An Activity Theory Approach to Specification of Access Control Policies in Transitive Health Workflows

Access control models are implemented to mitigate the risks of unauthorized access in Electronic Health Records (EHRs). These models provide authorization with the help of security policies, wherein the protected resource is governed by one or more policies that exactly specify what attributes a requester needs to fulfill in order to obtain access. However, due to the increasing complexity of current healthcare system, defining and implementing policies are becoming more and more difficult. In this research-inprogress paper, we present an Activity Theory driven methodology to formalize access control policies that can be used in enforcing patient’s privacy consent in a healthcare setting. In order to account for the transitivity in health workflows, we extend the Activity Theory to include “organizational interconnectedness” within the health workflows.