Human-centric visual access control for clinical data management

This paper introduces a novel human-centric, visual, and context-aware access control (AC) system for distributed clinical data management and health information systems. Human-centricity in this context means that medical staff should be able to configure AC rules, both in a timesaving and reliable manner. Since medical data often include meta information about a patient, it is essential that an AC system only grants access requests that meet the patient's intent. Hence, it is desirable that a patient be included in the AC process. To cater for the strong security needs in the medical domain, both the AC policy creation by medical staff as well as the patient-interaction feature need to be supervised by governing policies. While traditional AC systems such as role-based access control offer sufficient security in theory, they lack in comfort and flexibility. This property does not fulfil the requirements of flexible and distributed environments. Distributed medical institutions could enormously benefit from the opportunity of dynamic AC configuration at an end-user level while adhering to legal, ethical or other privacy requirements. Hence, this paper presents a human-centric visual AC model for medical data, addressing usability, information security and patient interaction. To demonstrate our approach, an integration with the DCM4CHE open source system is presented.