A Personalized Access Control Framework for Workflow-Based Health Care Information

Access control is one of the key features of any health care organization. Without a strong access control mechanism, there is a risk of inappropriate use of personal health information. Here we focus on Personalized Access Control (PAC) [1] where the patient decides who can access his/her health record. We enhance the PAC model of [1] by proposing a prototypical framework, which incorporates a workflow into the PAC model to express the context of health care processes, and by providing a mechanism to capture a patient's consent to enforce the PAC policy. We enforce the "need to know" principle by associating roles with each task in a workflow and handle problems with delegation. We present a case study outlining the present working procedures of the Seniors' Wellness Program in our local health authority, using NOVA Workflow for workflow modeling and Ponder2 for representing and enforcing policy.