administrators of the burden of predefining access control
without endowing clinicians with unnecessary system administration privileges.
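The abstract describes the model but not its mechanics. The following is an added illustration (not the authors' Oracle implementation) of how the Member / Colleague / Associate classification, workflow-driven team membership and the audited emergency path fit together. The reading of "Colleague" as "works on the patient's ward and shares a role with a current Member", the rule that only a Member can refer another clinician onto the team, and the break-glass workflow (non-Members are prompted for a reason, always granted, and queued for retrospective approval) are assumptions made for this example; the staff, wards and patient are constructed.

```python
# Added example of the PAC ideas in the abstract; not the paper's own code.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Relationship(Enum):
    MEMBER = "Member"        # on the patient's current treating team
    COLLEAGUE = "Colleague"  # on the patient's ward, same role as a Member (assumed reading)
    ASSOCIATE = "Associate"  # hospital staff with no current link to the patient


@dataclass
class Clinician:
    cid: str
    role: str
    unit: str


@dataclass
class Patient:
    pid: str
    unit: Optional[str] = None                    # ward the patient is admitted to
    team: Set[str] = field(default_factory=set)   # clinician ids on the treating team


@dataclass
class AuditEntry:
    clinician: str
    patient: str
    relationship: Relationship
    reason: str
    needs_review: bool
    approved_by: Optional[str] = None


@dataclass
class Decision:
    granted: bool
    relationship: Relationship
    message: str


class PAC:
    """Team membership moves with workflow events; nobody predefines per-record ACLs."""

    def __init__(self) -> None:
        self.clinicians: Dict[str, Clinician] = {}
        self.patients: Dict[str, Patient] = {}
        self.audit: List[AuditEntry] = []

    # Workflow events that change the treating team (assumed rules).
    def add_clinician(self, cid: str, role: str, unit: str) -> None:
        self.clinicians[cid] = Clinician(cid, role, unit)

    def admit(self, pid: str, unit: str, admitting: str) -> None:
        # Admission creates the team with the admitting clinician as first Member.
        self.patients[pid] = Patient(pid, unit, {admitting})

    def refer(self, pid: str, referrer: str, referee: str) -> None:
        # Only a current Member may bring another clinician onto the team.
        if referrer not in self.patients[pid].team:
            raise PermissionError(f"{referrer} is not a Member of {pid}'s team")
        self.patients[pid].team.add(referee)

    def discharge(self, pid: str) -> None:
        # Discharge dissolves the team; everyone reverts to Colleague/Associate.
        self.patients[pid].team.clear()
        self.patients[pid].unit = None

    def relationship(self, cid: str, pid: str) -> Relationship:
        clin, pat = self.clinicians[cid], self.patients[pid]
        if cid in pat.team:
            return Relationship.MEMBER
        member_roles = {self.clinicians[m].role for m in pat.team}
        if pat.unit == clin.unit and clin.role in member_roles:
            return Relationship.COLLEAGUE
        return Relationship.ASSOCIATE

    def access(self, cid: str, pid: str, emergency_reason: Optional[str] = None) -> Decision:
        rel = self.relationship(cid, pid)
        if rel is Relationship.MEMBER:
            self.audit.append(AuditEntry(cid, pid, rel, "routine", needs_review=False))
            return Decision(True, rel, "routine access")
        if emergency_reason is None:
            # The barrier: a non-Member is asked to declare emergency access, not refused outright.
            return Decision(False, rel, "not on treating team; supply emergency_reason")
        # Break-glass: always granted, always queued for retrospective approval.
        self.audit.append(AuditEntry(cid, pid, rel, emergency_reason, needs_review=True))
        return Decision(True, rel, "emergency access granted; pending review")

    def pending_reviews(self) -> List[AuditEntry]:
        return [e for e in self.audit if e.needs_review and e.approved_by is None]

    def approve(self, entry: AuditEntry, reviewer: str) -> None:
        entry.approved_by = reviewer


def demo() -> PAC:
    """Constructed scenario: two wards, four staff, one admission and one referral."""
    pac = PAC()
    pac.add_clinician("dr_smith", "doctor", "ward_a")
    pac.add_clinician("dr_jones", "doctor", "ward_a")
    pac.add_clinician("nurse_lee", "nurse", "ward_a")
    pac.add_clinician("dr_brown", "doctor", "ward_b")
    pac.admit("p1", "ward_a", admitting="dr_smith")
    pac.refer("p1", referrer="dr_smith", referee="dr_brown")
    return pac


if __name__ == "__main__":
    pac = demo()
    for cid in ("dr_smith", "dr_jones", "nurse_lee", "dr_brown"):
        print(cid, pac.relationship(cid, "p1").value)
    print(pac.access("nurse_lee", "p1"))
    print(pac.access("nurse_lee", "p1", emergency_reason="cardiac arrest, no doctor on ward"))
    print(len(pac.pending_reviews()), "access(es) awaiting review")
```

The point to notice is where authority sits: the only privileged operations (admit, refer, discharge) are the ordinary clinical workflow steps, so no administrator edits permissions, and the record of who used the emergency path and why is what lets inappropriate access be reported upon rather than prevented.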