With advances in medical information technology, patients and doctors can now benefit from a range of new services. For example, an Electronic Patient Record (EPR) is a repository for electronically stored data related to a patient's health status and health care. An EPR system can provide functions that improve the quality and efficiency of healthcare delivery. Examples of EPR functionality are providing reminders and alerts, offering access to multiple clinicians at the same time, or linking knowledge sources to a patient's data. Traditional paper-based medical records lack such functions.
In addition, there is increasing demand for remote patient monitoring services, and a number of standardisation activities are aimed at this area, such as the Continua Alliance (see www.continuaalliance.org/home) and the Healthcare Information Technology Standards Panel (see www.hitsp.org). Advantages of communicating health-related problems electronically include not having to leave the house, which matters for disabled people, being able to ask delicate questions anonymously, and obtaining answers from individuals whom one would not otherwise have met. Although these technologies bring a number of advantages, they also raise a number of security and privacy issues.
Health-related data is generally considered very private, which justifies the existence of extensive legislation and well-established ethical principles such as the Hippocratic Oath. The European Data Protection Directive 95/46/EC, the Health Insurance Portability and Accountability Act (HIPAA) in the USA (see www.hhs.gov/ocr/privacysummary.pdf) and the Health Information Protection Act (HIPA) in the Canadian province of Saskatchewan (see www.health.gov.sk.ca/hipa-checklist) legislate the rights of individuals and the obligations of trustees such as doctors and nurses in the health system with respect to personal health information. These acts apply to personal health information in any form, including traditional paper records and electronic records. The basic goal of the legislation is to protect the privacy of personal health information while ensuring that information is available, as needed, to provide services and to monitor, evaluate and improve the health system for the benefit of individuals and the community.
These laws require the implementation of a wide range of security measures. One of the main principles is information minimisation: for example, the HIPA requires that personal health information is collected, used or disclosed only on a need-to-know basis. This means that only information required for an acceptable purpose should be collected, used or disclosed, and that only those individuals who need to access the information for legitimate purposes under the Act should have access to the records.
Besides the need-to-know condition, another important factor in determining access rights is the certainty in the subject's contextual attributes. In healthcare applications, access to information very often depends on context information (context attributes are commonly used as conditions in access control rules). However, when evaluating such rules it is often difficult to be completely sure that a given context condition is actually fulfilled. This is especially the case for DRM (digital rights management) applications, where the client itself has to evaluate the context information. State-of-the-art solutions such as XACML (eXtensible Access Control Markup Language) take context attributes into account, but the authorisation they produce is static: a rule either matches the supplied attribute values or it does not, and the decision does not reflect how certain the system is that those values are correct.
A doctor, for example, would have the same access rights to his patients' health records from any device (office PC, home PC, public Internet café) and with any authentication method (one-factor or two-factor): records accessed from a PC in a public Internet café or at home come with exactly the same rights as records accessed from a secure PC at the hospital or clinic. However, the certainty in the doctor's attributes (for example his identity) depends strongly on the methods used to certify these attributes (for example the authentication modality used).
The same is true for the certainty in other contextual information, such as the trustworthiness of the PC running a Digital Rights Management or access control client application. Current static authorisation methods cannot cope with these requirements. Hence there is a need for methods that efficiently determine the certainty in the attributes used for access control and DRM, together with the need-to-know condition, so that access and usage rights can be assigned to the authorised person accordingly.
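To make the contrast concrete, the following Python sketch is an added example; it is not code from the paper and not a description of any XACML implementation. It evaluates the doctor's request twice: once with a static, attribute-value-only rule, which grants the same operations from every device, and once with a rule that scales the granted operations by a certainty score derived from the authentication modality and the client platform. The certainty values per authentication method and device class, the multiplicative combination rule, the role names and the tier thresholds are all assumptions made for this illustration, not values proposed by the paper.

```python
"""Static vs certainty-aware authorisation for a patient-record request.

Added illustration, not the paper's method. All numbers below are assumed.
"""
from dataclasses import dataclass

# Assumed certainty that the authenticated subject is who they claim to be,
# per authentication modality (constructed values).
AUTH_CERTAINTY = {
    "password": 0.60,        # single factor, easily phished or shared
    "password+otp": 0.85,    # two factors
    "smartcard+pin": 0.95,   # hardware-backed second factor
}

# Assumed certainty that the client platform will enforce the policy
# (a managed hospital PC vs an unknown public terminal).
DEVICE_CERTAINTY = {
    "hospital_pc": 0.95,
    "home_pc": 0.70,
    "internet_cafe": 0.20,
}

FULL_RIGHTS = {"read", "write", "print", "export"}

# Assumed mapping from certainty level to the operations it unlocks,
# checked from the most demanding tier downwards.
TIERS = [
    (0.80, FULL_RIGHTS),
    (0.50, {"read", "write"}),
    (0.30, {"read"}),
]


@dataclass(frozen=True)
class Request:
    subject_role: str   # e.g. "doctor" (hypothetical role name)
    treating: bool      # is the subject on this patient's care team?
    auth_method: str    # key into AUTH_CERTAINTY
    device: str         # key into DEVICE_CERTAINTY


def need_to_know(req: Request) -> bool:
    """Information-minimisation condition: role plus care relationship."""
    return req.subject_role == "doctor" and req.treating


def static_decision(req: Request) -> set:
    """Static authorisation: the decision depends only on attribute values.

    Device and authentication method are not even consulted, so the doctor
    gets identical rights from the hospital PC and the Internet cafe.
    """
    return set(FULL_RIGHTS) if need_to_know(req) else set()


def attribute_certainty(req: Request) -> float:
    """Combine the certainty in subject identity and in device trustworthiness.

    Assumed model: the two sources are independent, so certainties multiply.
    Unknown modalities or devices contribute zero certainty.
    """
    return AUTH_CERTAINTY.get(req.auth_method, 0.0) * DEVICE_CERTAINTY.get(req.device, 0.0)


def certainty_aware_decision(req: Request) -> set:
    """Need-to-know first, then grant only what the certainty level supports."""
    if not need_to_know(req):
        return set()
    certainty = attribute_certainty(req)
    for threshold, operations in TIERS:
        if certainty >= threshold:
            return set(operations)
    return set()


if __name__ == "__main__":
    scenarios = [
        Request("doctor", True, "smartcard+pin", "hospital_pc"),
        Request("doctor", True, "password+otp", "home_pc"),
        Request("doctor", True, "password", "internet_cafe"),
        Request("doctor", False, "smartcard+pin", "hospital_pc"),
    ]
    for req in scenarios:
        print(f"{req.auth_method:14} {req.device:14} certainty={attribute_certainty(req):.2f} "
              f"static={sorted(static_decision(req))} "
              f"certainty-aware={sorted(certainty_aware_decision(req))}")
```

Under the static rule every treating doctor receives the full set of operations regardless of where and how they authenticated; under the certainty-aware rule the same doctor gets full rights from the hospital PC with a smart card, read and write only from a home PC with a one-time password, and nothing from a public terminal with just a password. The product combination and the thresholds are placeholders; the point is only that the decision becomes a function of how well the attributes are certified, not just of their values.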