Keywords :
Visual access control; electronic health records; security and usability; patient empowerment
Abstract :
It has been observed in pilot tests that patients who are able to access their Electronic Health Records (EHR) become more responsible for, and more involved in, the maintenance of their health. Patients accessing their EHR can commit more faithfully to therapies, thus increasing their treatments' success rate. However, although technologically feasible and legally possible, there is no validated or standardized toolset available yet for patients to review and manage their EHR. Many privacy, security and usability issues must be solved before this practice can be made mainstream. This paper proposes and discusses the design of a visual access control application that addresses most of these issues and offers patients secure, controlled and easy access to their EHR.
Disciplines :
Computer science
Author, co-author :
Ferreira, Ana ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Lenzini, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Santos-Pereira, Cátia; CINTESIS - Faculty of Medicine, University of Porto
Augusto, Alexandre; CINTESIS - Faculty of Medicine, University of Porto
Correia, Manuel; CINTESIS - Faculty of Medicine, University of Porto
Language :
English
Title :
Envisioning secure and usable access control for patients
Publication date :
May 2014
Event name :
3rd International Conference on Serious Games and Applications for Health
Event date :
from 14-05-2014 to 16-05-2014
Audience :
International
Main work title :
IEEE 3rd International Conference on Serious Games and Applications in Healthcare