SoTRAACE – Socio-Technical Risk-Adaptable Access Control Model

Pedro Moura1,2, Ana Ferreira1, Paulo Fazendeiro2

1Cintesis, 2University of Beira Interior

Smartphones are the most ubiquitous device that people hold nowadays.
In the healthcare domain, professionals can use smartphones to access Health Information Systems (HIS), access Electronic Health Records (EHR) to set and view exam results, share data and prescribe medications . Patients can use smartphones to access their medical records, control access to their health related data, monitor health statistics and view their prescriptions .

However, HIS and EHR’s comprise highly sensitive data, which raises serious concerns regarding patients’ privacy and safety , and are therefore subjected to legal and regulatory restrictions .
Access control aims to provide adequate means to protect health data from unauthorized accesses . With the new mobile paradigm of anytime/everywhere, there is a need to find more innovative, flexible, dynamic, transparent and resilient access control models, that are adaptable to more heterogeneous requests, as traditional solutions are based on predefined access policies and roles.

This work presents a new access control model, SoTRAACE – Socio-Technical Risk-Adaptable Access Control Model, that takes the inherent differences and security requirements present in each access situation and aggregates attributes to help performing a risk assessment at the moment of request. Attributes include: context/location, type of device, user profiling and access history, institution or legal requirements , type and sensitivity level of the resource, unanticipated situations and performed delegations. SoTRAACE is expected to provide a more dynamic, adaptable, transparent and secure access to health data by mobile users.

keywords: Data privacy, Health information systems (HIS), Mobile access control, Risk adaptable access, Socio-technical systems, Ubiquitous access.

Presentation: SoTRAACE Socio-Technical Risk-Adaptable Access Control Model