Multi-Level Security in Healthcare Using a Lattice-Based Access Control Model

1. Introduction

Ensuring that the correct individual receives only authorized information is one of the key security concerns in the health care domain. This requires that access to both personally identifiable information (PII) and personal health information (PHI) be precisely controlled. There are two dimensions that are relevant for securely accessing health care data. For the first dimension, access control must be realized in all of the health information technology (HIT) systems that are available to the various stakeholders (medical professionals, administrative staff, patients, family members, etc.). HIT systems include: electronic health records (EHRs), practice management systems (PMS), and personal health records (PHRs); the majority but not all of these systems must adhere to the Health Insurance Portability and Accountability Act (HIPAA) (HIPAA, 2017) for the security, availability, transmission, and release of a patient's medical information. For the second dimension, patient-controlled access to data is a desirable and increasingly important aspect of making information accessible, and may allow patients to define who (among the aforementioned stakeholders) can have access to what information at which times to view/modify medical/health/fitness data. While both privacy and security are of paramount concern for both these dimensions, our focus is on ensuring that the security is robust enough to operationalize a wide variety of potential privacy policies including HIPAA and patient control. Caine and Hanania (Caine & Hanania, 2013) studied the type and granularity of medical/health/fitness data for which patients wanted to control access. An earlier effort (Sujansky et al., 2010) emphasized fine grained access control by role to allow a patient to define that, for example: a family member can view a subset of my medication list, a person’s personal physician may view/modify medical/health/fitness data, and an emergency physician can see all of an individual’s medical/health data in an emergent situation, etc. Previously, Peleg et al (Peleg et al., 2008) described a method to establish privileges and access control from the perspective of the patient – called situation-based access control. More recently, it has been proposed (Kendall & Quill, 2017) that every American have a lifetime electronic health record that has complete information and is available from any location.