A Flexible Solu on for Privilege Management and Access Control in EHR Systems

Background: Inter-organiza onal healthcare businesses are ruled by a huge set of policies: legal policies, organiza onal policies, medical policies, ethical policies, etc., which are quite sta c, pa ents policy and process, social and environmental condi ons, which are highly dynamic. In the context of a business case, those diff erent policies must be harmonized to enable privilege management and access control decisions. Objec ves: The authors off er a methodology to achieve interoperability through policies harmoniza on in a privilege management and access control solu on for EHR systems, to be later on implemented in a cancer care network using HL7 specifi ca ons. Methods: To meet the objec ve, the authors make use of a system-theore cal, architecture-centric, ontology-based approach to formally represen ng the aforemen oned polices for harmoniza on. Results: Because of its fl exibility and generality, a policydriven RBAC model is used to formally represent all the other access control models such as MAC, DAC, RBAC, ABAC, HL7 Data Segmenta on and Labeling Services. All the policies deployed in the context of an inter-organiza onal collabora on for cancer care can be formalized and then harmonized. Conclusions: The authors provide an implementa onindependent methodology to enable policies harmoniza on in EHR systems. The methodology described in the paper is independent on the maturity of organiza ons’ privilege management and access control system. Furthermore, it does not hamper organiza ons progressing to more advanced solu ons over the me. Even dynamic policies can be harmonized at run me, allowing advancement towards a pa ent-centered care.