A Conceptual Framework for an Extension Access Control Models in Saudi Arabia Healthcare Systems


Amin A. Shaqrah (Taibah University, Saudi Arabia) and Talal Noor (Taibah University, Saudi Arabia)
DOI: 10.4018/978-1-7998-1204-3.ch010


This article aims to develop a framework for extended access control models in Saudi Arabian healthcare systems. The conceptual framework acts as a governance structure that organizes and supports the efforts of several healthcare standards, reflecting the confidentiality, integrity and availability (CIA) triad, in order to achieve the strategic business objectives of Saudi Arabian healthcare institutions. It considers three common access control models developed by the ACM institute and extends them with further criteria identified by the National Institute of Standards and Technology (NIST). While the literature explains that an easy-to-use access control model can lead to a successful healthcare system, understanding how access control systems are extended is vital for Saudi Arabian healthcare institutions to protect resources against unauthorized use. This article takes a step in that direction.
Chapter Preview


The purpose of information security in Healthcare Information Systems (HIS) is, in general, to guarantee the Confidentiality, Integrity, and Availability (CIA) of the data (Srisakthi and Shanthi, 2015). Confidentiality is the protection that ensures only those with appropriate rights and verified permissions may access certain data (Whitman et al., 2013); data should not be disclosed to unauthorized entities. Integrity in general means sustaining and ensuring the accuracy of data over its entire life cycle; in HIS, integrity means that data should not be modified by unauthorized entities or persons. Availability protection in HIS prevents the deliberate or accidental withholding of data or resources from authorized users. To ensure HIS security, countries enact laws and regulations that healthcare organizations must follow. In the US there are three acts, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act (SOX), that contain provisions protecting personal information from being revealed to or retrieved by unauthorized persons, entities, or processes (Gopalan et al., 2012). HIPAA sets out principles for the use and disclosure of Protected Health Information (PHI), which is any data about health status, provision of health care, or payment for health care that can be linked to an individual (Lerouge et al., 2007).

To protect PHI, healthcare organizations need to enforce patients' rights using a set of policies and technologies. Access control models were introduced to address the privacy problem by granting permission to access PHI only to authorized persons. Access control is used to prevent unauthorized use of resources, including use of resources in an unauthorized manner (Zeltsan, 2010). There are many access control models, and each has been extended in different ways to cover missing security measures. Healthcare organizations are free to choose the access control model that fits their needs and is compatible with PHI privacy regulations. In addition to laws, regulations, policies and technology, standards are also used to confirm the security of PHI in healthcare information systems (Fichman and Kemerer, 1997). Standards deliver the basic required measures that help enforce and maintain information security procedures in any institution. There are a few well-known tier-1 standardization organizations, such as the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the Association for Computing Machinery (ACM). Other standardization organizations are specific to certain industries; for example, Health Level Seven (HL7) addresses healthcare informatics. Industry standardization organizations generally adopt the technology already used by tier-1 standardization entities (Meyer and Goes, 1998). The literature reviewed did not provide a methodology for extending access control models to satisfy NISTIR 7874 (NIST's guidelines for access control system evaluation metrics); this paper provides a starting point for developing an extended access control model framework that addresses the synergy between secure healthcare systems and access control models with NISTIR 7874 in mind.
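The paragraph above describes access control only in the abstract: a model maps a request (who, what action, which resource) onto an allow or deny decision so that PHI reaches authorized persons only. The following is an added example, not code from the chapter or from any of the models it goes on to assess, showing what such a decision looks like in working form: a deny-by-default check that combines a role permission with a treatment relationship, filters the released fields down to what the role needs, and records every decision for audit. The roles, the record fields, the "care list" rule for clinicians and the billing-clerk rule are all constructed assumptions for illustration, not any real hospital's policy.

```python
"""Added example: deny-by-default PHI access check with audit trail.

Constructed for illustration; roles, fields and rules are assumptions,
not the chapter's models or any regulator's requirements.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed PHI record schema (assumption).
ALL_FIELDS: FrozenSet[str] = frozenset(
    {"name", "diagnosis", "medications", "billing_code", "insurer"}
)

# Assumed policy: the fields each role may read. Anything not listed is denied,
# so a field added to the record later stays invisible until policy grants it.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "physician": ALL_FIELDS - {"billing_code", "insurer"},
    "nurse": frozenset({"name", "medications"}),
    "billing_clerk": frozenset({"name", "billing_code", "insurer"}),
}

# Assumed rule: clinical roles also need a current care relationship.
CLINICAL_ROLES: FrozenSet[str] = frozenset({"physician", "nurse"})


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str
    # Patients this user currently treats (constructed care-team relationship).
    care_list: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    fields: FrozenSet[str]  # fields actually released; may be a subset of the request
    reason: str


@dataclass
class AccessControl:
    # Every decision, allowed or denied, is appended here so an auditor can
    # later reconcile access attempts against the policy.
    audit_log: List[dict] = field(default_factory=list)

    def authorize(self, subject: Subject, action: str, patient_id: str,
                  requested: FrozenSet[str]) -> Decision:
        decision = self._evaluate(subject, action, patient_id, requested)
        self.audit_log.append({
            "user": subject.user_id, "role": subject.role, "action": action,
            "patient": patient_id, "requested": sorted(requested),
            "granted": sorted(decision.fields), "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    @staticmethod
    def _evaluate(subject: Subject, action: str, patient_id: str,
                  requested: FrozenSet[str]) -> Decision:
        def deny(why: str) -> Decision:
            return Decision(False, frozenset(), why)

        if action != "read":  # only reads are modelled in this example
            return deny("action not permitted")
        permitted = ROLE_FIELDS.get(subject.role)
        if permitted is None:  # unknown role falls through to default deny
            return deny("unknown role")
        if subject.role in CLINICAL_ROLES and patient_id not in subject.care_list:
            return deny("no treatment relationship with patient")
        granted = requested & permitted  # minimum-necessary filter
        if not granted:
            return deny("none of the requested fields are permitted for role")
        return Decision(True, granted, "allowed")


if __name__ == "__main__":
    ac = AccessControl()
    dr = Subject("u1", "physician", frozenset({"p100"}))
    print(ac.authorize(dr, "read", "p100", frozenset({"name", "diagnosis", "billing_code"})))
    print(ac.authorize(dr, "read", "p200", frozenset({"name"})))
    print(ac.authorize(Subject("u2", "billing_clerk"), "read", "p200", frozenset({"diagnosis"})))
```

Two design choices carry the security weight. The check never returns an allow on any path it has not explicitly reasoned about (unknown role, unknown action, empty intersection all deny), and a partially permitted request is trimmed rather than rejected, so a physician asking for a billing code receives the clinical fields and the audit record shows what was withheld. Extending the model in the sense the chapter discusses would mean adding further criteria to `_evaluate` (for example time of access or purpose of use) without loosening the default deny.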
The rest of this paper is structured as follows: Saudi Arabian healthcare systems, an overview of access control models, assessment of access control models, the proposed framework, implications, and finally the conclusion and future work.
