A Flexible Solution for Privilege Management and Access Control in EHR Systems

Background: Inter-organizational healthcare businesses are ruled by a huge set of policies: legal policies, organizational policies, medical policies, ethical policies, etc., which are quite static, patients policy and process, social and environmental conditions, which are highly dynamic. In the context of a business case, those different policies must be harmonized to enable privilege management and access control decisions. Objectives: The authors offer a methodology to achieve interoperability through policies harmonization in a privilege management and access control solution for EHR systems, to be later on implemented in a cancer care network using HL7 specifications. Methods: To meet the objective, the authors make use of a system-theoretical, architecture-centric, ontology-based approach to formally representing the aforementioned polices for harmonization. Results: Because of its flexibility and generality, a policy-driven RBAC model is used to formally represent all the other access control models such as MAC, DAC, RBAC, ABAC, HL7 Data Segmentation and Labeling Services. All the policies deployed in the context of an inter-organizational collaboration for cancer care can be formalized and then harmonized. Conclusions: The authors provide an implementation-independent methodology to enable policies harmonization in EHR systems. The methodology described in the paper is independent on the maturity of organizations’ privilege management and access control system. Furthermore, it does not hamper organizations progressing to more advanced solutions over the time. Even dynamic policies can be harmonized at run time, allowing an advancement towards a patient-centered care.