As users are now able to take their mobile devices from location to location, there has been a transition from a static program running on a PC/laptop to a dynamic application that can adapt based on a variety of conditions and criteria. This highlights an emerging need to support dynamic permissions of mobile applications as a user moves from location to location based and perform different actions in particular situation. This chapter presents a Spatio-Situation-Based Access Control model that extends role-based access control to secure sensitive data for mobile applications with the ability to make dynamic authorization decisions according to the time/location and the particular situation being encountered by a user. To demonstrate the feasibility of the work, a realistic healthcare scenario examines the complex workflow of treating a patient by a physician utilizing a mobile health (mHealth) app to access patient data, as she/he moves among multiple locations at different times throughout the day/week requiring access to different patient data repositories at different times.
TopIntroduction
Mobile devices and applications have dramatically altered the way that users interact electronically, moving away from a PC/laptop-based world. The idea of sitting in one place to do computing has evolved to one where movement is the norm and not the exception. In acknowledgement of this ever-changing environment, one effort has identified the need for different programming and usability models to develop mobile applications (Harrison, Flood, & Duce, 2013), particularly in the context where individuals are moving from location to location. The usage of location has dramatically changed the way that applications are written – allowing there to be an engagement of interactions that allows users to effortlessly find businesses, restaurants, hotels, shopping venues, etc (Ramey, 2013). This is primarily supported by the ubiquity of GPS chips in mobile devices (Venturebeat Staff, 2014). Mobile devices are also impacting business to business (B2B), business to employee (B2E), and business to consumer (B2C) interactions (Cryderman, 2011) by: providing disposable applications that can target B2C for very short durations which eliminates a need to maintain application versions over time; and, increasing application communications including bi-directional communications for B2C where the user’s feedback can impact the application behavior and the application itself. In all of these activities, the location of the app, and the movement of a user from location to location has changed the view from a static program running on a PC/laptop to a dynamic application that can adapt based on a variety of conditions and criteria.
One area where location-based behavior would be particularly useful and beneficial is in mobile applications for healthcare, coined “mHealth”, in 2009 (Torgan, 2009) with a recognition of its potential impact (Himss, 2014). Mobile applications in healthcare are touted for their potential to improve access to care, patient engagement, and safety, while also requiring new models for physicians to use in their medical practices (Savitz, 2012). For patients, those applications may serve as a diagnostic tool, monitoring glucose level for diabetes or weight for obesity, health/fitness tracking, health information, diseases monitoring, etc.; all of these capabilities can provide new and relevant information for physicians (Haberle, 2014). To give an idea of the scope, a report from the IMS Institute for Healthcare Informatics (Aitken, 2013) found 43,700+ medical applications in the Apple application store, with approximately 69% targeting consumers/patients and 31% for use by medical providers (e.g., physicians, nurses, therapists, specialists, etc.); this was further summarized (Posada, 2014). Medical providers are also increasingly utilizing mobile applications in their medical practices for information management, social networking for consulting physicians, drug and medical information, medical education and training, and patient management and monitoring (Lee Ventola, 2014). All of these various mHealth applications for patients/consumers and medical providers will require Health Insurance Portability and Accountability Act (HIPAA) (HHS, 1996) compliant storage of data collected by patients and the potential interaction of data stored in numerous health information technology (HIT) systems that include an Electronic Health Record (EHR) (PrognoCIS, 2010), an Electronic Medical Record (EMR) (OpenEMR, 2012), and/or a Personal Health Record (PHR) (Microsoft, 2007). All of these mHealth applications contain sensitive information that is collected, recorded, stored, processed, and transferred which require a high degree of privacy safety per both HIPAA and new Food and Drug Administration (FDA) guidelines for mobile medication applications (FDA, 2015).