Usable access control policy and model for healthcare

Access control defines what users can perform within a system. It is usually defined by software engineers and end users are seldom asked for cooperation. The main objective of this paper is to gather the necessary knowledge from the end users of an Electronic Medical Record (EMR) regarding access control and, with their collaboration, define a list of usable access control rules and access control model, which are closer to user needs and workflows. Access control standards in healthcare were also analyzed. Afterwards, focus groups were applied to health professionals and several access control rules were extracted from the analysis of all the information that was gathered. The Break The Glass - Role Based Access Control model (BTG-RBAC) was created and includes the generated access control rules, which are closer to users´ workflows and needs and can, therefore, improve EMR´s usability while reducing some barriers for its effective integration.