Access Control in Healthcare Information Systems Logic Will Get You from a to B. Imagination Will Take You Everywhere

Access control is a key feature of healthcare information systems. Access control is about enforcing rules to ensure that only authorized users get access to resources in a system. In healthcare systems this means protecting patient privacy. However, the top priority is always to provide the best possible care for a patient. This depends on the clinicians having access to the information they need to make the best, most informed, care decisions. Care processes are often unpredictable and hard to map to strict access control rules. As a result, in emergency or otherwise unexpected situations, clinicians need to be able to bypass access control. In a crisis, availability of information takes precedence over privacy concerns. This duality of concerns is what makes access control in healthcare systems so challenging and interesting as a research subject. To create access control models for healthcare we need to understand how healthcare works. Before creating a model we need to understand the requirements the model should fulfill. Though many access control models have been proposed and argued to be suitable for healthcare, little work has been published on access control requirements for healthcare. This PhD project has focused on bridging the gap between formalized models and real world requirements for access control in healthcare by targeting the following research goals: RG1 To collect knowledge that forms a foundation for access control requirements in healthcare systems. RG2 To create improved access control models for healthcare systems based on real requirements. This PhD project has consisted of a number of smaller, distinct, but related projects to reach the research goals. The main contributions can be summarized as: C1 Requirements for access control in healthcare: Studies performed on audit data, in workshops, by observation and interviews have helped discover requirements. Results from this work include methods for access control requirements elicitation in addition to the actual requirements discovered. C2 Process-based access control: The main conclusion from the requirements work is that access control should be tailored to care processes. Care processes are highly dynamic and often unpredictable, and access control needs to adapt to this. This thesis suggests how existing sources of process information, both explicit and implicit, may be used for this purpose. C3 Personally controlled health records (PCHR): This thesis explores the consequences of making the patient the administrator of access control and proposes a model based on these initial requirements. From a performed usability study it is clear that the main challenge is how to keep the patient informed about the consequences of sharing.