Strengthen Electronic Health Records System (EHR-S) Access-Control to Cope with GDPR Explicit Consent.

Patient consent is currently a missing piece on Electronic Health Records System (EHR-S) access permission. The control is needed to ensure personal data as the property of the individual, not data controllers or health-care service providers. To cope with this need, in this article, an adaptation of existent Role-Based Access Control (RBAC), including patient-centric control, is described. The revisited feature of existing administrative and supporting RBAC functions allows exclusive control orchestrated by the patient as sole information owner, including the ability to encrypt their data for confidentiality purposes. The additions mimic a Discretionary Access Control (DAC) capability using existing user group membership to vet access over symmetric keys bind to patient's data via the associated PERMS matrix.

Health Information System Role-Based Access Control Current Security Trends and Challenges.

Objective: This article objective is to highlight implementation characteristics, concerns, or limitations over role-based access control (RBAC) use on health information system (HIS) using industry-focused literature review of current publishing for that purpose. Based on the findings, assessment for indication of RBAC is obsolete considering HIS authorization control needs. Method: We have selected articles related to our investigation theme "RBAC trends and limitations" in 4 different sources related to health informatics or to the engineering technical field. To do so, we have applied the following search query string: "Role-Based Access Control" OR "RBAC" AND "Health information System" OR "EHR" AND "Trends" OR "Challenges" OR "Security" OR "Authorization" OR "Attacks" OR "Permission Assignment" OR "Permission Relation" OR "Permission Mapping" OR "Constraint". We followed PRISMA applicable flow and general methodology used on software engineering for systematic review. Results: 20 articles were selected after applying inclusion and exclusion criteria resulting contributions from 10 different countries. 17 articles advocate RBAC adaptations. The main security trends and limitations mapped were related to emergency access, grant delegation, and interdomain access control. Conclusion: Several publishing proposed RBAC adaptations and enhancements in order to cope current HIS use characteristics. Most of the existent RBAC studies are not related to health informatics industry though. There is no clear indication of RBAC obsolescence for HIS use.