MODELLING ACCESS CONTROL FOR HEALTHCARE INFORMATION SYSTEMS How to control access through policies, human processes and legislation

The widening use of Information Systems, which allow the collection, extraction, storage, management and search of information, is increasing the need for information security. After a user is successfully identified and authenticated to a system, he needs to be authorised to access the resources he/she requested. Access control is part of this last process that checks if a user can access those resources. This is particularly important in the healthcare environment where there is the need to control access to Electronic Medical Records (EMR). Although EMR can be an important support tool for the healthcare professional there are some barriers that prevent its successful integration. These barriers include the fact that healthcare professionals do not participate in the development of access control to access the EMR imposing them extra effort in its use. New access control policies to be implemented should focus on human processes and needs. The main objective of this project is to reduce EMR barriers by including healthcare professionals and patients in the definition and improvement of access control policies and models. If this can be achieved, we hypothesize that the EMR can be more successfully integrated into the healthcare practice and provide for better patient treatment.