• DocumentCode
    652108
  • Title
    Privacy-Centric Access Control for Distributed Heterogeneous Medical Information Systems
  • Author
    Khan, Ajmal ; McKillop, Ian
  • Author_Institution
    David R. Cheriton Sch. of Comput. Sci., Univ. of Waterloo, Waterloo, ON, Canada
  • fYear
    2013
  • fDate
    9-11 Sept. 2013
  • Firstpage
    297
  • Lastpage
    306
  • Abstract
    In many jurisdictions, patients are being increasingly empowered to play a critical role in defining how their medical information can be collected, used and shared across various healthcare data custodians. This patient-centric focus on information custody and management, along with the highly distributed nature of medical information, introduces new access control challenges related to privacy and security of medical information. As a result, when exchanging medical information across systems under different administrative domains, traditional access control models are not effective to enforce patient privacy preferences. To address this challenge, we propose an access control scheme that is patient-centric and offers a consent-based access control solution usable across heterogeneous medical information systems. Our model utilizes a logic-based approach to make inferences about access control decisions, and uses ontology-based knowledge representation to ensure that privacy preferences are correctly understood and applied. All system-level access control decisions can be automated and independently verified for validity and correctness. Our proposed solution offers a flexible and robust model that is most suited for the demanding access control scenarios present in patient care.
  • Keywords
    authorisation; data privacy; inference mechanisms; information management; medical information systems; ontologies (artificial intelligence); patient care; administrative domains; consent-based access control solution; distributed heterogeneous medical information systems; healthcare data custodians; inferences; information custody; information management; jurisdictions; logic-based approach; ontology-based knowledge representation; patient care; patient privacy preferences; patient-centric focus; privacy-centric access control; security; system-level access control decisions; Access control; Formal languages; Hospitals; Information systems; Privacy; Patient consent; access control; medical records;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Healthcare Informatics (ICHI), 2013 IEEE International Conference on
  • Conference_Location
    Philadelphia, PA
  • Type
    conf
  • DOI
    10.1109/ICHI.2013.42
  • Filename
    6680490