Toward a synergy among discretionary, role-based and context-aware access control models in healthcare information technology

Healthcare information systems collect, store and manage sensitive information about patients and, hence, it is imperative for such systems to provide robust access control mechanisms with a view to thwarting potential security and privacy threats. The access-control requirements in healthcare systems are quite diverse as compared to those of other systems. The existing subject-, role-, object-, attribute-, or context-centric approaches seem insufficient to efficiently and flexibly model the access-control needs of the healthcare domain. In this paper, we propose a combined access control scheme for healthcare information systems, amalgamating features of discretionary access control (DAC), role-based access control (RBAC) and context-aware access control. We discuss the design, implementation and evaluation of the proposed scheme, and explain the rationale behind the combination.