Credential Based Hybrid Access Control Methodology for Shared Electronic Health Records

Various credential based approaches have been proposed for realizing access control on shared data sources. These approaches use various types of credentials like identity certificates, attribute certificates, authorization certificate etc. The access control policies and mechanisms required in EHR must not only ensure that sensitive patient data is accessible to the authorized personnel only, but also ascertain that it is immediately available when needed in life-critical situations. The approaches based on identity credentials entail prior user registration whereas the attribute or authorization certificate based approaches incur considerable delay in fetching the appropriate certificates for granting access to shared data. Therefore these approaches are not suitable to handle immediate access required by an unknown competent user in critical situation. In this paper, we have proposed a hybrid access control methodology that not only enables immediate and open access to critical information by competent users but also provides fine grained access control on domain confined data. In this methodology, access control policy for EHR is defined using various types of credentials. Use of different types of credentials simplifies the specification of access control policy required to address the varied requirements of EHR. Credentials are supposed to be acquired independently by the user from appropriate Credential Issuing Authority and have been realized as digital certificates.