مدل کنترل دسترسی پویای حافظ حریم خصوصی با قابلیت وکالت دسترسی درسلامت الکترونیکی

گسترش استفاده از فناوری اطلاعات و به‌طور خاص اینترنت اشیا در حوزه سلامت الکترونیکی، مسائل مختلفی را به‌همراه دارد که از مهم‌ترین آنها مساله امنیت و کنترل دسترسی است. در این راستا نیازمندی‌های مختلفی از جمله مساله دسترسی پزشک به پرونده بیمار بر اساس موقعیت فیزیکی پزشک، مساله تشخیص شرایط اضطراری و اعطای پویای دسترسی موقت به پزشک حاضر، حفظ حریم خصوصی بیمار بر اساس ترجیحات وی و مساله اعطای وکالت دسترسی به حقوق دسترسی پزشک دیگر مطرح است که در مدل‌های ارائه‌شده تاکنون پوشش داده نشده است. در این مقاله یک مدل کنترل دسترسی پویا و حافظ حریم خصوصی با قابلیت وکالت دسترسی در سلامت الکترونیکی با نام tbdac ارائه شده است؛ به‌طوری‌که هنگام دسترسی پزشکان و پرستاران به پرونده بیمار بتواند چالش‌های امنیتی مطرح در این محیط‌ها را برطرف‌کند. با پیاده‌سازی یک سامانه کنترل دسترسی بر اساس مدل پیشنهادی و بررسی سناریوهایی واقعی در محیط بیمارستانی با استفاده از آن، کاربرد عملی این مدل در محیط واقعی و کارایی آن نشان داده شده است.

Privacy Preserving Dynamic Access Control Model with Access Delegation for eHealth

eHealth is the concept of using the stored digital data to achieve clinical, educational, and administrative goals and meet the needs of patients, experts, and medical care providers. Expansion of the utilization of information technology and in particular, the Internet of Things (IoT) in eHealth, raises various challenges, where the most important one is security and access control. In this regard, different security requirements have been defined; such as the physician rsquo;s access to the patient rsquo;s EHR (electronic health record) based on the physician rsquo;s physical location, detection of emergency conditions and dynamically granting access to the existing physician or nurse, preserving patients rsquo; privacy based on their preferences, and delegation of duties and related permissions. In security and access control models presented in the literature, we cannot find a model satisfying all these requirements altogether. To fill this gap, in this paper, we present a privacy preserving dynamic access control model with access delegation capability in eHealth (called TbDAC). The proposed model is able to tackle the security challenges of these environments when the physicians and nurses access the patients rsquo; EHR. The model also includes the data structures, procedures, and the mechanisms necessary for providing the access delegation capability.The proposed access control model in this paper is in fact a family of models named TbDAC for access control in eHealth considering the usual hospital procedures. In the core model (called TbDAC0), two primitive concepts including team and role are employed for access control in hospitals. In this model, a set of permissiontypes is assigned to each role and a medical team (including a set of hospital staff with their roles) is assigned to each patient. In fact the role of a person in a team determines his/her permissions on the health information of the patient. Since patients rsquo; vital information is collected from some IoT sensors, a dynamic access control using a set of dynamic and contextaware access rules is considered in this model. Detecting emergency conditions and providing proper permissions for the nearest physicians and nurses (using location information) is a key feature in this model. Since health information is one of the most sensitive individuals rsquo; personal information, the core model has been enhanced to be a privacy preserving access control model (named TbDAC1). To this aim, the purpose of information usage and the privacy preferences of the patients are considered in the access control enforcement procedure. Delegation of duties is a necessity in medical care. Thus, we added access delegation capability to the core model and proposed the third member of the model family, which is named TbDAC2. The complete model that considers all security requirements of these environments including emergency conditions, privacy, and delegation is the last member of this family, named TbDAC3. In each one of the presented models, the therapeutic process carried out in the hospitals, the relational model, and the entities used in the model are precisely and formally defined. Furthermore in each model, the access control process and the dynamic access rules for different situations are defined. Evaluation of the proposed model is carried out using three approaches; comparing the model with the models proposed in related research, assessing the realworld scenarios in a case study, and designing and implementing a prototype of an access control system based on the proposed model for mobile Android devices. The evaluations show the considerable capabilities of the model in satisfying the security requirements in comparison to the existing models which proposed in related research and also its applicability in practice for different simple and complicated access scenarios.