Maxwell  Young                                                                                       Homepage: www.cs.uwaterloo.ca/~m22young Location: David R. Cheriton School of Computer Science Email: m22young@cs.uwaterloo.ca

This page serves to document the topics of security, privacy, access control and role management in health informatics via the documents and materials I have encountered throughout the summer term of 2007 whilst enrolled in CS 898 Health Informatics taught by Dr. Ian McKillop. I have attempted to provide some structure to these materials through catagorization; however, this organization should not be viewed as a rigid structure since some papers could easily belong to more than one category. Each document is available either via pdf/ps format (the files have been uploaded to this site) and each external website is referenced via a (currently) functioning hyperlink. Commentary accompanies each item listed below, via the `Notes' link. Clicking this link will bring you directly to the anchored text relevant to the paper of interest; reference information is also included. These notes should not be perceived as a replacement for the paper itself; instead they serve to highlight and discuss those topics of interest to me and it is my hope that they will aid other readers in the identification of relevant material. Enjoy!

Papers and Websites on Access Control and Role Management

Introductory Works

• Privacy, Confidentiality, and Electronic Medical Records by R. Barrows and P. Clayton. Notes
• A Review of Security of Electronic Health Records by K. Win. Notes
• Digest of the Discussion Group Sessions by A. Bakker. Notes

Access Control Models: DAC, MAC and RBAC

• An Introduction to Role Based Access Control by the National Institute of Standards and Technology. Notes
• Role-Based Access Control a Wikipedia article. Notes
• Role-Based Access Control Models by R. Sandhu, E.Coyne, H. Feinstein and Ch. Youman Notes

Access Control Overrides: Exception Mechanisms

• A Study of Access Control Requirements for Healthcare Systems Based on Audit Trails from Access Logs by L. Rostad and O. Elsberg. Notes
• How to Break Access Control in a Controlled Manner by A. Ferreira, R. Cruz-Correia, L. Antunes, P. Harinha, E. Oliveira-Palhares E., W. Chadwick and A. Costa-Pereira. Notes

Challenges in Implementing Access Control

• Authorisation and Access Control for Electronic Health Record Systems by B. Blobel. Notes
• e-Consent: The Design and Implementation of Consumer Consent Mechanisms in an Electronic Environment by E. Coiera and R. Clarke. Notes
• Cassandra: Flexible Trust Management, Applied to Electronic Health Records by M. Becker and P. Sewell. Notes
• OASIS Role-Based Access Control for Electronic Health Records by D. Eyers, J. Bacon and K. Moody. Notes

Issues of Interoperability and Coordination in Access Control

• Access and Authorisation in Glocal e-Health Policy Context by R. Scott, P. Jennett and M. Yeo. Notes
• Security Issues Arising in Establishing a Regional Health Information Infrastructure by R. Neame and M. Olson. Notes
• A Cross-Platform Model for Secure Electronic Health Record Communication by P. Ruotsalainen. Notes

Access Control Over the Internet

• Giving Patients Access to Their Medical Records via the Internet: The PCASSO Experience by D. Masys, D. Baker, A. Butros and K. Cowles. Notes
• Use of a Secure Internet Web Site for Collaborative Medical Research by W. Marshall and R. Haley. Notes

Below are links to websites and materials that the interested reader may find useful. Clicking on the link will open a new browser window at the site of interest.

Other Relevant Websites and Materials:

• CS 898 Twiki Site This site contains resources compiled by members of the class on a variety of topics covered during the term.
• Lecture Slides My lecture slides on access control and role management.
• Health Privacy Project This site is dedicated to the prevention of medical privacy violations. The page documenting past security breaches is particularly illuminating.
• National Institute of Standards and Technology This is the website for the National Institute of Standards and Technology (NIST).
• National Initiative for Telehealth Project This is the website for the National Initiative for Telehealth (NIFTE) project.
• Policy and Peer Permission Project This is the website for the Policy and Peer Permission (PPP) project.
• Ultra-Scan, Corp. This is the website for Ultra-Scan, a manufacturer of finger printing security technology. Their products are used for access control in several hospitals in the US.
• St. Vincent's Hospital This is the website for St. Vincent's Hospital based in Birmingham, Alabama. This hospital was recently named as one of the top 100 most wired hospitals in part, for their adoption of biometric devices in establishing reliable access control.