research-article

Considering privacy and effectiveness of authorization policies for shared electronic health records

Authors:

Thomas Trojer,

Basel Katt,

Thomas Schabetsberger,

Ruth Breu,

Richard MairAuthors Info & Claims

IHI '12: Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium

Pages 553 - 562

https://doi.org/10.1145/2110363.2110425

Published: 28 January 2012 Publication History

Get Access

Abstract

A central building block of data privacy is the individual right of information self-determination, once these information identify individual persons and can therefore be considered as sensitive. Following from that when dealing with shared electronic health records (SEHR), citizens, as the identified individuals of such health records, have to be enabled to decide what medical data can be used in which way by medical professionals. In this context individual preferences of privacy have to be reflected by authorization policies enforced to control access to personal health records. We see two potential challenges, when enabling patient-controlled access control policy authoring: First, an ordinary citizen is considered a non-security expert, thus not necessarily aware of implications of her/his actions of defining access control to protect personal health data. Second, permissions to access medical data are necessary to support the daily routines of medical personnel. The better the health-care information system supports these work procedures the more effective and useful it is. There should be a balance between access restrictions through privacy settings and required access permissions in order to allow the system to be effective. In this paper we present a case study in the context of SEHR in Austria. In this scenario we identify different types of authorization policies to support individuals' privacy. Patient privacy is an important factor in access decision making, but in order to ensure the privacy - effectiveness balance, citizen-authors of policies should be informed about implications of their privacy settings on the underlying information system. To ensure this balance, policies need to be analysed. In this paper we describe a policy analysis method based on generated rules to evaluate the consequences of citizens privacy settings. Analysis results can then be used to inform and support a citizen during the policy authoring process.

References

[1]

E. Bertino, B. Catania, E. Ferrari, and P. Perlasca. A logical framework for reasoning about access control models. In Proceedings of the sixth ACM symposium on Access control models and technologies, SACMAT '01, 2001.

Abstract

References

Cited By

Index Terms

Recommendations

Privacy policies of personal health records: an evaluation of their effectiveness in protecting patient information

An efficient privacy mechanism for electronic health records

Design and Implementation of a Privacy Aware Framework for Sharing Electronic Health Records

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations