Rapid and reliable sharing of patient information across healthcare systems is a major technological factor in improving healthcare. Although such sharing would lower costs, applicable laws and regulations, e.g., HIPAA in the United States, impose security and privacy guarantees that necessitate appropriate access control mechanisms to protect healthcare data. Many currently used access control models in healthcare systems are inadequate, as demonstrated by the constant successful attacks on these systems. As protecting healthcare information and systems from malicious or inadvertent attacks by authorized insiders is crucial, this paper investigates insider threats and develops an approach to protect such information from unauthorized or improper use, disclosure, alteration, and destruction by healthcare personnel. A threat model is designed and constructed for access control in healthcare systems, and used to assess the effectiveness of common access control models such as Role-Based Access Control and Attribute-Based Access Control.
展开▼
