A Design for Task-Role Based Access Control for Personal Health Record Systems

Abstract – We present our design for a Task-Role Based Access control system for Personal Health Records (PHR). Current access control models deployed for PHR systems are, at best, based on role-based models. This neither allow for flexibility nor fine-grained restrictions on access to records. The ideal situation is to have a dynamic, task-based access control model on top of the role-based restrictions. Multiple constrains were also added to provide a more fine-grained access. Furthermore, specific policies for PHR systems were also defined. From our survey of existing PHR systems none provide these combination of dynamic access control coupled with constraints and roles. We implemented a prototype, a hybrid PHR-EMR (Electronic Medical Record) system, of our design where we applied the security model we are proposing. We also conducted a usability testing and our evaluation shows that our design can be used and implemented in an actual PHR. Keywords: Access Control, TRBAC, Task – Role Based Access Control, PHR, Personal Health Record System