Access control in healthcare information systems - context aware attribute based approach

Abstract

Role based access control has been in use for years. However, when the Internet based distributed large scale information systems come in use a need for context aware access control becomes evident. This approach has been implemented using attributes of subject of access control, resource of access control environment and the action used while the resource is accessed. Implementing this approach doesn't exclude RBAC. A role becomes a subject's attribute. EXtensible Access Control Markup Language is standardized language for writing access control policies, access control requests and access control responses using attributes. XACML can provide decentralized administration and credentials distribution. In the 2002 version of CEN ENV 13 606 attributes have been attached to EHCR components, and in such a system context aware or Attribute Based Access Control and XACML have been easy to implement. In 2008 CEN ENV 13 606 has been revised and becomes ISO 13 606 while access control in a healthcare information system has been standardized in ISO 22 600. This paper presents writing XACML policies in the case when attributes are in hierarchical structure and examines performances.